Privacy notice

MyOpNotes adheres to high standards for data security and privacy principles. This privacy notice provides an explanation of why and how personal data is handled, who manages the data processing, and the rights of patients concerning this process.

What is MyOpNotes?

MyOpNotes is an application for digital consent to treatment employed by healthcare institutions to share consent details with patients and record their approval for treatment. In most situations, this supersedes the earlier practice of using paper-based consent forms within the healthcare entity. MyOpNotes has been created by Opnote Ltd, a UK-based firm.

What categories of personal data are processed?

The MyOpNotes digital consent application processes personal data on behalf of the healthcare entity, to streamline the consent process, which is an integral part of direct care delivery.

MyOpNotes holds personal data that is either manually entered by a healthcare professional or through an integration with another clinical system employed by the healthcare organisation. This data, along with clinical information, makes up the consent information for a proposed treatment, allowing sharing with a patient and documentation of consent.

The processed personal data includes: optional title, first name, last name, date of birth, gender, patient ID number (such as NHS/hospital number), and optionally, either or both of email address and mobile phone number. This data is essential for clinical safety as it should be displayed during all clinical interactions. Best practice encourages sharing consent information with patients, thus contact details may be stored for digital communication of consent information.

The processed special category data (i.e., health-related data) includes: treatment name, reason and aim of treatment, alternatives, anaesthetic options, risks discussed, and the name and job title of healthcare professionals involved in care provision. This information is necessary as it is part of the consent record.

What is the lawful basis for processing?

Under the Data Protection Act 2018 (the UK's adaptation of the General Data Protection Regulation or GDPR), organisations are allowed to process personal data only if there is a legal basis. The data controller determines whether a legal basis exists for processing personal data, and a data processor may act on behalf of the data controller concerning that data processing. If data processing involves health data, the data controller should consider completing a Data Protection Impact Assessment (DPIA) before clinical usage, approving or rejecting the proposed data processing.

When MyOpNotes is utilised, the healthcare organisation (e.g., NHS Trust) is the data controller, and Opnote Ltd acts as the data processor for the healthcare organisation.

The legal basis for processing depends on the healthcare organisation. Information about the legal basis in a specific situation can be requested from the healthcare organisation or by contacting Opnote Ltd (see below for contact details). Generally, the following apply:

Public sector healthcare organisations:

  • Art.6(1)(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Art.9(2)(h) - processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, provision or management of health or social care systems and services

Private sector healthcare organisations:

  • Art.6(1)(b) - processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract
  • Art.9(2)(h) - processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, provision or management of health or social care systems and services

In all situations, a contract exists between the healthcare organisation and Opnote Ltd, which outlines the data processing agreement between both parties.

How is data processed?

Opnote Ltd uses the following sub-processors to deliver the functions of the MyOpNotes digital consent application:

  • AWS Cloud Platform
  • Postmark
  • Twilio

All these sub-processors have agreed to data processing and security terms of service with Opnote Ltd for appropriate and agreed sub-processing of data.

Google Cloud Platform (GCP) is used for data hosting needs within a UK-based data centre. GCP complies with healthcare information governance requirements.

Postmark enables email sending from the MyOpNotes application. An email with a secure link to their consent information may be sent to a patient on behalf of and at the request of the clinician user. Postmark complies with the requirements of the Data Protection Act 2018, as specified on Postmark’s EU General Data Protection Regulation (GDPR) page.

Twilio enables SMS sending from the MyOpNotes application. An SMS with a secure link to their consent information may be sent to a patient on behalf of and at the request of the clinician user. Twilio complies with the requirements of the Data Protection Act 2018, as detailed in Twilio’s General Data Protection Regulation resources.

How is data protected?

Data is safeguarded according to industry best practices with regard to access control and encryption.

Access controls: Healthcare organisations control clinicians' access. Patients receive an email or SMS with a unique link to their consent information, and they must input their date of birth to verify their identity.

Encryption: All data is securely stored using top-notch encryption techniques and is securely transferred.

For how long is data stored?

All data related to consent episodes is stored for a period specified by the individual healthcare organisation as the data controller. In line with best practice, this will usually be between 8 and 25 years. After the agreed duration, the data is reduced to a stub record containing patient details, procedure name, date, and responsible clinician.

If the healthcare organisation no longer remains a Opnote Ltd client, all data pertaining to that organisation's patients is returned to them as the data controller, and then it is either deleted or anonymised.

How are data subject rights met?

Under the Data Protection Act 2018, individuals possess data subject rights, which are fulfilled as follows:

Right to be informed: This privacy notice provides information about what data is collected, how it is used, whether it is shared, and how long it is kept.

Right of access: To access all information that Opnote Ltd holds relating to you, a request should be made to your healthcare organisation as the data controller.

Right to rectification: If you discover any incorrect or incomplete information, you can request your healthcare organisation to correct it.

Right to erasure: This does not apply since the data is for healthcare provision.

Right to restrict processing: If you wish to restrict the processing of your data, you can request your healthcare organisation to do so.

Right to data portability: If you want your personal data to be transferred, you can request your healthcare organisation to do so.

Automated decision making and profiling: Your data does not undergo any automated decision making or profiling.

How are the Caldicott Principles met?

The Caldicott Principles consist of eight principles to ensure confidential information is kept secure and appropriately used.

Principle 1. Justify the purpose(s) for using confidential information: The rationale for storing confidential information in MyOpNotes is that such information - like treatment name and reason for treatment - are required as part of documenting treatment consent.

Principle 2. Use confidential information only when necessary: All uses of MyOpNotes relate to recording or reviewing consent information, necessitating the display of patient involved and treatment details at all times to ensure patient safety. Provisions are in place to ensure no patient or healthcare detail is displayed unless requested by the clinician user.

Principle 3. Use the minimum necessary confidential information: Only the necessary minimum confidential information is displayed at each step of the MyOpNotes process. Summary views are utilised, for instance, a view for use within an operating theatre, displaying only the necessary details at that stage for safe care delivery.

Principle 4. Access to confidential information should be strictly need-to-know: The healthcare organisation manages clinician access, giving access only to identified users involved in the consent process.

Principle 5. Everyone with access to confidential information should understand their responsibilities: All clinician users receive onboarding information about appropriate application usage, access to confidential information, and information security.

Principle 6. Comply with the law: MyOpNotes’ processing of confidential information, and access to the information by clinician users, meet legal requirements.

Principle 7. The duty to share information for individual care is as important as the duty to protect patient confidentiality: Access to confidential information, with suitable authentication, is not limited to individual clinicians, enabling suitable sharing and visibility across an organisation to facilitate safe healthcare delivery.

Principle 8. Inform patients and service users about how their confidential information is used: Patients and service users are informed about the use of their confidential information. A link to this page is included for each patient within the patient's consent information. Organisations are encouraged to also include information about this use of their confidential information at other points in the relevant healthcare pathways. Information from the healthcare organisation should outline the patient's options regarding the use of their confidential information, but in most situations, MyOpNotes will be used as the mandated method for documenting consent within an organisation.

How to contact Opnote?

You can reach out to Opnote via:

  • Email:
  • Post: Company name: Opnote Ltd, Registration number: 14438750, Address: Opnote Ltd, 19 Clowbridge Drive, Loughborough, Leicestershire, United Kingdom, LE11 4SU.

How to contact your healthcare organisation?

If you have any queries related to anything mentioned in this privacy notice and would like to contact your healthcare organisation, you can request the relevant contact details by emailing

Didn’t get the answer you were looking for?