DataMedic Ltd – Privacy Policy
1. Introduction
DataMedic Ltd ("we", "us", "our") is committed to protecting the privacy and security of personal data. This Privacy Policy explains how we collect, use and safeguard information when you use our services, which we provide as a data processor for NHS organisations.
We operate in strict accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the NHS Data Security and Protection Toolkit (DSPT) requirements, and relevant NHS data standards.
Our Role: DataMedic acts as a data processor on behalf of NHS general practices, Primary Care Networks (PCNs), and Integrated Care Boards (ICBs), who remain the data controllers of patient information.
2. Information We Process
As a data processor for NHS organisations, we handle the following categories of information:
2.1 NHS Patient Data (Processed on Behalf of Controllers)
Identifiable Patient Information:
- Personal identifiers: NHS number, patient name, date of birth
- Contact details: full address, telephone numbers, email addresses
- Clinical data: diagnoses, medications, test results, clinical measurements, immunisation records
- Health indicators: BMI, blood pressure, HbA1c, cholesterol levels
- Care pathways and referral information
- Appointment and consultation records
Why we process identifiable data: Patient identifiers are essential to enable healthcare professionals to act on clinical insights. Our analytics identify specific patients who may benefit from interventions (e.g., patients due for medication reviews, immunisations, or health checks). Clinicians require this information to contact patients, update records, and deliver appropriate care. We extract only the minimum data necessary for these clinical purposes and process it strictly within the lawful framework established by NHS data governance standards.
Data Minimisation Principle: While we process identifiable data, we adhere strictly to the principle of data minimisation. We request only the specific data fields required for the contracted analytics services and do not retain information beyond what is necessary for service delivery and regulatory compliance.
2.2 Healthcare Professional Data (Users of Our Platform)
- Contact details: name, email address, job title, organisation
- Professional identifiers: GMC/NMC registration numbers, GMP codes, ODS codes
- Authentication credentials (securely hashed)
- Platform usage analytics and audit logs
2.3 Technical Information
- IP addresses and device information
- Browser type and operating system
- Access logs and security event data
- Session management tokens
3. Legal Basis for Processing
As a data processor we do not determine the lawful basis for patient data: the NHS data controller does (see also the Clarifications at the end of this policy), and we process only on its documented instructions. The bases below cover our own processing of platform-user and technical data and the conditions our controllers ordinarily identify for patient data:
- Contractual Necessity (Article 6(1)(b) UK GDPR): Processing is necessary to deliver our analytics services under Data Processing Agreements with NHS organisations
- Legitimate Interests (Article 6(1)(f) UK GDPR): For platform security, fraud prevention, and service improvement, balanced against individual rights
- Legal Obligation (Article 6(1)(c) UK GDPR): Compliance with NHS data security standards, Care Quality Commission requirements, and regulatory reporting obligations
- Special Category Condition (Article 9(2)(h) UK GDPR): Health data is processed for health or social care management purposes. This condition applies in addition to, not instead of, the Article 6 basis identified by the controller, and is subject to the safeguards in Schedule 1 of the Data Protection Act 2018
4. How We Use Information
We process data solely for the purposes instructed by our NHS data controllers:
4.1 Primary Processing Purposes
- Generating population health analytics and clinical dashboards for healthcare professionals
- Identifying specific patients eligible for guideline-recommended interventions, preventive care, or medication reviews
- Enabling clinicians to take informed action on patient cohorts (e.g., contacting patients for health checks, immunisations, or chronic disease management)
- Supporting quality improvement initiatives, QOF achievement, and care pathway optimisation
- Providing comparative benchmarking against national clinical standards and peer practices
- Facilitating data-driven clinical decision-making at individual and population levels
- Supporting care coordination between practices, PCNs, and ICBs
Clinical Actionability: The identifiable patient information we process enables authorised healthcare professionals to act directly on insights. For example, when our system identifies patients overdue for diabetic retinopathy screening, clinicians need patient names and contact details to reach out and arrange appointments. This direct clinical utility is the core purpose of our data processing activities.
4.2 Secondary Processing (With Explicit Consent)
- Service communications and platform updates
- Technical support and troubleshooting
- Aggregated research and service development (fully anonymised with no patient identifiers)
We do not:
- Sell, rent, or trade any personal data
- Use patient data for marketing purposes
- Share identifiable information with third parties without explicit consent or legal requirement
- Process data beyond the scope agreed with data controllers
- Use patient data for purposes unrelated to healthcare delivery and improvement
5. Data Security and Protection
We maintain robust technical and organisational measures aligned with NHS DSPT standards:
5.1 Technical Safeguards
- Encryption: TLS 1.3 for data in transit; AES-256 encryption for data at rest
- Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), and principle of least privilege
- Network Security: Firewalls, intrusion detection systems, and DDoS protection
- Secure Infrastructure: ISO 27001 certified hosting providers with UK-based data centres
- Vulnerability Management: Regular penetration testing, security patches, and code audits
5.2 Organisational Measures
- Annual NHS DSPT assessments with Standards Met status
- Mandatory staff data protection and security training
- Documented information security policies and procedures
- Incident response and breach notification protocols
- Regular internal and external security audits
- Background checks for all staff with data access
5.3 Data Minimisation and Access Controls
- We extract only the minimum data fields necessary for contracted analytics services
- Patient identifiers are processed only where required for clinical actionability (enabling healthcare professionals to contact and care for specific patients)
- Strict role-based access ensures only authorised healthcare professionals at the relevant organisation can view identifiable patient information
- Technical controls prevent cross-organisation data access—practices can only view their own patients' information
- All access to identifiable patient data is logged and auditable
- Data extraction protocols are reviewed annually to ensure continued adherence to the minimisation principle
Lawful Processing Framework: All patient data processing occurs within Data Processing Agreements that specify exact data fields, purposes, retention periods, and security requirements. We operate under the strict oversight of NHS data controllers who retain full control over patient information and can audit our processing activities at any time.
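The three controls in 5.3 that a practitioner would want to see enforced in code rather than in policy text are the organisation boundary (a practice sees only its own patients), the role boundary (identifiers only to clinicians who need them; counts only to analysts, with the small-number suppression mentioned later under Open Data & Clinical Terminology) and the audit trail of every decision, allowed or denied. The following Python is an added illustration of that pattern and is not DataMedic's own code. The ODS codes, NHS numbers, names and the suppression threshold of 5 are constructed placeholders, and the in-memory record list stands in for whatever database the real service uses.

```python
# Added example: tenant-scoped, role-based access to patient data with an audit trail.
# Illustrative code, not DataMedic's implementation. Organisation codes, NHS numbers,
# names and SUPPRESSION_THRESHOLD are constructed placeholders.
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Role(str, Enum):
    CLINICIAN = "clinician"   # may see identifiable records for their own organisation
    ANALYST = "analyst"       # may see counts only, never identifiers
    ADMIN = "admin"           # platform administration; no patient data at all


@dataclass(frozen=True)
class User:
    user_id: str
    org_ods: str   # ODS code of the organisation that authenticated this user
    role: Role


@dataclass(frozen=True)
class PatientRecord:
    nhs_number: str
    org_ods: str   # ODS code of the registering practice (the controller)
    name: str
    overdue_screening: bool


SUPPRESSION_THRESHOLD = 5   # assumed small-number threshold; counts 1..4 are withheld


class AccessDenied(PermissionError):
    """Raised for any cross-organisation or role-inappropriate request."""


class PatientDataService:
    def __init__(self, records):
        self._records = list(records)
        self.audit_log = []   # every access decision, allowed or denied, lands here

    def _audit(self, user, requested_org, action, outcome, detail):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user_id": user.user_id,
            "role": user.role.value,
            "user_org": user.org_ods,
            "requested_org": requested_org,
            "action": action,
            "outcome": outcome,
            "detail": detail,
        })

    def overdue_screening(self, user, requested_org):
        """Patients overdue for screening at requested_org, scoped to the caller.

        The organisation is checked against the authenticated user's own
        organisation rather than trusted from the request, so a clinician at
        practice A cannot list practice B's patients by editing a parameter.
        """
        action = "overdue_screening"
        if requested_org != user.org_ods:
            self._audit(user, requested_org, action, "DENY", "cross-organisation request")
            raise AccessDenied("organisation mismatch")

        rows = [r for r in self._records
                if r.org_ods == user.org_ods and r.overdue_screening]

        if user.role is Role.CLINICIAN:
            # Identifiable output limited to the fields needed to contact the patient.
            self._audit(user, requested_org, action, "ALLOW",
                        f"{len(rows)} identifiable rows returned")
            return [{"nhs_number": r.nhs_number, "name": r.name} for r in rows]

        if user.role is Role.ANALYST:
            # Aggregate only; small counts are suppressed to reduce re-identification risk.
            count = len(rows)
            suppressed = 0 < count < SUPPRESSION_THRESHOLD
            self._audit(user, requested_org, action, "ALLOW",
                        "count suppressed" if suppressed else f"count={count}")
            return {"overdue_count": None if suppressed else count,
                    "suppressed": suppressed}

        self._audit(user, requested_org, action, "DENY", "role not permitted")
        raise AccessDenied(f"role {user.role.value} may not access patient data")


def access_denied(service, user, requested_org):
    """True if the request is refused, False if it succeeds (convenience wrapper)."""
    try:
        service.overdue_screening(user, requested_org)
        return False
    except AccessDenied:
        return True


def build_demo_service():
    """Constructed sample data: two practices, no real patients."""
    return PatientDataService([
        PatientRecord("9434765919", "A12345", "Patient One", True),
        PatientRecord("9434765927", "A12345", "Patient Two", False),
        PatientRecord("9434765935", "A12345", "Patient Three", True),
        PatientRecord("9434765943", "B67890", "Patient Four", True),
    ])


if __name__ == "__main__":
    svc = build_demo_service()
    gp = User("u1", "A12345", Role.CLINICIAN)
    print(svc.overdue_screening(gp, "A12345"))
    print("cross-org denied:", access_denied(svc, gp, "B67890"))
    for entry in svc.audit_log:
        print(entry)
```

The point of the design is that the tenant filter is applied inside the service from the authenticated identity, never from client-supplied input, and that denials are logged with the same detail as successes so that a cross-organisation probe is visible to whoever reviews the audit trail.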
6. Data Retention and Deletion
We retain data only for as long as necessary to fulfil contractual obligations:
- Active Clinical Data: Retained for the duration of the service contract with the data controller, enabling longitudinal trend analysis and quality improvement
- Audit Logs: Maintained for 2 years in accordance with NHS audit requirements
- User Account Data: Deleted within 90 days of account closure or contract termination
- Backup Data: Securely destroyed after 90 days following contract termination
Upon contract termination or at the data controller's request, we securely delete or return all personal data within 30 days, providing certification of destruction where required.
7. Data Sharing and Third Parties
We engage carefully vetted sub-processors subject to equivalent data protection obligations:
7.1 Sub-Processors
- Cloud Infrastructure: UK-based hosting providers with ISO 27001 and SOC 2 certifications
- Email Services: For essential service communications only
- Support Tools: Encrypted platforms for customer support and technical assistance
All sub-processors are bound by written Data Processing Agreements that meet UK GDPR Article 28 requirements. Further details about sub-processors can be provided to controllers on request.
7.2 Regulatory Disclosures
We may disclose information when legally required by:
- NHS England, ICO, or CQC in performance of regulatory functions
- Law enforcement agencies with appropriate legal authority
- Courts or tribunals pursuant to valid legal process
7.3 International Transfers
We do not transfer personal data outside the United Kingdom in delivering our services. All data processing occurs within UK data centres, and our sub-processors are contractually prohibited from international transfers without our explicit written approval. The mechanism we would apply if a transfer ever became necessary is set out under International Transfers in the Clarifications at the end of this policy.
8. Your Rights
As a data processor, we support the exercise of data subject rights, but requests must be directed to the relevant NHS data controller (your GP practice, PCN, or ICB).
For Healthcare Professionals (Platform Users)
You have the right to:
- Access: Request a copy of your personal information we hold
- Rectification: Correct inaccurate or incomplete data
- Erasure: Request deletion of your data (subject to legal retention requirements)
- Restriction: Limit how we use your data in certain circumstances
- Portability: Receive your data in a machine-readable format
- Object: Object to processing based on legitimate interests
- Withdraw Consent: Where processing is based on consent, you may withdraw at any time
To exercise these rights, contact us at: info@datamedic.uk or write to our Data Protection Officer at the address provided in Section 14.
For Patients
Your NHS clinical data is processed by DataMedic on behalf of your GP practice to support better healthcare delivery. This includes identifying when you may benefit from health checks, preventive care, or treatment adjustments based on current clinical guidelines.
Your practice remains in control of your data. If you have questions about how your information is used, wish to exercise your data protection rights, or want to understand what insights have been generated about your care, please contact your GP practice directly. They can explain the analytics performed and any actions taken as a result.
Opting Out: If you do not want your data used in this way, discuss the available opt-outs with your practice. A Type 1 opt-out, recorded by your GP practice, stops identifiable data leaving the practice for purposes other than your direct care; the National Data Opt-Out is a separate, NHS-wide mechanism covering the use of confidential patient information for research and planning. Neither applies to processing carried out for your direct care, so the effect on the analytics described here depends on the purpose your practice has instructed; your practice can explain this, including any reduction in the proactive, preventive care it can offer you.
9. Cookies and Tracking Technologies
Our platform uses essential cookies and similar technologies:
- Strictly Necessary Cookies: Authentication, security, and session management (cannot be disabled)
- Functional Cookies: User preferences and interface customisation
- Performance Cookies: Anonymised usage analytics to improve service quality
We do not use advertising or marketing cookies. You can manage non-essential cookies through your browser settings, though this may limit platform functionality.
10. Children's Privacy
Our platform is designed for healthcare professionals and not intended for individuals under 18. We do not knowingly collect personal information from children through our direct services.
Clinical data processed on behalf of NHS organisations (identifiable where required for clinical actionability, as described in Section 2.1) may include information about patients of all ages, including children, and is handled in accordance with NHS safeguarding standards and the additional protections UK GDPR affords children's data.
11. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) for processing activities involving NHS data where required. These assessments evaluate privacy risks and implement appropriate mitigations before new service features are deployed.
DPIAs are reviewed and updated when processing operations change significantly. Copies are available to data controllers upon request where appropriate.
12. Security Incidents and Breach Notification
In the unlikely event of a data breach affecting personal information:
- We will notify affected data controllers within 24 hours of becoming aware of the breach
- We provide detailed breach reports including the nature, scope, and potential impact
- We work with controllers to assess whether notification to the ICO (which the controller must make within 72 hours of becoming aware, where the breach is likely to result in a risk to individuals) and to affected individuals is required, and we supply the information they need to meet that deadline
- We implement remedial actions to prevent recurrence
Our incident response procedures are aligned with NHS cyber security incident response guidance.
13. Changes to This Privacy Policy
We may update this Privacy Policy to reflect changes in our practices, legal requirements, or service offerings. Significant changes will be communicated through:
- Email notification to registered users
- Prominent notice on our website
- Updated "Last updated" date at the top of this policy
Continued use of our services following notice of changes constitutes acceptance of updated terms. We encourage periodic review of this policy to stay informed about how we protect your information.
14. Contact Information
For questions, concerns, or requests regarding this Privacy Policy or our data protection practices:
DataMedic Ltd
128 City Road
London
EC1V 2NX
United Kingdom
Email: info@datamedic.uk
Regulatory Authority: If you are not satisfied with our response to your data protection concerns, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
ICO
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113
Web: ico.org.uk
15. NHS Data Security Standards Compliance
DataMedic maintains compliance with:
- NHS Data Security and Protection Toolkit (DSPT): Annual Standards Met assertion
- Cyber Essentials Plus: Current certification renewed annually
- ISO 27001: Information Security Management System certification
Evidence of current compliance status is available to NHS organisations upon request through our assurance portal.
Document Control
Version: 2.1 | Effective Date: 2 November 2025 | Review Date: 2 May 2026
This Privacy Policy was prepared in consultation with our Data Protection Officer and legal advisors to support compliance with UK data protection legislation and NHS information governance requirements.
NHS & UK GDPR Compliance Clarifications
Common Law Duty of Confidentiality and Caldicott
In addition to UK GDPR and the Data Protection Act 2018, uses and disclosures of confidential patient information are also subject to the common law duty of confidentiality. We act only on the documented instructions of the Controller and in accordance with the Caldicott Principles. Where a Controller identifies consent or another recognised justification (e.g., direct care, overriding public interest), we process accordingly.
Special Category Data (Article 9) – Controller Determination
Controllers determine the appropriate Article 9 condition for health data. For our services this is ordinarily Article 9(2)(h) (health or social care management) with appropriate safeguards. Where an alternative condition is identified by the Controller (e.g., 9(2)(i) public health), we process in line with that instruction.
Data Subject Rights (Processor Assistance)
We assist Controllers in responding to data subject requests (access, rectification, erasure, restriction, objection, portability) within a reasonable timeframe of a valid instruction, providing cooperation and information needed to fulfil the request.
International Transfers
We do not routinely transfer personal data outside the UK. If a transfer becomes necessary, we will implement a valid UK international transfer mechanism (e.g., IDTA or UK Addendum to the EU SCCs) and undertake a transfer risk assessment, as required by UK law.
Cookies and PECR
We set only essential cookies by default. For analytics or other non-essential cookies we seek prior consent where required and provide controls and a withdrawal option via browser settings or cookie preferences. See our Cookie Policy for details.
Security Standards & NDG 10
We align our controls to the National Data Guardian’s 10 Data Security Standards. Illustrative measures include: information governance and cyber training for staff; multi-factor authentication for administrative access; least-privilege and joiners-movers-leavers controls; vulnerability management and timely patching; penetration testing; logging and monitoring; incident response and business continuity planning.
Retention
- Patient-level datasets (processor): retained in line with the controller’s instructions and deleted following controller instruction or contract end (unless a longer period is legally required or expressly instructed by the Controller).
- Security/audit logs: retained for operational and regulatory purposes, typically up to 12 months unless incident investigation requires longer.
- Encrypted backups: retained on a rolling basis, then purged in line with backup rotation.
Business Continuity & Disaster Recovery
We maintain BCP/DR arrangements and aim to restore services as quickly as reasonably practicable following a major incident, in line with agreed service objectives.
Open Data & Clinical Terminology
For English Prescribing Data, we use the dataset as published by NHSBSA under the Open Government Licence and apply small-number suppression with safeguards against re-identification. SNOMED CT® is used under licence from the UK Terminology Centre. We do not grant any sublicences or extended rights beyond our licence.