We process personal data to:

  • Deliver our products and services to customers
  • Enter into and maintain contracts with customers and suppliers
  • Recruit and administer staff
  • Promote our services


We process personal data about:

  • Patients
  • Customers, suppliers and contacts
  • Job applicants
  • Current and former employees


Visitors to our website

We use anonymised cookies to analyse traffic and improve our website. We do not process identifiable data about website visitors. See our cookies notice for details. 



Patients

We process patient data to help healthcare organisations achieve sustainable improvements in their performance. We receive anonymised and pseudonymised patient data from NHS England and directly from our customers.

We are a data controller for the anonymised and pseudonymised patient data sent to us by NHS England. See the privacy notices for:

  • Hospital Episode Statistics (HES) and Civil Registration (Deaths) Secondary Care Cut
  • Emergency Care Data Set (ECDS)
  • Summary Hospital-level Mortality Indicator (SHMI) 

We are a data processor for personal data supplied by and processed on behalf of our customers under contract. 


Customers, suppliers and other contacts

We process your information when you contact us about our services, and during the course of your contract, for purposes of administration, support and service delivery, keeping you updated, monitoring service usage for security, improvement and development, and for compliance with our agreements, legal obligations, the NHS Data Security and Protection Toolkit and our ISO 27001 certification.

We use contact details to inform current and prospective clients of our products and services. You can manage communication preferences using the button in our emails, by contacting our team or by logging into your account.

We process contact details and correspondence relating to current, former and prospective suppliers, to enter into and maintain contracts and for compliance with legal and contractual obligations.

See the privacy notice for customers, suppliers and other contacts.


Job applicants

We process queries and CVs from job applicants and agencies, to complete the recruitment process, ensure it is run fairly, enter into contracts with successful candidates and produce anonymised statistics. A third-party agency processes references, DBS and credit checks as required.

We keep unsuccessful application personal data for a year, for equality and diversity monitoring, assurance that the process is run fairly and to consider applicants for similar vacancies. Successful applicant information is transferred to their employee file.

See our recruitment privacy notice.


Current and former employees

Employees provide details about themselves and, where necessary, next of kin and emergency contacts, and have access to a detailed privacy notice. Data on former employee files are kept for six years after employment unless required for longer, for example, by compliance with legal obligations.


Your rights

Your personal data rights include:

  • Access – request copies of your personal data.
  • Rectification – request correction or completion of information that we hold about you.
  • Erasure – request deletion of data if we no longer need it, you withdraw consent, retention is unlawful or there are no overriding grounds to retain it.
  • Restriction – request that we limit processing to storage and do not use it for anything else.
  • Objection – if you object to us processing your data on the basis of legitimate interests we must stop unless there are compelling legitimate grounds for continuing.
  • Portability – request that a digital copy is sent (ported) to another organisation. This applies to information processed by automated means and on the basis of consent or for a contract.

Contact us or see the privacy notices for more information about your rights. 

We cannot identify you in data disseminated by NHS England. Any requests relating to your health data must be made to your healthcare provider or NHS England.


Information processed by third parties and where it is processed

Our data storage and processing locations are in the UK. Data disseminated by NHS England is processed within and not transferred outside the UK. In some cases, and subject to restrictions, we may need to disclose personal data to related entities, partners and other organisations, both within and outside the UK, such as to third parties providing services to us. Our use of Microsoft 365 involves processing within the UK and Australia.

See our privacy notices for more details about third parties and processing locations.


Data Protection Officer

For data protection queries contact our Data Protection Officer on


How to complain

If you feel that we have let you down in relation to your personal data then please contact our Data Protection Officer. You can also contact the Information Commissioner’s Office, the UK’s independent authority upholding information rights, at or on 0303 123 1113.