Trust & Compliance

Data handled lawfully, minimised and secured

Privacy by design — clear lawful bases, DPIAs where needed, sensible retention, and security throughout.

Our approach

Privacy architecture

Lawful basis

Article 6 basis + Article 9 condition for any health data.

DPIA

Completed for high-risk and innovative-AI processing.

Data minimisation

We ask only for what we need, and flag what not to share.

Retention

Defined schedules; delete or anonymise on time.

Consent (PECR)

Non-essential cookies blocked until affirmative consent.

Security

Access control, encryption in transit, processor due diligence.

Two gates for health data

Lawful basis and the special-category condition

Personal data about someone's health is special-category data under UK GDPR, and processing it lawfully means clearing two gates, not one. First, you need an Article 6 lawful basis — most often legitimate interests, performance of a contract, or consent. Second, and separately, you need an Article 9 condition that permits special-category processing at all, such as explicit consent, the provision of health or social care, or substantial public interest. Many projects stumble because they identify a lawful basis but never establish a valid Article 9 condition, which leaves the processing unlawful however good the intentions.

Our approach is to document both gates before any health data is touched, alongside the appropriate-policy-document and additional safeguards that several Article 9 conditions require under the Data Protection Act 2018. We then minimise hard: we design the data flow to collect the least information that achieves the purpose, separate identifiers from clinical content where feasible, and flag to clients exactly what should never be sent to us in an enquiry. This is privacy by design rather than privacy by paperwork.

Boundary. Our public website and tools are designed not to require patient-identifiable data. When a client engagement does involve health data, the lawful basis, Article 9 condition and safeguards are agreed in writing first.

From assessment to assurance

How we help you evidence it

  1. Map the processing. We document what data is involved, why, who touches it and where it flows — the foundation for every other control.
  2. Establish the legal footing. We confirm the Article 6 basis and Article 9 condition, record the controller/processor roles, and put any required agreements in place.
  3. Run the DPIA where needed. For high-risk or innovative-AI processing we conduct a structured DPIA, identify residual risks and define mitigations, consulting the ICO where the risk cannot be reduced.
  4. Apply proportionate security. Access control, encryption in transit, processor due diligence and a defined retention and deletion schedule — sized to the sensitivity of the data, not boilerplate.
  5. Make it buyer-ready. For NHS-facing work we align with the data-security expectations behind the DSP Toolkit and help you present the evidence procurement teams ask for.

Data protection rarely stands alone. For AI processing it interlocks with our AI governance and oversight rules, and for products it sits beside clinical safety and risk management. To see how it all maps for an NHS purchase, read DPIA for AI in healthcare and our guide to the DSP Toolkit.

Answers

Frequently asked questions

How do you handle special-category health data?

Health data needs both a lawful basis (Article 6) and a condition for special-category processing (Article 9), with a DPIA where processing is high-risk. We minimise data, document the basis, and apply appropriate safeguards before any such processing.

Do you complete the DSP Toolkit?

For engagements involving NHS data or systems, we support the data-security expectations buyers hold, including DSP Toolkit alignment, and help you evidence it.

Where is data stored and for how long?

We store enquiry data minimally and only as long as needed to respond and meet legal obligations, then delete or anonymise it. See our Privacy & Cookies notice.

When is a DPIA actually required?

A Data Protection Impact Assessment is required under UK GDPR before any processing likely to result in a high risk to people — which expressly includes large-scale special-category (health) data and many innovative or AI-driven uses. We help you decide whether the threshold is met, and produce the DPIA where it is, rather than treating it as a tick-box after the fact.

Are you a data controller or a processor?

It depends on the engagement. For our own enquiry handling we are the controller; when we process data on your behalf to deliver a service we act as your processor under a written agreement. We make the roles explicit at the outset because they determine who is accountable for what.

How do you handle international data transfers?

We minimise transfers of personal data outside the UK and, where one is unavoidable, rely on an appropriate safeguard such as adequacy or the relevant standard contractual terms, supported by a transfer risk assessment. We prefer UK or adequate-jurisdiction processing for health data wherever possible.

Need data-protection support?

We help teams get lawful basis, DPIAs and governance right.
