Privacy Policy

Health IQ Privacy Policy and information

As a data analytics company with an outstanding healthcare heritage, Health iQ considers that Information Governance (IG) and the protection of data are critical to everything we do. Health iQ ensures that all the data we hold is protected to the highest standards, always held securely and processed safely. Everyone at Health iQ is fully trained to understand the importance of IG and to further ingrain it in our DNA.

When we say “Health IQ” we are referring to “Health IQ Ltd”, the data analytics company.

Health iQ is registered as a Data Controller with the Information Commissioner’s Office (ICO). The ICO is the UK's independent body set up to uphold information rights ( 

If you have any questions, concerns or requests about your personal data, or how we process it, then please do not hesitate to contact us, via our Data Protection Officer, at so that we can make things right. If our response is not to your satisfaction, then you can make a complaint to the ICO.

According to the General Data Protection Regulation: 

 “personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

The sections below describe how personal data is processed by Health IQ:


HES Data

Under licence from NHS Digital Health iQ receives the HES (Hospital Episode Statistics) dataset. HES details all the hospital admissions, outpatient appointments and A&E attendances for England and Wales. Under the terms of the GDPR de-identified data is now recognised as personal data. The data Health iQ uses for our products and services is de-identified and Health iQ does not hold the re-identification key – this means that identifying an individual patient is extremely unlikely, in most cases impossible. Only NHS Digital, the Data Controller for HES data, can identify this information. The reasons and purpose for our processing of this data is to provide statistical and research services to our clients in the healthcare and life sectors


Legitimate Interest


Purpose Test


Health iQ processes data in order to conduct analysis that will support the optimal delivery of healthcare as a whole, and hence be a benefit to the individuals and all patients.


This analysis helps in a variety of ways including:

·      understanding the prevalence and burden of conditions, so that budgeting priorities can be appropriately set.

·      understanding where good practice lies and what it looks like.

·      to conduct new research into disease areas, resulting in publications which provide new knowledge for the benefit of all.

Patient-level data is required in order to accurately conduct the above types of analysis, without this Health iQ could not conduct the level of research needed to provide new insights into diseases or treatment pathways, and the potential benefit to healthcare of this research would not be realised.


The use of this data is entirely ethical and within the law.



Necessity Test


Understanding how healthcare is delivered and developing new ideas about how to make treatment better is a priority for all. Analysis of healthcare data is a vital component in this, and the sheer volume of publications released every year using HES data is evidence of its usefulness.


Health iQ believes this is a reasonable approach to achieving the aim of improving healthcare.


The same level of insight cannot be achieved without looking into patient-level data, therefore there is not an alternative approach that would be feasible.



Balancing Test


The data is collected in a well-known and transparent database held by a government body, so the source of the data is clear.


Health iQ only ever uses non-sensitive, de-identified data, and all outputs are also small-number suppressed. Data deemed particularly sensitive, such as data relating to sexually transmitted diseases, is protected even further as it carries no trackable HES-ID.  This data is de-identified and means the patient cannot be identified without the inclusion of additional information – which Health IQ does not hold.


Health iQ only holds data for a limited period (5 years plus current year), so a patient’s potential exposure is limited.


All use of the data is tightly controlled and limited to purposes which benefit the healthcare system and patients. In many cases the outputs are published pieces of research, which can be seen by anyone and provide a very clear and tangible benefit back to the system in terms of new knowledge and insight into a particular aspect of healthcare. These projects are often supported by leading clinicians in the field, so their value is even clearer.


Data is used in line with prevailing good and best practice, Health iQ does not undertake any unusual or out of the ordinary analysis on the data that could be cause for concern.


We therefore believe that the impact on individuals is minimal, and the benefits achieved do outweigh any harm that could potentially be caused.



Legitimate and Lawful


Health iQ processes sensitive classes of information – and have chosen special category condition section 9.2 (j) of the GDPR for the processing of such data.


Data is retained as per our agreement with NHS Digital and data is destroyed as per NHS Digital Guidelines. We do not transfer any patient-level data to 3rd parties or 3rd countries. By “patient-level” we mean data relating to an individual patient. 

For more information please contact our DPO at 


When using/browsing the Health IQ website:

·      Responding to “Contact Us”, “Request Live Demo” or “Download Brochure” requests which, in order to respond to the requester, involves the processing of a firstname, a lastname and an email address. We therefore use Legitimate Interests as our basis for processing this data.

·      We use Google Analytics to collect anonymous data to understand how users interact with the website and therefore use Legitimate Interests as our basis for processing this data. It is possible to opt-out and prevent this data from being collected. For further information please visit


Client or potential client:

·      In order to engage with or sell our products and services to clients, or potential clients, we would use the lawful basis of Contract to process client names, email addresses, telephone numbers and any other personal data in relation to the engagement with those clients or the selling of those products and services.


Normal Business Use:

In order to maintain our accounts and records, support and manage our employees, or prospective employees, the information we process may include personal details, family details, lifestyle, employment and education details, CVs. Legitimate Interests is therefore our basis for processing this information.

We sometimes need to share the personal information we process with the individuals themselves and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act/GDPR. What follows is a description of the types of organisations we may need to share some of the personal data with for one or more reasons:

• Healthcare professionals
• Social and welfare organisations
• Central government
• Business Associates
• Family, associates and reps of the person whose personal data we are processing
• Suppliers and service providers
• Financial organisations
• Current, past and prospective employees
• Employment agencies and examining bodies


Automated decision making and profiling

Automated decision-making is the process of making a decision by automated means without any human involvement. These decisions can be based on factual data, as well as on digitally created profiles or inferred data. Examples of this include:

·       an online decision to award a loan; and

·       an aptitude test used for recruitment which uses pre-programmed algorithms and criteria.

Profiling analyses aspects of an individual’s personality, behaviour, interests and habits to make predictions or decisions about them.

What are the benefits of profiling and automated decision-making?

Profiling and automated decision making can be very useful for organisations and also benefit individuals in many sectors, including healthcare, education, financial services and marketing. They can lead to quicker and more consistent decisions, particularly in cases where a very large volume of data needs to be analysed and decisions made very quickly.                           

Health iQ does not employ any automated decision making or profiling techniques.



The 2018 Data Protection Act and GDPR gives individuals the help to understand and the rights to control how their personal data is being used or processed. Those rights are as follows:

·      The right to be informed about how your data is being used. You have the right to a clear explanation of how any of your personal data is being collected and processed by us.

·      The right of access to your personal data via a “Subject Access Request” (SAR) which allows you to see what personal data we hold and how we process it. 

·      The right to rectification if any of the data we hold on you is incomplete or incorrect. If so, then please inform us and we will update it as soon as possible.

·      The right to erasure which is sometimes referred to as the “right to be forgotten” allows you to ask for personal data to be deleted when the processing of it is no longer necessary or can be justified, or if the law demands it be deleted, or if you have withdrawn your consent and we have no further legitimate interest in processing it.

·      The right to restrict processing. Article 18 of the GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances e.g. they may have a particular reason with the content of the information on file or how it is being processed. In some circumstances you can limit how your personal data is being used by us and restrict its processing.

·      The right to data portability allows you to request the personal data which we process by automated means (i.e. a PC), and which you provided to us on the basis of consent or contract, to be transferred back to you in a PC-based format.

·      The right to object to some forms of processing – you have the right to object to the processing of your personal data where we use Legitimate Interests as our basis for processing. We will revisit our rational for the Legitimate Interests Assessment of the data in question and decide, based on your needs and our requirements, whether to cease processing or not. You also have the right to stop your data being used for direct marketing purposes.


At Health-IQ we take our data protection responsibilities very seriously. If you wish to exercise any of the rights listed above or, if you are not happy with how we process your personal data, then please get in touch with us at and we will ensure you receive a response within 30 days.


This Privacy Policy relates to: 

Health iQ Limited, trading as CorEvitas® | Company No. 07505343,
Office 602-605, 20 Birchin Lane