As a data analytics company with an outstanding healthcare heritage, Health iQ considers that Information Governance (IG) and the protection of data are critical to everything we do. Health iQ ensures that all the data we hold is protected to the highest standards, always held securely and processed safely. Everyone at Health iQ is fully trained to understand the importance of IG and to further ingrain it in our DNA.
When we say “Health IQ” we are referring to “Health IQ Ltd”, the data analytics company.
We are registered as a Data Controller with the Information Commissioner’s Office (ICO). The ICO is the UK's independent body set up to uphold information rights ().
If you have any questions, concerns or requests about your personal data, or how we process it, then please do not hesitate to contact us, via our Data Protection Officer, at so that we can make things right. If our response is not to your satisfaction, then you can make a complaint to the ICO.
According to the General Data Protection Regulation:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”
The sections below describe how personal data is processed by Health IQ:
· Under licence from NHS Digital we receive the HES (Hospital Episode Statistics) dataset. HES details all the hospital admissions, outpatient appointments and A&E attendances for England and Wales. Under the terms of the GDPR pseudonymised data is now recognised as personal data. The data we use for our products and services is pseudonymised and we do not hold the re-identification key – this means that identifying an individual patient is extremely unlikely, in most cases impossible. Only NHS Digital, the Data Controller for HES data, can identify this information. The reasons and purpose for our processing of this data is to provide statistical and research services to our clients in the healthcare and life sectors. We therefore use Legitimate Interests as our lawful basis for processing this data.
We also process sensitive classes of information – and have chosen special category condition section 9.2 (j) of the GDPR for the processing of such data.
Data is retained as per our agreement with NHS Digital and data is destroyed as per NHS Digital Guidelines. We do not transfer any patient-level data to 3rd parties or 3rd countries. By “patient-level” we mean data relating to an individual patient. This data is pseudonymised and means the patient cannot be identified without the inclusion of additional information – which Health IQ does not hold. For more information please contact our DPO at
When using/browsing the Health IQ website:
· Responding to “Contact Us”, “Request Live Demo” or “Download Brochure” requests which, in order to respond to the requester, involves the processing of a firstname, a lastname and an email address. We therefore use Legitimate Interests as our basis for processing this data.
· We use Google Analytics to collect anonymous data to understand how users interact with the website and therefore use Legitimate Interests as our basis for processing this data. It is possible to opt-out and prevent this data from being collected. For further information please visit
Client or potential client:
· In order to engage with or sell our products and services to clients, or potential clients, we would use the lawful basis of Contract to process client names, email addresses, telephone numbers and any other personal data in relation to the engagement with those clients or the selling of those products and services.
Normal Business Use:
· In order to maintain our accounts and records, support and manage our employees, or prospective employees, the information we process may include personal details, family details, lifestyle, employment and education details, CVs. Legitimate Interests is therefore our basis for processing this information.
We sometimes need to share the personal information we process with the individuals themselves and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act/GDPR. What follows is a description of the types of organisations we may need to share some of the personal data with for one or more reasons:
• Healthcare professionals
• Social and welfare organisations
• Central government
• Business Associates
• Family, associates and reps of the person whose personal data we are processing
• Suppliers and service providers
• Financial organisations
• Current, past and prospective employees
• Employment agencies and examining bodies
The 2018 Data Protection Act and GDPR gives individuals the help to understand and the rights to control how their personal data is being used or processed. Those rights are as follows:
· The right to be informed about how your data is being used. You have the right to a clear explanation of how any of your personal data is being collected and processed by us.
· The right of access to your personal data via a “Subject Access Request” (SAR) which allows you to see what personal data we hold and how we process it.
· The right to rectification if any of the data we hold on you is incomplete or incorrect. If so, then please inform us and we will update it as soon as possible.
· The right to erasure which is sometimes referred to as the “right to be forgotten” allows you to ask for personal data to be deleted when the processing of it is no longer necessary or can be justified, or if the law demands it be deleted, or if you have withdrawn your consent and we have no further legitimate interest in processing it.
· The right to restrict processing. Article 18 of the GDPR gives individuals the right to restrict the processing of their personal data in certain circumstances e.g. they may have a particular reason with the content of the information on file or how it is being processed. In some circumstances you can limit how your personal data is being used by us and restrict its processing.
· The right to data portability allows you to request the personal data which we process by automated means (i.e. a PC), and which you provided to us on the basis of consent or contract, to be transferred back to you in a PC-based format.
· The right to object to some forms of processing – you have the right to object to the processing of your personal data where we use Legitimate Interests as our basis for processing. We will revisit our rational for the Legitimate Interests Assessment of the data in question and decide, based on your needs and our requirements, whether to cease processing or not. You also have the right to stop your data being used for direct marketing purposes.
At Health-IQ we take our data protection responsibilities very seriously. If you wish to exercise any of the rights listed above or, if you are not happy with how we process your personal data, then please get in touch with us at and we will ensure you receive a response within 30 days.