Last update: 11 Dec 2024

Privacy Policy

The Patient Privacy Policy is available here.

Introduction

IDEOSHIFT Ltd is committed to protecting the privacy and security of personal data processed on behalf of healthcare organisations. This privacy notice explains how we handle, store, and secure personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller Contact Details

2. Data Protection Officer Contact Details

3. Purpose of Processing

IDEOSHIFT Ltd processes data to support healthcare providers in handling clinical letters, administrative documents, and operational workflows. This ensures timely and efficient data processing to enhance patient care and healthcare service management.

4. Lawful Basis for Processing

Processing is conducted under the UK GDPR and the Data Protection Act 2018, based on:

  • Article 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest.

  • Article 9(2)(h) – Processing is necessary for medical diagnosis, healthcare service management, and treatment planning.

  • Compliance with the Common Law Duty of Confidentiality.

5. Categories of Data Processed

Personal Data Processed:

  • Patient Name, Date of Birth, NHS Number, Address

  • Healthcare records and clinical letters

  • Correspondence between healthcare professionals

Special Category Data Processed:

  • Medical history, treatment records

  • Information regarding physical and mental health conditions

  • Ethnicity and religious beliefs (where relevant)

6. Data Storage and Processing Locations

IDEOSHIFT Ltd processes data both within the UK and internationally. Some processing activities may be carried out abroad under strict data security and contractual safeguards to ensure compliance with UK GDPR requirements.

All international data transfers comply with:

  • UK GDPR adequacy decisions

  • Standard Contractual Clauses (SCCs) (where necessary)

7. Data Sharing

  • Data is shared only with authorised parties under contract with IDEOSHIFT Ltd.

  • No data is sold or shared for marketing purposes.

  • Approved third-party service providers and subcontractors may process data under strict data protection agreements.

8. Retention Period

Personal data is retained in accordance with the NHS Records Management Code of Practice 2021.

Upon contract termination, IDEOSHIFT Ltd will securely delete or return all data as per the controller’s instructions.

9. Security Measures

IDEOSHIFT Ltd applies robust technical and organisational security measures, including:

  • ISO 27001 certified infrastructure

  • Cyber Essentials Plus security compliance

  • Encrypted data storage and transmission

  • Regular security audits and access controls

10. Rights of Data Subjects

Individuals have the right to:

  • Access their personal data

  • Request correction of inaccurate data

  • Object to certain processing activities

  • Request data deletion (where legally permissible)

  • Raise complaints with the Information Commissioner’s Office (ICO)

11. Right to Complain

Individuals can file complaints with the ICO via:

  • Website: ICO Contact Page

  • Phone: 0303 123 1113 (local rate) or 01625 545 745 (national rate)

12. Analytics

We partner with Microsoft Clarity and Microsoft Advertising to capture how you use and interact with our website through behavioral metrics, heatmaps, and session replay to improve and market our products/services. Website usage data is captured using first and third-party cookies and other tracking technologies to determine the popularity of products/services and online activity. Additionally, we use this information for site optimization, fraud/security purposes, and advertising. For more information about how Microsoft collects and uses your data, visit the Microsoft Privacy Statement.

We want to process as little personal information as possible when you use our website. That's why we've chosen Fathom Analytics for our website analytics, which doesn't use cookies and complies with the GDPR, ePrivacy (including PECR), COPPA and CCPA. Using this privacy-friendly website analytics software, your IP address is only briefly processed, and we (running this website) have no way of identifying you. As per the CCPA, your personal information is de-identified. You can read more about this on Fathom Analytics' website.

The purpose of us using this software is to understand our website traffic in the most privacy-friendly way possible so that we can continually improve our website and business. The lawful basis as per the GDPR is "Article 6(1)(f); where our legitimate interests are to improve our website and business continually." As per the explanation, no personal data is stored over time.