Data processing

Types of data processed

The healthcare organisation is the data controller, and Concentric Health is the data processor.

Patient personal data used:

  • Title, given name(s), and family name
  • Date of birth
  • Gender
  • Hospital number and/or NHS number
  • Email and/or mobile number

These may be provided by the healthcare organisation via integration, or entered manually by the clinician.

Justification: For clinical safety reasons this data (except contact details) must be displayed on-screen during all clinician interactions with a patient’s records, and also appears on the patient’s consent form. Since this information forms part of a consent record, it must be stored according to the same retention schedule as those records. Best practice states that patients are given a copy of their consent form, and therefore contact details are stored to allow communication of the consent interaction and outcome data collection.

For all consent episodes discussed (which may or may not have resulted in surgical consent being given), the following special category data (all relating to the patient’s health) is used:

  • The treatment (A)
  • The responsible clinician (A)
  • The consent episode (B)
  • Other treatment options discussed (B)
  • The medical diagnosis which led to this procedure (A)
  • The intended purpose of the procedure (A)
  • The risks which the patient has been informed of (A)

Justification: Data marked (A) is a requirement for the consent form as per Department of Health guidelines, and thus must be maintained. In order to fully understand the context in which consent was discussed and taken, data marked (B) is also stored. In combination, data (A) and (B) are cryptographically linked to the state of a consent episode at all points in time.

Clinician personal data used:

  • Name
  • Job title
  • GMC number (optional)
  • Email address

Justification: As part of the audit trail of the application, all activity is tied to the identity of the logged-in user, and in some cases is shown to other users of the system (for example, the name of the clinician taking confirmation of consent). The clinician’s email address, where applicable, is used for login and to support use cases such as password reset, but is not disclosed to patients or other users.

The legal basis for processing is that of ‘direct care’. The healthcare organisation has a requirement to take and store procedural consent as part of providing direct care to an individual. The contract between the healthcare organisation and Concentric Health to deliver a digital consent platform will provide Concentric Health’s ‘direct care’ legal basis for processing.

Third party processors

The following ‘Commercial Third Party’ processors are used, with which Concentric Health have agreed data processing and security terms:

Google Cloud Platform

Google Cloud Platform (GCP) provides all hosting and data processing. GCP are fully compliant with NHS information governance requirements. GCP enters data processing and security terms with Concentric Health with regards to appropriate and contracted sub-processing of data. GCP lists sub-processors here.


Postmark

Postmark provides email sending. These terms of service and this data processing addendum apply to Concentric Health’s use of Postmark services. Details regarding Postmark’s compliance with GDPR requirements and their use of sub-processors are available here.


Twilio

Twilio provides SMS sending. Twilio have Binding Corporate Rules (BCRs) in place with regard to compliance with data protection laws. Twilio lists sub-processors here.

Transparency and user rights

The platform has been designed to meet the GDPR individual rights requirements by design, as requested by the data controller.

A data processing notice can be provided as part of the consent interaction with the patient. Service access requests, rectification requests, processing freeze requests, and data portability requests can be met by design.

National data opt-out

The use or disclosure of data is considered out of scope of the National data opt-out for the following reasons:

  • The national data opt-out policy does not apply to uses of information for individual patient care, for example: creation of a consent episode; sharing of interaction information to the patient; sharing completed documentation into the medical record.
  • The opt-out for research and planning purposes only applies to confidential patient information - data that includes both:
    • information that identifies or could be used to identify the patient, and
    • information about their health, care or treatment

No other use of data by Concentric Health that falls outside use for individual patient care meets both of these conditions.

Further details regarding the National data opt-out can be found here:

Testing considerations

All data used during application development and testing is synthetic.

Further reading

Information security

Details on the data flows, who can access the data, audit logs, hosting, data security, retention and disposal, and our security accreditations.


Data protection impact assessment (DPIA) template

A DPIA template for use by organisations deploying Concentric.