Privacy notice (UK)
Last updated: 21 September 2025
At Concentric Health, protecting your privacy and safeguarding your personal information is central to how we operate. This privacy notice explains how your data is collected, protected, and used when Concentric is provided to you by a healthcare organisation in the United Kingdom.
What is Concentric?
Concentric is a digital consent application used by your healthcare organisation to support safe, informed decision-making about treatment and care.
Healthcare professionals use Concentric to share information about treatment options, record discussions and decisions, and capture your consent. You may also use Concentric to review information, record your preferences, and provide your consent electronically.
Concentric is not used for marketing purposes, and your information is never sold. Its sole purpose is to support your care and treatment. Our Concentric introduction for patients provides further detail.
Who is responsible for your information?
Because Concentric is provided to you by your healthcare organisation (for example, a hospital or clinic), it is important to understand how responsibilities are shared:
Your healthcare organisation is the data controller. They decide what information is collected, how it is used, and how long it is retained, in line with applicable laws and professional standards.
Concentric Health is the data processor. We provide the technology platform and process your information strictly on behalf of, and under the instructions of, your healthcare organisation. We do not determine the purposes for which your data is used.
What information is processed?
Concentric processes both personal data and special category health data, entered or generated in the following ways:
- Patient demographic information: details brought through from your healthcare organisation’s clinical systems, such as name, date of birth, gender, patient identification number (e.g. NHS or hospital number), and contact details (email address and/or mobile phone number). These demographic details are used to ensure safe identification and communication.
- Clinician-entered information: information recorded by your clinical team about your care, which may include the indication and purpose for treatment, alternative options, anaesthetic choices, risks of treatment, clinician notes, and external resources shared. This information is required for the consent record and supports you with decision-making about your treatment.
- Patient-entered information: details you provide directly, such as consent preferences and your signature.
- System-generated information: technical and security information, including audit logs, timestamps, and access records. These help ensure your information is handled securely.
Lawful basis for processing
To provide Concentric’s services, your healthcare organisation (as the data controller) must identify a lawful basis under UK GDPR. Concentric Health processes your information only at the instruction of your healthcare organisation and does not determine which lawful basis applies in your care setting – your healthcare organisation decides this as the data controller.
Personal data: The lawful basis depends on your healthcare organisation.
- For NHS and other public sector providers, this is Article 6(1)(e) – processing necessary for the exercise of official authority vested in the controller (public task).
- For private healthcare providers, this is Article 6(1)(b) – processing necessary for the performance of a contract with the patient.
Special category (health) data: In all cases, processing is covered by Article 9(2)(h) – necessary for the provision and management of health or social care.
Before data processing starts, your healthcare organisation completes its own Data Protection Impact Assessment (DPIA) to ensure that use of Concentric is safe, appropriate, and compliant with data protection law. In all cases, your healthcare organisation and Concentric Health have a contract that includes data processing terms, setting out Concentric Health’s responsibilities as a data processor and ensuring your information is handled in accordance with UK GDPR.
Third-party processors & international data transfers
To provide Concentric, we work with carefully-selected third-party service providers (sub-processors). These organisations support the secure delivery of the service (for example, cloud hosting and communications).
All sub-processors are engaged under contracts that include data processing terms, ensuring that they meet UK GDPR standards for data protection and security. Concentric Health does not permit any sub-processor to use your information for their own purposes.
Hosting / Cloud Infrastructure
The core Concentric application and health record data are hosted on Google Cloud Platform (GCP). For UK healthcare organisations, this data is stored in secure UK data centres. GCP meets NHS information governance requirements and provides contractual safeguards for the protection of special category health data. This hosting arrangement does not involve international transfers.
Communications Providers
To deliver notifications, a limited subset of personal data (such as your email address or phone number, and the message content necessary for the communication) is processed by:
- Postmark (part of ActiveCampaign): used to send email notifications.
- Twilio: used to send SMS notifications.
These communication providers process personal data only (not special category health data). Each is engaged under a contract with data processing terms. Where international transfers occur (for example, to the United States), they take place only under UK adequacy mechanisms, such as the UK–US Data Bridge (the UK Extension to the EU–US Data Privacy Framework), which covers US organisations certified under it. This means your information is protected to UK GDPR standards without the need for additional transfer risk assessments.
How long is your information kept?
The length of time your healthcare record is retained is determined by your healthcare organisation, which acts as the data controller. For NHS organisations, retention follows the NHS Records Management Code of Practice. For private providers, it is in line with the organisation’s own retention policies.
Concentric Health retains information only while providing services on behalf of your healthcare organisation. If a healthcare organisation stops using Concentric, all information required for your clinical record, including the consent information shared, summary PDFs, and the audit trail, is transferred to them as part of the offboarding process. After this transfer, the data is securely deleted from Concentric Health’s systems.
Where a healthcare organisation continues to use Concentric over the long term (for example, 8 years or more), records are retained in line with the controller’s policies and then reduced to a minimal record kept only for evidential purposes, with the remainder of the record securely deleted from Concentric Health’s systems.
For communications data, message metadata and content are retained by Postmark and Twilio for up to 45 days to support delivery, troubleshooting, and abuse prevention, after which they are permanently deleted.
Your rights
You have rights under data protection law in relation to your personal information. Because Concentric Health acts as a data processor, these rights are primarily exercised through your healthcare organisation (the data controller). Below is a summary of your rights under data protection law, with an explanation of how each applies in this context:
Right to be informed: This privacy notice explains what data is collected, how it is used, whether it is shared, and how long it is kept. It is linked directly from the Concentric patient application, allowing you to access it whenever you use the service.
Right of access: You can request access to the information held about you through your healthcare organisation. Your request covers your entire health record, which may include information recorded in Concentric.
Right to rectification: If your information is inaccurate or incomplete, you can ask your healthcare organisation to correct it. Updates will then be reflected in Concentric where relevant.
Right to erasure: This right is limited where information is processed for the provision of healthcare. Health records, including consent information, usually cannot be deleted as they must be retained for patient safety, continuity of care, and legal purposes.
Right to restrict processing: In some circumstances, you can ask your healthcare organisation to restrict how your information is used (for example, marking a record so it is not actively used but not deleted).
Right to object: Where your information is processed under the public task basis (for example, by NHS organisations), you have a right to object. However, because processing is necessary for the provision of healthcare, this right is unlikely to apply in practice.
Right to data portability: This right applies where your personal data is processed based on a contract (for example, in private healthcare settings). It does not apply to processing carried out under the public task basis (for example, by NHS organisations). If you wish your information to be transmitted to another provider, you can make a request to your healthcare organisation.
Rights in relation to automated decision-making and profiling: Concentric does not use automated decision-making or profiling that could make important decisions about you without a healthcare professional being involved.
To exercise these rights, please contact your healthcare organisation (the data controller). You can find your healthcare provider’s Data Protection Officer contact details via the ICO’s public register.
For independent advice about your rights, or if you are unhappy with how your information is handled, you can contact the Information Commissioner’s Office (ICO).
If you have questions about Concentric’s role specifically, you can also contact us directly (see below).
How we keep your information safe
We take data security seriously and use both technical and organisational measures to protect your information. Concentric Health is certified to Cyber Essentials Plus and meets the standards of the NHS Data Security and Protection Toolkit (DSPT). Both are renewed or reviewed annually and require controls such as encryption of data in transit and at rest, secure hosting, access controls, and appropriate organisational processes.
Healthcare professionals sign in using secure authentication, for example, through single sign-on via their organisational login. Patients are given access via a method that combines something you have (a unique link sent to you by email or SMS) with something you know (your date of birth), so that possession of the link alone is not enough to view your information.
Cookies and similar technologies
Concentric uses only essential session cookies, which are required for the application to function securely. These cookies allow clinician and patient users to log in and maintain a secure session. Concentric does not use cookies for marketing, analytics, or tracking across other websites.
Contact information
In most cases, you should contact your healthcare organisation (the data controller) if you have questions or concerns about your information. They are responsible for your health record and for responding to rights requests under data protection law. You can find your healthcare provider’s Data Protection Officer contact details via the ICO’s public register.
If you have questions about Concentric Health’s role as the technology provider, you can contact our Data Protection Officer using the details published on our entry in the Information Commissioner’s Office (ICO) public register: Concentric Health (ICO Registration ZB709350).