HBSUK Privacy Notice
We are Healthcare Business Solutions (UK) Limited (HBSUK). We are the controller and responsible for your personal data covered by this Privacy Notice. Protecting your personal data is very important to us. We will always be transparent about how and why we collect it.
We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this Privacy Notice. If you do have any questions, including any requests to exercise your legal rights, please contact the DPO using the information set out in the contact details section below.
This Privacy Notice tells you what to expect us to do with your personal data. It is provided in a layered format so you can click through to the specific areas set out below:
- Our Data Protection Officer and How to Contact Us
- What information we collect, use and why
- Where we get your information from
- Who we share your personal data with
- When we share your personal data outside the UK
- How we use artificial intelligence
- How we carry out analytics
- How long we keep your personal data
- What data security measures we have in place
- What are your data protection rights
- How to complain
- How we use cookies
- Changes to this Privacy Notice and your duty to inform us of any changes
- Third party links
1. Our Data Protection Officer and How to contact us
If you have any questions about this Privacy Notice or would like to exercise any of your rights, please contact our Data Protection Officer (DPO) by email or post:
The Data Protection Officer,
Sherwood Business Park,
Pure Offices,
Lake View Dr,
Nottingham,
NG15 0DT
Email address: data.protection@hbsuk.co.uk
2. What information we collect, use and why
How we use your personal data will depend on how we’re interacting with you. This Notice covers when we interact with you on our website or our Virtual Lucy Platform when you are a website user, patient or referrer (for example an insurance provider administrator, NHS hospital or NHS Trust administrator or private GP).
If you are a clinician working via our clinician’s network for our insourcing services or on our Virtual Lucy platform, please see the privacy notice provided to you with your contract or via your registration form; a copy can also be provided on request by our DPO.
If you are an applicant for a position at HBSUK please see our Candidate Privacy Notice.
NHS patients
Where we provide our insourcing service to NHS England, we process patient data as their processor, and we refer you to your NHS Trust’s privacy notice.
If you access our services using your NHS login details, the identity verification services are managed by NHS England. NHS England is the controller for any personal data you provided to NHS England to get an NHS login account and verify your identity and it uses that personal data solely for that single purpose. For this personal data, our role is a processor only and we must act under the instructions provided by NHS England (as the controller) when verifying your identity. To see NHS England’s Privacy Notice and Terms and Conditions, please Click Here. This does not apply to the personal data you provide to us separately.
If you are receiving care from a health or care organisation, that organisation may share your NHS number with other organisations providing your care. This is so that the health and care organisations are using the same number to identify you whilst providing your care. By using the same number the health and care organisations can work together more closely to improve your care and support.
Your NHS number is accessed through an NHS digital service called the personal demographic service (PDS). A health or care organisation sends basic information such as your name, address, and date of birth to the PDS in order to find your NHS number. Once retrieved from the PDS the NHS number is stored in our case management system. We will share your personal data only to provide health and care professionals directly involved in your care access to the most up-to-date information about you. Access to information is strictly controlled, based on the role of the professional, and where the user has a direct care relationship with you.
You have the right to object to the processing of your NHS number in this way. This will not stop you from receiving care but will result in the benefits outlined above not being realized. To help you decide, we will discuss with you how this may affect our ability to provide you with care, and any other options that you have. If you wish to opt-out from the use of your NHS number in this way please Contact Us.
We may process your personal data for a number of different purposes, and these are set out in more detail in the below sub sections.
Legal Grounds we rely on for each use of your personal data
Under data protection laws we can only process your personal data where we have one or more legal grounds or conditions for doing so as set out in the law. When the personal data we process about you is classed as sensitive information (for example criminal offences data and ‘Special Category Personal Data’ such as your health, sexual orientation and ethnic origin), we must have an additional legal condition for such processing or, where necessary, we will ask for your consent. We have set out our legal grounds for processing in the below sub-sections.
Clinical Consent
Where we are acting as a healthcare provider via our Virtual Lucy Platform, we also have to satisfy clinical confidentiality rules. This is in addition to meeting the ‘legal grounds’ and conditions for processing under data protection law. We do this, when necessary, by obtaining a clinical consent to process your clinical information or to share information from your clinical records with third parties, for example your insurer or another healthcare professional.
Our clinical consent processes are based on the General Medical Council (GMC) and British Medical Association (BMA) Confidentiality Guidance as well as laws such as the Access to Medical Reports Act 1988 (where applicable). Clinical consent is not the same as consent to process personal data under data protection law. We do not generally use consent as our legal ground or condition for processing personal data under data protection law. If we ever need your consent under data protection law to process your personal data, we’ll make that clear to you at the time.
3. Where we get your information from
- Directly from you
- Regulatory authorities
- Other healthcare providers including the NHS or your GP
- Insurance companies
- Publicly available sources
4. Who we share your personal data with
We may share your personal data where necessary with the parties set out below for the purposes set out in the tables above.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
When you are a website user:
- Service providers who assist us in operating our website and business.
- Prospective buyers of our business under our legitimate interest to ensure our business can be continued by the buyer.
When you are a patient:
- Personal Demographics Service to confirm your identity as an NHS patient, link your care records and support the management of NHS services using your name, address, and NHS number.
- Clinicians to provide services to you as a patient. This may include other clinicians and providers to the clinician who carried out the initial assessment such as medical imaging providers, physiotherapists and consultants. We may use GP Connect, the NHS e-Referral Service, NHS login and other platforms utilised by the NHS to synchronise your care and records.
- Your GP.
- Regulators/ Authorities/ Enforcement Agencies if we are under a duty to disclose or share your personal data to comply with any legal obligation, or to enforce or apply our terms of use and other agreements; or to protect the rights, property, or safety of our clients, patients or others. This may include disclosures to the General Medical Council (GMC), the Medicines and Healthcare products Regulatory Agency (MHRA) and the Care Quality Commission (CQC).
- Administrative teams from the NHS Trust or private medical insurer who originally referred you to us, for the purposes of updating your treatment or insurance file (including insurance validations).
- Call centre operators from the NHS Trust or private medical insurer who originally referred you to us, to enable them to assist you with your questions.
- Finance teams from the NHS Trust or private medical insurer who originally referred you to us, for the purposes of invoicing for your care.
- Service providers who assist us in operating our Virtual Lucy Platform and business.
- Prospective buyers of our business under our legitimate interest to ensure our business can be continued by the buyer.
When you are a referrer:
- Patients to enable them to contact you to process their claim.
- Clinicians to enable them to contact you for administration purposes.
- Service providers who assist us in operating our business.
- Prospective buyers of our business under our legitimate interest to ensure our business can be continued by the buyer.
We want to reassure you that we never sell personal data to third parties. We’ll only use your data in ways we are allowed to by law, which includes only collecting as much data as we need.
5. When we share your personal data outside the UK
Where do you store my data?
We store your personal data on servers within the UK and EU only. The EU is designated by the UK Government as “adequate” and therefore offers the same protection as UK Law.
Transfers out of the UK and EU
As we store your data in the UK and the EU, we do not routinely make transfers of data outside the UK or EU. However, we may, for example, work with third party service providers based both inside and outside of the UK and the EU. This may involve transferring personal data outside the UK to countries which have laws that do not provide the same level of data protection as the UK law.
Whenever such onwards transfers occur, we ensure that a similar degree of protection is afforded to your personal data by ensuring that the following safeguards are implemented:
- We use specific standard contractual terms approved for use in the UK which give the transferred personal data the same protection as it has in the UK, namely the International Data Transfer Agreement or the International Data Transfer Addendum to the European Commission’s standard contractual clauses for international data transfers.
- To obtain a copy of these contractual safeguards, please contact us at data.protection@hbsuk.co.uk.
6. How we use Artificial Intelligence
Artificial Intelligence (AI) is an umbrella term for a range of technologies that replace manual processes and solve complex tasks by carrying out functions that previously required human action or input. Tasks that we have traditionally done by thinking and reasoning are increasingly being done by, or with the help of, AI.
We use AI to support our existing activities. This means that how we collect your personal data and the types of personal data we use do not change. To use AI, we combine information you have provided to us directly, information we derive about you from your use of our services or your interactions with us, and information from other people and organisations. We use AI for different purposes which we explain in more detail below.
Business process improvement and efficiency
We use AI to improve our business processes with a particular focus on simplifying complex processes, ensuring consistent standards and driving efficiencies. For example, we may use AI to help triage, organise and compile documents, extract data for entry into the relevant systems, translate or summarise text or transcribe recordings.
Training AI
We may use personal data as part of the development and training phase of an AI solution to be used in the provision of our services. Where we use personal data for such training, the lawful basis we will rely on is that it is necessary for the purposes of our legitimate interest to train an AI tool to assist in improving the efficiency and accuracy of our services, managing our business efficiently and maintaining accurate records.
When we process personal data on the basis that we have a legitimate interest to do so, we always balance this against your fundamental rights and freedoms and put in place robust safeguards to ensure that your privacy is protected.
Where we need to use health data to train an AI solution to be used in the provision of our services it will be anonymised.
7. How we carry out analytics
We analyse anonymous data to gain insights about how we can improve our services and the health and wellbeing of the people who use them. Further, it allows us to show our clients, for example the NHS or your insurer, how their patients or customers interact with our services. To do this we may bring together information from your use of Virtual Lucy and analyse it without using information from which you can be identified. For example, we may provide reports to your referrer about service utilisation. These are based on aggregated data to a level which means you cannot be identified.
We may use your personal data collected from customer satisfaction surveys and where possible, we will anonymise such information. However, sometimes we may need to use your personal data including health data. In such circumstances, if necessary, we will obtain your consent as our legal ground to process your personal data under data protection rules.
The way that we anonymise personal data is in line with regulatory guidance and is achieved using different techniques, for example removing identifying data or overwriting it with randomised non-identifiable data. In line with regulatory guidance our use of your personal data to create anonymised data relies on the same legal grounds and conditions that were relied on when we obtained your data: the processing is in our legitimate interests and is necessary for the purposes of the provision of healthcare services.
8. How long we keep your personal data
We will only retain your personal data for as long as we need it unless we are required to keep it for longer to comply with our legal, accounting or regulatory requirements.
Your medical records are retained by us in accordance with national best practice guidance, in particular advice provided by the Department of Health (2006) Records management: NHS code of practice, and summary guidance issued by the British Medical Association.
Where you have used our platform to provide or receive services, we will hold your relevant personal details to enable us to facilitate our services and meet our regulatory requirements. Different retention periods apply for different types of data; however, the longest we will normally hold your data is ten years in line with prevailing NHS record keeping requirements.
In some circumstances we may carefully anonymise your personal data so that it can no longer be associated with you, and we may use this anonymised data indefinitely without notifying you. We use this anonymised data to improve our products and services.
9. The data security measures we have in place
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
10. What are your data protection rights?
You have various other rights under applicable data protection laws, including the right to:
access your personal data (also known as a “subject access request”)
You have the right to ask us for copies of your personal data. You can request other information such as details about where we get personal data from and who we share personal data with. There are some exemptions which means you may not receive all the personal data you ask for.
correct incomplete or inaccurate data we hold about you
You have the right to ask us to correct or delete personal data you think is inaccurate or incomplete, though we may need to verify the accuracy of the new data you provide to us.
ask us to erase the personal data we hold about you
You have the right, in certain circumstances, to ask us to delete your personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your data unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
ask us to restrict our handling of your personal data
You have the right to ask us to limit how we can use your personal data. This enables you to ask us to suspend the processing of your personal data in one of the following scenarios:
- If you want us to establish the accuracy of the data;
- Where our use of the data is unlawful, but you do not want us to erase it;
- Where you need us to hold the information even if we no longer require it as you need it to establish, exercise or defend legal claims; or
- You have objected to our use of your information, but we need to verify whether we have overriding legitimate grounds to use it.
ask us to transfer your personal data to a third party
You have the right to ask that we transfer the personal data you gave us to another third party, or to you. We will provide to you, or the third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
object to how we are using your personal data
You have the right to object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data. In some cases, we may demonstrate that we have compelling legitimate grounds to process your data which override your right to object.
You also have the absolute right to object at any time to the processing of your personal data for direct marketing purposes.
withdraw your consent to us handling your personal data
You can read more about these rights here. If you make a request, we must respond to you without undue delay and in any event within one month.
11. How to complain
You also have the right to lodge a complaint with us or the Information Commissioner’s Office, the supervisory authority for data protection issues in England and Wales.
12. How we use cookies
Please see our Cookie Notice and Cookie Banner for information about the cookies used on our website and platform.
13. Changes to this privacy notice and your duty to inform us of any changes
We keep our Privacy Notice under regular review. This version was last updated 14 July 2025. Historic versions can be obtained by contacting us.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.
14. Third party links
Our website may include links to third party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.