Last update: 11 Dec 2024

Privacy Policy

The Patient Privacy Policy is available here.

Introduction

IDEOSHIFT Ltd is committed to protecting the privacy and security of personal data processed on behalf of healthcare organisations. This privacy notice explains how we handle, store, and secure personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller Contact Details

2. Data Protection Officer Contact Details

3. Purpose of Processing

IDEOSHIFT Ltd processes data to support healthcare providers in handling clinical letters, administrative documents, and operational workflows. This ensures timely and efficient data processing to enhance patient care and healthcare service management.

4. Lawful Basis for Processing

Processing is conducted under the UK GDPR and the Data Protection Act 2018, based on:

  • Article 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest.

  • Article 9(2)(h) – Processing is necessary for medical diagnosis, healthcare service management, and treatment planning.

  • Compliance with the Common Law Duty of Confidentiality.

5. Categories of Data Processed

Personal Data Processed:

  • Patient Name, Date of Birth, NHS Number, Address

  • Healthcare records and clinical letters

  • Correspondence between healthcare professionals

Special Category Data Processed:

  • Medical history, treatment records

  • Information regarding physical and mental health conditions

  • Ethnicity and religious beliefs (where relevant)

6. Data Storage and Processing Locations

IDEOSHIFT Ltd processes data both within the UK and internationally. Some processing activities may be carried out abroad under strict data security and contractual safeguards to ensure compliance with UK GDPR requirements.

All international data transfers comply with:

  • UK GDPR adequacy decisions

  • Standard Contractual Clauses (SCCs) (where necessary)

7. Data Sharing

  • Data is shared only with authorised parties under contract with IDEOSHIFT Ltd.

  • No data is sold or shared for marketing purposes.

  • Approved third-party service providers and subcontractors may process data under strict data protection agreements.

8. Retention Period

Personal data is retained in accordance with the NHS Records Management Code of Practice 2021.

Upon contract termination, IDEOSHIFT Ltd will securely delete or return all data as per the controller’s instructions.

9. Security Measures

IDEOSHIFT Ltd applies robust technical and organisational security measures, including:

  • ISO 27001 certified infrastructure

  • Cyber Essentials Plus security compliance

  • Encrypted data storage and transmission

  • Regular security audits and access controls

10. Rights of Data Subjects

Individuals have the right to:

  • Access their personal data

  • Request correction of inaccurate data

  • Object to certain processing activities

  • Request data deletion (where legally permissible)

  • Raise complaints with the Information Commissioner’s Office (ICO)

11. Right to Complain 

Individuals can file complaints with the ICO via:

  • Website: ICO Contact Page

  • Phone: 0303 123 1113 (local rate) or 01625 545 745 (national rate)