Healthbridge Direct Limited

Data Protection Policy

1st June 2026

  1. Introduction

This Policy sets out the obligations of Healthbridge Direct Limited, a company registered in England and Wales under number 09116741, whose registered office is at The Vintry, Redbridge Lane East, Ilford, Essex IG4 5EY (“the Federation”) regarding data protection and the rights of customers, clients, business contacts, staff and associates in respect of their personal data under UK Data Protection Legislation.

This Policy sets out the Federation’s obligations regarding the collection, processing, transfer, storage, and disposal of personal information. The procedures and principles set out in this Policy must be followed at all times by the Federation, its employees, agents, contractors, or other parties working on behalf of the Federation.

This Policy should be read in conjunction with the Federation’s Data Security Policy and Data Retention Policy.

  2. Definitions

“data controller” means the person or organisation which, alone or jointly with others, determines the purposes and means of the processing of personal information. For the purposes of this Policy, the Federation is the data controller of all personal information relating to customers, clients, business contacts, staff and associates used in our business;
“data processor” means a person or organisation which processes personal data on behalf of a data controller;
“Data Protection Legislation” means all applicable legislation in force from time to time in the United Kingdom applicable to data protection and privacy including, but not limited to, the UK GDPR, the Data Protection Act 2018, the Data (Use and Access) Act 2025, and the Privacy and Electronic Communications Regulations 2003 as amended, and any additional or successor legislation;
“data subject” means a living, identified, or identifiable individual about whom the Federation holds personal information;
“personal data or personal information” means any information that relates to an individual who can be identified, either directly or indirectly, and includes details such as name, identification number, location data, online identifiers, or factors specific to a person’s physical, physiological, genetic, mental, economic, cultural, or social identity;
“personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed;
“processing” means any operation or set of operations performed on personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
“special category personal data or sensitive personal information” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex, sexual orientation, biometric, or genetic data.

  3. Data Protection Roles and Responsibilities

The Federation is committed to protecting personal information and handling it responsibly.

  • The Federation’s Board recognises that good data protection practices are essential not only for meeting legal obligations, but also for maintaining the trust and confidence of clients, customers, and staff. By taking data protection seriously, the Federation demonstrates respect for individuals’ privacy and dedication to operating with integrity and transparency.
  • The Federation’s Board makes sure that data protection is treated as a priority within the Federation. The Board appoints the Federation’s data protection lead, approves policies and procedures, and ensures that the Federation has the resources to meet its obligations under the law and to customers, contacts and employees.
  • The Federation’s Data Protection Officer is Judith Andrews, andrews8@nhs.net/judith@businesstamer.co.uk. They are responsible for ensuring the Federation handles personal information ethically and correctly, keeps this policy up to date and introduces any related procedures, guidance and training to help the Federation stay compliant.
  • Shafique Rana, Finance Manager and Farzana Siddique, HR Manager are responsible for the day-to-day management of the Federation’s IT systems. Operational tasks are undertaken by BCS and this includes keeping software and security tools up to date, managing access controls, supporting staff with technical issues, and ensuring that data protection measures, such as encryption and secure storage, are properly implemented and followed.
  • All Managers within the Federation are responsible for overseeing day-to-day compliance, supporting staff and ensuring procedures are followed.
  • All staff play their part in data protection compliance by handling personal information responsibly, following established procedures, reporting any concerns or breaches without delay, and maintaining good data management practice.

  4. The Data Protection Principles

This Policy aims to ensure compliance with Data Protection Legislation, the Freedom of Information Act (2000) and the common law duty of confidentiality, and appropriate regulatory requirements including the NHS Care Record Guarantee, the NHS Records Management Code of Practice, the Caldicott Principles, Caldicott II – “Information: To share or not to share”, and the National Data Guardian’s information security standards. All personal data must:

  • be processed lawfully, fairly, and in a transparent manner in relation to the data subject;
  • be collected for a specified and legitimate purpose and not be processed beyond the reasons for which it was collected;
  • be adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed;
  • be accurate and, where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay;
  • be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed, unless that personal data is processed solely for research or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the Data Protection Legislation in order to safeguard the rights and freedoms of the data subject;
  • be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

The Caldicott Principles are as follows:

  • Justify the purpose for using or sharing personal confidential data;
  • Don’t use personal confidential data unless it is absolutely necessary;
  • Use the minimum necessary personal confidential data;
  • Access to personal confidential data shall be on a strict need to know basis;
  • Everyone with access to personal confidential data shall be aware of their responsibilities;
  • Comply with the law;
  • The duty to share information can be as important as the duty to protect patient confidentiality.

  5. Lawful, Fair, and Transparent Data Processing

The Data Protection Legislation is designed to ensure that personal information is handled in a lawful, fair, and transparent way, and that individuals’ rights are respected.

  • For personal data to be processed lawfully, at least one of the following lawful bases must apply:
    1. the processing is necessary for the performance of a contract to which the data subject is a party;
    2. the processing is necessary for the legitimate interests of the Federation, provided those interests do not override the rights and freedoms of the data subject;
    3. the data subject has given consent to the processing of their personal data for one or more specific purposes;
    4. the processing is necessary for compliance with a legal obligation to which the data controller is subject;
    5. the processing is necessary to protect the vital interests of the data subject; or
    6. the processing is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the data controller.
  • If the personal data in question is special category personal data (also known as “sensitive personal data”), such as racial or ethnic origin, political opinion, religious or philosophical belief, trade union membership, health information (physical or mental), genetic or biometric data, or sex or sexual orientation, it requires extra protection, and an additional clear lawful basis is required:
    1. the data subject has given explicit consent;
    2. it is required by law (e.g. employment or social security);
    3. it is needed to protect the data subject’s vital interests;
    4. it is in the Federation’s legitimate interests to process the information (e.g. membership of political, philosophical, religious, or trade union foundation, association or other non-profit body);
    5. it is necessary for legal claims or public health;
    6. the data has been made public by the individual; or
    7. it supports research, archiving, or statistical purposes.

  6. Personal Data Collected, Held, and Processed
    • The Federation documents the details of personal data collected, held and processed by the Federation in the Record of Processing Activity (ROPA).
    • The Federation collects, processes and stores the personal data for specified purposes. This includes personal data collected directly from data subjects and/or personal data obtained from third parties.
    • The Federation only keeps personal data for the periods as defined in the Federation’s Data Retention Policy.
    • The Federation shall ensure that all personal data collected, processed, and held by it is kept accurate and up to date.
    • Data subjects have the right to request that the Federation erases the personal data it holds about them.
    • Data subjects may request that the Federation ceases processing the personal data it holds about them. If a data subject makes such a request, the Federation shall retain only the amount of personal data concerning that data subject (if any) that is necessary to ensure that the personal data in question is not processed further.
    • Data subjects have the right to object to the Federation processing their personal data on the basis of legitimate interests, including for direct marketing or statistical purposes.
    • The Federation does not use personal data in automated decision-making processes.
    • The Federation does not use personal data for profiling purposes.

  7. Keeping Data Subjects Informed
    • The Federation will provide each individual (data subject) with a clear and accessible privacy notice. This notice will explain:
      1. what personal data is collected;
      2. how the data has been collected;
      3. why it is needed;
      4. the legal basis for using it;
      5. how long it will be kept;
      6. where and how it will be stored;
      7. whether it will be shared or transferred;
      8. what rights the individual has;
      9. how to raise a concern or make a complaint; and
      10. the details of the Federation, including contact details, and if applicable its Data Protection Officer.
    • Where personal data has been obtained from a third party (such as a data broker) the Federation shall:
      1. ensure the Federation’s use of bought data is compliant with the Data Protection Legislation;
      2. inform the data subjects that the Federation will be processing their personal information; and
      3. make the Federation’s privacy notice available.

  8. Direct and Indirect Marketing
    • The Federation will comply with the Data Protection Legislation when sending direct and indirect marketing messages to its database.
    • The Federation shall keep customer service messages clear, i.e. messages that are administrative and/or transactional must not contain any direct marketing content.
    • The Federation will ensure that a clear lawful basis has been established before carrying out any direct marketing. This could be:
      • Consent
        • The clear indication by the data subject that they agree to the processing of their personal data. Such a clear indication may take the form of a statement or a positive action.
        • Data subjects are free to withdraw consent at any time and it must be made easy for them to do so. If a data subject withdraws consent, their request must be honoured promptly.
        • In all cases where consent is relied upon as the lawful basis for collecting, holding, and/or processing personal data, records must be kept of all consents obtained in order to ensure that the Federation can demonstrate its compliance with consent requirements.
      • Legitimate Interest
        • The Federation will carry out a legitimate interest assessment (LIA) to balance the Federation’s interests against those of the individual concerned.
        • The LIA document will be stored for the duration of the direct marketing period.
    • The right to object to direct marketing shall be explicitly offered to data subjects in a clear and intelligible manner and must be kept separate from other information in order to preserve its clarity.
    • If a data subject objects to direct marketing, their request must be complied with promptly. A limited amount of personal data may be retained in such circumstances to the extent required to ensure that the data subject’s marketing preferences continue to be complied with.

  9. Data Security
    • The Federation will make sure that all personal data it collects, stores, or uses is kept safe and protected from being lost, damaged, or accessed or used without permission. For further information please refer to the Federation’s Data Security Policy.
    • Everyone who works for or with the Federation, including employees, agents, and contractors, must only use the Federation’s systems and data in ways that follow UK law. They must not use them for anything that breaks the law now or could break the law in the future.

  10. Third Parties, Data Sharing and Transfers
    • If a member of staff needs to share or transfer personal information to a third party, they must first contact the Chief Executive Officer. Guidance will be provided only after confirming that the Federation’s data sharing procedure has been followed and all necessary due diligence checks have been completed.
    • The Federation will only share personal data with third parties when there is a clear legal basis, a legitimate business need, and appropriate safeguards in place. All data sharing must comply with the Federation’s data protection policies and relevant UK data protection laws.
    • The Federation may, from time to time, transfer personal information to countries outside of the UK. If this is the case, the Data Protection Officer will ensure that the correct procedure has been followed and the level of protection given to data subjects is not compromised.

  11. Incident Management Process
    • If a complaint is made about how the Federation handles personal information, the staff member must report it to their line manager in the first instance. The line manager will follow the Federation’s complaints procedure. The staff member must provide all relevant details about the complaint and the circumstances.
    • If a data subject requests access to their personal information, the staff member must immediately inform their line manager. All Data Subject Access Requests will be managed by the Federation’s Data Protection Officer.
    • If a personal data breach occurs, staff must follow the Data Breach Guide in the Staff Handbook and report the incident to the Federation’s Data Protection Officer without delay.

  12. Implementation of Policy

This Policy shall be deemed effective as of 1st June 2026. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.

This Policy has been approved and authorised by:

Name:  
Position:  
Date: 1st June 2026
Due for Review by: June 2027