
Privacy Policy for End Users of Graphnet products

Graphnet Health Limited of Sunrise Parkway, Linford Wood, Milton Keynes, Buckinghamshire MK14 6DY ("we"/"us"/"our") is committed to protecting and respecting your privacy.

Scope of Policy

This policy sets out how we process and protect any information about those who are end users of the product, that is staff or patients whose data is processed.

For the purpose of the General Data Protection Regulation (GDPR) and any additional data protection legislation, the data controller responsible for your personal data is the healthcare provider who employs or engages you and that has made our products and services available to you for your use. Graphnet is the Data Processor for this information.

This policy should be read in accordance with the privacy policy published by the Data Controller responsible for your own data.

Privacy policy

In this policy, personal data, or personal information, means any information about an individual from which that person can be identified.

It does not include data where the identity has been removed (anonymous data).

On behalf of the Data Controller, we may collect, process, store and transfer different kinds of personal data about you which we have grouped together as follows:

On behalf of the Data Controller we also collect, process and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific product feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

Keeping your data secure

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions as per the requirements set out by the Data Controller and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify the Data Controller and any applicable regulator of a breach where we are required to do so.

Where your data is stored 

Data collected as part of our services will be stored in accordance with the Data Controller’s instructions. We do not transfer your personal data outside the European Economic Area (EEA).

Controlling your personal information

We will not sell, distribute or lease your personal identifiable information to third parties without your instruction from the Data Controller.

Under certain circumstances, you have rights under data protection laws in relation to your personal data including the right to:

To exercise any of these rights you must contact the Data Controller.

What we do with the information we gather?

We will only process your personal data for the purposes agreed with the Data Controller and when the law allows us to. Most commonly, we will process your personal data in the following circumstances:

Who is your information shared with?

Information may be shared in line with the responsibilities we carry out on behalf of the Data Controller and to the authorised third parties listed below:

In addition, we may disclose your personal information to third parties if we are required to do so by law or if we believe that such action is necessary to protect and defend the rights, property or personal safety of us, or any of our products or services.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

How long do we keep your information for?

We will only store your information in accordance with the Data Controller’s instructions and we will not hold your data for any longer than is necessary.


NHS Login

If you access our service using your NHS login details the identity verification services are managed by NHS Digital.   NHS Digital is the controller for any personal information you provided to NHS Digital to get an NHS login account and verify your identity and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS Digital (as the “controller”) when verifying your identity. To see NHS Digital’s Privacy Notice and Terms and Conditions, please click here.

This restriction does not apply to the personal information you provide to us separately.


NHS Digital’s Personal Demographic Service (PDS)

If you are receiving care from a health or care organisation, then that organisation may share your NHS number with other organisations providing your care.  This is so that the health and care organisations are using the same number to identify you whilst providing your care.  By using the same number, the health and care organisations can work together more closely to improve your care and support. Graphnet acts as the Data Processor for managing information to provide the shared care record platform where relevant health care data, such as that provided from PDS will be processed.

Your NHS number is accessed through an NHS Digital service called the Personal Demographic Service (PDS).  A health or care organisation sends basic information such as your name, address and date of birth to the PDS in order to find your NHS Number. Once retrieved from the PDS the NHS Number is stored in the organisation’s case management system.  These data are retained in line with the organisation’s record retention policies and in accordance with the Data Protection Act 2018, Government record retention regulations and best practice. 

The organisation will share information only to provide health and care professionals directly involved in your care access to the most up-to-date information about you.  Access to information is strictly controlled, based on the role of the professional.  For example, social workers will only have access to information that is relevant to the execution of their care duties.

Case management systems are provided by system suppliers, who are bound by the same rules.  In such cases, systems may access the PDS directly or use third party software to access the PDS, such as the PDS FHIR API.

The use of joined up information across health and social care brings many benefits. One specific example where this will be the case is the discharge of patients into social care.  Delays in discharge (commonly known as bed blocking) can occur because details of social care involvement are not readily available to the staff on the hospital ward.  The hospital does not know who to contact to discuss the ongoing care of a patient.  The linking of social care and health information via the NHS Number will help hospital staff quickly identify if social care support is already in place and who the most appropriate contact is.  Ongoing care can be planned earlier in the process because hospital staff will know who to talk to.

You have the right to object to the processing of your NHS Number in this way.  This will not stop you from receiving care but will result in the benefits outlined above not being realised.  To help you decide, the health or care organisation will discuss with you how this may affect their ability to provide you with care, and any other options that you have.

If you wish to opt-out from the use of your NHS Number in this way, please ensure you contact your healthcare providers direct.


Changes to our privacy policy

Any changes we may make to our privacy policy in the future will be posted on our website/system/app and we may let you know about changes by e-mail.


Please email any questions, concerns, comments and requests regarding this privacy policy to or write to us at:

Graphnet Health Limited
Ground Floor Building 5
Caldecotte Lake Drive
Milton Keynes

For the purposes of the Data Protection Act 2018 our Data Protection Officer is Anthony Smith:

