CuraSky Privacy Notice Portal v1.1

June 18, 2025

This website is the property of Data Care Solutions Ltd, a company registered in England and Wales. By using this website, you agree to the terms set out by Data Care Solutions Ltd as the operator and data controller.

Why are we providing this privacy notice?

We understand that when you provide your personal data to us, we must look after it and keep your personal data safe and secure. We respect the data protection laws in the UK and EU, and this Privacy Notice tells you what personal data we collect and use in our company, how it is being collected, what allows us to do this (called the legal bases), how long we are keeping it and it tells you about your rights. This privacy notice applies to our software systems and applications, our website, and the services that we provide.

The data protection laws are the EU General Data Protection Regulation and the UK General Data Protection Regulation (collectively referred to here as 'GDPR') and the UK Data Protection Act 2018 ('DPA18').

Who are we and how do you contact us?

We are a company based in the UK called Data Care Solutions (trading as CuraSky Federation) (Company Registration No. 11006029). Data Care Solutions provides a range of services for use in a clinical environment, inclusive of but not limited to hospitals, general practices or other community providers.

Where we provide these services and we require certain information to help us form a contract, or where we are running our own business, we are the 'Controller' (or 'Data Controller') of your personal data. This means we are responsible for collecting, storing, and handling your personal information when you enquire and/or register for any of our services.

Where we process personal data on behalf of another organisation (e.g. their patients), we are known as a 'Data Processor' and we have contracts in place with those organisations.

If you are unclear about how we process or use your personal information, or you have any questions about this Privacy Notice or any other issue regarding your personal information, then please do contact our Data Protection Officer (details below).

Data Protection Officer

Address: Data Care Solutions, Elers Road Clinic, Elers Road, Hayes UB3 1NY

Email: DPO@curasky.co.uk

Information we collect from you

We collect personal data about you when you use our website (for example, when you contact us with a query or download a report) or when you email us directly. For this the personal data is generally:

  • Your contact details (such as your name, job title, place of work, telephone number, and email address);
  • The reason for your enquiry; and
  • Which website pages you have visited and when.

If you decide to use any of our services, then we will collect different personal data depending on which application module or service you are using.

For other application modules or services, we will temporarily collect personal data of patients and clinicians when we are processing this before providing the completed task to the Practice or health setting. We process identifiable patient information in accordance with a valid data processing agreement for each practice.

We will collect and use anonymised and/or pseudonymised information from a practice or health setting's own system for auditing, monitoring, payment and quality improvement purposes. Where we collect pseudonymised data which can only be matched to an individual by the health setting or practice, this may include the following:

  • Emis number;
  • Age of patient;
  • Gender;
  • The first part of postcode (e.g. UB3 XXX);
  • Usual GP initials;
  • Coded Medical history (including event date, code and associated free text);
  • Medication type (including brand), quantity and issue date(s);
  • Recent investigations values (e.g. blood test results, spirometry);
  • Hospital outpatient (department and date); and
  • Count of appointments or consultations.

Information we collect about you from others

We collect personal data about you from others where they are making a recommendation or where you have provided consent to a third party to contact us and share your personal data. A third party may share your personal data with us, and they should obtain your consent to do so.

We have obligations and specific requirements for processing of personal data to enable us to provide services. These obligations form what are known as the lawful or legal bases for the processing under GDPR.

The specific lawful bases that apply to the processing of patient's personal data are:

  • We are required to perform a public task carried out in the public interest (article 6(1)(e) of GDPR);
  • The personal data is necessary for the performance of a contract directly with you to provide the specific service such as a consultation (article 6(1)(b) of GDPR);
  • The processing is necessary for the purpose of preventative medicine, the provision of health care and the treatment or management of health care systems and services (article 9(2)(h) of GDPR);

For Practices or health settings who take out a contract with us, the legal (lawful) basis is:

  • The data is necessary for the performance of a contract and to take the steps necessary to enter a contract with you (article 6(1)(b) of GDPR).

We do have a Legitimate interest to collect certain personal data to enable us to provide some services, enable our website to work and operate our business interest. This also applies to analysis of the app usage (article 6(1)(f) of GDPR), except where your rights override these legitimate interests.

How we use the information about you

We will use personal data to:

  • Inform you, if requested, of specific patients suitable for medical record review.
  • Understand coding patterns to help improve the accuracy of future searches.
  • Understand trends in patients' journey for optimal care.

We may use your information to:

  • We may also contact you (practice staff) about the latest research, best practice, and innovations in analytics technology.
  • Personalise and tailor educational and skills share content;
  • Invite you to upcoming events that may interest you;
  • Ask for your feedback on any Curasky Federation services you are using;
  • Notify you of changes to our services.

We do not use patient data for marketing purposes.

How long we keep your personal information

We will not keep your information for longer than is necessary for the purposes as set out in this Privacy Notice.

We do not retain identifiable patient data unless contractually requested. In such cases this will be in line with the Records Management Code of Practice for Health and Social Care 2021. We delete personal data earlier if the lawful basis no longer applies or is withdrawn.

If you decide to discontinue using any of Data Care Solutions services, we will keep your information for up to six years after you leave us to enable us to comply with contract law.

For HMRC (Tax) purposes and financial records, we are required to keep financial data for 6 years after the end of the current financial year, after which time it will be destroyed.

If you have consented to your information being used for marketing purposes, it will be kept until you inform us that you no longer wish to receive this marketing.

You can find out more about how long we keep it in our retention schedule by contacting us.

How we store your data and security

We take the security of your information very seriously and we do everything we can to ensure that your information is always protected and secure. All personal data is processed within the UK. We use secure electronic storage facilities that meet all industry standards.

Transfers of personal data are undertaken using all available and reasonable technical and organisational measures. We regularly review these measures and our processes and systems to ensure they comply.

Sharing your data

We do not allow third parties to have access to your personal data unless we are required to share your data with them by law or we are ordered to do so by a Court.

If we have a technical problem, we may need to allow access to our systems by our technical support team who work within our confidentiality policies, and we restrict access to a 'need to know' basis to enable them to resolve the technical issues only.

Overseas Transfers

We do not intend to transfer your personal data to third countries outside of the EU. If we do have to, for example, to obtain technical support, we will ensure that we have all appropriate security and safeguards in place as required by the data protection laws in the UK and EU, and in line with our obligations as a responsible Data Processor or Controller of your personal data.

If we are required to transfer your personal data to countries outside the EU, we will only do this if that country has an adequate level of protection for personal data, or we have appropriate International Data Transfer Agreements and Clauses in place as these provide similar protections.

What are your rights?

You have a number of rights relating to the processing of your personal data.

  • A right to be informed -- This privacy notice fulfils that right.
  • A right of access to your personal data held by us, also called a Subject Access Request.
  • A right to rectify any personal data held by us that you believe is incorrect.
  • A right to erase any personal data that we no longer have a legitimate purpose to process (right to be forgotten).
  • A right to restrict the processing of your personal data subject to certain conditions and obligations.
  • A right of access to a machine-readable version of your data (data portability). There are conditions that apply to this right, but we will endeavour to give you a portable version of any of your data where possible.
  • A right to object to us processing any of your data that we do not have a legal or contractual obligation to process.
  • Rights linked to automated decisions or profiling involving your data.

You can contact us at DPO@curasky.co.uk or write to us at our London address if you wish to exercise these rights.

Where you have provided personal data with consent, you can withdraw this consent at any time. This may mean that we are unable to provide all services to you or your GP. We recommend speaking to your GP first. If you wish to do this, please send an email to DPO@curasky.co.uk with the subject "withdraw consent".

More information on your rights is available on the Information Commissioner's website at www.ico.org.uk.

Complaints

If you have a concern about the way we handle your personal data or you have a complaint about what we are doing, then please contact our Data Protection Officer who will investigate the matter.

If you are not satisfied with our response, or believe we are processing your personal data in a way that is not in line with the legislation, you have a right to raise a complaint with the Information Commissioner's Office Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, Telephone 0303 123 1113 (local rate) or by completing their online form at https://ico.org.uk/make-a-complaint/your-personal-information-concerns/.

Changes to Our Privacy Notice

We review and update our Privacy Notice, especially where there is a change in the legislation. We recommend that you visit this page periodically to read any updates. This Privacy Notice was last updated in Jun 2025.