Privacy Policy

Data Transparency, Privacy, Governance and Security Statements

Introduction: Reach AI, a data analytics consultancy founded in 2024 and based in England, is dedicated to ethical, secure, and transparent data practices. Specializing in healthcare analytics, we collaborate closely with clinicians and partner organizations to transform clinical data into actionable insights that enhance patient care. From scoping requirements to developing analytical tools and comprehensive reports, we provide end-to-end data solutions tailored to optimize healthcare services. Committed to upholding the highest standards of privacy and compliance, we strictly adhere to legal frameworks such as the UK GDPR and the Data Protection Act 2018.

Our mission: to leverage data responsibly to improve healthcare outcomes, while continuously evolving our policies to keep pace with advancing regulations and technologies and so maintain trust. At Reach AI, we are committed to transparency and accountability in our use of data. As responsible and ethical processors of patient data, we adhere to the highest standards of privacy, security, and ethical governance. Reach AI is dedicated to improving healthcare outcomes through responsible data usage.

Our commitment to transparency:

Ethical use: data is used solely for purposes aligned with healthcare improvement and service optimization.

Individual rights: stakeholders can access, correct, or request the deletion of their data.

Informed consent: we ensure that data subjects understand how their data will be used, offering clear explanations and obtaining consent where required.

Compliance with legal standards: we adhere to strict legal and regulatory frameworks and comply fully with the UK GDPR (1,2), applicable regulations set by the Information Commissioner (ICO) (2), and the Data Protection Act 2018 (3,4).

Data minimization: we collect and use only the data necessary to achieve our objectives.

Our commitment to privacy, governance, and security:

Confidentiality and privacy

We recognize the sensitivity of health data and take rigorous steps to protect patient confidentiality. Our practices align with the NHS’s code of practice on confidential information (5), outlining standards for responsibly handling sensitive data.

Key measures include:

  • Secure handling and limiting access to personal data to authorized personnel.
  • Anonymizing data where possible.
  • Establishing secure data handling protocols for collection, storage, and transmission.

Legal frameworks

We adhere to the following legal provisions:

  • UK GDPR: Article 6(1)(e): processing for tasks in the public interest. Article 9(2)(h): processing special category data for healthcare management.
  • Data Protection Act 2018: safeguarding health data with robust controls.
  • Compliance with ICO regulations: as a responsible data processor, we align our practices with the guidelines and regulatory standards set by the Information Commissioner’s Office (ICO) to ensure lawful, fair, and transparent processing of personal data.

Data usage and retention

We ensure that data is:

  • Purpose-specific: collected and used only for defined, lawful purposes.
  • Time-limited: retained only for as long as necessary, with strict retention policies (e.g., 90 days for audit logs).
  • Securely deleted: removed securely when no longer required.

Data quality framework (6)

We ensure data is accurate, complete, consistent, and up-to-date. High-quality data is essential for reliable analytics and insights. We follow the Government Data Quality Framework to ensure:

  • Accuracy: reflecting real-world conditions.
  • Completeness: capturing all relevant data points.
  • Consistency: maintaining uniformity across datasets.
  • Timeliness: ensuring up-to-date information.

Security and roles

Robust measures are taken to ensure data is accessible by the relevant stakeholders. Data security is a cornerstone of our governance strategy. Information Asset Owners (IAOs) (7) oversee data security and compliance, ensuring that all systems meet NHS and industry information governance standards.

Key practices include:

  • Regular security audits.
  • Role-based access control.
  • Comprehensive staff training on data protection.

References

  1. UK GDPR guidance and resources [Internet]. Wilmslow (UK): Information Commissioner’s Office; [updated 2024; cited 2024 Dec 24]. Available from: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/
  2. Guide to the General Data Protection Regulation (GDPR) [Internet]. Wilmslow (UK): Information Commissioner’s Office; [updated 2024; cited 2024 Dec 24]. Available from: https://ico.org.uk/media/for-organisations/guide-to-the-general-data-protection-regulation-gdpr-1-0.pdf
  3. UK Government. Data Protection Act 2018 [Internet]. London (UK): UK Government; 2018 [cited 2024 Dec 24]. Available from: https://www.legislation.gov.uk/ukpga/2018/12/contents
  4. Introduction to the Data Protection Bill [Internet]. Wilmslow (UK): Information Commissioner’s Office; 2018 [cited 2024 Dec 24]. Available from: https://ico.org.uk/media/2614158/ico-introduction-to-the-data-protection-bill.pdf
  5. Codes of practice for handling information in health and care [Internet]. Leeds (UK): NHS Digital; [updated 2022 Nov 1; cited 2024 Dec 24]. Available from: https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care
  6. UK Government. The Government Data Quality Framework [Internet]. London (UK): UK Government; [updated 2020 Jul 15; cited 2024 Dec 24]. Available from: https://www.gov.uk/government/publications/the-government-data-quality-framework
  7. UK Government. Information Asset Owner Role Guidance [Internet]. London (UK): UK Government; [updated 2018 Oct 31; cited 2024 Dec 24]. Available from: https://www.gov.uk/government/publications/information-asset-owner-role-guidance