UK GDPR Compliance Policy
How PreConsult complies with UK data protection requirements.
Last updated: 17 December 2025 | Version: 1.0
This policy explains how Slay Pty Ltd (ABN 59 686 642 366) trading as PreConsult complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 when processing personal data of individuals in the United Kingdom. This policy supplements our main Privacy Policy.
1. Scope and Application
1.1 When This Policy Applies
This UK GDPR Compliance Policy applies when PreConsult:
- Processes personal data of individuals located in the United Kingdom
- Provides services to healthcare organisations operating in the UK
- Offers goods or services to UK residents
- Monitors the behaviour of UK residents
1.2 Regulatory Framework
PreConsult complies with:
- UK General Data Protection Regulation (UK GDPR) — retained EU law as amended
- Data Protection Act 2018 — UK legislation supplementing the UK GDPR
- Privacy and Electronic Communications Regulations (PECR) — for electronic communications
- Common law duty of confidentiality — for health information (see Section 1.4 below)
- NHS data protection requirements — where applicable to NHS customers (see Section 1.5 below)
- Caldicott Principles — for handling patient-identifiable information
1.3 Our Commitment
PreConsult is committed to:
- Processing personal data lawfully, fairly, and transparently
- Collecting data only for specified, explicit, and legitimate purposes
- Ensuring data is adequate, relevant, and limited to what is necessary
- Keeping data accurate and up to date
- Retaining data only as long as necessary
- Processing data securely with appropriate technical and organisational measures
1.4 Common Law Duty of Confidentiality
In addition to data protection legislation, health information in the UK is subject to the common law duty of confidentiality. This duty requires that:
- Information provided in confidence is not disclosed without consent or lawful justification
- Healthcare providers and their systems (including PreConsult) maintain confidentiality of patient information
- Any disclosure is proportionate and in the patient's best interests or required by law
PreConsult supports healthcare organisations in meeting this duty through:
- Strict access controls limiting data access to authorised personnel with legitimate clinical or administrative need
- Comprehensive audit logging of all access to patient information
- Secure transmission and storage of all patient data
- Clear data sharing agreements with healthcare organisations
The Caldicott Principles guide our handling of patient information:
- Justify the purpose(s) for using confidential information
- Use only when absolutely necessary
- Use the minimum necessary
- Access should be on a strict need-to-know basis
- Everyone with access must understand their responsibilities
- Comply with the law
- The duty to share information can be as important as the duty to protect confidentiality
- Inform patients and service users about how their information is used
1.5 NHS Data Security and Protection Toolkit (DSPT)
For NHS customers, PreConsult aligns with the requirements of the NHS Data Security and Protection Toolkit. The DSPT is an online self-assessment tool that allows organisations to measure their performance against the National Data Guardian's 10 data security standards.
NHS DSPT Compliance Status
PreConsult is committed to meeting NHS DSPT requirements. We are currently preparing our DSPT submission and will update this section with our registration number and compliance status once complete. NHS organisations can request our current DSPT assessment documentation by contacting compliance@preconsult.ai.
Our security practices are designed to meet the 10 National Data Guardian standards, including:
- Personal confidential data is protected and only shared for lawful purposes
- Staff understand their responsibilities and receive appropriate training
- Processes and procedures are in place to prevent data breaches
- Technology is secure and up-to-date
- Plans are in place to respond to threats and cyber attacks
2. Data Controller and Processor Roles
2.1 PreConsult as Data Processor
For patient health information, PreConsult acts as a data processor on behalf of healthcare organisations (the data controllers). This means:
- The healthcare organisation determines the purposes and means of processing
- PreConsult processes data only on documented instructions from the controller
- We enter into Data Processing Agreements (DPAs) with all UK healthcare customers
- We provide assistance with data subject requests, breach notifications, and DPIAs
2.2 PreConsult as Data Controller
PreConsult acts as a data controller for:
- Practitioner and staff account information
- Business contact information for healthcare organisations
- Website visitor data and marketing communications
- Supplier and partner information
2.3 Data Processing Agreement (Article 28 Compliance)
UK healthcare organisations using PreConsult will receive a Data Processing Agreement (DPA) that fully complies with Article 28 UK GDPR requirements. Our DPA includes:
- Subject matter and duration of processing
- Nature and purpose of processing
- Types of personal data processed
- Categories of data subjects
- Obligations and rights of the controller
- Technical and organisational security measures (Article 32)
- Sub-processor arrangements and prior authorisation requirements
- International transfer mechanisms (including SCCs/IDTA where applicable)
- Data breach notification procedures (within timeframes required by Article 33)
- Assistance with data subject rights requests (Article 28(3)(e))
- Assistance with DPIAs and prior consultation (Article 28(3)(f))
- Audit and inspection rights
- Deletion or return of data upon termination
Our UK-specific DPA template with IDTA provisions is available: UK Data Processing Agreement. Contact legal@preconsult.ai for customised agreements.
2.4 Records of Processing Activities (Article 30)
PreConsult maintains Records of Processing Activities (ROPA) as required by Article 30 UK GDPR. As a data processor, our records include:
- Name and contact details of the processor and each controller on whose behalf we act
- Categories of processing carried out on behalf of each controller
- International transfers and transfer mechanisms used
- A general description of technical and organisational security measures
Our ROPA is regularly reviewed and updated to ensure accuracy. Controllers may request relevant extracts of our ROPA relating to their data by contacting privacy@preconsult.ai.
3. Lawful Basis for Processing
3.1 Article 6 Lawful Bases
We rely on the following lawful bases under Article 6 UK GDPR:
| Processing Activity | Lawful Basis |
|---|---|
| Patient health information (as processor) | As instructed by controller (typically consent or legitimate interests) |
| Practitioner account management | Performance of contract (Article 6(1)(b)) |
| Service improvement and analytics | Legitimate interests (Article 6(1)(f)) |
| Legal compliance and audit | Legal obligation (Article 6(1)(c)) |
| Marketing communications | Consent (Article 6(1)(a)) or legitimate interests |
| Emergency situations | Vital interests (Article 6(1)(d)) |
3.2 Legitimate Interests Assessment
Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA) considering:
- Purpose test: Is there a legitimate interest behind the processing?
- Necessity test: Is the processing necessary for that purpose?
- Balancing test: Do the individual's interests override the legitimate interest?
LIA documentation is available upon request to UK data protection authorities.
4. Special Category Data
4.1 Health Data Processing
Health data is "special category data" under Article 9 UK GDPR, requiring additional protections. When processing health data, we rely on:
- Article 9(2)(h): Processing necessary for healthcare purposes, including medical diagnosis and the provision of health treatment
- Article 9(2)(a): Explicit consent where appropriate
4.2 Additional Safeguards
For health data, we implement additional safeguards:
- Processing only by or under the supervision of healthcare professionals
- Subject to professional confidentiality obligations
- Strict access controls and need-to-know restrictions
- Enhanced encryption and security measures
- Regular privacy impact assessments
4.3 Schedule 1 Conditions (DPA 2018)
Under Schedule 1 of the Data Protection Act 2018, we meet additional UK-specific conditions for processing health data, including:
- Having an appropriate policy document in place
- Implementing specific safeguards for individuals' rights
- Meeting conditions for health and social care purposes
5. Data Subject Rights
UK individuals have the following rights under the UK GDPR:
5.1 Right to Be Informed (Articles 13-14)
You have the right to clear, transparent information about how we use your data. This policy and our Privacy Policy fulfil this obligation.
5.2 Right of Access (Article 15)
You can request:
- Confirmation of whether we process your personal data
- A copy of your personal data
- Information about how and why we process it
We will respond within one month (extendable by two months for complex requests).
5.3 Right to Rectification (Article 16)
You can request correction of inaccurate personal data or completion of incomplete data.
5.4 Right to Erasure (Article 17)
You can request deletion of your data in certain circumstances. However, this right does not apply where processing is necessary for:
- Compliance with legal obligations
- Archiving in the public interest or scientific/historical research
- Establishment, exercise, or defence of legal claims
- Healthcare record retention requirements
5.5 Right to Restrict Processing (Article 18)
You can request restriction of processing while we verify accuracy, consider objections, or where processing is unlawful but you don't want erasure.
5.6 Right to Data Portability (Article 20)
You can receive your data in a structured, commonly used, machine-readable format and transmit it to another controller.
5.7 Right to Object (Article 21)
You can object to processing based on legitimate interests or for direct marketing purposes.
5.8 Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. See Section 11 for our approach to AI.
5.9 Exercising Your Rights
For patients: Contact your healthcare provider directly, as they are the data controller for your health information.
For practitioners and other individuals: Contact us at privacy@preconsult.ai or write to our Privacy Officer.
6. Data Residency and International Transfers
6.1 UK Data Residency
For UK healthcare organisations, PreConsult hosts primary data within the United Kingdom:
Primary hosting location: London, United Kingdom
This means your patient health information, clinical records, interview transcripts, and audit logs are stored and processed within the UK, ensuring compliance with UK data protection requirements.
6.2 Limited International Transfers
While primary data remains in the UK, some processing may occur outside the UK in limited circumstances:
| Service | Destination | Transfer Mechanism |
|---|---|---|
| User authentication (centralised) | Australia | UK IDTA + encrypted session tokens only |
| AI Language Models (where UK not available) | USA | UK SCCs + explicit consent |
| SMS Delivery | USA | UK SCCs (minimal data - phone numbers only) |
| Voice Processing (optional) | USA | UK SCCs + explicit consent |
Note: Patient health data and clinical records remain in the UK. Only authentication tokens and specific optional services involve international transfers.
6.3 Supplementary Measures
For any international transfers, we implement supplementary technical and organisational measures:
- Technical measures: End-to-end encryption, pseudonymisation, access controls
- Organisational measures: Staff training, access logging, incident response procedures
- Contractual measures: Transparency clauses, government access notification provisions
6.4 Transfer Impact Assessments
We conduct Transfer Impact Assessments (TIAs) for international transfers, considering:
- The legal framework of the destination country
- Relevant government access laws and practices
- Effectiveness of supplementary measures
- Specific circumstances of the transfer
7. Data Security Measures
7.1 Technical Measures
- Encryption: TLS 1.3 in transit, AES-256 at rest
- Access controls: Role-based access, multi-factor authentication
- Network security: Firewalls, intrusion detection, DDoS protection
- Monitoring: Real-time security monitoring, anomaly detection
- Backup: Encrypted backups with tested recovery procedures
7.2 Organisational Measures
- Policies: Comprehensive information security policies
- Training: Regular staff training on data protection and security
- Access management: Need-to-know access, regular access reviews
- Vendor management: Security assessments for all sub-processors
- Incident response: Documented procedures for security incidents
7.3 Certifications and Standards
Our security practices align with:
- ISO 27001 Information Security Management principles
- OWASP security guidelines for web applications
- NHS Data Security and Protection Toolkit requirements (for NHS customers)
8. Data Retention
8.1 Retention Periods
| Data Category | Retention Period | Basis |
|---|---|---|
| Patient health records | As per NHS Records Management Code (typically 8+ years for adults) | Healthcare record-keeping requirements |
| Practitioner accounts | Duration of account + 2 years | Audit and legal compliance |
| Security logs | 12-24 months | Security monitoring and incident investigation |
| Marketing data | Until consent withdrawn + 6 months | Consent management |
8.2 Retention Review
We regularly review retained data and securely delete data that is no longer needed, unless retention is required by law.
9. Data Breach Procedures
9.1 Breach Detection and Assessment
We maintain procedures to detect, investigate, and assess personal data breaches, including:
- 24/7 security monitoring
- Incident reporting channels for staff
- Breach assessment criteria and escalation procedures
9.2 Notification to Supervisory Authority
Where a breach is likely to result in a risk to individuals' rights and freedoms, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours
- Provide details of the breach, likely consequences, and mitigation measures
- Update the notification if further information becomes available
9.3 Notification to Data Controllers
As a data processor, we will notify affected data controllers (healthcare organisations) without undue delay upon becoming aware of a breach affecting their data.
9.4 Notification to Individuals
Where a breach is likely to result in a high risk to individuals' rights and freedoms, we will (or assist the controller to) notify affected individuals directly.
10. Data Protection Impact Assessments
10.1 When DPIAs Are Conducted
We conduct Data Protection Impact Assessments for processing that is likely to result in high risk, including:
- Large-scale processing of health data
- Use of new technologies (including AI)
- Systematic monitoring of individuals
- Processing that could affect individuals' access to services
10.2 DPIA Process
Our DPIA process includes:
- Description of processing operations and purposes
- Assessment of necessity and proportionality
- Assessment of risks to individuals
- Measures to address and mitigate risks
- Review and approval by appropriate personnel
10.3 Consultation
We will consult with the ICO prior to processing if a DPIA indicates high residual risk that cannot be mitigated.
11. AI and Automated Decision-Making
11.1 Our Approach to AI
PreConsult uses AI to support clinical decision-making. Our approach ensures compliance with Article 22 UK GDPR:
- No solely automated decisions: All AI outputs are suggestions requiring human review
- Human-in-the-loop: Qualified practitioners must review and approve AI suggestions
- Meaningful human oversight: Practitioners exercise genuine discretion, not rubber-stamping
- No legal or significant effects: AI suggestions do not directly determine treatment or access to services
11.2 AI Transparency
We provide transparency about AI use:
- Clear labelling of AI-generated content
- Information about how AI suggestions are generated
- Explanation of AI limitations in our Usage Policy
11.3 Your Rights Regarding AI
Where AI is involved in processing your data, you have the right to:
- Be informed about the use of AI in processing
- Request human review of any decision that significantly affects you
- Express your point of view and contest decisions
- Request meaningful information about the logic involved
12. Sub-Processors
12.1 Sub-Processor Categories
We use sub-processors in the following categories for UK data:
| Service Category | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Cloud Infrastructure | Hosting and data storage | United Kingdom | N/A (no transfer) |
| AI Language Models | Conversational AI and clinical decision support | UK or USA | UK SCCs where required |
| SMS Delivery | Appointment notifications | USA | UK SCCs + supplementary measures |
| Voice Processing | Voice interview services (optional) | USA | UK SCCs + explicit consent |
| Email Delivery | Transactional emails | UK or USA | UK SCCs where required |
| User Authentication | Account credentials and login sessions | Australia (centralised) | UK IDTA (encrypted tokens only) |
A detailed list of specific sub-processors is available to UK healthcare organisations upon request as part of our Data Processing Agreement.
12.2 Sub-Processor Changes
Data controllers have the right to object to new sub-processors. We will:
- Notify controllers of any intended changes to sub-processors
- Provide reasonable time (typically 30 days) to raise objections
- Work with controllers to address legitimate concerns
13. Contact and Complaints
13.1 Contact Details
Data Protection Contact:
Slay Pty Ltd (trading as PreConsult)
ABN 59 686 642 366 | ACN 686 642 366
Email: privacy@preconsult.ai
Address: Melbourne, Australia
13.2 UK Representative
As PreConsult is established outside the UK, we will appoint a UK representative under Article 27 UK GDPR before commencing UK operations. Details will be provided here once appointed.
13.3 Complaints to the ICO
You have the right to lodge a complaint with the Information Commissioner's Office:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Phone: 0303 123 1113
We encourage you to contact us first so we can try to resolve your concern directly.
Further Information
For more information about how we protect your data, please see our main Privacy Policy. For questions about this UK GDPR Compliance Policy, contact privacy@preconsult.ai.