Data Processing Privacy Notice

  1. Introduction

This privacy notice strictly applies to Ellescope's technology-enabled data analytics service, where personal information or data may be processed.

By law, all organisations using personal information or data must provide a clear description of how it is used, providing related information to ensure processing is carried out lawfully and fairly.  

We will only use your personal data when the law allows us to. As part of our business, we process personal data about: 

  • patients (where we provide clinical decision-intelligence services to health care providers);

  • Health care professional users of our systems;

  • our staff and contractors, and 

  • people who contact us (e.g., via email/website). 

“Processing” can mean collecting, recording, organising, storing, sharing, accessing, analysing, or destroying data. 

We are committed to being transparent about why we need your personal data and what we do with it. This information is set out in this privacy notice. It also explains your rights when it comes to your data. 

If you have any concerns or questions, please contact us at: hello@ellescope.com 

  1. Decision-intelligence service for maternal care providers

Your care provider has engaged a specialised decision-intelligence supplier - approved to NHS England technical standards - which has gone through stringent scrutiny, achieving all necessary requirements to provide data analytics and decision-intelligence for maternity units. Your care provider remains responsible for this data and is the data controller, ensuring that any data provided for this service is for improved direct care purposes only. 

The UK GDPR and The Data Protection Act 2018 (the data protection laws) protect individuals with regard to the processing of personal data. The organisation providing this service is Ellescope Ltd. (Ellescope), who will act as a personal data processor under the data protection laws. 

  1. Patients

What data do we have?  

So that we can provide our clinical decision-intelligence service, we process patient data provided by health care providers. This may include: 

  • Your basic details needed to match the right care records to you; 

  • Maternity-related clinical information (e.g., observations, diagnoses, medications, investigations, clinical events); 

  • Derived features created by our system to accurately identify maternal risks 

This includes “special category” personal data because it relates to health. 

The lawful basis for processing your data 

The following legal bases set out in the General Data Protection Regulation (GDPR) and UK Data Protection Act 2018 allow us to use your personal information as follows: 

  • Article 6(1) (f): when data processing is necessary for the purposes of the legitimate interests pursed by the controller (your care provider), except where such interests are overridden by the interest or fundamental rights and freedoms of the data subject which require protection of personal data.  


  • Article 9(2) (i): when personal data processing is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.  

In all deployments the health care provider will act as the Data Controller for patient data and Ellescope Ltd will act as a Data Processor. If this applies, the health care provider’s privacy information will describe the lawful basis for your data being used. 

Common law duty of confidentiality 

We recognise that confidential patient information must be handled appropriately. We only process and disclose patient information as required to deliver the service to the health care provider, and we apply access controls and auditing. 

Information processing and storage  

Your personal information is processed and stored within our secure cloud environment in the United Kingdom.   

We only retain information for the periods set out in our Retention & Secure Disposal Schedule which is informed by the Records Management Code of Practice for Health and Social Care 2021, and we securely dispose of information when it is no longer required. When information reaches the end of its retention period, it is securely disposed of (e.g. secure deletion/purge of cloud data; secure wiping of devices) in line with our disposal procedure, and the disposal is logged. 

Who do we share patient data with? 

We do not share, sell or trade patient data with any third party.

We only share personal information: 

  • with the relevant health care provider where you are receiving your maternal care (as part of delivering the service); and 

We may also disclose information where required by law. 

  1. National Data Opt-Out 

In accordance with the National Data Opt-Out, we do not process any patient data where the data subject has assented to the National Data Opt-Out.  

You can find out more at www.nhs.uk/your-nhs-data-matters

  1. Health Care Professionals  

What data do we have? 

So that we can provide access to our system and keep it secure, we may process: 

  • your name, work email address, organisation, and role/permissions; 

  • login/authentication and access records; 

  • audit logs of key actions within the system (e.g. access to reports); 

  • support communications (e.g. emails to/from our support channels). 

Why do we have this data? 

We need this data to: 

  • manage user access and permissions; 

  • provide auditability and system security; and 

  • provide support and incident handling. 

We process your data because: 

  • we have a legitimate interest in operating and securing the service (Article 6(1)(f)). 

Where any communications include health information (e.g. a patient reference), we process that special category data because: 

  • it is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy (Article 9(2) (i)). 

Where do we process your data? 

We process user account and audit information within our secure cloud environment used to operate the service. 

  1. Your rights 

The data we keep about you is your data and we ensure that we keep it confidential and is used appropriately. You have rights which may include: 

  1. Request a copy of the personal data that you care provider holds about you

  2. Request erasure of personal data where it is no longer necessary and if it required before the end of the retention period; 

  3. Ask us to restrict processing in certain circumstances;

  4. Object to processing in certain circumstances; 

  5. Withdraw consent at any time, where consent is needed. 

We may need adequate information to confirm your identity. We respond as soon as possible and at the latest within one month. 

If you are a patient and your data is being processed as part of your care provider’s maternity service, requests will be handled by the relevant care provider as Data Controller. If you contact Ellescope Ltd directly, we will direct your request appropriately and/or support your care provider as required. 

If you would like to complain about how we have dealt with your request, you can contact: 

Information Commissioner’s Office 
Wycliffe House 
Water Lane 
Wilmslow 
Cheshire 
SK9 5AF – https://ico.org.uk/global/contact-us/