Privacy Policy

Global Health Services Ltd (GHS) is committed to our obligations under data protection legislation in all territories in which it operates, including the Data Use and Access Act 2025 (DUAA), UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018 (DPA18) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).

GHS is a registered company in England and Wales with the company number 14780143, whose registered address is 802 Eagle Tower Montpellier Drive, Cheltenham, England, GL50 1TA. GHS is registered with the Information Commission in the UK with the registration code ZB891992.

Unless stated otherwise on this page or on any GHS official documentation, we are the data controller for all uses of personal information outlined on this page. We are committed to making sure that we’re transparent about the ways in which we use your personal information, that we have the right controls in place to make sure it’s used responsibly and is kept safe.

This privacy notice explains:

  • How we use your personal information
  • Your privacy rights
  • How the law protects you

We may update or revise this privacy notice at any time. Please read the privacy notice(s) relevant to you as they provide important information about how we handle your personal data and your rights. If you have any questions about any aspect of this privacy notice you can contact us by emailing dataprotection@ghs.health.

We have identified the following areas where we will collect and use your personal information. Please refer to the area relevant to you. New services may have their own privacy notice available for that specific service, which is separate to this page. GHS is not responsible for uses of personal data that are not outlined in our privacy notices.

  1. When you become a Patient or Client with GHS
  2. You are a Healthcare Professional we work with that is indirectly employed by GHS
  3. When you attend a GHS event either in person or online (Event Attendee)
  4. If you are attending any training we are providing (Trainee)
  5. When you apply to work for us (Recruitment)
  6. When you visit one of our Clinics or Offices (Visitors)
  7. When you visit our website(s) (Website Visitor)
  8. When you supply a service to us (Supplier)

  1. Patients / Clients
  1. We collect your personal information to:
    • Manage you as a patient or a client who is using our services
  1. What personal information might we collect?
  • Name, email address, home address, phone number, date of birth
  • The reason for contacting us and the service you are interested in
  • Details of which GHS health products you have purchased
  • Details of your use of our products or services
  • Details of when you contact us and when we contact you (including voice recordings of telephone calls and copies of written communications such as emails or letters)
  • Personal information you provide to us whilst we are working with you
  • If relevant, information about your physical or mental health, including genetic or biometric information 
  • If relevant, next of kin or emergency contact information, your NHS patient number, information about a prescription and medication you may be taking or any other identifiable information that will allow us to access any relevant health information
  • If relevant, whether you smoke, your weight, height, BMI, blood pressure, heart rate, previous surgeries, your past medical history and your GP
  • Health information derived through the service(s) we may provide you and your physical or psychological response to them
  • Financial details including payment and bank details
  • Any communications we have with you either verbally or digitally, including any complaints or incidents
  • On occasion, proof of residency and/or proof of identity, proof of employment
  • Any relevant behavioural and usage information regarding how you use and access our digital services
  • If applicable, information about allergies or any specific dietary requirements
  • How you made contact with us which may mean we have captured your social media handle
  • CCTV images, which are used for building security
  1. Where do we get your personal information?
  • Notes from calls and other communications you’ve had with us
  • From you when you complete a physical form or any digital forms on our website or any marketing locations including social media locations
  • From notes and reports made by our healthcare practitioners or staff 
  • Referrals from an insurance provider
  • From family members (if there is a requirement for this or the patient is a child)
  • The NHS or other healthcare providers records of medical services and treatment you’ve received
  • From our service providers after they have delivered their services for you
  • If required, biometric verification, which is where we ask for an image of your photo ID along with a selfie which we then analyse for authenticity (we do this where we are required to verify your identity before you attend an appointment)
  • From you or other healthcare professionals you have put us in contact with which are relevant to your treatment or service. This includes information captured in emails and any communications we have with you
  1. What do we use your personal information for and what is our lawful basis for using it?
| Uses | Lawful basis |
| --- | --- |
| To deliver to you the product or service you have purchased. | The lawful basis we shall be relying on is in accordance with UK GDPR Article 6.1(b), where the use of your personal data is necessary in the performance of a contract which you have agreed to or where we are working to enter into a contract with you. The consent you have provided us for this use of your special categories of personal data in accordance with UK GDPR Article 9.2(a) which is related to the product or service we are providing you. |
| To formulate a medical diagnosis, or provide relevant healthcare or treatment and manage our healthcare system and service delivery in accordance with a contract you have with us. This is where you have purchased a product or service from us. | |
| To conduct statistical research and analytics based on our products and services for their improvement and to understand our patients and the reasons for their interactions with us. | The lawful basis we shall be relying on is the legitimate interest of the Data Controller in accordance with UK GDPR Article 6.1(f). |
| Request feedback from you about the product or service you have purchased and use that feedback to make improvements. | |
| To help us train our employees and contractors through examples and shadowing of our delivery of our services. | |
| To send you marketing material either in the post, via email or text (SMS). | The consent you have provided us for this use of your personal data in accordance with UK GDPR Article 6.1(a). And, the consent you have provided us for this use of your special categories of personal data in accordance with UK GDPR Article 9.2(a) which may be related to the services we are providing information to you about. |
| To identify personal data and take relevant action upon submission of a data subject rights request. | Compliance with a legal obligation under UK GDPR Article 6.1(c). The legal obligation is the UK General Data Protection Regulation to uphold your data protection rights. Special categories of personal data used for the purpose of Substantial Public Interest (Preventing or detecting unlawful acts; Protecting the public; Regulatory requirements) under UK GDPR Article 9.2(g). |
| To be able to assess any impact on individuals of a data breach involving personal data held on GHS systems or on third party systems on behalf of GHS. | |
| To help protect an individual from neglect or physical, mental or emotional harm, or protect the physical, mental or emotional well-being of an individual. | Use of the personal data is necessary to protect the vital interests of an individual or individuals in accordance with UK GDPR Article 6.1(d). Special categories of personal data used for the purpose of Substantial Public Interest (Preventing or detecting unlawful acts; Protecting the public; Regulatory requirements) under UK GDPR Article 9.2(g). |
| To deal with legal claims and ongoing litigation cases. | Compliance with a legal obligation under UK GDPR Article 6.1(c). The legal obligation is the UK General Data Protection Regulation to uphold your data protection rights. Special categories of personal data used for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity under UK GDPR Article 9.2(f). |
  1. Who do we share your personal information with?
  • Relevant healthcare professionals which may or may not be GHS employees but are contracted to deliver the healthcare services to you
  • Healthcare organisations we work with to provide the services offered by GHS
  • Mailing, email, SMS messaging, and/or print fulfilment organisations (to enable us to communicate with you efficiently)
  • Providers of business services such as auditors, consultants, solicitors and/or insurers (to enable us to run GHS efficiently)
  • Providers of records management services such as secure disposal suppliers, and IT storage providers (to enable us to secure data efficiently)
  • Providers of IT systems or services (to enable us to run GHS efficiently)
  • Market researchers (to help us to improve the services we offer)
  • If applicable, approved alternative dispute resolution (ADR) schemes
  • Providers of information management services (to help us learn about you)
  • Companies you ask us to share your personal information with (upon request) which may include your GP or other parts of the NHS or other healthcare provider
  • If applicable, any company that GHS acquires or that acquires GHS, or any company that GHS may merge with 

When we share your information with our approved third party providers, our contractual relationship with them prevents them from using your information for any other purpose outside of our instructions to them. They may use their own third party data processors, but are always required to meet the same legal requirements as GHS does.

There may be scenarios where we are subject to a legal obligation to disclose or share your personal data, such as with law enforcement agencies, regulatory bodies or public authorities in order to prevent or detect crime, or prove we have adhered to their request. We will only ever disclose your personal data to these third parties to the extent we are required to do so by law.

GHS will never sell your information, or share it with external companies for their own marketing purposes.

  1. How long will we keep your personal information?

For our health care businesses, we typically keep personal information for 20 years to comply with the law and NHS guidance.

How long we keep your information depends on several factors:

  • How long you’ve been a customer with us, the types of products or services you have with us and when you’ll stop being our customer
  • How long it’s reasonable to keep records to show we’ve met the obligations we have to you and by law
  • Any periods set by law or recommended by regulators, professional bodies or associations
  • Any time limits for making a legal claim
  • Any relevant proceedings that apply

We often have to keep your personal information to comply with a legal obligation, and this means that if you ask us to delete your personal information before the retention period has expired, we’ll be unable to do so.

  1. Healthcare Professionals
  1. We collect your personal information to:
  • Enable you to work with GHS and deliver healthcare services to our patients and clients
  • Help us conduct our operations and manage our workforce and those working for us

If you do not provide certain personal data, we may not be able to achieve some of the aims outlined in this notice.

  1. What personal information might we collect?
  • Name, email address, home address, phone number
  • Your personal contact details, next of kin and emergency contact information (e.g. name, home address, home telephone, personal email)
  • Date of birth, gender, marital status and number of dependents
  • National insurance number, bank account details, payroll records and tax status information
  • Details of your qualifications, skills, and experience
  • Start date, salary, place of work, days of work, working hours, attendance at work, annual leave, pension and benefits information
  • Copies of your driving licence and/or your passport and photographs
  • Employment record including job titles, work history, working hours, start and end dates, training records and professional memberships
  • Evidence of how you meet the requirements of the job, such as application forms, CVs, covering letters, references, assessment outputs, employment history, academic qualifications/history, professional training/certifications, skills, and work experience or internships
  • Evidence of your current and/or future work eligibility status, immigration status, including visa type, and visa expiry date
  • Recruitment Information (e.g. application form, cover letter, CV, right to work documentation, references, assessment information)
  • Details of periods of leave taken by you, including holiday, sickness absence, family leave and sabbaticals, and the reasons for the leave
  • Compensation history, disciplinary and grievance information in which you have been involved, including any warnings issued to you and related correspondence
  • Assessments of your performance, including appraisals, performance reviews and ratings, training you have participated in, performance improvement plans and related correspondence
  • Information about your use of our information systems and IT assets
  • Photographs and videos, including images recorded using CCTV, and possibly recordings of your voice
  • Information collected from workforce management systems, or employee digital systems including location data
  • Language and behaviour of yourself within the public domain such as social media posts (X, Meta platforms, YouTube etc.)
  • Further information you have provided us in interviews, conversations and communications with us which may or may not be recorded

Sensitive personal data

We may also collect, store and use the “special categories” of more sensitive personal information including:

  • Information about your health and medical conditions for health and safety reporting purposes
  • Information about your physical or mental health and any medical or health conditions, including whether or not you have a disability for which the organisation needs to make reasonable adjustments
  • Equal opportunities monitoring information, including information about your ethnic origin, sexual orientation, health and religion or belief
  • Personal information related to our internal equality and diversity monitoring policy (geographical location, organisation, socio-economic class, caring responsibilities, educational background)
  • Personal information related to the Equality Act 2010 inclusive of data known as ‘Protected Characteristics’ (age, disability, gender reassignment, marriage or civil partnership (in employment only), pregnancy and maternity, race, religion or belief, sex, sexual orientation)
  • Details of trade union membership
  • Criminal records information
  1. Where do we get your personal information?
  • When you apply to work for any part of GHS or the GHS group
  • During the ordinary course of your working relationship with us, e.g., when we on-board you as a new member of our staff, when we use your personal information for payroll purposes and when you use our IT systems
  • From publicly available information which you have chosen to make public, including via social media (to the extent that you choose to make your profile publicly visible)
  • When we conduct background checks, in accordance with the protections provided by applicable law
  • From third parties who provide it to us, e.g., past employers, referees, and law enforcement agencies
  • We also create personal data about you, such as your job title, compensation details and performance reviews. 
  1. What do we use your personal information for and what is our lawful basis for using it?
| Uses | Lawful basis |
| --- | --- |
| To ensure compliance with employment law, contract of employment and HMRC. | The lawful basis we shall be relying on is in accordance with UK GDPR Article 6.1(b), where the use of your personal data is necessary in the performance of a contract which you have agreed to or where we are working to enter into a contract with you. |
| To enable the payment of salary, pension contributions, tax and national insurance payments as well as company benefit schemes. | |
| To ensure the welfare of employees, workers, interns and contractors from a health and safety perspective. | |
| To help set objectives and targets for performance and to keep a record of performance in the event of any concerns over performance. | |
| To ensure there is documentation in the event there are concerns from an employer or employee regarding conduct. | |
| Use for business related purposes such as websites, events, business cards etc. | |
| To plan staffing levels and any necessary absence cover. | The lawful basis we shall be relying on is the legitimate interest of the Data Controller in accordance with UK GDPR Article 6.1(f). |
| To ensure meaningful equal opportunity monitoring and reporting. | Compliance with a legal obligation under UK GDPR Article 6.1(c). The legal obligation is the Equality Act 2010. |
| To identify personal data and take relevant action upon submission of a data subject rights request. | Compliance with a legal obligation under UK GDPR Article 6.1(c). The legal obligation is the UK General Data Protection Regulation to uphold your data protection rights. Special categories of personal data used for the purpose of Substantial Public Interest (Preventing or detecting unlawful acts; Protecting the public; Regulatory requirements) under UK GDPR Article 9.2(g). |
| To be able to assess any impact on individuals of a data breach involving personal data held on GHS systems or on third party systems on behalf of GHS. | |
| To help protect an individual from neglect or physical, mental or emotional harm, or protect the physical, mental or emotional well-being of an individual. | Use of the personal data is necessary to protect the vital interests of an individual or individuals in accordance with UK GDPR Article 6.1(d). Special categories of personal data used for the purpose of Substantial Public Interest (Preventing or detecting unlawful acts; Protecting the public; Regulatory requirements) under UK GDPR Article 9.2(g). |
| To deal with legal claims and ongoing litigation cases. | Compliance with a legal obligation under UK GDPR Article 6.1(c). The legal obligation is the UK General Data Protection Regulation to uphold your data protection rights. Special categories of personal data used for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity under UK GDPR Article 9.2(f). |
  1. Who do we share your personal information with?
  • Members of the organisation who are involved in the following processes: Finance, HR, Payroll and external payroll/pension providers will have the relevant information for their role
  • If applicable, third party agencies: Pension providers, external payroll providers, other providers we use for benefit schemes
  • GHS employees who have line management responsibilities for you
  • Other healthcare professionals or providers as you are required to work with them in the capacity you are employed or contracted by us
  • GHS patients or clients you are working with and any other individuals with legitimate access to their health records where you have been mentioned as the associated professional providing them with care
  • If applicable, any company that GHS acquires or that acquires GHS, or any company that GHS may merge with 

There may be scenarios where we are subject to a legal obligation to disclose or share your personal data, such as with law enforcement agencies, regulatory bodies or public authorities in order to prevent or detect crime, or prove we have adhered to their request. We will only ever disclose your personal data to these third parties to the extent we are required to do so by law.

  1. How long will we keep your personal information?
  • 7 years after your employment/work with us ceases
  1. Event Attendee
  1. We collect your personal information to:
  • Manage your application and attendance at any of our events
  1. What personal information might we collect?
  • First Name(s), surname, email address, phone number, country of residence
  • Job title, occupation, place of work, employer, previous employers and work history
  • If relevant, motivations for attending the event
  • If relevant to the event, passport information and other relevant proof of identity documentation
  • Further information you provide us in interviews, conversations and communications with us which may or may not be recorded e.g. for our marketing collateral or feedback about the event
  • Dietary requirements and any accessibility requirements you may have
  • Videos of you where you are in the background when you attend an in-person event we are recording
  • Videos of you or podcast recordings of you where you are acting as a speaker for our work or being interviewed on or off camera either as an invited guest or as an attendee of an exhibition we are holding or attending
  • Any personal data you volunteer in any free text fields in any paper-based or digital survey or webform related to an event 
  • If applicable, payment details managed by a third-party payment provider
  1. Where do we get your personal information?
  • From yourself when you register or sign up for an event 
  • From someone else if they have registered you for an event on your behalf
  • From yourself when we record you at an event either in the foreground or background depending on the circumstances of the recording taking place 
  • From yourself via email, telephone or face to face communications we have with you
  • If relevant to the event, from yourself when you make a payment to us
  • From any security or law enforcement agencies we are working with in conjunction with any safeguarding agencies during an event
  • From any photographs/video taken by GHS or a photographer/videographer on behalf of GHS 
  • We may gain personal information about you from the venues we use, travel companies, food and beverage companies or other relevant service providers you interact with 
  • From an individual who is aware of you and has referred you to us as either a speaker, exhibitor, sponsor or attendee based on your relevant
  • From publicly available locations online or social media which have been made explicitly public facing by you
  1. What do we use your personal information for and what is our lawful basis for using it?
| Purpose for using personal data | Lawful basis for using |
| --- | --- |
| To register your attendance to a GHS event. | The lawful basis we shall be relying on is in accordance with UK GDPR Article 6.1(b), where the use of your personal data is necessary in the performance of a contract which you have agreed to or where we are working to enter into a contract with you. |
| If relevant, to take and manage payment for attendance. | |
| To manage the event and your attendance at the event as well as any issues that may occur. | |
| When you have attended an event or purchased a ticket (whether you attended or not) we will use your information to contact you for marketing purposes. You can opt-out at any time. | The lawful basis we shall be relying on is the legitimate interest of the Data Controller in accordance with UK GDPR Article 6.1(f). |
| Where you have not made a purchase of a ticket but have signed up to attend an event where there is no purchase necessary, unless you opt-out, we will send you information about other online and offline events. | |
| To gather opinions from you about the event so we can improve future events. | |
| To allow for accessibility and dietary needs/requirements at an event. | The lawful basis we shall be relying on is the legitimate interest of the Data Controller in accordance with UK GDPR Article 6.1(f). |
| To use any photograph/video taken at the event within GHS marketing documentation which may include brochures and/or promotional videos. If you do not wish to be in any photograph/video being taken, please make sure you position yourself out of the line of sight of any cameras. | |
| To identify personal data and take relevant action upon submission of a data subject rights request. | Compliance with a legal obligation under UK GDPR Article 6.1(c). The legal obligation is the UK General Data Protection Regulation to uphold your data protection rights. Special categories of personal data used for the purpose of Substantial Public Interest (Preventing or detecting unlawful acts; Protecting the public; Regulatory requirements) under UK GDPR Article 9.2(g). |
| To be able to assess any impact on individuals of a data breach involving personal data held on GHS systems or on third party systems on behalf of GHS. | |
| To help protect an individual from neglect or physical, mental or emotional harm, or protect the physical, mental or emotional well-being of an individual. | Use of the personal data is necessary to protect the vital interests of an individual or individuals in accordance with UK GDPR Article 6.1(d). Special categories of personal data used for the purpose of Substantial Public Interest (Preventing or detecting unlawful acts; Protecting the public; Regulatory requirements) under UK GDPR Article 9.2(g). |
| To deal with legal claims and ongoing litigation cases. | Compliance with a legal obligation under UK GDPR Article 6.1(c). The legal obligation is the UK General Data Protection Regulation to uphold your data protection rights. Special categories of personal data used for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity under UK GDPR Article 9.2(f). |
  1. Who do we share your personal information with?
  • Events venue (in-person events)
  • Digital events management platform providers
  • Pre-approved digital communications and storage providers
  • Pre-approved online survey platform providers (which may include questionnaire and polling platform providers)
  • If relevant, venues, hotels, travel companies and any other concierge services
  • If applicable, any company that GHS acquires or that acquires GHS, or any company that GHS may merge with 

There may be scenarios where we are subject to a legal obligation to disclose or share your personal data, such as with law enforcement agencies, regulatory bodies or public authorities in order to prevent or detect crime, or prove we have adhered to their request. We will only ever disclose your personal data to these third parties to the extent we are required to do so by law.

  1. How long will we keep your personal information?

If you attend one of our events, we will use your information for the purpose of the event and will only contact you for any other purpose if you have said we can. 

We will retain your personal information collected for the purpose of the event for 2 years to help us understand our audience and reach, and to improve future events.

  1. Trainee
  1. We collect your personal information to:
  • Manage your application, attendance and completion of our training courses
  1. What personal information might we collect?
  • Name, age, email address, telephone number, home address/location
  • Gender, ethnicity, whether you have a disability
  • Any further training you have participated in, in the past
  • Any personal information you volunteer about yourself within a training session or in communications with us
  • Where applicable within the nature of the training being delivered:
    1. Identification
    2. Dietary requirements
    3. An image of you
  1. Where do we get your personal information?
  • From yourself upon application to attend GHS training
  • From yourself within verbal or digital communications or conversations (in person/online/telephone) you have either with GHS or with a training partner organisation on our behalf
  • From a training partner organisation on our behalf where GHS has not been the first point of contact for you 
  • From yourself via an online form or feedback survey we have sent you 
  1. What do we use your personal information for and what is our lawful basis for using it?
| Uses | Lawful basis |
| --- | --- |
| To invite you to attend a training session either in person or online. | The lawful basis we shall be relying on is the legitimate interest of the Data Controller in accordance with UK GDPR Article 6.1(f). |
| To allow you access to online training materials and for training to be delivered to you online. | |
| To monitor your attendance and follow up any non-attendance. | |
| Where training is in person we will use your personal data to ensure any accessibility requirements are met and, if applicable, we can account for dietary requirements. | The lawful basis we shall be relying on is the legitimate interest of the Data Controller in accordance with UK GDPR Article 6.1(f). Special categories of personal data used for the determination of any health related accessibility requirements will be under UK GDPR Article 9.2(h). |
| To update a regulatory body based on any relevant statutory requirements. | The lawful basis we shall be relying on is GDPR, Article 6.1(c) in which the relevant law will be specified in the lead up to the training. |
| To update a regulatory body or external assessor based on best practice or requirements of the type of training you are receiving. E.g. to register any Continual Professional Development (CPD or CPE credits). | The lawful basis we shall be relying on is the legitimate interest of the Data Controller in accordance with UK GDPR Article 6.1(f). |
| To send you a follow up questionnaire or survey so we are able to monitor effectiveness of the training provided or the training provider. | |
| To send you any certificates or notification of qualification or outcomes of the training. | |
| To notify you of further relevant training you may like to attend. You can opt-out of receiving these notifications by clicking ‘Unsubscribe’ in the email we have sent you. | |
| To identify personal data and take relevant action upon submission of a data subject rights request. | Compliance with a legal obligation under UK GDPR Article 6.1(c). The legal obligation is the UK General Data Protection Regulation to uphold your data protection rights. Special categories of personal data used for the purpose of Substantial Public Interest (Preventing or detecting unlawful acts; Protecting the public; Regulatory requirements) under UK GDPR Article 9.2(g). |
| To be able to assess any impact on individuals of a data breach involving personal data held on GHS systems or on third party systems on behalf of GHS. | |
| To help protect an individual from neglect or physical, mental or emotional harm, or protect the physical, mental or emotional well-being of an individual. | Use of the personal data is necessary to protect the vital interests of an individual or individuals in accordance with UK GDPR Article 6.1(d). Special categories of personal data used for the purpose of Substantial Public Interest (Preventing or detecting unlawful acts; Protecting the public; Regulatory requirements) under UK GDPR Article 9.2(g). |
| To deal with legal claims and ongoing litigation cases. | Compliance with a legal obligation under UK GDPR Article 6.1(c). The legal obligation is the UK General Data Protection Regulation to uphold your data protection rights. Special categories of personal data used for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity under UK GDPR Article 9.2(f). |
  1. Who do we share your personal information with?
  • In-house or external training providers as applicable
  • The venue, building management or office manager of the location the training may be taking place
  • Online digital training platform service provider(s)
  • Digital communications and storage providers (for email and maintaining relevant records)
  • Pre-approved online survey platform providers
  • If applicable, regulatory bodies or certification providers, your employer, catering providers
  • If applicable, any company that GHS acquires or that acquires GHS, or any company that GHS may merge with 

There may be scenarios where we are subject to a legal obligation to disclose or share your personal data, such as with law enforcement agencies, regulatory bodies or public authorities in order to prevent or detect crime, or prove we have adhered to their request. We will only ever disclose your personal data to these third parties to the extent we are required to do so by law.

  1. How long will we keep your personal information?

We keep your personal data for the minimum time necessary for the training to be provided successfully and for any necessary follow ups as required.

Personal data shall be reduced, redacted, de-identified and deleted at appropriate times so we retain the minimum amount of personal data possible. For example, a paper based login sheet at a venue will be destroyed once added to a digitised spreadsheet or training platform.

In general, unless any other laws are in conflict with this, we will keep a record of your training with the minimum amount of data necessary for at least 7 years. If you are a GHS employee, we will keep a record of your training for at least 7 years after you are no longer employed.

  1. Recruitment
  1. We collect your personal information to:
  • Process your application through our recruitment process
  1. What personal information might we collect?
  • Contact details such as name, title, addresses, telephone numbers, and personal email addresses
  • Preferred method of contact
  • Copies of driving licence, passport, birth certificates and proof of current address, such as bank statements and council tax bills
  • Notice period, preferred start date
  • Evidence of how you meet the requirements of the job, such as application forms, CVs, covering letters, references, assessment outputs, employment history, academic qualifications/history, professional training/certifications, skills, and work experience or internships
  • Evidence of your current and/or future work eligibility status, immigration status, including visa type, and visa expiry date
  • Diversity and equal opportunities monitoring information – this can include information about your race or ethnicity, religious beliefs, sexual orientation, disability and other ‘special category data’ information about your health, including any medical needs or conditions
  • Other unforeseen information required for some applications
  • If you contact us regarding your application, a record of that correspondence including, but not limited to, the content and attachments of emails
  • Details of your use of our recruitment tools and services, such as your candidate profile, the source of your application, the date/time, the role(s) you applied for, salary history/expectations, alerts for vacancies, the status of your application and updates on how it moves forward
  • Derived data about you, that is, data that includes our staff’s opinion of you such as, but not limited, to the stages you complete of the recruitment process and those you do not, records of interviews, interview notes/feedback, assessment feedback, rejection stage, rejection reason, and job offer details
  • Language and behaviour of yourself within the public domain such as social media posts (X, Meta platforms, YouTube etc.)
  • Further information you provide us in interviews, conversations and communications with us which may or may not be recorded

We may also collect, store and use the “special categories” of more sensitive personal information including, but not limited to:

  • Information about your physical or mental health, or disability status
  • Information about your health and medical conditions for health and safety reporting purposes
  • Criminal records information
  • Personal information related to the Equality Act 2010 inclusive of data known as ‘Protected Characteristics’ (age, disability, gender reassignment, marriage or civil partnership (in employment only), pregnancy and maternity, race, religion or belief, sex, sexual orientation)
  • Personal information related to our internal equality and diversity monitoring policy (geographical location, organisation, socio-economic class, caring responsibilities, educational background)
  1. Where do we get your personal information?
  • From yourself where you have responded to an advert on our website, completed our ‘contact us’ page on our website or sent an unsolicited prospective email to us about having a role with us
  • From yourself via a recruitment web advert we have developed which may also mean we have received your personal data via a recruitment platform or website which you have filled in 
  • From a recruiter, recruitment agency or other applicant tracking system or recruitment website 
  • We also use platforms such as LinkedIn, Indeed, CV Library and others where we may have identified you as a potential candidate for employment, work experience or internship 
  • Via publicly available sources such as social media, where we have identified you as an individual we would like to approach as a good fit for employment, work experience or internship 
  • From a reference from a sector-relevant individual where they have gained permission from you to be introduced to us
  • From a current or former employee where they hold a previously established relationship with you and sharing your personal information with us would not be unexpected 
  • From former employers and people named by candidates as references 
  • Where relevant, the Disclosure and Barring Service (DBS) and/or police records 
  • Where this may be relevant to the role, the NHS or other health service provider
  1. What do we use your personal information for and what is our lawful basis for using it?
Uses | Lawful basis
Processing your personal information is necessary to move your application forward before signing a contract of work. This concerns employment or pre-employment checks. | The lawful basis we shall be relying on is in accordance with UK GDPR Article 6.1(b), where the use of your personal data is necessary in the performance of a contract which you have agreed to or where we are working to enter into a contract with you.
To ensure compliance with employment law. | Compliance with a legal obligation under UK GDPR Article 6.1(c). The legal obligation is The Employment Rights Act 1996.
To reply to you about the position you have applied for or inquired about. | The lawful basis we shall be relying on is the legitimate interest of the Data Controller in accordance with UK GDPR Article 6.1(f).
To approach you as a good fit for employment, work experience or internship.
To move your application forward including making changes in applicant tracking systems or dedicated recruitment-based software and websites, or with agencies.
To inform you about the status of your application.
To check you are the right candidate for the role.
To receive a reference from a sector-relevant individual where they have gained permission from you to be introduced to us.
To send you notifications for other job, work experience or internship vacancies.
To invite you to participate in relevant surveys, questionnaires, and/or employment polls regarding your recruitment experience so we can improve our processes.
With permission, retain your personal information for longer than statutory requirements where you have not been successful but we would like the opportunity to invite you to apply again in the future. | The consent you have provided us for this use of your personal data in accordance with UK GDPR Article 6.1(a).
To identify personal data and take relevant action upon submission of a data subject rights request. | Compliance with a legal obligation under UK GDPR Article 6.1(c). The legal obligation is the UK General Data Protection Regulation to uphold your data protection rights. Special categories of personal data used for the purpose of Substantial Public Interest (Preventing or detecting unlawful acts; Protecting the public; Regulatory requirements) under UK GDPR Article 9.2(g).
To be able to assess any impact on individuals of a data breach involving personal data held on GHS systems or on third party systems on behalf of GHS.
To help protect an individual from neglect or physical, mental or emotional harm, or protect the physical, mental or emotional well-being of an individual. | Use of the personal data is necessary to protect the vital interests of an individual or individuals in accordance with UK GDPR Article 6.1(d). Special categories of personal data used for the purpose of Substantial Public Interest (Preventing or detecting unlawful acts; Protecting the public; Regulatory requirements) under UK GDPR Article 9.2(g).
To deal with legal claims and ongoing litigation cases. | Compliance with a legal obligation under UK GDPR Article 6.1(c). The legal obligation is the UK General Data Protection Regulation to uphold your data protection rights. Special categories of personal data used for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity under UK GDPR Article 9.2(f).

We maintain a reserve list of candidates who met our requirements but were not successful in securing the specific post they applied for. We’ll ask for your permission to be added to this list. We will refer to the list when other roles are advertised and will contact you if you match the role. We will ask for your permission before putting you forward for the role.

If you are successfully recruited, we will upload your details to our HR system. We will also share your data for statistical analysis (it will be anonymised first) if we are required to do so by law – for example, by court order, or to prevent fraud or other crime.

For the purposes of reporting on and improving the effectiveness and efficiency of our recruitment systems and processes, we may retain a handful of personal data points about you (the source of your application, the stage you reached in the process, and the overall reason you were rejected), however, none of these data points are personally traceable to you.

When we carry out National Security vetting for some roles, we have to process personal data to perform a task that is of a substantial public interest depending on the sensitivity of the role.

  1. Who do we share your personal information with?
  • Pre-approved digital Human Resources Management platform provider
  • Pre-approved digital communications and storage providers
  • Pre-approved online survey/web-form platform providers
  • If applicable, any company that GHS acquires or that acquires GHS, or any company that GHS may merge with 

There may be scenarios where we are subject to a legal obligation to disclose or share your personal data, such as with law enforcement agencies, regulatory bodies or public authorities in order to prevent or detect crime, or prove we have adhered to their request. We will only ever disclose your personal data to these third parties to the extent we are required to do so by law.

Please be reassured GHS limits access to your recruitment personal data to those who have a genuine need to access it, including:

  • The Human Resources department
  • The recruiting manager for the role in question
  • Interviewers/assessment reviewers for the role in question
  • The director of the team where the role in question sits
  • Other approvals managers or reviewers including internal or external auditors conducting an audit or investigation of our processes
  1. How long will we keep your personal information?

We will only keep personal information for as long as it is needed to fulfil the purpose for which it was collected.

We will store your information for the duration of the recruitment process. Where you have not been successful, we shall retain your personal data for up to 6 months in accordance with the UK Limitation Act 1980. We will only retain your personal data longer than 6 months where we have gained your permission to do so. 

If you have been successful in the recruitment process, we will provide you with an Employee Privacy Notice outlining the retention period of your personal information.

  1. Visitors
  1. We collect your personal information to:
  • Manage your attendance at one of our clinics or office locations
  1. What personal information might we collect?
  • Name(s), Email Address, Phone number; 
  • Job Title, occupation, place of work, employer; 
  • Information that may aid accessibility needs including any relevant special categories of information (“Health Data”)
  • If applicable, your relationship to a patient or member of staff 
  • Personal data recorded in any verbal or digital communications we may have with you
  • Reason for visiting, time of entry and exit, and duration of visit
  • CCTV footage of you
  1. Where do we get your personal information?
  • From you when you have purchased a service that means you will visit our premises or have been booked in as an inpatient to any of our clinics
  • From you if you sign in to a visitors book or its digital equivalent
  • Office visitor information will be collected via email from yourself, or the individual that has arranged your visit on your behalf
  • If you are visiting offices to attend an event we are holding you may be asked to write your personal information on a name badge/sticker and you may be filmed should we be recording the event
  • You are also likely to be filmed by our security cameras and any related CCTV we have around our building locations 
  1. What do we use your personal information for and what is our lawful basis for using it?

The lawful basis we will be relying on for using your personal data during the arrangement of your visit to a clinic where you have purchased a service from us will be under the obligations of a contract in accordance with UK GDPR Article 6.1(b).

Unless stated otherwise, the following uses of your personal information are in accordance with UK GDPR Article 6.1(f) for our legitimate interests.

When you visit our clinics or offices we will use your personal information to register you at the reception of our building who will log entry and exit times as part of building security measures. We will use this information to manage your visit successfully and ensure that you have the best experience possible of our facilities.

It is likely that our reception team and/or the individual or department you are visiting will log your contact details in a database or digital calendar (if you have not already done so via one of our digital platforms) so we can monitor and manage your visit.

Depending on the building location you are visiting, you may be asked to write your name and further details into a visitors’ book by building entrance staff. You will also be captured on CCTV cameras during your visit which is also for security and monitoring purposes.

Your personal information will also be stored in an electronic calendar application and used as a lookup to understand arrival and departure times and to identify when you last visited. 

Should you be visiting for an event at one of our offices we may produce name badges for ease of identification by ourselves and others in attendance.

Uses | Lawful basis
To identify personal data and take relevant action upon submission of a data subject rights request. | Compliance with a legal obligation under UK GDPR Article 6.1(c). The legal obligation is the UK General Data Protection Regulation to uphold your data protection rights. Special categories of personal data used for the purpose of Substantial Public Interest (Preventing or detecting unlawful acts; Protecting the public; Regulatory requirements) under UK GDPR Article 9.2(g).
To be able to assess any impact on individuals of a data breach involving personal data held on GHS systems or on third party systems on behalf of GHS.
To help protect an individual from neglect or physical, mental or emotional harm, or protect the physical, mental or emotional well-being of an individual. | Use of the personal data is necessary to protect the vital interests of an individual or individuals in accordance with UK GDPR Article 6.1(d). Special categories of personal data used for the purpose of Substantial Public Interest (Preventing or detecting unlawful acts; Protecting the public; Regulatory requirements) under UK GDPR Article 9.2(g).
To deal with legal claims and ongoing litigation cases. | Compliance with a legal obligation under UK GDPR Article 6.1(c). The legal obligation is the UK General Data Protection Regulation to uphold your data protection rights. Special categories of personal data used for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity under UK GDPR Article 9.2(f).
  1. Who do we share your personal information with?
  • Pre-approved digital communications and storage providers
  • Pre-approved office location or building management service providers
  • If applicable, any company that GHS acquires or that acquires GHS, or any company that GHS may merge with 

There may be scenarios where we are subject to a legal obligation to disclose or share your personal data, such as with law enforcement agencies, regulatory bodies or public authorities in order to prevent or detect crime, or prove we have adhered to their request. We will only ever disclose your personal data to these third parties to the extent we are required to do so by law.

  1. How long will we keep your personal information?

We will only keep personal information for as long as it is needed to fulfil the purpose for which it was collected.

Your personal information shall be retained within digital email calendars and subject to archiving processes conducted on an ad hoc basis. Name badges will be destroyed when you leave the premises. Any ID that is requested to be shown at the building front desk is for verification purposes only and we won’t always record this information. 

Closed-circuit television (CCTV) operates inside and outside the buildings for security purposes. The information is viewed by the building security company on a live feed and may be recorded at the discretion of the provision of security services supplied by the buildings we occupy.

When we provide you Wi-Fi on site for the use of visitors, we’ll provide you with the login details. We record the device address and will automatically allocate you an IP address whilst on site. We also log traffic information in the form of sites visited, duration and date sent/received. This information is retained for a reasonable period of time to monitor the security of Wi-Fi use when onsite.

  1. Website Visitor
  1. We collect your personal information to:
  • Understand visitor patterns and how we might improve a visitor’s journey, and to notify us of your interest in any of our services or your desire to be contacted by us
  1. What personal information might we collect?
  • Information about the device used to access our website, your visits and use of the website including your IP address, internet log information, location, browser type and version, referrer and activity, and details of visitor behaviour patterns
  • We record your activity and preferences when visiting our website through the use of cookies (see “Cookies”, below)
  • Any information you submit on any of the webforms held on our website
  1. Where do we get your personal information?
  • We collect data about you from your device and via third-party website analytics services such as Google Analytics and cookies (see below) when you visit our website. We do not make, and do not allow our Google Analytics settings to make, any attempt to find out the identities of those visiting our website.
  1. What do we use your personal information for and what is our lawful basis for using it?
  • Monitor the website and keep it secure, and understand how we might improve the website through numbers of visits, visitor patterns and behaviour
  • Promote and develop services and grow our organisation
  • Run our organisation, provide administration and IT services, ensure network security, and prevent fraud
  • Collect information to understand more about our website visitors’ interests and preferences and to inform our marketing strategy
  • To keep our website updated and relevant, to develop our organisation
  • To add you to digital communications activities lists and send you content where you have indicated your consent for us to do so
  • Answer any enquiries you submit to us via the website inclusive of information submitted via any webform, survey, poll or information capture on any part of the website

We use the personal information of visitors to our website based on our legitimate interest as the data controller. 

We request your consent within the website for adding your personal information to our marketing lists when you fill out a relevant form. We also request your consent for the use of cookies when you first visit our website.

  1. Who do we share your personal information with?
  • Pre-approved website and analytics services and hosting service providers
  • Pre-approved cloud services and IT security services providers that manage, monitor and track all website uses including all data captured from our website
  • If applicable, any company that GHS acquires or that acquires GHS, or any company that GHS may merge with 

There may be scenarios where we are subject to a legal obligation to disclose or share your personal data, such as with law enforcement agencies, regulatory bodies or public authorities in order to prevent or detect crime, or prove we have adhered to their request. We will only ever disclose your personal data to these third parties to the extent we are required to do so by law.

  1. How long will we keep your personal information?

We will only keep personal information for as long as it is needed to fulfil the purpose for which it was collected.

Your reason for visiting the website and how you decide to interact with it will determine the amount of time we retain your personal information outlined above.

  1. Supplier
  1. We collect your personal information to:
  • Manage our relationship with the supplier we work with
  1. What personal information might we collect?
  • Name and job title, telephone number and email address
  • The company you work for, and any relevant personal information you provide to us as part of us scoping or providing services to you or working with you as partners on a project (or as part of you providing services to us if you are a supplier), which depends on the nature of the work
  • Relevant information as required by any applicable Know Your Client and/or anti-money laundering regulations (which may include request for identity information such as passports and information collected from publicly available sources e.g. Companies House)
  1. Where do we get your personal information?
  • When you have approached us to become a supplier
  • From you or your company at an industry or business-based event we have attended or have hosted
  • When you or the organisation you work for submit a proposal to become a supplier and/or entered into a contract of work with us 
  • Where it is given to us by one of our business partners or related associates or employees 
  • Publicly facing websites including social media during our review of applicability to provide a service to us 
  • When you communicate with us or submit information via our website 
  • Referral from an organisation you already act as a supplier to
  1. What do we use your personal information for and what is our lawful basis for using it?
  • Review your applicability to provide your services to us
  • Conduct business operations with you
  • Request feedback from you
  • Resolve queries or complaints with you
  • Provide you access to digital or physical infrastructure as appropriate
  • Prevent or detect fraud or money laundering including fraudulent payments and fraudulent use of our services
  • Establish, defend, or enforce legal claims or regulatory investigations
  • Contact you to agree on a contract or a purchase order with you
  • Process the payment of invoices

We use the personal information of employees of suppliers and potential suppliers based on our legitimate interest as the data controller. 

  1. Who do we share your personal information with?
  • Our relevant employees, contractors and/or other suppliers you may be working with as part of our services with you
  • Our digital communications and storage providers
  • IT service providers where there is a requirement for activities to be part of a digital services supply chain
  • If applicable, any company that GHS acquires or that acquires GHS, or any company that GHS may merge with 

There may be scenarios where we are subject to a legal obligation to disclose or share your personal data, such as with law enforcement agencies, regulatory bodies or public authorities in order to prevent or detect crime, or prove we have adhered to their request. We will only ever disclose your personal data to these third parties to the extent we are required to do so by law.

  1. How long will we keep your personal information?

We will only keep personal information for as long as it is needed to fulfil the purpose for which it was collected. This is most likely to be calculated as seven (7) years after your service has ended although may be longer if there are legal or political circumstances which mean we need to keep your personal data for longer.

  1. What are your data protection rights?

You have the following rights in respect of your personal data:

  • Your right of access – You have the right to ask us for copies of your personal information. There is no charge for a reasonable search for your personal information and we reserve the right to charge a fee if the request goes outside of a reasonable search. Within our booking systems we have provided the capability for you to easily make a request of that system by clicking a link in the signature of emails you receive from us if they are from our bookings system. For more sensitive information including any health information we will always request that you verify your identity before we share this with you.
  • Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances including where we are processing your data based on consent.
  • Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

Unless otherwise stated you are not required to pay a charge for exercising your rights. If you make a request, we have one month to respond to you.

Changes or access to the personal information we hold could have significant consequences to someone if it was not them making the request. Due to the nature of being a clinical health care provider, we maintain a risk averse approach to giving access to or updating anyone’s personal information. 

We ask everyone to verify their identity when we receive any rights request. We are allowed to do this in line with what the UK regulator, the Information Commission, says on their website.

You must provide at least 2 forms of identification. We can accept copies of a:

  • Passport
  • Driving licence
  • Utility bill
  • Council tax bill
  • Bank statement bearing your full name and current postal address

To make any data protection requests please email dataprotection@ghs.health clearly stating which request you are making. When we’ve received your request, we’ll send you a written acknowledgement. We may ask for additional information if necessary.

  1. How can you complain to us?

If you want to raise a concern about the way we’ve handled your personal information, you can contact the Data Protection Officer by emailing dataprotection@ghs.health and outlining your concern. 

Where you feel the level of concern is higher and you would like to make a complaint to the UK data protection regulator the Information Commission, we ask that you give us the opportunity to address your complaint before this escalation, although we respect that you may still like to make your complaint to the Commission before coming to us and you do have a right to do so. You can submit your complaint to them by either: 

  • Clicking here to access the ICO complaints tool; or
  • By giving them a call on the ICO helpline: 0303 123 1113. 

Further information about your rights can be found on their website, which can be accessed by clicking here.

  1. How do we protect your personal information?

We take the security of your information very seriously and have put physical, technical, operational, contractual and administrative strategies, controls and measures in place to help protect your personal information from unauthorised access, use or disclosure as required by law and in accordance with accepted good industry practice. We will always keep these under review to make sure that the measures we have implemented remain appropriate.

We use Google Workspace & Google Cloud Platform for the secure storage of personal information processed by us. Through the use of Google services, the organisation is able to provide a high level of security around the storage of highly sensitive personal data which is captured within a high variety of our activities. You can find further security and compliance information in the Google Compliance Resource Centre, Privacy Resource Centre and the Google Cloud & the GDPR pages.

Your personal data may also be stored with specific third-party services for the minimum period necessary to perform activities with your personal information. Each third party is subject to contractual and security reviews to ensure that adequate and comparative levels of security, which we’d expect for ourselves, are provided for the data they process on our behalf.

Unless otherwise specified on this page the types of third-party providers we are likely to share your personal information with so we are able to run our business effectively include:

  • Website services and platform providers
  • IT services organisations 
  • Mass email and storage services
  • Communications services providers
  • Survey platform service providers
  • Client Relationship Management service providers
  • Training and calendar management service providers
  • Transcription service providers
  • Payment processing service provider

All suppliers that use personal data on our behalf have an agreement in place with us no matter where the data is going. This is known as a Data Processing Agreement.

Where appropriate, we may share your personal information with our professional advisers including our lawyers and auditors where it is strictly necessary. It is also possible that we may be required to share your data to comply with applicable laws or with valid legal processes, such as in response to a court order.

  1. How do we protect your personal information if it’s sent to other countries?

It is unlikely that we’ll ever share your personal data outside the UK or the EU. If, however, it becomes necessary or is part of one of the services we offer, we will only share it with organisations in other countries: 

  • Where the UK or European Commission have said the country is ‘adequate’ (this means countries that have a similar level of data protection law as we have in the UK) – the UK and EU are ‘adequate’ for each other;  
  • On the basis of an International Data Transfer Agreement (IDTA) or European Commission Standard Contractual Clauses (SCCs) with an addendum required by the UK (both of these are contracts which require the organisation to use and protect your personal data to the standard we expect within the UK); or
  • Where a supplier shares data with another of their offices located outside the UK and EU, on the basis that they have implemented contractual arrangements called ‘Binding Corporate Rules’. (These need to be verified by data protection regulators and do not allow an organisation to share data outside of their contracted network of suppliers and their own offices).

  1. Cookies

As you interact with our website, we automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies to enhance your experience of our website.

Our website uses cookies for collecting user information which may include IP address, operating system, and browser information. We use persistent cookies to track returning visitors. They expire after 12 months and enable us to compare website traffic from month to month.

Cookies are text files, which identify a user’s computer to our servers. Cookies in themselves do not identify the individual user, just the computer used. You can learn more about cookies by visiting http://www.allaboutcookies.org/.

You can manage and delete cookies through your web browser. Each browser manages cookies differently, but you can learn more about cookie settings in the most common browsers using the links below:

You can also prevent your data from being used by Google Analytics by using the Google Opt-out Browser Add-on, available at this link.

  1. When was this page last updated?

This Privacy Notice was last updated in June 2025.