Hanley Health Ltd privacy notice for Surgery Assist (Previously EDATT)

This privacy notice tells you what to expect us to do with your personal information when you use Surgery Assist V5.

Our contact details

Name: Hanley Health Ltd

Address: One Park Lane Hemel Hempstead Hertfordshire HP2 YL

General phone number: 0800 470007

General enquiries email address: [email protected]

Website: https://hanleyconsulting.co.uk/

We are the controller for your information. A controller decides on why and how information is used and shared.

Data Protection Officer contact details

Our Data Protection Officer duties are provided by Curistica Ltd and they are responsible for monitoring our compliance with data protection requirements. You can contact them with queries or concerns relating to the use of your personal data at [email protected].

How do we get information?

The personal information we collect is directed by your interaction with Surgery Assist V5.

We collect information in two ways:

  • Information you provide to us directly, voluntarily and with consent.

  • Information we collect automatically when you use our services.

Why do we need the information (Purpose)?

We process anonymous data to ensure the safe, effective, and reliable operation of our digital assistant services. Specifically, this includes:

  • Providing you with the service: The service requires input and data from you, as the user, to provide you with the appropriate benefits.

  • Ensuring Clinical Safety: To monitor and review the safety of our service in line with applicable healthcare standards, and to investigate any safety-related incidents.

  • System Monitoring: To maintain the stability, functionality, and performance of the service across different devices and sessions.

  • Service Improvement: To analyse how the service is used in order to enhance the accuracy of responses, improve user experience, and update the underlying knowledge base.

  • Usage Analytics: To understand general trends in user behaviour, such as common queries and usage patterns, and to inform future development.

  • Support and Incident Response: To investigate and resolve technical issues or complaints, including reviewing past interactions where necessary.

What information do we collect?

Information you provide to us directly and voluntarily

We collect, only with your explicit and informed consent, the following personal data when you submit feedback to us through the digital assistant:

  • Your name

  • Your contact information

Information we collect automatically

We currently automatically collect and use the following information:

  • Organisation Data Service (ODS) Code – the unique identifier of the GP practice which is hosting the Surgery Assist V5 software

  • Device information (e.g. mobile, tablet, desktop)

  • Operating System information

  • Browser information

None of the data we automatically collect directly identifies you; it is considered anonymous data.

More sensitive information

Through interaction with the digital assistant, you may enter data which is more sensitive (e.g. about your health or sexual orientation) in order for the digital assistant to provide information about relevant health services to you.

This information is termed special category data under GDPR. However, any special category data we collect about you is anonymous. This means that you cannot be identified from the information you have provided.

Who do we share information with?

We may share aggregate information with the following types of organisations:

  • Our data processors – Microsoft Azure

  • Your GP Practice

We may share anonymous sensitive information with the following types of organisations:

  • Our data processors – Microsoft Azure

We have contracts in place with our processors to ensure they meet UK GDPR standards, including obligations of confidentiality and data security.

In some circumstances we are legally obliged to share information. For example, we will share information if the public good outweighs your right to confidentiality. This could include:

  • where a serious crime has been committed

  • where there are serious risks to the public or staff

  • to protect children or vulnerable adults

Is information transferred outside the UK?

Our data is hosted and processed in the UK only and is not sent to any other location, even for fall-back purposes in case UK servers are down.

What is our lawful basis for using information?

Information you provide to us directly and voluntarily

Under the UK General Data Protection Regulation (UK GDPR), the lawful basis we rely on for using personal information is Article 6(1)(a): consent.

When submitting feedback, if you choose to include your name and contact information you are consenting to us using that information for the purposes of investigating your feedback and contacting you with the outcome, if appropriate.

We will not use your personal information for any other purpose, save for when we are legally required to do so.

Information we collect automatically

As the data is anonymous, no lawful basis is required for collection of the data.

More sensitive data

As the data is anonymous, no lawful basis is required for collection of the data.

How do we store your personal information?

Your information is stored securely on Microsoft Azure UK South (London area) servers owned by Hanley Health Ltd and managed by Microsoft UK.

We retain anonymous data for up to 3 years to support clinical safety investigations, technical auditability, and service performance monitoring.

We will then securely dispose of your information by secure destruction to legal standards.

What are your data protection rights?

Under UK GDPR, you have the following rights:

  • Your right of access – You have the right to ask us for copies of your personal information.

  • Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

  • Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.

  • Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.

  • Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.

  • Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

In most cases, however, we process data in an anonymous form, which means we cannot identify individuals.

While we do not collect identifying information such as names or email addresses for the majority of our processing, if a user provides sufficient information for us to be able to identify and authenticate their session, we will consider requests for erasure or other rights under UK GDPR where feasible.

Where we cannot reasonably identify the individual from the data we hold, we may not be able to act on certain rights requests, in accordance with Article 11 of the UK GDPR.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at [email protected] if you wish to make a request.

How do I complain?

If you have any concerns about our use of your personal information, you can make a complaint to us at [email protected].

Following this, if you are still unhappy with how we have used your data, you can then complain to the ICO.

The ICO’s address is:    

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

Date of last review: 12/06/2025

Date of next review: 12/06/2026

