HDRS Privacy Notice
Last updated: 03/07/2026
Health Data Research Service Limited (HDRS) is a private limited company wholly owned by the Department for Health and Social Care. Its aim is to provide a secure, single access point to national-scale health datasets for research, innovation and improved public outcomes.
At the date of publication of this privacy notice, HDRS does not process any health datasets. This privacy notice covers HDRS’ current data processing activities and will be updated in compliance with Data Protection Laws to reflect HDRS’ data processing activities over time. HDRS is committed to ensuring the highest levels of data protection and security, and in maintaining public trust.
1. Who we are and what we do
- HDRS is a limited company wholly owned by the Department of Health and Social Care. We are registered in England and Wales with company number 17304295. Our registered office is c/o Wellcome Trust Gibbs Building, 215 Euston Road, London, United Kingdom, NW1 2BE.
- This privacy notice applies to the personal data we collect about you through our website, by post, by telephone, by social media and when you otherwise communicate with us. It explains your rights and gives you the information you are entitled to under the Data Protection Act 2018, the UK General Data Protection Regulation and the Data (Use and Access) Act 2025 (the Data Protection Laws). Amongst other things, it sets out who we are, what we do and how we handle and use personal data. Any use of “we”, “us” and “our” in this privacy notice refers to HDRS.
- We are registered as a data controller with the Information Commissioner’s Office (ICO), and our registration number is ZC186108.
2. How to contact our Data Protection Officer
- HDRS’ Data Protection Officer (DPO) can be contacted:
- By email: DPO@hdrs.com
- By post: c/o Wellcome Trust Gibbs Building, 215 Euston Road, London, United Kingdom, NW1 2BE
3. What data we collect
- When you contact us or make an enquiry through our website, social media channels, by email or by any other means, or if you enter into a contract to provide goods, services, or contingent labour to HDRS, we may collect, use, store and transfer different kinds of personal data about you. Primarily this personal data comprises your name, email address, social media identifiers and any other personal data that you provide in your correspondence with us.
- We do not collect or use ‘special category’ (or sensitive) personal data, such as health data, except where it is provided voluntarily to us in the context of a query or complaint made by you.
- Each time you visit our website, we may automatically collect the following information:
- web usage information (e.g. IP address), browser type and version, time zone setting, operating system and platform; and
- information about your visit, including the URL clickstream to, through and from our website (including date and time); time on page, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks and mouse-overs).
- Please see our Cookie Policy for more information on cookies used, and instructions on how to opt out.
4. How we use your data
We use your personal data for the following purposes:
- to respond to any enquiries that you send us, if you have asked us for a response;
- to gather data for market research purposes to shape our work;
- to send you relevant marketing communications by email if you are part of our mailing list;
- to respond to requests under the Freedom of Information Act 2000 (FOI Request);
- to monitor use of the website including to identify any security threats;
- to support recruitment processes;
- to manage contracts to provide goods, services, or contingent labour to HDRS;
- to monitor the performance of our website to identify inefficiencies and errors; and
- to notify you about changes to this privacy notice.
5. Our lawful basis for using your data
Under the Data Protection Laws, we must identify a lawful basis to process your information. We rely on the following:
- Public task: In most cases, as a government-owned company, HDRS may process personal data necessary for the performance of a task carried out in the public interest or in the exercise of official authority, including but not limited to handling your general contact queries and complaints.
- Legitimate interests: We rely on legitimate interests to process personal data collected via cookies that are strictly necessary, where our legitimate interest is to maintain the operation and security of the website.
- Legal obligation: Sometimes, we may need to process your data to comply with a legal or regulatory obligation such as when you submit an FOI Request.
- Contract: If you have entered into a contract with HDRS, we will process the necessary data required to perform the contract.
- Consent: We rely on consent to:
- send you marketing emails if you are part of our mailing list; and
- process personal data collected via cookies which are not strictly necessary (e.g. analytics) and location data.
6. Where your data is held and shared
- Your information is stored on secure servers located within the UK, protected by strict access controls.
- We may share your personal data with you, and where appropriate, your family, your associates and your representatives.
- We may share your personal data with any member of our group which means our subsidiaries as defined in section 1159 of the UK Companies Act 2006.
- We may disclose your personal data to law enforcement agencies, the courts or regulators to the extent necessary for purposes including preventing, investigating, detecting, and prosecuting criminal offences; preventing threats to public security in accordance with applicable law; or validating a claim.
- We may share your personal data with carefully selected third parties. These may include service providers, support services, joint event hosts and organisations that help us to market our services and third parties instructed to enable us to fulfil our contractual obligations to you in the course of business.
- The third parties include:
- business partners, professional advisers, suppliers and sub-contractors for the performance of any contract we enter into with them or you;
- analytics and search engine providers that assist us in the improvement and optimisation of our website;
- government bodies including the Department of Health and Social Care, in order to comply with our regulatory obligations and to help resolve complaints or other issues;
- agents we engage to perform functions on our behalf including sending communications, analysing data, providing marketing assistance, processing payments, researching customer satisfaction, and providing customer service. They have access to personal data needed to perform their functions, but may not use it for other purposes; and
- any third party you ask us to share your personal data with.
The list above is not exhaustive.
- If we share your personal data with third parties, they will process your information as either a data controller or as our data processor and this will depend on the purposes of our sharing your personal data. We will only share your personal data in compliance with Data Protection Laws.
- We may also pass aggregated data on the usage of our site (e.g. we might disclose the median ages of visitors to our site, or the numbers of visitors to our site that come from different geographic areas) to third parties but this will not include information that can be used to identify you personally.
- If a business transfer or change of business ownership takes place or is envisaged we may transfer your personal data to the new owner (or a prospective new owner). If this happens, you will be informed of this transfer.
7. How long we keep your data
- We will keep your personal data for no longer than is necessary for the purposes for which it was obtained. The criteria for determining the duration for which we will retain your personal data are as follows:
- we will retain your personal data in a form that permits identification only for as long as:
- we maintain an ongoing relationship with you; or
- your personal data is necessary in connection with the lawful purposes set out in this policy for which we have a valid legal basis.
plus
- the duration of:
- any applicable limitation period under applicable law (i.e. any period during which any person could bring a legal claim against us in connection with your personal data, or to which your personal data may be relevant); or
- an additional reasonable period following the end of such applicable limitation period.
and
- in addition, if any relevant legal claims are brought, we may continue to process your personal data for such additional periods as are necessary in connection with that claim.
- we will retain your personal data in a form that permits identification only for as long as:
- During the periods in paragraphs (2)a and (2)b above, we will restrict our processing of your personal data to the storage of, and maintaining the security of, that data, except to the extent that those data need to be reviewed in connection with any legal claim or obligation under applicable law.
- After this period your personal data will be anonymised so that you are no longer identified or identifiable from such information, or securely deleted/destroyed.
- Any third parties that we engage will keep your data stored on their systems for as long as is necessary to provide the relevant services to you or us. If we end our relationship with any third party providers, we will make sure that they securely delete or return your personal data to us.
- We may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
8. Marketing
- If you sign up to our mailing list, we may use your personal information to send you information about HDRS that may be of interest to you. If you do not want to receive it, you can let us know at any time by following the unsubscribe link in any marketing emails that you receive or by contacting us at DPO@hdrs.com.
- If you opt out of receiving marketing communications, you will still receive communications that are essential for administrative purposes for example relating to updates to this privacy notice.
9. International transfers
We do not transfer your personal data outside of the UK.
10. Your rights over your data
Under certain circumstances, you have certain rights regarding your personal data. You have the right to:
- Be informed: You have a right to be informed about how and why we use your personal data.
- Request access: You can ask for a copy of the personal data we hold on you, known as a subject access request.
- Request correction: If we hold inaccurate information about you, let us know and we can update it.
- Request that your personal data is erased: You can ask to have your personal data that we hold on you erased if there is no good reason for us continuing to process it. This is not an absolute right, as we have to balance requests against other factors like legal or regulatory requirements.
- Request restriction: You can ask us to stop using your personal data in certain circumstances. For example, you can do this if you have objected to your data being processed where the lawful basis is legitimate interests.
- Request transfer: You can ask us to transfer your personal information to you or a third party of your choice.
- Object to processing: You can object to any processing where we rely on legitimate interests (or those of a third party) to process your data.
- Withdraw consent: You can withdraw your consent at any time where we are relying on consent to process your personal data.
Automated Decision-Making: You will be informed if we use automated decision making or profiling, and you have the right to request human intervention, express your view, and challenge the decision.
In almost all circumstances, you can exercise any of these rights free of charge. However, in circumstances where your request for access is unfounded or excessive, we reserve the right to charge you a reasonable administrative fee or simply refuse to respond.
Handling your requests:
- We may ask for proof of identity when you make a request to make sure we are processing the correct data.
- We aim to respond to all valid requests within one month. If the request is particularly complicated or if you have made several requests, it may take us longer than one month but we will always let you know.
- We may not always be able to do what you have asked. This is because your rights will not always apply, for example, if it would impact the duty of confidentiality we owe to others, or if the law allows us to deal with the request differently.
- We will always explain to you how we are dealing with your request.
11. Contact us
- We have appointed a Data Protection Officer (see details above) who is responsible for overseeing questions in relation to this privacy notice.
- If you have any questions about our use of your information, or if you wish to exercise any of your rights in relation to your personal information, please contact the Data Protection Officer at DPO@hdrs.com.
12. Complaints
- If you have concerns or wish to make a complaint about how we process your personal data, you can submit your complaint by email to the Data Protection Officer at DPO@hdrs.com. We will acknowledge your complaint within 30 calendar days of receipt. We will respond to your complaint without undue delay and aim to resolve all issues promptly.
- You also have the right to lodge a complaint with the ICO (or any successor body). For more details, please visit the ICO website.
13. Updates to this privacy notice
This privacy notice may change from time to time, and if it does, the up-to-date version will always be available on our website. We will also tell you about any important changes to our privacy policy.