i5 Health Privacy Policy

i5 Health Limited (“i5”) is a UK-based health and social care analytics provider committed to properly addressing applicable data protection requirements in a way that is transparent, responsive, and reliable. These are met and relate to the controlling and processing of personal data, under data protection, privacy and security laws and legislation, including, without limitation and to the extent applicable from time-to-time,
(i) national laws implementing the EU Data Protection Directive (95/46/EC) and the EU Privacy and Electronic Communications Directive (2002/58/EC),
(ii) the General Data Protection Regulation (EU) 2016/679 (GDPR), and
(iii) all other applicable international, regional, and/or national data protection laws and regulations (“Data Protection Laws”).

i5 helps health and social care organizations (“Customers”) make best practise decisions, always keeping in mind the sensitivity of the data we process and control. This information is Secondary Uses Services (SUS) and Hospital Episode Statistics (HES) data, provided under agreement with NHS Digital. We host the SUS and HES data in a UK data centre alongside i5’s intelligent analytics platform. The SUS and HES data is run through the analytics platform in a manner designed to limit display of the data to only that which is necessary to deliver the state-of-the-art analytics, in a meaningful business context, in the fulfilment of a positive outcome – advanced health and social care data orchestration.

i5 uses historic SUS and HES data to develop algorithm tools that can be applied to other health data by i5 or by Customers such as Commissioning Support Units (CSUs) which provide technical support for CCGs, Clinical Commissioning Groups (CCGs ) which are the organisations that commission health support activities from clinicians, GP practices and Hospital Trusts to produce reports used for decision making in the NHS. Included amongst the algorithms are those referred to as Commissioning Opportunity (COP), Diagnosis Stratification (DST), Targeted Social Prescribing (TSP) and Coronavirus Health Risk Calculator.


This i5 Privacy Policy (“Policy”) provides the individuals and entities who access and receive i5 services (“You”) with certain important information about how the Company handles personal data (including sensitive health-care information). i5 is a controller alongside NHS Digital, with whom it contracts for the provision of pseudonymised SUS and HES data, and is a processor of this data. We supply analytics of SUS and HES data via secure online access for Customers, and this website is not accessible to the public nor to any non-Customers.

i5 is a data analytics entity that works in the UK with health and social care providers; these Customers include NHS providers, commissioners, and national bodies. Where an i5 client is an independent sector provider, data is only used in support of NHS-commissioned work. Our objective is to provide reports, dashboards and tools for commissioning activities, operational and financial analytics, comparators and indicators, SUS and HES data quality verification and other mission critical insights as requested and directed by Customers.

In this Policy is explained the purposes for which data is collected and the lawful bases for controlling and processing activities. This Policy provides information on rights with respect to personal data, and in the Contact section below whom to contact at i5 regarding data protection issues and/or concerns.

Personal data means any information that relates to an identified or identifiable individual – in the context of i5 activities, all SUS and HES data provided to i5 is pseudonymised first, and the identification of an individual patient is highly unlikely if not impossible in most cases. i5 does not share any information that could identify individuals. Any SUS and HES data is shared only for the planning, evaluation, commissioning, and/or provision of health and social care pursuant to the contract with NHS Digital, end-user Customer contracts, and applicable Data Protection Laws. By accessing this i5 website, You agree to this Policy.


i5 is data recipient and controller of SUS and HES data provided by NHS Digital. Its contact details are as follows:

i5 Health Limited
2 Cedar Grove
London W5 4AP


i5 conducts processing at the address above. i5 receives SUS and HES data directly from NHS Digital, which may be related to patients of a General Practice (GP) who may or may not be part of a Clinical Commissioning Group (CCG) that i5 has a contract with as a Customer.

Pseudonymised patient information that i5 processes does not include patient name, address, date of birth, email address, telephone number, gender, NHS number, health data, genetic data, and biometric data. Identifying information is removed before the SUS and HES data provided to i5. In the vast majority of cases only NHS Digital could know the identity of any given individual. i5 generates no secondary data sets, makes no attempt to identify individuals and in every instance of controlling and processing SUS and HES data endeavours to have no risk of identification arise. I5’s processing of SUS and HES data for Customers is purely to inform and improve the NHS with respect to patient, health, and social care.


i5 collects SUS and HES data, under contract with NHS Digital, which is, pseudonymised patient, hospital, health and social care information. Personal identifiers are omitted, and the information is with respect to SUS and HES Admitted Patient Care, Outpatient, and Accident and Emergency.


In order to process SUS and HES data fairly and lawfully, i5 must have a lawful bases for processing activities. i5’s legal bases for processing HES data are covered under Article 6(1)(f) and Article 9(2)(j) of the GDPR. The legitimate interests include assisting end-user Customers with the access and use of i5 analytics products and services, and the development of the same – which i5 considers to be in the public interest as well as of critical value to end-user Customers.


i5’s legitimate interests are a necessary and lawful bases for processing and controlling SUS and HES data, as they enable i5 to assist Customers with the access and use of i5 analytics products and services, and the development of the same. i5 considers access to its analytics to be in the public interest as well as of critical value to end-user Customers, so they can better understand their patient pools and make better health and social care decisions. Legitimate interests also include for i5, as a commercial for-profit company, to continue as a leading provider of leading analytics in the UK, and as well to support compliance with the clinical and non-clinical performance expectations of the NHS.

The purpose of i5 solutions includes, though not limited to, utilization by Customers to produce baselines for innumerable outcome metrics derived from key data combinations, to support better use of resources, staff, and services, ultimately resulting in better health and social care outcomes. It is important to note that access to SUS and HES data by i5’s Customers is only ever to aggregated data, with numbers suppressed in line with ICO standards, and pseudonymisation always occurring prior to transfer of SUS and HES data to i5.

We firmly believe that i5 processing activities are a necessary, targeted, and proportionate means of achieving the purposes of the legitimate interests outlined above, and these interests are not overridden by moral or ethical issues, and balance against any impact on individual rights. i5 uses the least intrusive means possible to achieve the analytics it provides to Customers, strictly within the UK only. The risks of any data breach are clearly understood by i5, which is why i5 require SUS and HES data to be pseudonymised before it is provided to the company, and we do not require access to the encryption key in order to process SUS and HES information.

The solutions that i5 delivers are limited to the Customers like CCGs, care quality commission registered providers, public health departments, and similar health care providers within the UK. Our objective for processing is to provide commissioning activities, operational and financial analytics, comparators and indicators, data quality validation, and other critical insights as requested and directed by Customers on the basis of the pseudonymised SUS and HES data.


SUS and HES data is health data, and thus is to be treated with extra care and all personal information retained, disposed of and pseudonymised to ensure the greatest attention is given to i5 responsible controlling and processing of the same. Safeguards are in place at every level of SUS and HES data treatment in line with laws, rules, regulations, and legislation relevant to i5’s activities. Policies such as incident response, security escalation, breach notification, and the like are regularly reviewed and updated to conform with Data Protection Laws and i5’s own efforts to ensure the HES data it handles is protected with best practice corporate governance.


The SUS and HES data i5 collects and applies analytics to is accessed by Customers only through this website, and is only used for the purpose of providing those services for which the Customer has engaged i5. These services include presenting the website and its contents to You, maintaining and improving i5 products and services, and assisting with statistical analysis to benefit health and social care decisions. We provide reports to Customers (“Client Reports”), and these Client Reports are aggregate statistical reports provided to organisations that relate to overall service delivery information, trends within and across organisations.


i5 maintains a rolling seven (7) full years of data and the oldest year is destroyed on receipt of the latest year. At the end of a retention period, i5 removes expired data, and can provide appropriate destruction certificates. Data is retained only for so long as necessary for the purposes set out herein and as agreed with Customers, and complies with data deletion requests.


i5 maintains a robust cache of safeguards to protect SUS and HES data from loss, interference, misuse, unauthorized access, disclosure, alteration, or destruction. We also maintain regularly updated procedures to help ensure that the analytics of SUS and HES data are completely reliable for i5 Customers’ intended use. i5 conducts automated assessments to operationalize privacy by design, and regularly reviews its Data Privacy Impact Assessments to self-evaluate, always improving where possible the security and protection of the data We process, to reflect best practice – with respect to every aspect of SUS and HES data transfers, contracting, risk control, and complying with Article 35 of the GDPR and Data Protection Laws generally.


Customers may contact i5 by following the instructions below in the “Contact Information” section to request deletion of data, or to withdraw consent to processing, in accordance with applicable Data Protection Law. We might be unable to comply with such a request where doing so would place us in breach of obligations under applicable rules, regulation, codes of practice, or Data Protection Law. In the event correction of HES data is requested, contact must be made with NHS Digital. As the SUS and HES data i5 holds is pseudonymised and not individually identifiable, i5 is not able to process requests to access individual data or transfer it (data portability). A subject access request (SAR) and issues related to access, correction, erasure, and restriction can be raised directly with NHS Digital.


i5 keeps this Policy under regular review. We will update this Policy to reflect variations to Our information practices, and any relevant regulatory changes. We encourage You to periodically review this Policy to learn of any changes to how We treat the personal information of visitors to the website. If We decide to use personal data provided by Customers in a manner that is materially different from the uses described in this Policy or otherwise disclosed to You, You will have the choice to allow or disallow any additional uses or disclosures of data. We will not make retroactive changes that reduce privacy rights unless We are legally required to do so.


Under data protection legislation, You have the right to make a ‘subject access request’ to gain access to personal data about You that we hold. If You make a subject access request, and if we hold personal data about You, we will:
• Tell You what it is
• Tell You why we are holding and processing it, and how long we will keep it for
• Tell You who it has been, or will be, shared with
• Let You know whether any automated decision-making is being applied to the data, and any consequences of this
• Give You a copy of the information in an intelligible form
If You would like to make a request, please contact support@i5health.com.


You also have the right to:
• Object to processing of personal data that is likely to cause, or is causing, damage or distress
• Prevent processing for the purpose of direct marketing
• Object to decisions being taken by automated means
• In certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed
• Claim compensation for damages caused by a breach of the Data Protection regulations
To exercise any of these rights, please raise this, in the first instance, with the Data Protection Officer who can be contacted at support@i5health.com or by mail at the registered office address. Alternatively, You can make a complaint to the Information Commissioner’s Office:
• Report a concern online at https://ico.org.uk/concerns/
• Call 0303 123 1113
• Or write to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF