BCG Privacy Statement for Processing of NHS Datasets

Introduction

This is the Privacy Statement for The Boston Consulting Group UK LLP (“BCG”, “we”). This Privacy Statement was last updated in November 2023.

BCG understands that your privacy is important. BCG, as a data controller, is committed to protecting your privacy and personal information provided to BCG by NHS England (“NHS”) in accordance with the Data Access Request Service (the “DARS”) application approved by NHS that is available here: https://digital.nhs.uk/services/data-access-request-service-dars. NHS is responsible for collecting and disseminating your personal information to third party organisations such as BCG.

BCG may, in its discretion, amend this Privacy Statement from time to time. To ensure you are able to remain informed about the information we process and how we use it, material changes to our statement will be reflected here.

Information That We Process, and How We Process It

What information do we process?

BCG processes your information, which includes patient information registered in NHS that is categorised as sensitive data; please see the list of data categories that BCG will have access to below. Your information will be received at record level but in a non-identifiable, pseudonymised format, which means it does not allow individuals to be directly identified, and BCG will keep processing your information in a non-identifiable format for the purposes of processing as explained in the DARS and this Privacy Statement.

BCG will have access to the hospital episode statistics, emergency care dataset, community services dataset, diagnostic imaging dataset, mental health services dataset, and patient reported outcome measures dataset. Information included in these datasets will be used for providing the following services as approved by NHS: benchmarking, financial and operational performance analysis, demand and capacity modelling, service evaluation, service analysis, care pathway analysis, hospital feedback services, health economics and outcomes analysis. Please review the next section for further details on the purposes of processing.

How do we process personal information?

Personal information is processed in accordance with applicable information privacy laws, for the legitimate interests¹ pursued by us for the following purposes. The data is maintained in a cloud environment within the UK region. The purposes of processing your personal information are:

  • to support commissioned work of the UK public sector organisations²
  • to improve access and quality of health and social services for UK residents; to benchmark their overall performance within each clinical factor and help prioritise the key areas to focus their resources
  • to create new proprietary tools (advanced analytics) that can benefit NHS organisations
  • to build a clear view of care pathways across clinical specialties and care provision settings and enable identification of gaps and opportunities for effective integrated care provision in England
  • to run financial and operational performance benchmarking across the country
  • to provide information on historic trends in use of care services for establishing accurate baselines and making robust projections.

How We Might Share Your Information

The information may only be shared with the UK public sector organisations mentioned above in aggregated form, and will not be shared onwards to any third party except in the following cases:

  • We may need to transfer personal information to law enforcement agencies, courts, other government authorities or other third parties where we believe necessary to comply with a legal or regulatory obligation.
  • We may securely transfer the personal information to BCG vendors who are bound by privacy requirements, to help operate our business efficiently; to perform IT services, IT infrastructure, business, administrative, and management functions for BCG and cloud storage capabilities. BCG appreciates the confidential nature of personal information and discloses it only as necessary for BCG’s valid business purposes or as required by law as described herein, although whenever possible to do so, information will be anonymized prior to its production.

International Information Protection Standards

Your information will not be transferred outside the UK unless otherwise requested by law.

Retention of Your Personal Information

BCG retains your personal information for so long as is necessary to fulfil the purposes for which it was collected. Following BCG’s standard practice, BCG will retain the personal information during the term of the service that BCG will provide to NHS and/or the above-mentioned UK public sector organisations and delete the data on a continuous basis.

Security Processes

BCG has in place appropriate technological and operational security processes designed to protect personally identifiable information from loss, misuse, alteration, or destruction. Only authorized employees and contractors will have access to any information provided by NHS, and that access is limited by need. Each employee or contractor having access to any personally identifiable information is obligated to maintain its confidentiality.

Compliance with Law

BCG complies with all applicable data privacy laws. BCG may be compelled to surrender personal user or customer information to legal authorities if presented with a court subpoena or similar legal or administrative order, or as required or permitted by the laws, rules and regulations of any nation, state or other applicable jurisdiction. Also, in the event of a violation of the terms and conditions of use of the Site or a violation of any restrictions on use of materials provided in or through the Site, we may disclose personal user information to our affected business partners or legal authorities.

Your Rights

In accordance with applicable data privacy laws, you have rights including:

  • Right of Access. You have the right to ask us for copies of your personal information.
  • Right to Rectification. You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Right to Erasure. You have the right to ask us to erase your personal information in certain circumstances.
  • Right to Restriction of Processing. You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • Right to Object to Processing. You have the right to object to the processing of your personal information in certain circumstances.
  • Right to Data Portability. You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

Since your information will be received in non-identifiable, pseudonymised format, we may not be able to perform certain requests. In such cases, we will communicate your requests to NHS. If you wish to opt out from the use of your data for research or planning purposes, you can view or change your national opt-out choice at any time via the NHS online service at www.nhs.uk/your-nhs-data-matters.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. You also have a right to lodge a complaint with a relevant supervisory authority; please see further information here: https://ico.org.uk/make-a-complaint/

Contact Us

For any questions regarding this Privacy Statement, you may contact the appropriate information protection point of contact:

Information Protection Office
The Boston Consulting Group UK LLP
80 Charlotte Street
London W1T 4DF
United Kingdom

1. Article 6(1)(f) of the UK GDPR as well as the Article 9(2)(j) as the processing is necessary for scientific research purposes or statistical purposes in accordance with Article 89(1) and the Schedule 1 (Part 1)(4) of the UK DPA 2018, subject to Section 19(4)(b)(ii) UK DPA 2018.

2. Department for Health and Social Care (DHSC) and its agencies and partner organisations, including NHS England, Care Quality Commission, UK Health Security Agency, NICE and MHRA, and local and regional NHS bodies, including NHS Trusts, Commissioning Support Units (CSUs) and Integrated Care Systems (ICSs)