We collect and use personal information to:

  • Deliver our products and services to customers
  • Enter into and maintain contracts with customers and suppliers
  • Recruit and administer staff

More detail about what personal data we hold and how we use it is provided below with links to further information.

We process personal information about:

  • Patients
  • Visitors to our website
  • Customers and other business contacts
  • Suppliers
  • Job applicants
  • Current and former employees


We process patient data to help healthcare organisations achieve sustainable improvements in their performance. We receive anonymised and pseudonymised patient data from NHS Digital and, for some services, directly from our customers.

We are a data controller for the anonymised and pseudonymised patient data sent to us by NHS Digital:

HES data relating to you will be shared back to your healthcare provider if they are a customer of Dr Foster with access to certain of our tools. Though we cannot identify you in the HES data your healthcare provider will be able to do so. Statistics and analysis based on the whole HES dataset held by us will be available for all customers for purposes such as benchmarking. HES and SHMI will also be used to inform research and insight that we publish. For more information please see our HES and SHMI patient privacy notices. You can manage your health data choices through the NHS.

For some services we act as a data processor under the instruction of our customers. We use the minimum data necessary to produce the best results, subject to the strict terms of an agreement and outlined in that provider’s privacy information.

NHS patient personal data is not processed outside of the UK or EEA.

Visitors to our website

We use cookies on our website to analyse traffic and improve the way it works. The cookies are anonymised and not used to identify individuals. You can control cookies settings in your browser. Our cookies notice has more details.

Customers and other business contacts

We collect information about people when they contact us to enquire about our products and services and during the course of any contract they may take with us. This will include contact details and correspondence. We use this information for contracts administration, to deliver services to customers, to keep people updated about Dr Foster products and services, to monitor usage of tools for security and to inform development.

We also collect usage statistics for our tools for security and to inform development. Processing this security information is necessary to fulfil the terms of our contracts and to meet obligations under the General Data Protection Regulation (GDPR), the NHS Data Security and Protection Toolkit and our ISO 27001 certification.

We also process information about current and prospective clients to keep them informed of our products and services through marketing messages. You can opt out of direct marketing from us at any time. Each direct marketing message from us includes an opt-out button. Customers can also manage their communication preferences through My Dr Foster.

We collect prospective customer data from a number of sources, through recommendations, public directories, networking events and from Oscar Research, a compiler of public sector contact information.

Correspondence through Outlook is processed through Microsoft Office 365. This is processed on servers in Australia. We use Mailchimp to manage mailing lists. Mailchimp is based in the USA and is certified to the EU-U.S. Privacy Shield Framework.

Our customer privacy notice has more information.


We process contact details and correspondence relating to current, former and prospective suppliers. This includes correspondence about how suppliers meet their data protection and security obligations. The information is processed to negotiate and enter into contracts and to provide evidence of compliance with our legal and contractual obligations.

Correspondence through Outlook is processed through Microsoft Office 365. This is processed on servers in Australia.

Job applicants

We receive queries and CVs related to job vacancies either directly from candidates or from recruitment agencies. We use this information to complete the recruitment process, to monitor statistics and to provide assurance that the process is run fairly. We keep candidates informed of when we need references from third parties. References are managed through a third party agency.

We process job application data as necessary to take steps prior to entering into a contract and for the performance of a contract with successful applicants. We process special category data, relating to health and ethnic background for example, to meet legal obligations relating to employment and to safeguard your fundamental rights.

For unsuccessful candidates we keep copies of application information, such as CVs and covering letters, for up to one year after the end of the recruitment process for the advertised vacancy. The information is retained as part of our commitment to monitoring equality and diversity and to provide assurance that the process is run fairly. It is also retained so that we can consider applicants for similar vacancies during that time.

We keep anonymised statistics about candidates to inform and improve our recruitment process. We will not be able to identify individuals from these statistics.

Information relating to successful candidates will be transferred to an employee file once they start work with us.

Data relating to job applications is processed through Microsoft Office 365. This is processed on servers in Australia.

Current and former employees

Employees are provided with a detailed notice about how we use their information. This is provided when they join the company and is available to current staff on our intranet. We also hold information provided to us by employees about next of kin and emergency contacts. Data on employee files for former employees are kept for six years after the end of employment except where required for longer (for example, when necessary to comply with obligations under the Health and Safety at Work Act 1974).

Your rights

You have a number of rights relating to your personal information including:


You have the right to request a copy of any personal information we hold about you. We won’t be able to identify you from the pseudonymised and anonymised data from NHS Digital but you can make a subject access request directly through them.


You have the right to request the correction of any information we hold about you. If you believe that any data we hold about you is incomplete then you also have the right to request that we complete this.


This is also known as the right to be forgotten. You can request that your personal information is erased if it is no longer necessary for us to keep it, or you withdraw consent that you have previously provided, or you object and there are no overriding grounds to keep it or if it is unlawful to continue to keep it.


You can request that the use of your personal information is limited to storage only and that we use it for no other purpose in certain circumstances.


You have the right to object to us processing your data where we are doing so on the basis of legitimate interests.


If you have provided information on the basis of your consent or for a contract then you can request that we send a digital copy to you or directly to another organisation. This only applies where the processing is automated.

You can make a request to us using the contact details below. We must respond to you within one month. You can manage your patient data choices at NHS your data matters. The Information Commissioner’s Office website has more information about your personal data rights.

Disclosures to third parties

In exceptional circumstances we may be asked to share information with police or other investigators, if it would prevent or detect crime or safeguard a person’s wellbeing. Each instance will be judged on its own merit and any sharing of information will be done within the law.

How to contact us

For general enquiries please call +44 (0)20 7332 8800 or write to Dr Foster, 3 Dorset Rise, London, EC4Y 8EN.

If you have a query about your personal information rights then please contact our Data Protection Officer by email on or by post at: Information Governance, Dr Foster, BioCity Nottingham, Pennyfoot Street, Nottingham, NG1 1GF.

How to complain

If you feel that we have let you down in relation to your information rights then please contact our Data Protection Officer using the details above.

You can also make complaints directly to the Information Commissioner’s Office (ICO). The ICO is the independent authority upholding information rights for the UK. Their website is and their telephone helpline number is 0303 123 1113.