Privacy Notice

This Privacy Notice explains how Outcomes Based Healthcare Ltd (“OBH”, “we”, “us”, “our”) collects, uses, and protects your personal information when you interact with us through our website or as a client. OBH is committed to transparency and compliance with all relevant data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Company details

Outcomes Based Healthcare Ltd (part of RCI Group)

Registered address:
11-13 Cavendish Square,
London,
W1G 0AN

Company registration number:
08489908

ICO registration number:
ZA098768

Data Protection Officer (DPO):
rci-dpo@rcigroup.co.uk

What Personal Data We Collect

We collect and process personal data in the following situations:

  • Website newsletter subscriptions and contact forms: Name, email address, and any information you provide in your message.
  • Job applicant data: Name, contact details, CV, cover letter, and any other information you submit as part of your application.
  • Client communications and feedback: Name, contact details, and any other information necessary to communicate with you or collect your feedback.
  • Website usage data: Information collected via cookies and analytics tools (see “Cookies” section below).

We do not collect or control patient data directly. When we process patient data, we do so solely on behalf of NHS England, acting as a data processor. For information about how patient data is handled, please refer to NHS England’s privacy notice.

Purposes and Legal Basis for Processing

We process your personal data for the following purposes and legal bases:

PurposeLegal Basis (UK GDPR)
Responding to website enquiries and contact formsLegitimate interests (Article 6(1)(f))
Sending newsletters or marketing communicationsConsent (Article 6(1)(a))
Processing job applicationsContract/steps prior to entering contract (6(1)(b)); legal obligation (6(1)(c))
Managing client relationships and feedbackLegitimate interests (6(1)(f)); contract (6(1)(b))

Where we rely on consent (e.g., for marketing), you may withdraw your consent at any time by contacting us.

Data Sharing

We do not sell or share your personal data with third parties for their own purposes. We may share your data with:

  • Service providers who support our business operations (e.g., IT, email, or web hosting providers), under strict confidentiality and data protection agreements.
  • Regulatory bodies or law enforcement if required by law.

International Data Transfers: We use Google Workspace to store and process personal data, therefore your information may be transferred to and stored on servers located outside the UK and European Economic Area (EEA). Where such transfers occur, we ensure appropriate safeguards are in place to protect your data. Google relies on Standard Contractual Clauses (SCCs) and participates in the Data Privacy Framework, which are recognised mechanisms under UK and EU data protection law for ensuring that your personal data remains protected to a standard essentially equivalent to that in the UK/EEA. We regularly review these arrangements to ensure ongoing compliance. If you would like more information about these safeguards, please contact us using the details below.

Data Security and Retention

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse.

  • Files are encrypted both in transit and at rest.
  • Devices accessing personal data are required to use encryption.
  • Access to job applicant data is restricted to only those staff who need it for their role.
  • Multi-factor authentication (MFA) is enabled for all staff accounts.
  • All staff receive regular information governance (IG) training.
  • We have a clear data deletion policy to ensure personal data is not kept longer than necessary.
  • Quarterly IG meetings are held to review and improve our data protection practices.

We retain your personal data only as long as necessary for the purposes for which it was collected, or as required by law. Specifically, persona; data relating to any job application process is deleted within 12 months of receipt.

Your Rights

You have the following rights regarding your personal data:

  • Your right of access – You have the right to ask us for copies of your personal data.
  • Your right to rectification – You have the right to ask us to rectify personal data you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Your right to erasure – You have the right to ask us to erase your personal data in certain circumstances.
  • Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal data in certain circumstances.
  • Your right to object to processing – You have the right to object to the processing of your personal data in certain circumstances.
  • Your right to data portability – You have the right to ask that we transfer the personal data you gave us to another organisation, or to you, in certain circumstances.
  • Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent.

To exercise these rights, please contact us our DPO at rci-dpo@rcigroup.co.uk. You also have the right to complain to the Information Commissioner’s Office (ICO).

Cookies

Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of this website and to compile statistical reports on website activity. For further information visit www.aboutcookies.org or www.allaboutcookies.org. You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However, in a few cases some of our website features may not function as a result.

Our website uses cookies to improve your experience and collect anonymous statistics.

  • Essential cookies are required for the website to function.
  • Non-essential cookies (e.g., analytics) require your consent.

Third-party cookies: We may use third-party service providers (such as Google Analytics) to help us analyse how our website is used. These providers may set their own cookies on your device. We do not control the use of these third-party cookies and recommend you review the privacy policies of these providers for more information.

Changes to This Privacy Notice

We review our privacy notice regularly. Any updates will be posted on this page.

Last reviewed: 13 May 2025

Contact Us

If you have any questions or concerns about this Privacy Notice or your data, please contact:

Email:
rci-dpo@rcigroup.co.uk

Address:
Outcomes Based Healthcare,
11-13 Cavendish Square,
London,
W1G 0AN

This Privacy Notice does not cover employee or contractor data. For employee privacy information, please refer to our internal staff privacy notice.