Privacy Notice

(Updated Tuesday, 14 October 2025)

Civica (“we”, “us”, “our”) is committed to protecting and respecting the rights of all individuals.

This privacy notice covers the following:-

  • Our contact details

  • How Civica collects personal information

  • Civica purposes and lawful bases of personal data processing

  • How we store your information

  • Sharing information

  • International transfers

  • Your rights

  • Rights related requests

  • How to complain

  • Changes to this Privacy Notice

Our contact details

Civica’s global and UK headquarters are located at:

Southbank Central (8th Floor)

30 Stamford Street

London

SE1 9LQ

Civica is registered with the Information Commissioner’s Office, with registration number Z5268164.

If you have questions or comments about this privacy information or how we handle personal data, please direct your correspondence either to the above postal address (marking the envelope FAO – Data Protection Officer), or to DPO@civica.com.

How Civica collects personal information

In order to perform our services we collect (directly from you and/or our customer as data controller) and process the following data:

1. Staff Information

We collect and process the following types of personal data about NHS staff to support workforce scheduling and system access:

Personal and Contact Details

  • Full name

  • Contact information (address, telephone number, email)

  • Employee or staff ID number

Employment and Professional Information

  • Job title and role

  • Department or service area

  • Work location and schedule

System and Access Information

  • Usernames and system credentials (encrypted)

  • Access permissions

  • Audit and activity logs

2. Patient Information

We collect and process the following personal data about patients to support appointment scheduling, care coordination, and service delivery:

Personal and Contact Details

  • Full name

  • Date of birth

  • NHS number

  • Contact details (address, telephone number)

Care and Clinical Information

  • Appointment or visit details (date, time, location, assigned clinician)

  • Service or care team information

  • Type of appointment (assessment, treatment, review, etc.)

  • Clinical specialty (e.g. physiotherapy, speech and language therapy)

  • Scheduling notes or preferences (e.g. home visit required, mobility needs)

Special Category Data

  • Health information relating to the provision of care or treatment

  • Details that may indicate a person’s health condition or disability

3. System and Technical Information

Civica is dedicated to keeping your data safe. We will ensure technical and organisational policies and procedures in place to protect personal data from loss, misuse, alteration or destruction. We ensure that access to your personal data is limited only to those who need to access it, and that those individuals are required to maintain the confidentiality of such information.

Sharing Information

Civica will never sell your data to third parties. We may, however, share your data with third party data processors (“subprocessors”) to provide our services.

These subprocessors have been agreed with, and approved by the data controller. Civica have contracts in place with our data processors. This means that they cannot do anything with your personal data unless instructed to do so. They will not share your personal data with any organisation, and they will hold it securely and only retain it for the period specified.

The third parties used for this application are:

HERE Routing

We use HERE Routing to calculate and optimise travel routes between visit locations. This helps to improve scheduling accuracy and reduce travel time for staff providing care.

  • The data shared is limited to location information (such as visit addresses or postcodes).

  • No patient clinical information or sensitive personal data is shared.

  • Data is processed securely and only for the purpose of route optimisation.

Xycare Integration Engine

We use the Xycare Integration Engine to securely exchange scheduling and workforce data between NHS systems (for example, between the scheduling system and electronic patient record).

  • The data shared may include identifiers such as staff names, roles, IDs, or patient appointment details.

  • Xycare acts as a data processor on behalf of the NHS organisation, ensuring data is transferred securely and in compliance with UK GDPR.

  • All transfers are encrypted and logged for audit purposes.

Your Rights

Under data protection legislation such as the GDPR, data subjects have the following rights regarding the use of their personal data:

Your right of access –You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances.

Your right to object to processing – You have the right to object to processing if we are using legitimate interests as our lawful basis for processing.

Your right to data portability – This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or as part of a contract, or in talks about entering into a contract and the processing is automated.

Your right to withdraw consent – You can withdraw your consent that you have previously given to one or more specified purposes to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. It may mean we are not able to provide certain products or services to you and we will advise you if this is the case.

Rights related request

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it.

No fee is required to make a request unless your request is clearly unfounded or excessive. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.

There are circumstances, where we have an obligation, legal or otherwise, or the right to process your personal information, and therefore your request may be challenged or denied where we believe there is good cause to do so.

How to complain

If you disagree with how your data is being processed, please contact the data controller using the details provided within their Privacy Notice.

You can also complain to the ICO if you are unhappy with how your data is being processed.

The ICO’s address:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Helpline number: 0303 123 1113

Changes to this privacy information.

Civica will occasionally update this privacy information to reflect changes in legislation, our practices and services. When we post changes to this information, we will revise the “last updated” date at the top of this page. If there are any material changes in the way we collect, use, and share personal data, we will notify you by prominently posting notice of the changes below. We recommend that you check this page from time to time to inform yourself of any changes in this privacy information

Summary of changes:

Update Detail
14/10/2025 Privacy Notice Published