Privacy notice – Health Insights

1. Background

Our Future Health will be the UK’s largest ever health research programme. It is designed to help people live healthier lives for longer through the discovery and testing of more effective approaches to prevention, earlier detection and treatment of diseases. As part of the programme, we have committed to offering participants information about their health and risk of disease (“Health Insights”).
 
This privacy notice explains how we process and protect the personal data of participants when sharing Health Insights. For more information about how Our Future Health processes participant data, please read our Participant Privacy Notice.
 
Our Future Health Limited is the Data Controller responsible for your personal data. We are registered with the ICO (ZA769724).

2. Data Collection and Processing

2.1 What personal data we collect

In this section, we explain the types of personal data that we process and why, along with any data that third parties process on our behalf. We collect, use, store and transfer the following types of data:

  • Identity Data includes your full name, title, email address, date of birth, age, sex and gender.
  • Contact Data includes your full postcode, region location, telephone number and any communication we have with you (including emails, phone calls, voicemail, recordings and conversations you have with our support teams).
  • Profile Data includes your participant ID, consent record, feedback and survey responses.
  • Special Category Data includes personal data which reveals your racial or ethnic origin or information about your health. Biological data is also special category data, and includes clinical data like your weight, waist circumference, blood pressure, heart rate, heart rhythm, and cholesterol.
  • Web analytics Data: for more information, please refer to our Cookie Policy (Cookies – Our Future Health). We also collect IP address and technical data such as browser type and version, device type and version and operating system. For more information about the technical data processed, please refer to our General Privacy Notice.
  • Health Insight report information includes your participant ID, date your digital health insight report was created and whether or not it was possible to generate your digital report.

This data is required to help us provide you with feedback about your health. It will also help us understand how participants would like to see this information, how best to present such information to you, perform analysis on different groups to investigate specific impacts on those groups, and how receiving it might affect you.

2.2 How we collect your personal data

We use a variety of ways to collect data from our participants, and we try to make this as easy and convenient as possible. This may be through Our Future Health directly or through our trusted third-party suppliers, who are under contract to us, for example to send you surveys. As a participant, we may collect your personal data in any of the following ways for the purposes of sending you a Health Insight:

  • By you providing information in any contact we, or our trusted provider, have with you.
  • By securely accessing the data you have already consented to provide to Our Future Health; this includes your clinic measurements.
  • By you filling in a short survey: We may ask you to fill in a survey that includes questions about your experience of reviewing information about you and your health. This survey will be hosted via a trusted third-party supplier (Qualtrics).
  • By checking your consent status.
  • Web analytics: we collect information about how you access our website (including browser type and version, device type and version, operating system). We also track actions and events (such as clicks or screen views) to better understand how you interact with our services. To do so, we use a software tool built by one of our trusted providers that collects this information via your internet browser, using cookies or similar technology. It does not collect sensitive personal information. Anything you type into secure fields — like your name, contact details, password, or health data — is automatically hidden or excluded by the software tool before it’s recorded. We’ve set up the tool carefully to respect your privacy and follow data protection legislation.

2.3 Our legal basis and purpose for processing your personal data

All collection and processing of personal data must be legally justified with what is called a “legal basis”, under the UK GDPR and Data Protection Act 2018.

When processing the personal data of individuals for user research, the legal bases are:

Purpose/Activity: Participant Selection & Masking
Type of data: Name, postcode, email, age, contact details, consent, gender, region, clinic status, clinic appointment health measures (e.g. height, weight, blood pressure)
Lawful basis for processing:
  • Article 6(1)(f) – Legitimate interest in selecting representative participants and to understand the impact of viewing health insights digitally.
  • Article 9(2)(j) – Public interest in the area of public health relating to scientific or historical research purposes or statistical purposes.

Purpose/Activity: Digital Report Access & Communication
Type of data: Name, DOB, postcode, email, appointment data, participant ID, sex, gender, clinic appointment health measures (e.g. height, weight, blood pressure)
Lawful basis for processing:
  • Article 6(1)(f) – Legitimate interest in providing access to reports and conducting user research.
  • Article 9(2)(j) – Public interest in the area of public health relating to scientific or historical research purposes or statistical purposes.

Purpose/Activity: Data Accuracy & Software Evaluation
Type of data: Name, DOB, postcode, email, appointment data, participant ID, sex, gender, clinic appointment health measures (e.g. height, weight, blood pressure)
Lawful basis for processing:
  • Article 6(1)(f) – Legitimate interest in validating software and ensuring data accuracy.
  • Article 9(2)(j) – Public interest in the area of public health relating to scientific or historical research purposes or statistical purposes.

Purpose/Activity: Impact Analysis of Digital Health Reports on Public Health
Type of data: IP address, name, sex, gender, web analytics data, consent, appointment date, clinic appointment health measures (e.g. height, weight, blood pressure)
Lawful basis for processing:
  • Article 6(1)(f) – Legitimate interest in analysing participant engagement and experience.
  • Article 9(2)(j) – Public interest in the area of public health relating to scientific or historical research purposes or statistical purposes.

Purpose/Activity: Programme Development & Promotion
Type of data: Web analytics, consent, sex, gender, clinic appointment health measures (e.g. height, weight, blood pressure), ethnicity
Lawful basis for processing:
  • Art. 6(1)(f) – Legitimate interest of informing the design and development of the feedback programme with the aim of providing digital feedback as part of the OFH programme.
  • Art. 9(2)(j) – Public interest in the area of public health relating to scientific or historical research purposes or statistical purposes.
  • Art. 9(2)(g) & DPA Schedule 1, Part 2, Condition 8 – Substantial public interest (research into equality of opportunity or treatment).

Purpose/Activity: Health Insight Report Tracking
Type of data: Participant ID, report creation date, report status
Lawful basis for processing:
  • Article 6(1)(f) – Legitimate interest in managing pilot sessions, to enable future planning and for communication purposes.

Purpose/Activity: Session Replay Analysis
Type of data: IP address, appointment date, web analytics
Lawful basis for processing:
  • Article 6(1)(f) – Legitimate interest in diagnosing issues, analysing user behaviour, and improving user experience.

2.4 How we share your personal data

Sometimes we ask trusted third parties, including suppliers and partners, to carry out business functions for us, such as maintaining and backing up our IT systems’ software, or providing a data analytics platform. 

Where we are under a legal or regulatory duty to do so, we may disclose your details to the police, regulatory bodies, or legal advisors.

Data provided to Our Future Health is transferred to and stored in a highly secure data environment.

2.5 How we keep your data secure

We have put in place appropriate and robust security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way. In addition, we limit access to your personal data to approved employees and suppliers, who are required to access it in accordance with their roles and responsibilities.

We have carried out robust due diligence assessments to ensure that third-party data suppliers have appropriate security standards in place that protect your personal data. We have ensured all partners have adequate security and usage standards in place for all contracts.

You can also find more information about how we keep your data secure in the Our Future Health Participant Privacy Notice (Participant privacy notice – Our Future Health).

2.6 How long we keep your data

We retain your data for as long as is necessary to provide you with the services described in this notice. Data that is required for operational management of insight generation will be retained for the lifetime of the Our Future Health project. Other data will be retained as long as required in line with legal and regulatory requirements or guidance.

2.7 International transfers

Please see the Our Future Health Participant Privacy notice for details: Participant privacy notice – Our Future Health

2.8 Your data subject rights

If you decide you no longer want to receive any further communications from Our Future Health related to receiving health insights, you will need to partially withdraw from the programme. For details on how to withdraw, please visit: Withdrawal and data deletion | Our Future Health.

For more details on your rights and how to exercise them, please see the Our Future Health Participant Privacy Notice.

2.9 Contact details

Our Future Health’s Data Protection Officer is available to answer any questions and address any concerns about Our Future Health’s use of your personal data. You can email: dpo@ourfuturehealth.org.uk, or write to: DPO, Our Future Health, 2 New Bailey, 6 Stanley Street, Manchester, England, M3 5GS. 

If you are not satisfied with our response, you can contact the Information Commissioner’s Office (“ICO”), the UK supervisory authority for data protection issues (www.ico.org.uk).

This privacy notice is version 1 and was published in October 2025. Changes from the previous version include the addition of Health Insight report information. If we make changes to this privacy notice, at any time, the most current version will be published here.