Privacy Notice

Overview

This Privacy Notice explains how personal data may be processed through the Codara platform.

This notice relates to the Codara application and platform services only. Information relating to the Codara website is covered separately in our Website Privacy Policy.

Our role

Codara is a software platform provided to healthcare organisations, including NHS organisations, to support clinical documentation, operational workflows, audit, reporting, and service improvement activities.

In most cases:

• the healthcare organisation using Codara acts as the data controller;
• Blue Sky Medic Ltd (trading as Codara) acts as a data processor on behalf of that organisation.

This means the healthcare organisation determines:

• why personal data is processed;
• what information is processed;
• who is authorised to access it;
• how long it should be retained.

Codara processes data only in accordance with the instructions of the relevant healthcare organisation and under applicable contractual and data protection obligations.

Information processed through Codara

Depending on how the platform is configured and used by the healthcare organisation, Codara may process:

• patient demographic information;
• clinical and healthcare information;
• operational and workflow information;
• user account and authentication information;
• audit and activity records.

Access to information within Codara is restricted to authorised users approved by the relevant healthcare organisation.

Integrations and data exchange

Codara may exchange information with other authorised healthcare systems used by the healthcare organisation, including electronic patient record (EPR), radiology, operational, and other clinical systems.

This may include:

• receiving information from other healthcare systems into Codara;
• displaying information within the Codara platform;
• returning or synchronising information back into other healthcare systems;
• authorised export of information for approved audit, research, operational, governance, or reporting purposes.

Responsibility for determining the lawful basis for such processing remains with the relevant healthcare organisation acting as data controller.

Data security and hosting

Codara uses technical and organisational security measures designed to protect personal data against unauthorised access, loss, misuse, or disclosure.

Patient data processed through Codara is hosted within the United Kingdom.

Additional information relating to security, governance, and subprocessors may be made available to customers and prospective customers on request.

Data protection rights

Where Codara processes patient data on behalf of a healthcare organisation, requests relating to personal data — including access, correction, restriction, or deletion requests — should usually be directed to the relevant healthcare organisation in the first instance.

National Data Opt-out

Further information regarding Codara's approach to the NHS National Data Opt-out is available in our separate NHS National Data Opt-out Statement.

Contact

For questions relating to this notice or data protection matters, please contact our Data Protection Officer, Dr Anthony Cox, at dpo@codara.co.uk.