Grow Your List Size Ltd – Privacy Policy

This Privacy Policy explains how Grow Your List Size Ltd collects, uses, stores, and protects your personal data in accordance with the UK GDPR and Data Protection Act 2018.

It applies to:

•               GP practice staff

•               Patients whose data we access within GP systems

•               Website visitors

•               Partner organisations

•               Staff, contractors, and applicants

Grow Your List Size Ltd (“we”, “us”, “our”) acts predominantly as a Data Processor, working under the documented instructions of GP practices (Data Controllers). This policy also sets out the limited circumstances in which we act as a Data Controller in our own right.

Who We Are

Grow Your List Size Ltd is a UK-based organisation providing:

•               Patient registration optimisation

•               Digital access improvement

•               Messaging and engagement support

•               Anonymous patient surveys

•               Online reputation management

•               Insight and performance reporting

All processing for GP practices is carried out within their NHS systems, and we do not download, store, or export identifiable patient data.

Why We Process Personal Data

We process personal data to:

•               Deliver contracted services to GP practices

•               Improve patient registration workflows

•               Support digital engagement and messaging

•               Conduct anonymous patient surveys

•               Provide aggregated insights and reporting

•               Maintain our internal operations (e.g., HR, finance, recruitment)

Where we act as a Processor, our access to and processing of personal data is strictly limited to the GP practice’s documented instructions.

Where we act as a Controller, this relates only to:

•               Our business operations

•               Vendor management

•               HR/employment activities

•               Website interactions

We do not act as a Controller for patient identifiable data inside GP systems.

Legal Bases for Processing

Under the UK GDPR, the lawful bases relied on are:

When acting as a Data Processor for GP Practices (the lawful basis is determined by the GP practice as Controller and is typically):

•               Article 6(1)(b) – Performance of a contract

•               Article 9(2)(h) – Management of health or social care systems and services

When acting as a Data Controller:

•               Consent (e.g., marketing)

•               Legitimate interests (business operations)

•               Performance of a contract (HR, suppliers)

•               Legal obligation (record-keeping, finance)

We process only the minimum personal data required to achieve these purposes.

We never collect or process special category data for our own marketing or commercial benefit.

What Personal Data We Process

As a Data Processor (within GP practice systems):

Personal Data:

•               Name, date of birth, contact details

•               Registration details

•               Messaging or interaction statuses

Special Category Data:

•               Registration-related health data only

(No clinical notes)

Non-Identifiable Data:

•               Anonymous survey responses

•               Aggregated performance metrics

•               Public Google review data

Data we DO NOT process:

•               Clinical notes

•               Third-party healthcare data

•               Criminal offence data

•               Identifiable survey data

As a Data Controller (business operations):

We may process:

•               Staff details

•               Supplier information

•               Recruitment data

•               Contact details for enquiries or billing

•               Website analytics (non-identifiable)

How We Use Your Information

When accessing GP systems (Processor role):

We use data solely to deliver contracted services:

•               Supporting registrations

•               Reviewing patient feedback

•               Improving digital messaging

•               Conducting anonymous surveys

•               Generating aggregated reports

All work occurs inside GP practice systems, using secure NHS-approved remote access.

No identifiable data leaves the system.

When acting as a Controller:

We use data to:

•               Respond to enquiries

•               Manage staff and HR processes

•               Manage suppliers and finances

•               Maintain business operations

•               Support IT security

•               Conduct limited marketing (where consent applies)

How We Access and Share Data

Access inside GP systems

Remote access is:

•               Granted only by the GP practice

•               Protected with mandatory two-factor authentication and encrypted connections

•               Fully logged within EMIS/SystmOne audit trails

•               Revocable at any time by the Controller

Data Sharing

We do not share patient identifiable data with any third party.

We may share operational (Controller) data with:

•               Accountants

•               Payroll providers

•               IT security partners

•               Regulators (where legally required)

We do not sell or trade personal data.

International Transfers

We do not transfer patient data outside the UK.

Any business-related transfers follow UK-approved safeguards.

Security Measures

We use NHS-aligned technical and organisational controls:

•               Device encryption

•               Mandatory 2FA

•               Mobile device management (MDM)

•               Secure VPN / NHS-approved remote access

•               Role-based access

•               Annual IG training

•               Staff confidentiality agreements

We store no identifiable patient data on our systems.

How Long We Keep Your Data

Processor Role (GP Practice Data):

We do not retain patient identifiable data.

Operational non-identifiable retention periods:

•               Access logs: 12 months

•               Aggregate reports: 12–24 months

•               Anonymous survey data: 24 months

•               Access credentials: revoked and deleted within 24 hours of contract end

Controller Role:

Business records are retained according to:

•               UK legal requirements

•               Financial regulations

•               NHS Records Management Code (where applicable)

Your Rights

Depending on our role (Controller or Processor), you may have the right to:

•               Access your data

•               Correct inaccuracies

•               Request deletion

•               Restrict or object to processing

•               Data portability

•               Withdraw consent (where used)

For patient data accessed inside GP systems, requests must be made to the GP practice, as they are the Data Controller.

Data Breach Reporting

If we identify or suspect a breach affecting GP practice data:

•               We notify the GP practice within 24 hours of becoming aware of it

•               Provide full incident details and mitigation steps

The GP practice is responsible for ICO notification.

Freedom of Information

Grow Your List Size Ltd is not subject to the Freedom of Information Act.

We assist GP practices with FOI responses only when relevant.

Changes to This Privacy Policy

We may update this policy periodically.

The most recent version will always be published on our website.

Contact Us

For questions about this Privacy Policy:

Email: admin@growyourlistsize.co.uk

Right to Complain

If you are unhappy with how we process your personal data, you have the right to complain to the ICO: www.ico.org.uk