McKinsey & Company Privacy Notice Regarding the Processing of NHS Data Sets

Effective date: June 06, 2020.

McKinsey & Company, Inc. United Kingdom (“McKinsey”, “us”, “we”), an affiliate of McKinsey & Company, understands that your personal data is important. McKinsey may process your personal data in its capacity as a data controller. When we do so, we are committed to respecting your privacy and protecting your personal data, which is any information that is capable of identifying you as an individual.

This Privacy Notice applies to McKinsey’s processing of UK Hospital Episode Statistics (HES) Data (the “Data”), access to which is provided to us by the Health and Social Care Information Centre (known as “NHS Digital”), and describes how we handle and protect your personal data in connection with our processing of the Data.


The Data are collected about you by NHS organisations as they provide services to you as a patient under their care or if you are an NHS survey respondent. The Data are collated, stored and managed by NHS Digital and shared with McKinsey for research and health system planning under UK Law.

McKinsey processes these Data, which comprise personal data and sensitive personal data, including health data, racial or ethnic origin and religious or other beliefs. The Data comprise the national HES data set. These Data are collected on all hospital patients in the UK. The Data sets we process are pseudonymised so that it would be very difficult for McKinsey to identify you as an individual from the Data we process.


McKinsey processes the Data to carry out research for the purposes of providing NHS organisations with recommendations and advice relating to how they may improve the quality and efficiency of their services, such as processing Data in connection with the benchmarking and analysis of hospital operational performance, utilization, and spending.

The Data we process is pseudonymised. This means it would be very difficult for McKinsey to identify you as an individual from the Data we process for the purposes of our research.

The Data will only be used in the context of services provided by McKinsey to NHS organisations in England and will not be used for non-NHS (or social care) organisations or for organisations outside of England. McKinsey will not use the Data to engage in automated decision-making, including profiling.

The Data, and the recommendations or advice resulting from the processing of the Data, will not be used (directly or indirectly) for sales or marketing purposes by McKinsey & Company, nor by any non-NHS organisation, and will only be used for the purposes outlined above.


McKinsey has a lawful basis for processing the Data as we have a legitimate interest in providing our services to the NHS to identify where the NHS can improve the quality and efficiency of its services.

To the extent that the Data include personal data revealing health, ethnicity or other sensitive personal data, we process it on the basis of our research purposes, which are in the wider public interest, to improve the quality and efficiency of NHS services for the benefit of NHS users in England.


Unless required to do so under US law, we will not share the Data with any person or organisation outside of England, nor with any person or organisation that is not an NHS or social care organisation.

McKinsey will only share the resulting reports and outputs with the NHS organisations who have commissioned its services.


Unless required to do so under US law, the Data are not transferred outside of the European Economic Area.


McKinsey uses appropriate measures and safeguards to protect the security of the Data. We have access to three years’ historic Data which is then deleted on a rolling basis. We securely delete the oldest year of Data within four weeks after the next full year’s Data is received.


The anonymisation process applied to the Data means that it is not possible to exclude data relating to any particular individual from an analysis.

In some circumstances you may have rights respecting the Data that the NHS holds about you, including the right to request access to the Data, the right to request its rectification, and the right to request its erasure.

You may also have the right to lodge a complaint with the Information Commissioner’s Office as the competent data protection authority in England.


If you have any questions about this Privacy Notice, or our Privacy Policy, or if you would like to communicate with our EU Data Protection Officer or the Data Privacy Team, please contact us at:

McKinsey & Company,
Legal Department
The Post Building
100 Museum Street
London, WC1A 1PB
+44 (20) 7839 8040

McKinsey reserves the right to modify this Privacy Notice. We will post any changes to our Privacy Notice on this page. Please check this page regularly to keep up-to-date.
