This notice explains how SurgEase Ltd (“SurgEase”, “we”, “us”) processes personal data submitted through our whistleblowing channel at report.surgease.co.uk.
SurgEase Ltd is the data controller. Questions or requests about this notice can be sent to: info@surgease.co.uk. If your concern relates to information security, you may also contact the ISMS Manager at jie.ding@surgease.co.uk.
This notice covers information provided by employees, workers, contractors, agency staff, suppliers, and supplier workers who raise concerns (including modern slavery or other human-rights risks) via our whistleblowing web form, voicemail/postal alternatives, or any follow-up communications.
You may report anonymously. We do not require your name or contact details. If you choose to give contact details, we will use them only to communicate about your report.
Information you provide in the report (free-text description, dates, locations, names/roles of individuals or organisations involved, uploaded files). Optional contact details (for example, email or phone) if you choose to provide them. A Case ID and Passphrase are generated so you can check progress or add information without revealing your identity. We do not log IP addresses and we do not run analytics on the reporting page.
Primarily you, the reporter. During assessment we may collect limited additional information from internal systems, suppliers, publicly available sources, or witnesses/parties involved, strictly for the purposes below.
To receive, triage, investigate, and resolve concerns about misconduct or human-rights issues (including modern slavery indicators); to safeguard affected individuals; to take corrective actions with suppliers or staff; to meet legal and regulatory obligations; to maintain records for audit and governance; and to report aggregated statistics in our annual Modern Slavery Statement.
Legitimate interests (Article 6(1)(f)): preventing and addressing wrongdoing, protecting people, and maintaining lawful, ethical operations.
Legal obligation (Article 6(1)(c)): where laws require us to assess, document, or report certain matters.
Vital interests (Article 6(1)(d)): where necessary to protect life or physical safety.
Your report may include data revealing health, trade-union membership, racial/ethnic origin, or alleged criminal conduct. Where relevant, we rely on Data Protection Act 2018 Schedule 1 conditions including employment, social protection and social security law; preventing or detecting unlawful acts; and safeguarding of individuals at risk, with appropriate policy documents and access controls. We minimise such data and process only what is necessary.
We do not use your data for marketing. We do not automate decisions about you without human involvement. The reporting page does not use cookies, analytics, or IP logging.
A restricted case team in QA/RA and Compliance, with HR involvement where appropriate. On a need-to-know basis only, we may share limited information with senior management, external legal counsel, auditors, or regulators and law-enforcement where required. For supplier-related cases, we may share necessary details with the supplier to investigate and remediate, taking care to protect your identity when you reported confidentially or anonymously. We require confidentiality undertakings from anyone given access.
Where data is transferred outside the UK (for example, to a service provider or legal counsel), we use appropriate safeguards such as the UK Addendum to the EU Standard Contractual Clauses or other approved transfer mechanisms. You can request a copy of applicable safeguards.
We use encryption in transit and encrypted storage at rest. Access is role-based and logged. Case data is segregated from general IT logs. Uploaded files are virus-scanned. Please do not include unnecessary personal data in your report.
Case records are retained only as long as necessary for investigation, remediation, governance, and legal/audit purposes. Unless a longer period is required by law or for ongoing proceedings, we aim to close 90% of substantiated cases within 120 days and retain case files for up to six years from closure to meet limitation and audit requirements. Anonymised statistics (with no personal data) may be kept longer.
You can report anonymously. If you give contact details, you may ask us to access, rectify, or erase your personal data, or to restrict or object to its processing, subject to lawful exemptions that may apply in investigations. To exercise rights, email privacy@surgease.com and quote your Case ID if you have one. If we cannot fully honour a request (for example, where doing so would prejudice an investigation or the rights of others), we will explain why.
The channel is not intended for use by children. If a report involves a child or vulnerable person, we will handle it under our safeguarding procedures and applicable laws.
You can complain to the UK Information Commissioner’s Office (ICO). See ico.org.uk for contact details. We encourage you to contact us first so we can try to resolve your concern.
We may update this notice to reflect changes in law or our processes. We will show the effective date below.
Effective date: 9th October 2025