PCMIS Portal Privacy Notice


Your privacy is important to us, and so is being transparent about how we collect and use the information you share with us.

As a wholly-owned subsidiary company of the University of York, we adhere to their Legal Statements. PCMIS Patient Portal specific privacy policy is as follows:

Information collected via portal web forms

A portal user may be asked to provide personal information by the healthcare service that has engaged PCMIS to facilitate the collection of questionnaire and clinical assessment responses online via the Patient Portal.

PCMIS, under Data Protection laws, will be the ‘Processor’ of any personal information that you submit via the Patient Portal. The data you enter onto the Patient Portal is sent securely to the healthcare service providing your care, where it is stored against your care record on a secure, dedicated server and made available for the appropriate service staff to access in line with your care needs.

Legal basis for processing (why we collect and process your information)

Our legal basis for processing this information is the Public Task that PCMIS has been engaged to perform by the healthcare service providing your care.

Whenever we process your information for these purposes we will ensure that we always keep your personal rights in high regard and take account of these rights.

How we use the information we collect

All the information we collect is flowed directly to the healthcare service providing your care. No data is stored or accessed by PCMIS staff. Under Data Protection Laws, the healthcare service providing your care is the Data Controller of any personal information you provide to them via the Patient Portal.

No third parties have access to your personal information unless required by law and no personal information will be sent outside of the EEA.

How long we keep your information

We do not keep your data for our own commercial purpose. It is flowed directly to the PCMIS case management system where it can be accessed by healthcare professionals.

If you have any questions about your data, how and where it is processed and stored, please contact the Service directly.


The General Data Protection Regulation (GDPR) was made EU law on 25th May 2018.

Post Brexit, the GDPR has been kept in UK law as the UK GDPR.

The new data protection regulations have been designed to strengthen existing data protection laws, by expanding the rights of individuals to control how their personal information is collected and processed and places new obligations on businesses to be more accountable for data protection.

PCMIS is committed to the new regulations and recognises the importance and responsibility of protecting personal information.

Changes to our Privacy Policy

We keep our privacy policy under regular review and we will place any updates on this web page. If the changes are significant, we may also choose to email individuals with the new details. Where required by law, will we obtain consent to make these changes and provide the opportunity to opt out or unsubscribe at this time.

This page was last updated on 26 April 2023.