Our policies, and how we keep the data of trusts, clinicians and the women whose stories we carry safe.
Upskill Health is the data controller for the accounts of clinicians and trust administrators, and a data processor for the training records we hold on behalf of NHS trusts. We collect only what a lesson or a compliance report needs — name, role, trust, and learning activity — and we process it under the lawful bases of contract and legitimate interest, and, for special-category data, under the health and social care provisions of the UK GDPR.
Upskill is a training platform, not a clinical system: it is designed to run without any patient-identifiable information, and users are instructed never to enter it. Data is hosted in the UK on Microsoft Azure, and — by agreement with each trust — training records are used to evidence learning and compliance under the trust's data processing agreement, never for disciplinary action or performance management.
The lived-experience stories women share with us are handled separately and only ever with explicit, revocable consent. We never sell data, and we keep records only as long as a trust's contract and the relevant NHS retention schedules require. You can request access, correction or deletion at any time by writing to our Clinical Safety Officer at andrew@upskill.health.
Access to the Upskill app and compliance dashboard is provided to named users under a trust's subscription agreement. Accounts are personal — credentials must not be shared, and the clinical content is provided for professional education, not as a substitute for local guidelines or clinical judgement. All training material, case studies and the software itself remain the intellectual property of Upskill Health.
The full terms that govern a subscription are set out in the trust's service agreement; this summary does not replace it. Questions about the terms can be sent to admin@upskill.health.
Our aim is to support a tired clinician upskilling in the ten minutes they have in the middle of a night shift, so accessibility is never an afterthought. We build to meet the Web Content Accessibility Guidelines (WCAG) 2.2 at level AA — sufficient colour contrast, full keyboard operation, captioned and described video, and clear focus states throughout. We test with screen readers and welcome reports of anything that falls short. If you meet a barrier, tell us at admin@upskill.health and we will fix it as a priority.
Data is encrypted in transit and at rest, hosted in the UK, and access is role-based and logged. We complete the NHS Data Security and Protection Toolkit, and our credentials are independently assessed and renewed on schedule.
Core Upskill data — accounts, training records and content — is hosted in the UK on Microsoft Azure.
The one optional feature that can involve processing outside the UK is the AI-powered roleplay, delivered through ElevenLabs (using OpenAI's GPT-4o within that service), where data may be stored and processed in the United States. It is used for simulated communication practice only, and clinicians are instructed never to enter patient-identifiable or patient-specific information. Other platform services that touch international infrastructure — push notifications and transactional email — receive only the minimal data they need, and never patient data. A trust's information-governance team can review our full transfer position as part of due diligence.
DCB0129 is the NHS Data Coordination Board standard for clinical risk management in the manufacture of health IT systems. As a training platform rather than a system that directly informs a clinical decision at the point of care, Upskill sits outside the scope that formally mandates DCB0129 — but we apply its principles anyway, because the subject deserves it.
Everything sits under a clinical safety management plan that a named Clinical Safety Officer reviews every six months and after any material change. Our clinical safety documentation is available to trusts on request as part of due diligence — book a conversation to see it.