
Your patients trust you with the most intimate details of their lives. Their records deserve storage that takes that seriously.
Bigby gives doctors, clinicians, and private health practitioners encrypted, UK-based cloud storage built around the data protection obligations that come with holding health records.
Health data is the most protected category under UK law. The platform you store it on should reflect that.
When a patient shares their medical history, test results, or clinical notes with you, they have no choice but to trust you entirely. That trust is both personal and legal: health data sits at the top of the GDPR special categories, carrying the strongest protection obligations the law provides.
Most private practitioners use whatever cloud storage was convenient at the time. Consumer platforms, free tiers, tools borrowed from general business use. None of them were designed with clinical records in mind, and the data handling terms that govern them don’t reflect the obligations you carry.

Where standard cloud storage falls short for clinical practice
Storing patient records on general-purpose cloud platforms creates professional, regulatory, and legal exposure that is worth understanding clearly.
Health data and UK GDPR special categories
Under UK GDPR and the Data Protection Act 2018, health data is a special category requiring a higher standard of protection and a lawful basis beyond ordinary personal data. As a data controller, you are responsible for ensuring any processor you use, including your cloud storage provider, meets those standards. A breach affecting patient records triggers mandatory ICO notification obligations and can carry substantial fines and reputational consequences.
GMC, NMC, and HCPC expectations
The GMC, NMC, HCPC, and equivalent bodies all set expectations around the security and confidentiality of patient records. Storing clinical notes, referral letters, or diagnostic reports on a platform with opaque data handling practices, or one that retains rights to scan or analyse stored content, is difficult to reconcile with those standards. In the event of a regulatory complaint or fitness-to-practise investigation, your choice of storage provider becomes a matter of record.
Platforms that can access what you store
Standard cloud services are not designed to be blind to your content. Content scanning, AI training provisions, and broad data usage rights are common across the major platforms. For personal photos or general documents those terms may be acceptable. For clinical records identifying a patient by name, condition, or treatment history, they represent a category of risk that sits directly against your duty of confidentiality.
US jurisdiction and patient data
The major cloud providers are US companies subject to US law. The CLOUD Act creates mechanisms by which US authorities can compel access to data held by those companies, regardless of where the data is physically stored. Patient records are the most sensitive category of personal data, and leaving them under US jurisdiction is an exposure that, once explained, most practitioners would not knowingly accept.
How Bigby works
Encryption at rest, UK infrastructure, and no business model built on your patients’ data
Unlike the major cloud platforms, Bigby does not scan, analyse, or profit from the files you store. Here is how that works.
01. Encrypted at rest
Your files are encrypted on our UK servers. The data stored on our infrastructure is in encrypted form, which provides meaningful protection in the event of a storage breach and ensures patient records are not sitting as readable plain text on any server.
02. No access to file contents
Bigby does not open, scan, or read the contents of what you store. We have no business reason to and our data processing terms prohibit it. Clinical notes, referral letters, patient correspondence, and diagnostic records are stored without anyone at Bigby reading them.
03. No AI training or secondary use
Your stored content is not used for AI training, advertising targeting, or analysis of any kind. The subscription fee covers the cost of running the service. That is the entire arrangement.
04. Patient data stays in the UK
All data is stored on UK-based infrastructure. UK GDPR applies. There is no transfer to US servers and no exposure to US jurisdiction. What your patients share with you does not leave the UK.
Frequently asked questions
Does Bigby help with my UK GDPR and ICO obligations for health data?
Bigby is designed to reduce your exposure as a data controller. UK data residency, encryption at rest, and clear data processing terms mean your storage arrangements are on considerably stronger ground than with a general consumer or business platform. Health data is a GDPR special category, and storing it on a service with no UK data residency, no encryption at rest, or opaque data usage rights represents unnecessary exposure. That said, GDPR compliance for a clinical practice is broader than storage alone, and we would recommend a full review with a qualified data protection adviser.
Can I store clinical notes, referral letters, and patient records securely?
Yes, and that is precisely the kind of use Bigby is built for. Clinical notes, correspondence, referral letters, diagnostic reports, and patient documents can all be stored and accessed securely. Bigby does not access the contents of stored files. If you work with a small team (a practice nurse, receptionist, or clinical colleague, for example), the Group plan provides shared encrypted storage with per-user access controls.
What happens if Bigby receives a request for patient data?
Bigby is a UK company subject to UK law. Like any UK business, we may be required to comply with lawful UK court orders or other legal demands. We do not hold data under US jurisdiction and are not subject to the CLOUD Act. We will challenge any demands we consider unlawful and will notify users where the law permits. For specific guidance on how legal demands interact with your clinical confidentiality duties, we recommend consulting a qualified data protection or healthcare law adviser.
Does Bigby meet CQC data security requirements?
CQC-registered providers are expected to demonstrate appropriate technical and organisational measures for protecting patient data. Bigby provides encryption at rest, UK data residency, and clear, auditable data processing terms. These are the elements most commonly scrutinised in a CQC inspection or data security review. We are happy to provide documentation of our data processing practices on request.
I run a small private practice with a few staff. Is there a plan for teams?
Yes. The Group plan is designed for small teams of three or more, with shared encrypted storage and document collaboration built in. Each user accesses only what they need, and all files remain encrypted throughout. It is priced per user from £4.99 per month on annual billing and suits practices where multiple clinicians or administrative staff need secure access to shared records.
Is Bigby suitable for a sole practitioner working from a home consulting room?
Yes. The Storage and Office plans are designed for individual users with no minimum commitment. For most sole practitioners, the 100 GB Storage plan is more than sufficient for patient records, correspondence, and referral documents. Storage can be topped up at any point. The Office plan adds document editing within your encrypted workspace, which some clinicians find useful for drafting letters and clinical summaries directly without passing through a general-purpose application.
Storage that reflects the seriousness of what your patients share with you
Private, encrypted, UK-based cloud storage from £3.99 per month. Built for clinicians who understand that a data controller’s obligations don’t stop at the consulting room door.
Annual billing · All prices in GBP · UK data residency · GDPR compliant