ARC handles patient data differently depending on the service. For our Secure and Print services, ARC does not hold patient records in its own infrastructure. Where our services involve systems that may contain patient data, we only access it when necessary to deliver support, and we handle it in line with UK GDPR, the Data Protection Act 2018, and NHS data handling standards. Where records storage is required, ARC Store is delivered through Crown Information Management, with secure offsite storage, full chain of custody, and alignment to the NHS England processing specification. In all cases ARC operates under a Data Processing Agreement (DPA) that clearly defines roles, responsibilities, and obligations. If you'd like to review the DPA before signing, we'll share it as part of the pre-contract process.