NOTICE POLICY
1. Introduction
At www.hagleyroadpharmacy.com, healthcare personnel, together with third party technical personnel, work jointly to develop and provide healthcare services. At www.hagleyroadpharmacy.com, you as an individual and as a patient always come first and this privacy notice (the “Privacy Notice”) explains how we handle your personal data when you sign up to and use our Web site or Mobile-App referred to in this document as (“The Platforms”) and when you seek healthcare or similar services from us (the “Services”).
We explain in more detail in this Privacy Notice how www.hagleyroadpharmacy.com works for you as a “user” and “patient” and who is responsible for the processing of personal data, which is carried out in connection with your use of the Services. We also describe which personal data about you is processed when you use the Services, how we process the personal data, and why. We also describe the legal basis for our processing and external parties which may handle personal data about you in order for us to provide you with the Services. You also receive information about your rights in relation to the processing of your personal data and what you can do to exercise these rights.
2. Who is responsible for the processing of personal data?
LP SD EIGHTY TWO Ltd, is the parent company of Hagley Road Pharmacy, a UK company that own and make available the ”www.hagleyroadpharmacy.com” technical platform compromising of the Website and Mobile-App (“the Platforms”) and is the data controller for the processing of the personal data, which you register in the Platforms, up until the time at which you commence contact with a healthcare provider for medical advice and follow-up. When you seek healthcare from www.hagleyroadpharmacy.com, it is solely established healthcare providers who are responsible for providing the healthcare, including the processing of personal data which is carried out in connection with providing you with healthcare. Healthcare Services typically starts when you consent to book a service with us or give us information about your health status via a self assessment or pre-meeting questionnaire and include other activities such as the consultation, record keeping and necessary administration of your matter as further described below on this Privacy Notice.
www.hagleyroadpharmacy.com works through its affiliate Pharmacies, Audiologists, GP surgeries and Medical Laboratories which may partially or fully provide the Healthcare service. Therefore, when you purchase a service or product from The Platform or start a consultation in the The Platform, and for all subsequent processing of personal data related to provisioning of healthcare to you, www.hagleyroadpharmacy.com (or such other healthcare provider as is communicated to you, “Third Party Healthcare Provider” below) is the data controller. Where a Third-Party Healthcare Provider provides you with healthcare, its privacy policy and not this Privacy Notice applies to their processing of your personal data which is carried out in the context of providing you with healthcare.
When the providers of healthcare services or a Third-Party Healthcare Provider is providing healthcare to you, LP SD EIGHTY TWO ltd acts as a data processor for the processing of personal data necessary to provide the technical platform and related services. This means that data related directly to your consultation is only processed according to the instructions of the providers of healthcare services or Third-Party Healthcare provider. In the event another healthcare provider joins the www.hagleyroadpharmacy.com platform and processes your personal data in connection to your use of the Services, we will inform you when you use the Services so that you always know which healthcare provider is the controller of your personal data.
Contacts
If you have any questions or comments regarding the processing of your personal data in connection with your use of the Services, you are always welcome to contact us and/or our data protection team via our website www.hagleyroadpharmacy.com “contact us” page, or by sending an email to hagleyrd@crestpharmacy.com.
Third Party Healthcare Providers
The contact details of Third-Party Healthcare Providers will be communicated to you before a consultation with such a provider.
3. Where do we collect your personal data which is processed when you use the Services?
3.1. Personal data which is registered via your user account in the The Platforms
www.hagleyroadpharmacy.com and the providers of healthcare services process personal data about you, which you register via your account such as your name, gender, address, email address and picture (used for verification of identity) when you open your www.hagleyroadpharmacy.com user account and, subsequently, any information you register when you use the Platforms. If you add a child to your profile, we will collect such information about your child as well, including verification of your legal guardianship. In addition, www.hagleyroadpharmacy.com may collect and process the following information: (i) technical information, including IP address, login information, type and version of operating system and unit, time settings, language settings, cookies, etc.; and (ii) information about the Services we provide to you, such as how often you use the Platforms, and which functionality you use within the Platforms.
Such information may also be collected through so-called cookies if you choose to accept them. You can find more information regarding our use of cookies in our cookie policy.
These categories of personal data, which are provided when you download, sign up to and use The Platforms, are referred to as “User Data” below.
3.2. Personal data about your health
When you seek healthcare services from us, you are asked to share data linked to your physical and/or mental health. You do this primarily if applicable by filling in the relevant symptoms form in The Platforms. This information may include, but is not limited to, information that you are suffering from an illness, your medical history, or your physiological or medical condition. We refer to this information as “Health Data”.
If you are eligible and using the NHS Service, Healthcare providers will use such Health Data to schedule a consultation for you with relevant healthcare staff (or Third Party Healthcare Providers) and to inform such staff ahead of your consultation, and to otherwise direct you to the appropriate form of care.
3.3. Personal data processed by the providers of healthcare services
The providers of healthcare services will collect and process information about you when you try to book an appointment in order to ensure secure identification and verification of parental responsibility before providing you or your child with healthcare services, such personal data is referred to below as “Identification Data”. This may include e.g. collecting photographs or copies of identification documents.
The providers of healthcare services may also collect other information about you, such as information about you in the context of consulting and treating you as a patient. This may for example include data about your health status, symptoms, treatments, consultations and sessions, medications and procedures. Personal data related to your health or to you as a patient which is used by the providers of healthcare services to provide you with healthcare services is referred to below as “Patient Data”.
The providers of healthcare services may disclose Patient Data in the context of providing healthcare and/or relevant medical treatment, for example when referring you to another healthcare provider or to our pharmacy partners for the purpose of your treatment or administering prescriptions.
3.4. Personal data from third parties including other healthcare providers
The providers of healthcare services may also receive Patient Data relating to the healthcare you have received from other healthcare providers who are not associated with the providers of healthcare services or from your insurance company. In the event this data is considered relevant to the provision of healthcare within the scope of the Services, it may be saved and processed by the providers of healthcare services and entered in your medical records by the clinician who is treating you.
4. Where is your personal data stored?
User Data, Identification Data and Health Data
This personal data is stored by www.hagleyroadpharmacy.com, in infrastructure provided by one of www.hagleyroadpharmacy.com subcontracted processors. User Data and health data is handled and stored within these secure processors.
Patient Data:
The providers of healthcare services are obligated to maintain medical records when performing the Services. It stores relevant Patient Data in a medical record system (specifically developed in order to fulfil the requirements of the applicable legislation) which is operated on its behalf by a third-party service provider. Your Patient medical records are always handled and stored within the UK.
5. Why personal data is processed when you use Hagley Road Pharmacy
5.1. www.hagleyroadpharmacy.com processing of your User Data
www.hagleyroadpharmacy.com processes your User Data (as described above in section 3.1) for the following purposes:
(i) to process your application or terminate your user account in the Platforms.
(ii) to provide you with authorisation to login and use your user account.
(iii) to verify your identity, age and guardianship.
(iv) to maintain correct and up-to-date information about you.
(v) for you to be able to monitor and administer your ongoing care.
(vi) to measure and analyse use of the Platforms, and to improve the Platforms and the Services.
(vii) to handle your choice of settings and information about payment and
(viii) to otherwise be able to provide the Services to you according to our General Terms and Conditions
The legal basis for processing your User Data is that it is necessary for us to be able to provide you with the Services, and for the providers of healthcare services’s provision of good care in connection with your use of the Services. We need to process your User Data for the performance of the contract between us, which constitutes our General Terms and Conditions. The processing for the purposes of (vi) above is based on our legitimate interest to measure and analyse use of The Platforms, and to improve the The Platforms and the Services we provide to you.
5.2. The providers of healthcare service’s processing of your Patient Data to provide healthcare services
The providers of healthcare services process Identification Data (as described above in section 3.3) for the purpose of secure identification and validation of parental responsibility before providing the Services to you.
The providers of healthcare services process Patient Data (as described above in section 3.3) for the purpose of providing the Services to you in the form of healthcare and other necessary treatment, advice or administration, such as support for the clinicians within the scope of providing the healthcare itself.
The providers of healthcare services need to process your Identification Data and Patient Data for the performance of its contract with you. The legal basis for the providers of healthcare services processing of your Patient Data is that it is necessary for the purposes of preventive or occupational medicine, for medical diagnosis and the provision of health or social care. This may include sending you emails and other electronic communications, such as appointment reminders.
In addition, where you are a patient registered in England, you may have an NHS Summary Care Record (SCR). An SCR is an electronic record of important patient information, created from GP medical records. In addition to containing demographic information such as your name and address, your SCR will also contain key information about the medicines you are taking, allergies you suffer from and any adverse reactions to medicines you have had in the past. If the providers of healthcare services seek access to your SCR for clinical safety reasons, it will ask for your permission.
The providers of healthcare service’s business operations are governed by national UK and Public health legislation. It therefore also sometimes processes your personal data in accordance with the Applicable law and as necessary to fulfil the legal obligations of the providers of healthcare services. This includes that the providers of healthcare service’s clinicians keep medical records, which the providers of healthcare services are obligated to save for a particular period of time. The providers of healthcare services also store your medical information, such as notes from consultations, and your interactions with it for safety, regulatory, and compliance purposes. For example, it may need to review your information and, where necessary, make disclosures in compliance with reasonable requests by regulatory bodies including the Care Quality Commission, or as otherwise required by law or regulation.
The providers of healthcare services, as the data controller of your Patient Data, may use www.hagleyroadpharmacy.com as a data processor to process Patient Data on its behalf to ensure that high standards of healthcare are maintained. For example, Hagley Road Pharmacy may process your Patient Data to analyse the efficiency of the Services, to ensure that clinical and all other guidelines are followed and to follow up on any issues identified with our Services.
5.3. Provision of support services related to your use of the Services
www.hagleyroadpharmacy.com and the providers of healthcare services provide support as set forth above as a part of the Services (i.e., necessary to perform the contract with you and www.hagleyroadpharmacy.com), which may involve responding to inquiries and investigating complaints and support matters (including technical support) through our support service by telephone or via our digital channels. To the extent the support services are related to care or processing of Patient Data (or sensitive personal data about you), the processing is carried out by the providers of healthcare services and takes place in order to provide you with healthcare as part of the Services and ensure high standards of quality of healthcare.
5.4. To market products and services and improve your user experience
www.hagleyroadpharmacy.com processes some of your User Data (as described above in section 3.1) for the purposes of providing you with news, updates and promotional content by email and text messages and other electronic communications channels, such as push notifications and in-Platform messages. Such communications may be based on what www.hagleyroadpharmacy.com knows about you as a user and its understanding of how you use the Platforms and the Services, for example which features you tend to use, and which prior communications you have showed an interest in, searches you have made, your various contacts with the providers of healthcare services, as well as basic demographic and geographic data about you, such as your age, gender and the region in which you reside. However, Health Data is not used for such communication unless you have provided explicit consent to receive communication related to your health.
When www.hagleyroadpharmacy.com contacts you for marketing-related purposes, any processing of your personal data is based on it being in its legitimate interests to do so. www.hagleyroadpharmacy.com legitimate interests include the provision of an online service enabling easy access to healthcare professionals for therapeutic purposes. Moreover, it sends marketing-related emails and text messages on the basis of the so-called ’soft opt-in’; that is, that www.hagleyroadpharmacy.com obtained your contact details when you first registered with the Platforms, that it is only sending emails and texts regarding the same or similar services, and that you were offered an opportunity to opt-out of such emails at the time. In addition, you may opt out of receiving marketing-related communications from www.hagleyroadpharmacy.com at any time by updating your preferences in your account settings. As described above, any communication related to your health will only be sent based on your explicit consent.
5.5. To perform legal obligations
www.hagleyroadpharmacy.com and the providers of healthcare services may also process your User Data, Health Data and Patient Data (as described above in sections 3.1 – 3.3) to the extent necessary to fulfil their legal obligations in the field of healthcare and as otherwise set forth in statutes, court judgments, or decisions by public authorities
5.6. To be able to evaluate, develop and improve the quality of Services
www.hagleyroadpharmacy.com and the providers of healthcare services may process your User Data for the purpose of developing and improving the Services and the IT systems used to provide the Services. This is done on the basis of our legitimate interests in continually improving the security and our handling of personal data, to make the The Platforms more user-friendly, for example by changing and personalising the user interface in order to simplify the user journey, or to highlight and improve functions which we deem relevant to our users. All other development of our Services takes place using anonymised data.
The providers of healthcare services will only process your Patient Data for the purpose of providing the Services, to be able to ensure high standards of quality in healthcare, and to provide healthcare in accordance with applicable legislation and as described in section 5.2 above.
6. How long do we keep your personal data?
www.hagleyroadpharmacy.com and the providers of healthcare services only process your personal data as long as is necessary for the purposes for which the information in question is processed according to section 5 above. This means we keep it as long as it is necessary in order for the providers of healthcare services to be able to provide good care or otherwise for Crest pharmacy services and/or the providers of healthcare services to be able to provide the Services, or in order to fulfil our legal obligations. Your NHS summary care records is only viewed temporarily during your consultation and is not retained following the completion of your consultation by the providers of healthcare services or Hagley Road Pharmacy.
Patient Data
The providers of healthcare services has legal obligations to save medical records connected to healthcare meetings with you for a specific period of time. It retains your Patient Data no longer than necessary for the purposes described in this Notice and has processes in place for how it stores or anonymises personal data.
User Data and Health Data
Your User Data is erased or anonymised not later than six (6) months from the time at which you close your www.hagleyroadpharmacy.com user account, provided it is not necessary to save the personal data in order for us to fulfil our legal obligations or where the information is otherwise necessary in order to establish, exercise or defend legal claims.
In addition, where your User Data is processed by us on the basis of your consent we will delete or anonymise your data if you withdraw your consent. Further details are set out in section 9.
After the purpose of the information has been fulfilled, all information is anonymised or erased automatically.
7. Third parties with whom your personal data may be shared when you use the Services
7.1. Subcontractors of www.hagleyroadpharmacy.com
In order for www.hagleyroadpharmacy.com to be able to offer you the Services, it uses external suppliers that process personal data in certain cases, for example, IT service providers, such as operating and hosting providers. These service providers process personal data in the capacity of data processors on behalf of www.hagleyroadpharmacy.com, for the sole purpose of providing the services requested by www.hagleyroadpharmacy.com, and only according to www.hagleyroadpharmacy.com service’s instructions.
www.hagleyroadpharmacy.com services also retains the services of suppliers who work independently and who, in this way, are independently responsible for the processing of your personal data, such as providers of payment solutions. Where applicable, you will be requested to enter into separate agreements directly with such suppliers. We ask you to please note that this Privacy Notice does not apply to the processing of personal data which takes place through these suppliers. For information regarding how other suppliers process your personal data, please contact these suppliers.
7.2. Subcontractors of Healthcare Provider
The providers of healthcare services keep medical records in accordance with the applicable legislation in conjunction with the provision of healthcare within the scope of the Services. The medical records are saved in a medical record system (EMR) & (PMR) outside of the Platforms which is provided by a third-party services provider based in the EU/EEA. The service provider is not allowed to access your information except as strictly necessary to provide the EMR/PMR to the providers of healthcare services and only in accordance with Healthcare Providers written instructions. The providers of healthcare services are responsible for any personal data (Patient Data) which is stored in such medical records systems.
The providers of healthcare services use a third-party service provider to provide secure identification of patients when providing healthcare services. The third-party service provider will not process any Health data or Patient data.
7.3. Other healthcare providers
The providers of healthcare services may disclose Patient Data in the context of providing healthcare and/or relevant medical treatment, for example when referring you to another healthcare provider or to pharmacies for the purpose of your treatment or administering prescriptions. The providers of healthcare services will also share a discharge summary (a summary of the care you received from the providers of healthcare services) with your registered GP following completion of a consultation. You can request that a discharge summary is not sent, however, in certain circumstances the GP may insist upon this. You will always be informed of sharing described in this section 7.3 in connection with your consultation with the providers of healthcare services.
8. Transfers to third countries
www.hagleyroadpharmacy.com and the providers of healthcare services use IT suppliers/providers for operating services Globally. However, hence www.hagleyroadpharmacy.com and the providers of healthcare services will occasionally transfer your User Data to areas where our third party providers are based, currently to the United States & Europe.
Transfers of personal data take place to countries outside the UK only if the transfer is lawful according to the applicable data protection legislation regarding the protection of your privacy in the recipient country with reference to: (i) the EU Commission’s decision regarding adequate levels of protection ; (ii) the application of the EU Commission’s standard contract clauses for transfers to third parties and the appropriate supplementary measures where necessary; or (iii) other applicable safeguards in order to fulfil the applicable data protection legislation.
9. How do we protect your personal data?
10. Your rights as a data subject in the The Platforms and user of the Services
You have a number of rights related to personal data we have about you. We are obliged to respond to your request to exercise your rights within one month of submission. If your request is complicated or if a large number of requests have been received, we have the right to extend the period by two further months. If we believe that we cannot fulfil your request, we will notify you within one month of receiving your request about our reasoning.
All information, communication and all measures we carry out are free of charge for you. If, on the other hand, what you request due to your rights is manifestly unfounded or excessive, we have the right to charge an administrative fee to provide you with the information or carry out the requested action or refuse to act on your request.
You may at any time contact us in order to:
01. request access to, and information about, the personal data which is being processed in conjunction with your use of the The Platforms and/or the Services.
2. ask us to correct any incorrect or incomplete information about you.
3. request that your personal data be erased (however, we ask you here to note that this right is limited and Healthcare Providers have certain obligations by law to save certain personal data, particularly related to Patient Data, including keeping medical records in connection to use of the Services). At your request, all Patient Data which we do not have a legal obligation to retain will be erased.
4. ask us to restrict the processing of your personal data temporarily or temporarily where you believe such data to be inaccurate; our processing is unlawful; or we no longer need to process such data for a particular purpose unless we are not able to delete the data due to a legal or other obligation or because you do not wish for us to delete it.
05. object to the processing of your personal data where the legal justification for our processing of your personal data is our legitimate interest. We will abide by your request unless we have compelling legitimate grounds for the processing which override your interests and rights, or if we need to continue to process the data for the establishment, exercise or defence of a legal claim.
06. if we use your personal data on the basis of your consent, you have the right to withdraw your consent at any time, free of charge. This includes where you wish to opt out from marketing messages. Withdrawal of consent does not affect the providers of healthcare service’s obligation to keep medical records, or to process your personal data in accordance with the applicable law; or
07. request that your personal data be moved to another controller of personal data by receiving your personal data, to the extent it has been provided by you, in an electronic format which is generally used in order to be able to transfer it to another party (the right of data portability).
8. request to not be subject to a decision based solely on automated decision making, including profiling, where the decision would have a legal effect on you or produce a similarly significant effect.
Should you wish to contact us regarding any of the rights above, we encourage you to contact us via our website, or by sending an email to hagleyrd@crestpharmacy.com. If you have a request related to the processing of your personal data by a Third-Party Healthcare Provider, please contact it directly.
11. Your rights as a patient
As well as your rights as a data subject under data protection law in the UK, you may also have certain rights as a patient.
This includes your right to object to the sharing of your confidential medical data with others who are providing your care. If you exercise this right, our healthcare professionals can explain the potential impact of your objection on your care including, for example, not being able to refer you to a specialist or arrange further treatment.
12. Right to file a complaint with the Data Protection Authority
With this Privacy Notice we truly hope that we have made it clear to you how we handle your personal data. However, should you still have any questions, please feel free to contact us via the contact details provided in Section 9 above. We would also like to inform you that, should you believe that the processing of your personal data is incorrect or does not comply with legal requirements, you have the right to file a complaint with the UK Information Commissioner’s Office.
The Information Commissioner’s Office can be contacted as follows:
Telephone: +44 0303 123 1113
Email: casework@ico.org.uk
Website: www.ico.org.uk
Web-form: www.ico.org.uk/make-a-complaint/
Address: Water Lane, Wycliffe House, Wilmslow, Cheshire, SK9 5A