Version 1.1: April 2018
Index Medical Ltd are committed to the highest standards of data privacy and protection.
We collect personal information required to process and deliver your request for healthcare; and standard technical information to better understand how our website is used.
Lawful basis for processing data
Personal health and medical data is a special category of data and subject to specific provisions and exemptions.
The lawful basis for processing data is as follows:
GDPR Article 6 (1)(c): processing is necessary for compliance with a legal obligation.
Index Medical Ltd is legally obliged to abide by regulations governing healthcare which require accurate medical records.
GDPR Article 9 (2)(h): processing of special categories of personal data
processing is necessary for the purposes of preventive or occupational medicine, ... medical diagnosis, the provision of health or social care or treatment ....
Index Medical Ltd does NOT rely on user consent to lawfully process their data. Consent cannot be effectively freely given, or withdrawn. Requesting consent as a lawful basis would therefore be misleading.
Payment card data is processed subject to financial transaction regulations.
Data such as product and service reviews provided by patients, and technical data such as device and network data that helps us better understand how the website is used, is processed under a legitimate business interest.
This privacy statement applies to Index Medical Ltd (the 'data controller') trading as Dr Fox.
Please contact the data officer Mr Daniel Broughton, Technical Director (email email@example.com) for any issues regarding your personal data.
We respect your privacy and are transparent about how your data is collected, stored, processed, and shared. Please review the following documents:
Information required to provide treatment
Index Medical Ltd provides health advice and treatment on prescription by postal service and for collection at pharmacies and must abide by the legal requirements for the supply of prescription medicine, and the collection, processing, and sharing of data is necessary for compliance. These legal requirements include confirming your identity, keeping accurate personal and medical records, and informing your regular doctor of treatment provided where necessary.
Confirming your identity
To confirm a person's identity for a prescription requires the following correct information:
- Gender (at birth)
- Full first name and surname
- Date of birth
- Address we can verify with financial records
Where identity cannot be sufficiently verified with financial records, additional proof of identity will be required, such as providing a copy of a photo identity document (passport, driving licence, national identity card, 18+ card).
Administrators may update a patient's personal details to match the photo ID supplied.
Once identity has been established, patients re-confirm their identity each time they log in to their account using their email address and chosen password. Measures are in place to protect against malicious use of a patient's account should their email address become compromised.
Requesting treatment on prescription requires patients to answer medical questions. The answers to these questions are recorded and form part of the medical consultation with our doctors. Previous prescriptions supplied are considered when issuing new prescriptions, and also form part of the patient record.
Doctors or administrators may request or respond to additional information from the patient. This information also forms part of the patient record.
Effective communication is required to facilitate the provision of healthcare remotely, and is achieved by patients providing their email and telephone number(s). Primary communication is via email, with secondary contact by phone or SMS text. Patients are notified to log in to their account to view messages from doctors or administrators. Sensitive details are not sent by email unless the patient requests them by email, in which case consent to reply by email is implied unless stated otherwise.
Patients provide a payment card billing address and delivery address if different. Each address provided will be stored and recorded.
Your GP details
Patients should keep their regular GP/doctor informed of treatment provided by Index Medical Ltd. This ensures your regular doctor is aware of all treatments you are using, particularly important if new treatment is prescribed.
If patients provide contact details of their GP, we will notify them directly (online or by letter). In some instances our prescribing protocols will require patients to provide GP details and consent to notification.
Where necessary Index Medical Ltd staff will update incorrect or incomplete GP details provided by patients.
Changes to patient data
Any change made to patient data is recorded (what data, when changed, and by whom).
Our pharmacy additionally enters patient and prescription data into a pharmacy prescribing system which serves as a separate independent record of treatment supplied, and is standard practice for UK pharmacies. The pharmacy also makes a printed copy of each electronic prescription from Index Medical Ltd as a secondary record, which is stored according to GPhC standards.
Automated notification emails are sent to users:
- When making an order
- If you have a new message for doctors or administrators
- After a doctor has processed your prescription
- When the pharmacy has processed your order for delivery
- Delivery updates from Royal Mail
Email notifications from Dr Fox regarding requests for prescriptions are required in order to provide an effective service. Patients using the service cannot opt out of receiving these emails.
When registering an account with Dr Fox patients are given the option to subscribe to an e-newsletter. E-newsletters are sent less than once per month on average using Campaign Monitor, a 3rd party mailing provider. Patients agree to data being shared with Campaign Monitor when opting to receive e-newsletters. Each e-newsletter sent will include a simple method to unsubscribe from the mailing. Patients can request that their data is permanently deleted from Campaign Monitor servers by contacting the data officer.
Index Medical Ltd reserves the right to send non-commercial mass emails regarding drug safety and important service updates to all registered users of the service.
Support and administration
Index Medical Ltd staff use G-Suite to administer the service including Gmail for managing support emails.
The www.doctorfox.co.uk website uses the Google Analytics website visitor tracking service to enable us to understand how users interact with our website and improve our service, and also to report on trends and sales.
Browsers can be configured, or add-ons downloaded, to opt out of Google Analytics if patients prefer.
Our website server also retains similar technical and geographical visitor data for a period of 7 days only.
Cookie use policy
Retention of your data
Your data will be retained indefinitely, or 10 years after notification of the death of a patient, in a secure data centre, as required by regulation regarding healthcare provision. This also protects both the patient and doctor in case of legal proceedings.
A patient's account login can, however, be disabled on request.
Printed copies of prescriptions are retained by the pharmacy for a mandatory 2 years before being destroyed as confidential waste.
Payment card data is required to be kept for 5 years.
Photo ID documents are deleted after 3 months.
Technical personal data (device and network information) is deleted from Index Medical Ltd server after 7 days, and from Google Analytics server after 14 months.
Automated decision making
The medical questionnaires for each treatment area will automatically exclude patients from requesting treatment if any of the following are identified:
- 'Red flag' signs and symptoms
- Incorrect gender
- Excessive order quantities
Where the remote provision of treatment is not suitable, patients are advised to contact their regular doctor or visit a health centre. Patients can seek advice, and discuss symptoms and treatment with our doctors via a secure messaging system.
Patient access to data
Patients can access and update their personal profile and medical record by logging in to their Dr Fox account.
Patients can request a copy of all stored data relating to themselves by contacting the Data Officer. The data will be provided in a common format for portability to other data systems.
Who has access to the personal data we collect?
Please review the data sharing policy for full details.
3rd party organisations process data provided by Index Medical Ltd solely for the purpose of delivering or supporting the healthcare service provided.
All organisations operate strict UK/EU compliant confidentiality, privacy, and data protection procedures.
Index Medical Ltd has not and will never sell any patient data to third parties.
People with concerns about privacy and data held by Index Medical Ltd should contact the data officer, Mr Daniel Broughton, Technical Director (email firstname.lastname@example.org) in the first instance.
If the response is not to your satisfaction you can make a complaint with the Information Commissioner's Office.
EU General Data Protection Regulation
The EU General Data Protection Regulation (GDPR) is now a legal requirement in the UK. Compliance is required by 25 May 2018 (date of enforcement).
The GDPR includes the following rights for individuals:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability
- the right to object
- the right not to be subject to automated decision-making including profiling
If you wish to exercise any of these rights please contact the data officer. Please note that the GDPR provides exceptions to these rights in relation to health, where the retention of data is required for legitimate medical and legal reasons.