Privacy policy

Version 1.1: April 2018

Summary

Index Medical Ltd are committed to the highest standards of data privacy and protection.

We collect personal information required to process and deliver your request for healthcare; and standard technical information to better understand how our website is used.

Lawful basis for processing data

Health data

Personal health and medical data is a special category of data and subject to specific provisions and exemptions.

The lawful basis for processing data is as follows:

  • GDPR Article 6 (1)(c): processing is necessary for compliance with a legal obligation.
    Index Medical Ltd is legally obliged to abide by regulations governing healthcare which require accurate medical records.

  • GDPR Article 9 (2)(h): processing of special categories of personal data
    Specifically: processing is necessary for the purposes of preventive or occupational medicine, ... medical diagnosis, the provision of health or social care or treatment ....

Index Medical Ltd does NOT rely on user consent to lawfully process their data. Consent cannot be effectively freely given, or withdrawn. Requesting consent as a lawful basis would therefore be misleading.

Payment data

Payment card data is processed subject to financial transaction regulations.

Other data

Data such as product and service reviews provided by patients, and technical data such as device and network data that help better understand how a website is used is processed under a legitimate business interest.

Statement

This privacy statement applies to Index Medical Ltd (the 'data controller') trading as Dr Fox and Fast Doctor.

Please contact the data officer Mr Daniel Broughton, Technical Director (email privacy@doctorfox.co.uk) for any issues regarding your personal data.

We respect your privacy and are transparent about how your data is collected, stored, processed, and shared. Please review the following documents:

We abide by all current data regulation – see our Information Commissioner's Office's Register Entry Report certificate details here.

Information required to provide treatment

Index Medical Ltd provides health advice and treatment on prescription by postal service and for collection at pharmacies and must abide by the legal requirements for the supply of prescription medicine, and the collection, processing, and sharing of data is necessary for compliance. These legal requirements include confirming your identity, keeping accurate personal and medical records, and informing your regular doctor of treatment provided where necessary.

Confirming your identity

To confirm a person's identity for a prescription requires the correct following information:

  • Gender (at birth)
  • Full first name and surname
  • Date of birth
  • Address we can verify with financial records

Where identity cannot be sufficiently verified with financial records, additional proof of identity will be required, such as providing a copy of a photo identity document (passport, driving licence, national identity card, 18+ card).

Administrators may update patient's personal details to match photo ID supplied.

Once identity has been established patients re-confirm their identity each time they login to their account using their email address and chosen password. Measures are in place to protect against malicious use of a patient's account should their email address become compromised.

Medical records

To request treatment on prescription requires patients to answer medical questions. The answers to these questions are recorded and form part of the medical consultation with our doctors. Previous prescriptions supplied are considered when issuing new prescriptions, and also form part of the patient record.

Confidential messages

Doctors or administrators may request or respond to additional information from the patient. This information also forms part of the patient record.

Communication

Effective communication is required to facilitate the provision of healthcare remotely, and is achieved by patients providing their email and telephone number(s). Primary communication is via email, with secondary contact by phone or SMS TXT. Patients are notified to login to their account to view messages from doctors or administrators. Sensitive details are not sent by email, unless requested via email where consent to reply via email is implied, unless stated otherwise.

Addresses

Patients provide a payment card billing address and delivery address if different. Each address provided will be stored and recorded.

Your GP details

Patients should keep their regular GP/doctor informed of treatment provided by Index Medical Ltd. This ensures your regular doctor is aware of all treatments you are using, particularly important if new treatment is prescribed.

If patients provide contact details of their GP, we will notify them directly (online or by letter). In some instances our prescribing protocols will require patients provide GP details and consent to notification.

Changes to patient data

Any change made to patient data is recorded (what data, when changed, and by whom).

Pharmacy records

Our pharmacy additionally enters patient and prescription data into a pharmacy prescribing system which serves as a separate independent record of treatment supplied, and is standard practice for UK pharmacies. The Pharmacy also makes a printed copy of each electronic prescription from Index Medical Ltd as a secondary record, which is stored according to GPhC standards.

Emails

Automated notification emails are sent to users:

  • When making an order
  • If you have a new message for doctors or administrators
  • After a doctor has processed your prescription
  • When the pharmacy has processed order for delivery
  • Delivery updates from Royal Mail

Email notifications from Dr Fox / Fast Doctor regarding requests for prescriptions are required in order to provide an effective service. Patients using the service cannot opt out of receiving these emails.

Supplementary emails

When registering an account with Dr Fox or Fast Doctor patients are given the option to subscribe to an e-newsletter. E-newsletters are sent less than once per month on average using Campaign Monitor, a 3rd party mailing provider. Patients agree to data being shared with Campaign Monitor when opting to receive e-newsletters. Each e-newsletter sent will include a simple method to unsubscribe from the mailing. Patients can request their data is permanently deleted from Campaign Monitor servers, please contact the data officer.

Index Medical Ltd reserves the right to send non-commercial mass emails regarding drug safety and important service updates to all registered users of the service.

Support and administration

Index Medical Ltd staff use G-Suite to administer the service including Gmail for managing support emails.

Visitor tracking

www.doctorfox.co.uk and www.fastdr.com websites use Google Analytics website visitor tracking service to enable us to understand how users interact with our website and improve our service, and also to report on trends and sales.

You can find out more about how this service works by visiting Google Analytics Overview.

Browser can be configured or add-ons can be downloaded to opt out of Google Analytics if patients prefer.

Our website server also retains similar technical and geographical visitor data for a period of 7 days only.

Cookie use policy

Visiting the www.doctorfox.co.uk and www.fastdr.com websites will result in cookies being stored on your computer or mobile device's web browser. These cookies support and facilitate patients to use the service. By using these websites you consent to these cookies being installed on your device. For further information, including details on how to remove cookies, please read our full cookie policy.

Retention of your data

Your data will be retained indefinitely, or 10 years after notification of the death of a patient, in a secure data centre, as required by regulation regarding healthcare provision. This also protects both the patient and doctor in case of legal proceedings.

Patient's account login can be disabled on request however.

Printed copies of prescriptions are retained by the pharmacy for a mandatory 2 years before being destroyed as confidential waste.

Payment card data is required to be kept for 5 years.

Photo ID documents are deleted after 3 months.

Technical personal data (device and network information) is deleted from Index Medical Ltd server after 7 days, and from Google Analytics server after 14 months.

Automated decision making

The medical questionnaires for each treatment area will automatically exclude patients from requesting treatment if the following is identified:

  • Contraindicated
  • 'Red flag' signs and symptoms
  • Incorrect gender
  • Excessive order quantities

Where the remote provision of treatment is not suitable, patients are advised to contact their regular doctor or visit a health centre. Patients can seek advice, and discuss symptoms and treatment with our doctors via a secure messaging system.

Patient access to data

Patients can access and update their personal profile and medical record by logging-in to their Dr Fox / Fast Doctor account.

Patients can request a copy of all stored data relating to themselves by contacting the Data Officer. The data will be provided in a common format for portability to other data systems.

Who has access to the personal data we collect?

Please review the data sharing policy for full details.

3rd party organisations process data provided by Index Medical Ltd solely for the purpose of delivering or supporting the healthcare service provided.

All organisations operate strict UK/EU compliant confidentiality, privacy, and data protection procedures.

Index Medical Ltd has not and will never sell any patient data to third parties.

Complaints

People with concerns about privacy and data held by Index Medical Ltd should contact the data officer, Mr Daniel Broughton, Technical Director (email privacy@doctorfox.co.uk) in the first instance.

If the response is not to your satisfaction you can make a complaint with the Information Commissioner's Office.

EU General Data Protection Regulation

The EU General Data Protection Regulation (GDPR) is now a legal requirement in the UK. Compliance required by 25 May 2018 (date of enforcement).

The GDPR includes the following rights for individuals:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • the right not to be subject to automated decision-making including profiling

If you wish to exercise any of these rights please contact the data officer. Please note GDPR regulation provides exceptions to these rights in relation to health, where the retention of data is required for legitimate medical and legal reasons.