We care about your privacy
Hi, we’re ICNH Limited trading as ‘DrDoctor’. We operate this website to inform our clients about the services we provide.
Here at DrDoctor, we care deeply about your privacy and we also want our practices to be ethical. We believe it is paramount that you understand how your data is managed when you use this site.
1. This Privacy Policy
This Privacy Policy sets out the way in which we use any personal information that is collected from you whilst using https://www.drdoctor.co.uk (“Site”). It also sets out the way we use your personal information when accessing drdoctor.thirdparty.nhs.uk, my.drdoctor.co.uk and video.drdoctor.co.uk (collectively “Patient Platform”). Finally, this Privacy Policy also sets out how we use your personal data whilst accessing our service through the NHS App or when using NHS login details.
Personal data means information relating to an individual who can be identified, directly or indirectly, from that piece of information. Examples of personal data include but are not limited to: your name, email address, phone number and occasionally other contact details.
You are provided with access to this Privacy Policy when you register with us and it is available on our Site and Patient Platform at all times.
References to “us”/“we”/“our” in this Privacy Policy mean DrDoctor (registered: ICNH Ltd.), which is registered in England and Wales under company number 08149394. Our trading address is DrDoctor, The Grain House, 46 Loman Street, London SE1 0EH. We are registered at the UK Information Commissioner’s Office under number Z3313550.
2. The Relationship between DrDoctor, you, your healthcare provider and NHS England
Where DrDoctor act as a Data Processor
For all of DrDoctor’s services to your healthcare provider, we act as a data processor. Your healthcare provider acts as a data controller, and gives us specific instructions on how to process your information so that you are able to receive the best care possible. These instructions are captured in a contract between us and your healthcare provider.
Where we process personal data in this manner, we do not need a lawful basis to process your data as this is defined by your healthcare provider.
If you have any questions around how your healthcare provider captures and uses your personal data then you can read their Privacy Policy which should be on their website.
Where DrDoctor act as a Data Controller or Joint Data Controller
There are limited circumstances where we act as a data controller. These cases are separate to those where we obtain and process data on behalf of healthcare providers.
We act as a Data Controller where service users provide us with personal data in order for us to undertake services other than for your direct care and which are not expressly required from your healthcare provider.
In all these circumstances, we obtain personal data from you directly rather than from your healthcare provider.
One example of when DrDoctor act as a data controller can include surveys that we collect through our Patient Platform (https://my.drdoctor.co.uk).
However, where we wish to collect this information and become a data controller then we will obtain your explicit consent. If you don’t wish to give consent then you are still able to access the services your healthcare provider has contracted us to provide.
Where you use the NHS App
Please note that if you access our services using your NHS login details, the identity verification services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose.
For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. For further information you can view NHS login’s privacy notice, and NHS App’s privacy notice on the NHS website. This restriction does not apply to the personal information you provide to us separately.
Further, if you are an NHS App user, we may send you messages relating to your health and care on behalf of your healthcare provider through the NHS App Messaging Service. The NHS App Messaging Service is provided by NHS England. For further information see the NHS App and Account privacy policy: https://www.nhs.uk/nhs-app/nhs-app-legal-and-cookies/nhs-app-privacy-policy/messaging-services/
3. What personal information do we collect and process?
We collect different types of personal information from different sources. We do not have access to your full medical or health records and information we collect is limited to what is listed below.
Personal information you give us to identify you as a patient of a healthcare provider
You give us personal data about yourself when you log in to our Patient Platform so that we can verify your patient records:
- Name
- Date of Birth
- Address details
You give us the following personal data to pass back to your healthcare provider(s):
- Appointment booking or change requests
- Medical assessment responses
- Feedback on the service
Personal information we collect automatically when you visit our Patient Platform
We may also collect certain information by automated means, such as cookies and web beacons whenever you visit our Patient Platform. This could include IP address, browser type, operating system, referring URLs, information on actions taken on, and dates and times of visits.
Some cookies we collect are strictly necessary for the Patient Platform to function correctly. Without these cookies the functionality may be impaired so we automatically apply them but you are informed about them when you log in.
Currently, we do not collect any analytical cookies or any cookies other than those strictly necessary for the Patient Platform to function. Please note that any cookies collected are not designed to identify you; the information is all aggregated and therefore strictly anonymised.
Personal information we collect from your healthcare provider
We collect personal data about you from healthcare providers to facilitate your use of the services. This information can include:
- Name
- Gender
- Date of birth
- Date of death
- Phone number
- NHS Number
- Medical Reference Number (e.g. hospital number)
- Postal Address
- Default language preference
- Consent to contact
- Referral and appointment letters
- Clinical report information (including diagnoses, outcomes, procedure codes and follow up information for each appointment)
- Appointment details
- Waiting list details (including information on if you are waiting for a confirmed appointment with a healthcare provider, the doctor to be seen by you for each appointment, as well as information on repeat and follow up appointments needed)
- Referral data (including your details, the healthcare provider you are being referred from and doctor making the referral, the healthcare provider you are referred to and the reason for the referral, along with tracking details used nationally)
Personal information we process through the NHS App or NHS Login
NHS England provides a service to NHS patients in England through the NHS App and NHS website to securely view summary details of their scheduled secondary care appointments with acute NHS Trusts, and to enable them to access further details about those appointments from the NHS App. If your healthcare provider has signed up for this, we will process personal data for this purpose and share your data with NHS England.
If you are accessing our services through the NHS App, we are required to process your information to authenticate your credentials and provide you with the necessary information you need to access the service and be able to review and manage your appointments. The data we collect will include:
- Name
- Date of birth
- Date of death
- Medical Reference Number (e.g. hospital number)
- NHS Number
- Gender
- Appointment details
- Configuration session details
Personal information you give us when making a marketing enquiry on our Site
You give us the following personal information about yourself into the ‘Get in Touch’ section of our Site where we provide individuals the opportunity to declare their interest in the Patient Platform and our services:
- Name
- Telephone Number
4. How does DrDoctor use your personal information?
Where we are acting as a data processor on behalf of your healthcare provider (the data controller), we use your personal data for the following purposes:
- To send you communications from your healthcare provider via email and SMS
- To register you onto our Patient Platform and services and manage your profile, including asking you how you would prefer to be contacted (different channels and contact details), language preferences, etc
- To allow you and your healthcare providers to book and reschedule appointments and to manage any cancellations
- To provide you with information about the care you receive from your healthcare provider. This includes leaflets, videos, text and supporting information
- To allow you to change or cancel appointments and interact with your healthcare provider
- To allow you to request that a healthcare provider update the details they hold on record for you
- To record information on how your care is progressing.
- To maintain your account and registration which we need to do to provide the services to you
- To allow us to investigate and address queries, questions and complaints and respond to any feedback from your healthcare provider
- To understand the effectiveness of the services provided by the healthcare provider and allow a healthcare provider to benchmark against other healthcare providers
- Subject to the authorisation from your healthcare provider, to de-identify your personal data, i.e. to anonymise, and use it for research to improve our ability to provide patient care in the future.
Where we are acting as a data processor for both NHS England and your healthcare provider for use of the NHS App:
- Authenticating you as a user to make sure that the credentials are correct
- Ensuring that you are provided with the correct information about your appointment
- Making appointment booking change requests to your healthcare provider
Where we are acting as a data controller then we may use your personal data for the following purposes:
- To develop and improve our products by seeing how you use our services and Patient Platform
- To improve your experience when using our Patient Platform and services
- To update you on any developments or information about our services. These are strictly service emails and do not include marketing
Use of our Patient Platform by minors
Users of our services need to be over 16 years old. If you are under 16 then the service may only be used by your parent or legal guardian.
Do we make automated decisions about you?
No, we don’t make automated decisions about you.
5. What is our lawful basis for processing your personal data?
Where DrDoctor act as a Data Processor (see section 2 of this Privacy Policy for further information), which is the majority of the time, we do not rely on a lawful basis for processing your personal data. In these circumstances, we act purely on express instructions from your healthcare provider, who are responsible for the appropriate lawful basis to process your personal data. You should visit their Privacy Policy to find out more information.
Where DrDoctor act as a Data Controller for your personal data, we rely on the following lawful bases to process your personal data under the UK General Data Protection Regulation:
For non-special categories of personal data:
- Article 6(1)(a) - Consent
For special categories of personal data:
- Article 9(2)(a) - Explicit consent
- Article 9(2)(f) - Defence of legal claims
6. How do we protect your personal information?
All the data we collect about you as an individual is protected with multiple levels of security including industry-leading encryption and access controls.
Your data is stored in our data centres that are accredited to the standards set out by the NHS and GCHQ/CESG for protecting the healthcare information of UK citizens. We use Microsoft Azure UK data centres which meet a broad set of international and industry-specific compliance standards such as ISO 27001, HIPAA, FedRAMP and SOC 2. We use Azure ExpressRoute to connect to the health and social care network. All data traffic which flows through this route is securely encrypted.
When you use the Patient Platform and services your access is controlled using 2-factor authentication unless you have been given the option to disable this when using a username and password.
We ensure that all data is backed up and we have a comprehensive Business Continuity Planning & Disaster Recovery plan in place in the event of an unexpected disruption in service or business operations.
7. Who do we share your personal information with?
Please note that we do not and never will sell your personal data to third parties.
Your personal data is available to you as well as clinical and administration staff working at your relevant healthcare providers.
In order for us to effectively deliver our services, we use third party suppliers. If those suppliers process personal data, they will act as Data Sub-processors. We use the following Sub-processors who process limited amounts of personal data as strictly necessary for them to provide their service:
DrDoctor Patient Platform
Sub-Processor Name | Purpose of Sub-Processor |
---|---|
Microsoft | Provides database and cloud storage hosting (Microsoft Azure) |
MessageBird B.V | Provides SMS messaging, interactive voice messages and automated email services |
BT (British Telecommunications plc) | Provides SMS messaging |
Whereby AS | Video consultation platform to facilitate video streaming between patients and clinicians |
Moneypenny (Callitech Limited) | Provides a receptionist and helpline service |
HubSpot Inc | Provides ticketing support system for queries made to DrDoctor requiring support assistance |
Atlassian Pty Ltd | Provides an issue and project tracking tool for use within tech support |
Mail providers | Send you printed letters (depending on your healthcare provider) |
NHS App
For the processing of your personal data and functioning with the NHS App, we use the following sub-processors to provide our service:
Sub-Processor Name | Purpose of Sub-Processor |
---|---|
Microsoft | Provides database and cloud storage hosting (Microsoft Azure) |
Whereby AS | Video consultation platform to facilitate video streaming between patients and clinicians |
MessageBird B.V | Provides automated emails to notify Trusts of appointment change requests from patients who have requested an appointment change through the NHS App |
For the NHS App, we also share your personal data with the following organisations in order for the NHS App to effectively function:
- Servita – Technology provider which ingests personal data into an aggregator by an API before sending to NHS England
- NHS England – Host of the NHS App
Please note that we may be legally required to share your personal data with law enforcement agencies, regulators, courts or other public authorities.
8. Do we transfer your personal information outside the UK/EEA?
The safety and integrity of our service users’ data is very important to us. Your healthcare provider will have signed off the use of all of our sub-processors, with their information governance and data protection teams being happy with their use.
At DrDoctor, we risk assess each data sub-processor we use and where possible, we also ensure that all security measures and appropriate safeguards are put in place to protect your information and comply with the data protection legislation.
Our main storage and data platform is hosted within the UK.
Some of our sub-processors are organisations whose processing activities take place within the EEA. Transfers from the UK to the EEA are deemed lawful on the basis of adequacy regulations, i.e. without the need for a lawful transfer mechanism under Article 46 of the UK GDPR.
We have one sub-processor whose processing activities are based outside of the EEA. We have in place Standard Contractual Clauses (SCCs) with them to lawfully transfer the data under Article 46(2) UK GDPR.
Further details on where your data is sent can be seen below:
Third Party | Location of Processing Activities | What is the purpose of the third party |
---|---|---|
Microsoft | UK | Cloud hosting and backup services |
MessageBird B.V | The Netherlands and The Republic of Ireland (EEA) | Allow DrDoctor to send text messages and interactive voice messages to patients and automated emails to booking teams and patients |
Whereby AS | Luxembourg and Republic of Ireland (EEA) | Video Platform service for patient – clinician consultations |
HubSpot Inc | USA | Ticketing service for enquiries sent to our general support help service |
Moneypenny (Callitech Limited) | UK | Helpline support and receptionist service |
Atlassian Pty Ltd | Germany (EEA) | Tracking tool for use within tech support |
Mail providers | UK | Printed letters |
9. How long do we keep your personal information?
Where we act as a Data Processor, your personal data is stored until your healthcare provider ceases to be a DrDoctor client. In that case your data will be deleted or anonymised within 30 days of the end of the contractual relationship.
We will keep your information for no longer than is necessary and as required to fulfil our legal obligations. If your data is no longer needed, we delete or anonymise it where we have the appropriate lawful basis to do so.
If we rely on consent to process your personal data then we will only retain your data for as long as you consent to us holding it.
When determining the relevant retention periods for personal data we hold on you, we will take the following factors into account:
- Our contractual obligations and rights in relation to the information involved
- Whether we have consent from the data subject to retain the personal data
- Legal obligation(s) under applicable law to retain data for a certain period of time
- Statute of limitations under applicable law(s)
- Legal claims or potential disputes
- If you have made a request to have your information deleted
- Guidelines issued by relevant data protection authorities
10. What are my rights?
By law, you have a number of rights (subject to certain conditions) when it comes to your personal data. For more information about your rights, you can visit the Information Commissioner’s Office website.
Where we are a Data Processor acting on behalf of healthcare providers
In relation to personal data we process as data processors, you will need to contact your relevant healthcare provider to exercise or enquire about these rights. You are welcome to provide your data subject request to us, but after we confirm your identity we will forward your query onto your healthcare provider to action.
Where we act as a Data Controller for your information
You have the following rights:
- The right to object to processing.
  - You have the right to object to certain types of processing, including processing for direct marketing (i.e. receiving emails from us notifying you about other services we have which we think will be of interest to you or being contacted with varying potential opportunities).
- The right to be informed.
  - You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. This is why we’re providing you with the information in this Policy.
- The right of access.
  - You have the right to obtain access to your information.
- The right to rectification.
  - You can request that we rectify any errors in information if it is inaccurate or incomplete.
- The right to erasure.
  - This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your information.
- The right to restrict processing.
  - You have rights to ‘block’ or suppress further use of your information. When processing is restricted, we can still store your information, but will not use it further. We keep lists of people who have asked for further use of their information to be ‘blocked’ to make sure the restriction is respected in the future.
- The right to data portability.
  - You have rights to obtain and reuse your information for your own purposes across different services. For example, if you decide to switch to a new provider, this enables you to move, copy or transfer your information easily between our IT systems and theirs safely and securely, without affecting its usability.
- The right to lodge a complaint.
  - You have the right to lodge a complaint about the way we handle or process your information with your national data protection regulator.
- The right to withdraw consent.
  - If you have given your consent to anything we do with your information (i.e. we rely on consent as a legal basis for processing your information), you have the right to withdraw your consent at any time. This will prohibit us from using your information in the future but does not invalidate any past processing.
You can exercise any of the above rights by contacting us at support@drdoctor.co.uk
Other information:
We usually act on requests and provide information free of charge. In some cases, we may charge a reasonable fee to cover our administrative costs or refuse to act on the request if it is excessive, repeated or manifestly unfounded. We may also ask for confirmation of your identity as part of the process.
We will always aim to respond to your request as soon as we can. Generally, this will be within one month from when we receive your request. We are entitled to extend the time to respond to your request where it is complex but will notify you if it is going to take longer to deal with.
11. How do I opt out of the DrDoctor services?
As a patient, you can opt out of DrDoctor in a number of ways depending on what is required. Please note that you can opt-out only where we use your personal data to provide you with a service related to your direct care and where an alternative service is available. You are encouraged to talk to your healthcare provider in such circumstances to understand your opting-out options.
Where applicable, you can opt-out of DrDoctor’s services in the following circumstances:
- If you would like to update your contact preferences or remove a contact method from use, then this can be set by using our web portal
- If you would like to stop all notifications to your phone, then this can be achieved by replying ‘STOP’ to any message
- If you would like to stop any information being shared with DrDoctor then you will need to contact your healthcare provider who will make this change so long as they can continue to provide you with direct care through an alternative means
12. Contacting us or making a complaint
We’re always happy to talk. If you have any questions, concerns or complaints about how your personal data is being used, then please email support@drdoctor.co.uk and we’ll do everything we can to help.
We have a designated Data Protection Officer. You can contact our Data Protection Officer at dpo@drdoctor.co.uk.
Alternatively, you can also contact the ICO, the UK’s independent regulatory office in charge of upholding information rights for further information or to make a complaint. You can contact the ICO by post, by calling their helpline 0303 123 1113 (local rate) or 01625 545 745 or as directed on their website at https://ico.org.uk/make-a-complaint/.
Last update: