Privacy policy
Including our Freedom of Information Policy
About Us
Pharmacy2U, also trading under the name of “Chemist Direct”, is a UK online pharmacy registered with the General Pharmaceutical Council (GPhC). You can review our GPhC registration details at:
www.pharmacyregulation.org/registers/pharmacy/registrationnumber/9010146
Who handles our data processing activities
A member of our team, called the Data Protection Officer, oversees our data processing activities and how we handle your personal data. You can contact our Data Protection Officer by:
Email: [email protected]
Phone: 0113 265 0222
Post through our head office:
Pharmacy2U Limited,
Lumina,
Park Approach,
Thorpe Park,
Leeds
LS15 8GB
If you have any questions about this policy or our approach to data protection and privacy, please contact our Data Protection Officer.
Purpose and scope of this privacy policy
We use this privacy policy to give you information about how we handle information about you when you visit our websites (pharmacy2u.co.uk, shop.pharmacy2u.co.uk, chemistdirect.co.uk and health.royalmail.com) and mobile apps or use our services, apply to work at Pharmacy2U or use our vaccination and health services centres.
We know that our privacy policy provides you with a lot of information, so we have organised it into sections to make it easier for you to read and understand. Some information is in expandable sections to make it easier to read. You just need to click on the sub-heading and more information about the section this will drop down for you to read.
Your privacy matters to us, so whether you are new to Pharmacy2U or a long-time patient, please do take the time to read this policy. If you have any questions, please let us know by using the contact details provided above.
We respect your right to privacy and are committed to explaining clearly and honestly how we use any information that we have about you. This privacy policy will help you to understand what information we collect, why we collect it, and what we do with it.
To register and access certain services on this site, individuals under the age of 18 may do so for services where UK law permits access without parental consent, such as sexual health services, mental health support, and substance misuse advice. While minors may have the capacity to give informed consent for these services, as acknowledged by UK law and NHS guidelines, we reserve the right to evaluate such capacity to ensure informed consent is appropriately obtained. It is the user's duty to provide true and accurate information when registering. Should we be unable to affirmatively determine a minor's capacity to consent, we maintain the discretion to refuse the creation of an account or provision of services. Users are responsible for their own use of this site and any associated orders. It is crucial for users to protect their login details against unauthorized use. When services necessitate parental or legal guardian consent for users under 18, we require such consent to be verified, with the parent or legal guardian assuming responsibility in alignment with our terms. Pharmacy2U endeavours to ensure the accuracy of this website's content; however, within legal limits, Pharmacy2U disclaims all warranties related to the content herein.
How we use your data on our online servers and services
The information we collect, how and why we use it
Purpose | Personal Information Used | How we collect this information | Lawful Basis |
---|---|---|---|
To help us understand how people use our website and access our services so that we can ensure they are developed to meet customer needs. | Information about your visit, including information about which pages you visit and for how long, the website you came from and went to before and after visiting our website, and information about the device you used to access our websites such as the type of phone/PC, operating system, and IP address. | With your consent, cookies are placed on your device which collects this data. | These cookies are only used where we have your consent. |
To record Website and App registration to help deliver services to registered users. | Information that you submit using our data collection forms, which will include your name, address, and contact information. | You provide us with this information when you complete our data collection forms. | We have a legitimate interest in enabling you to create an account so you can access our services. |
To fulfil the orders that you place with us, we must first verify your identity and then receive your order information and details to complete your order. | Information to confirm your identity, your medication, payment details, delivery address, your feedback (if you provide it), safe place for deliveries (if you provide it) | You provide us with this information when communicating with Pharmacy2U to place your order. | This information is collected to fulfil our contract with you. |
To fulfil orders for bespoke medications, tailor-made medical equipment, or appliances and ensuring the best levels of service from our Dispensing Appliance partner | Contact details for affected patients shared with relevant suppliers (e.g., Ostomed Healthcare Ltd) who download medical data directly from the central NHS system | You provide us with this information when communicating with Pharmacy2U to place your order. | Necessary for the provision of health care/treatment and to fulfil the prescription as quickly as possible |
To document phone conversations between you and us and record these to: • Check and review quality of care • Prevent, detect, investigate and prosecute allegations, complaints, claims and / or fraud relating to patients, customers, other organisations or P2U staff • Protect staff and patients | Any information that you provide to us over the phone may be recorded on our systems, this may include information about your health and prescriptions. | You provide us with this information when communicating with Pharmacy2U. | To document phone conversations between you and us and record these to: • Check and review quality of care • Prevent, detect, investigate and prosecute allegations, complaints, claims and / or fraud relating to patients, customers, other organisations or P2U staff • Protect staff and patients Any information that you provide to us over the phone may be recorded on our systems, this may include information about your health and prescriptions. You provide us with this information when communicating with Pharmacy2U. We have a legitimate interest to process the information about yourself that you provide to us to address your queries. We record the conversation for quality management purposes under the legitimate interest of continuously improving the standard of service that we are providing you with. Any health or ‘special category data’ that you provide to us is processed for purposes of ensuring the quality and safety of health care and of medicinal products or medical devices and establishing facts in case of future legal claims. |
*To determine if you would be a suitable participant in a clinical trial and to inform you of this. | Information relevant to the requirements of the trial, this may be: gender, age band, geographic location, details of health conditions or medications they are researching. | We collect this data from our database. Our database will have this information from our previous interactions with you and information that you have submitted to us. | We will only provide your information directly to the requesting clinical trial provider where we have your explicit consent to do so. There is a public interest in making you aware of your eligibility for a clinical trial as clinical trials help to ensure the quality and safety of health care and of medicinal products or medical devices.. |
*To identify, invite, and manage participation in the Our Future Health research programme | Your name, date of birth, address, medical data, health information, and list of invited individuals | We collect this data from our database. Our database will have this information from our previous interactions with you and information that you have submitted to us. | Necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (Data Protection Act 2018 Section 19, and Schedule 1 Section 2 and Section 4). |
*To send automated service messages to you about a current contract, services you have requested or past purchases. | Your name, contact details, history of your relationship with Pharmacy2U. | We collect this data from our database. Our database will have this information from our previous interactions with you and information that you have submitted to us. | We have a legitimate interest in keeping our customer base up to date and informed about the service. We also must communicate some information to you in order to fulfil our contract with you. |
To send messages to account users to remind them to check their account details are up to date. | Name and contact details. | We collect this data from our database. Our database will have this information from our previous interactions with you and information that you have submitted to us. | If we do this directly on request of the NHS then this is done under the basis of the public interest. If we do this without being directly instructed, it is under the basis of our legitimate interests to ensure that you are informed of public health services relevant to you. |
Sometimes we will process your data to send you messages about public health services that may be relevant to you (e.g. COVID-19 or seasonal flu vaccinations). | Name, contact details, relevant details on your eligibility for the relevant service. | We collect this data from our database. Our database will have this information from our previous interactions with you and information that you have submitted to us. | If we do this directly on request of the NHS then this is done under the basis of the public interest. If we do this without being directly instructed, it is under the basis of our legitimate interests to ensure that you are informed of public health services relevant to you. |
To send you an e-mail reminder if you only partially complete the registration or subscription order process on our website or app. | Name, contact details such as your email address, information related to your partially completed registration or subscription order. | We collect this data directly from you when you begin the registration or order process and leave it partially completed. The information is stored in our secure database, which also contains data from our previous interactions with you and information that you have willingly submitted to us through our website or app. | We process this information under our legitimate interest to ensure the completion of the registration or order process, provide you with important reminders, improve our services, and enhance your experience with our platform. |
To send you direct marketing information about our products and services that we think will be relevant to you. We may do this by post, e-mail, SMS or telephone. | Name and contact details. | We collect this data from our database. Our database will have this information from our previous interactions with you and information that you have submitted to us. | We will only undertake electronically communicated marketing (e.g. e-mail and SMS) with your consent. Telephone and postal marketing will be done under our legitimate interests to inform you of our products and services. We will check the TPS before we contact you. We will always provide you with an option to opt-out of receiving these communications. |
To undertake direct marketing activities on behalf of other organisations in the following categories: Healthcare Products and Services, Retail, Financial Services, Leisure, Charities, Clinical Trial Operators and Research Organisations. We may send to you direct marketing about the products and services that we offer. | Name and contact details. | We collect this data from our database. Our database will have this information from our previous interactions with you and information that you have submitted to us. | We will only undertake this marketing by electronic means where we have your consent. Telephone and postal marketing will be done under our legitimate interests to inform you of products and services that may be of interest to you. We will check the TPS before we contact you. |
To undertake market research about our product on social media to help us develop our products and services. | Information that has been uploaded onto social media channels, such as usernames. Social media channels such as Facebook and Twitter may be used for this. | This information is collected from content which has been uploaded to social media channels. | We process this information under our legitimate interests to expand and develop our products and services. If you have consented to marketing, we may use your personal data to generate targeted marketing on social media sites. |
To enable us to provide you with our Online Doctor Service. | Your name, address e-mail address, phone number, relevant health information and other details relevant | To enable us to provide you with our Online Doctor Service. Your name, address e-mail address, phone number, relevant health information and other details relevant You provide this information to us at the point of registration. As outlined below, we process this information under the lawful bases of our legitimate interests of providing our services to you, to fulfil our contract with you, to comply with legal obligations and with your consent. | As outlined below, we process this information under the lawful bases of our legitimate interests of providing our services to you, to fulfil our contract with you, to comply with legal obligations and with your consent. |
To provide a telemedicine platform for remote consultations between pharmacists, GPs, and patients | Personal and medical information relevant to the consultation | Collected via the Ummanu Health Limited telemedicine platform during remote consultations | To provide a telemedicine platform for remote consultations between pharmacists, GPs, and patients. Personal and medical information relevant to the consultation Collected via the Ummanu Health Limited telemedicine platform during remote consultations Article 6(1)(e) of the UK GDPR – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and Article 9(2)(h) – processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services or pursuant to contract with a health professional |
Service Transition from LloydsDirect | Name, contact details, prescription information | Provided by you during LloydsDirect service use, your opening of a Pharmacy2U account and consented data sharing at the point of migration | Consent (UK GDPR Article 6(1)(a)) and for the performance of a contract (UK GDPR Article 6(1)(b)) |
Preparatory Data Sharing for Service Continuity and Integration into Pharmacy2U Services | Non-sensitive data such as contact details | Early transfer of selected data to Pharmacy2U's CRM systems for ensuring service continuity | Legitimate interests for ensuring continuity and quality of service and providing a seamless service experience (UK GDPR Article 6(1)(f)) |
Group Collaboration for Enhanced Service Delivery | Name, contact details, service usage data | Shared within the Pharmacy2U Group entities to facilitate integrated services | Necessary for our legitimate interests in efficient group operations (UK GDPR Article 6(1)(f)) |
Community Pharmacist Consultation Service (CPCS): To consult with patients for minor ailments or urgent medication supplies without the need for a GP appointment | Name, NHS number, health concerns, medication details | Direct referrals from NHS and patient consultations | Necessary for the provision of health care services (GDPR Article 9(2)(h)) |
Pharmacy Contraception Service (PCS) : To provide confidential advice and supply of contraception to eligible patients | Name, date of birth, medical history, contraception requirements | Patient consultations and health records | Necessary for the provision of health care services (GDPR Article 9(2)(h)) |
New Medicine Service (NMS) To offer support and monitor the effectiveness of newly prescribed medicines for chronic conditions | Name, NHS number, prescription information, health conditions | NHS prescriptions and patient interactions | Necessary for the provision of health care services (GDPR Article 9(2)(h)) |
Vaccinations: To administer vaccinations as per national health guidelines to protect public health | Name, health information, vaccination status and history | Patient consent and health records during vaccination | Necessary for the provision of health care services (GDPR Article 9(2)(h)) |
Hypertension : To assist in the monitoring and management of patients diagnosed with hypertension | Name, health information, blood pressure readings | Health monitoring sessions and patient records | Necessary for the provision of health care services (GDPR Article 9(2)(h)) |
Discharge Medicine Service (DMS) : To ensure medication continuity and accuracy post-hospital discharge, reducing readmission risks | Name, NHS number, hospital discharge information, medication details | Hospital discharge notes and follow-up patient consultations | Necessary for the provision of health care services (GDPR Article 9(2)(h)) |
Automated decision making and Profiling
The above information marked with an asterisk (*) may be used for automated decision making or profiling purposes. We do this to:
Help us to understand our customers and to help us identify and market to customers with similar characteristics.
Enable us to determine if you might be interested in other products and services we provide.
Enable us to determine if products and services of other organisations are likely to be of interest to you.
Enable us to determine if you are likely to be suitable to take part in clinical trials and medical research we may be involved with from time to time (please refer to the section below).
Determine if our products and services of other organisations similar products and services may be of interest to you.
The law allows us to collect and use this information on the basis that it is in our legitimate interests of operating and improving our commercial pharmacy services.
We do not use any medical data, information about your health, or any other sensitive personal data for profiling and segmentation, except in some circumstances. Segmentation is the process of creating individual lists or groups based on select criteria. The circumstances where we may undertake profiling of medical data will be to undertake the provision of healthcare and treatment (e.g. establishing if you require flu jabs, vaccinations, eligibility for condition-specific information, or clinical trials). The specifics on this are outlined above.
We will use information about the products and services you order for profiling purposes to help improve our marketing.
The automated decision making that we undertake does not have any legal or other similarly significant effects on our patients. This is because every decision is reviewed by a suitable person before being put into effect. What this means is that we will not make decisions about you that are only determined by computers.
You have the right to object to any processing that is based on our claim of our “legitimate interests” including profiling and automated decision making as outlined in the Your Rights section below.
Online Doctor Service
Pharmacy2U's online doctor services are provided in collaboration with HealthHero Solutions Ltd (“HealthHero”) and Metabolic Healthcare Ltd (“MHL”).
Pharmacy2U offers its service users an online doctor service through contractual agreements with the following third-party service providers:
(1) HealthHero, which provides the clinical and prescribing service; and
(2) MHL, which dispenses and dispatches the prescribed medications.
Data Control and Processing
HealthHero Solutions Ltd: As the data controller for clinical data, HealthHero manages your personal data strictly for the purpose of delivering the clinical and prescribing services. HealthHero operates in compliance with UK data protection laws. For further information on how HealthHero processes your personal data, please consult the HealthHero Privacy Policy.
Pharmacy2U Ltd: In conjunction with HealthHero and MHL, Pharmacy2U also acts as a data controller, processing data that is necessary to manage your overall care and facilitate your access to: (1) clinical and prescribing services which are provided by HealthHero; and (ii) pharmacy services, including the dispensing and dispatch of prescribed medications pursuant to a private prescription, which are provided by MHL.
Metabolic Healthcare Ltd: As the data controller for dispensing data, MHL manages your personal data strictly for the purpose of dispensing and dispatching prescribed medications. MHL operates in compliance with UK data protection laws. For further information on how MHL processes your personal data, please consult the MHL Privacy Policy.
How We Use Your Data
Patient Record Management: We maintain patient records to manage your treatment effectively.
Identity Verification: We conduct identity checks using public databases and LexisNexis Identity Verification Services to meet regulatory requirements. You have the right to access records held by credit reference and fraud prevention agencies, including LexisNexis. Visit the LexisNexis page for more information on how to exercise these rights.
Service Delivery: We use your information to deliver services, manage treatments, gather feedback, and handle inquiries or complaints. This usage is underpinned by our contractual and legal obligations, and our legitimate business interests in providing a high quality service.
Communication: We contact you about service availability, order queries, or issues for record-keeping.
Consent-Based Activities: With your consent, we engage in:
Market research to enhance our services.
Marketing communications through various channels about promotions, tailored offers, and other relevant information. You may withdraw your consent at any time as detailed in the 'Your Rights' section below.
Quality and Security Measures: With your consent, we may monitor calls for training and quality assurance. We also analyse website activity to maintain security.
Legal Compliance: We process data as required by law, for instance in response to legal requests from courts or regulatory bodies.
Registration with Regulatory Bodies
HealthHero Solutions Ltd is regulated by the Care Quality Commission in England.
Healthcare professionals providing services are registered with the General Medical Council or the General Pharmaceutical Council in the UK.
Company information and registration with regulatory bodies
HealthHero Solutions Ltd is a company registered in England and Wales with company number 03766413 and its registered office at 10 Upper Berkeley Street, London, W1H 7PE. It is registered with and regulated by the Care Quality Commission in England. https://www.cqc.org.uk/provider/1-1837286653
Metabolic Healthcare Ltd is a company registered in England and Wales with company number 09668487 and its registered office at Lumina Park Approach, Thorpe Park, Leeds, England, LS15 8GB. It is registered with and regulated by the General Pharmaceutical Council (GPhC number: 9011437). https://www.pharmacyregulation.org/registers/pharmacy/9011437
Healthcare professionals who are engaged by HealthHero and MHL provide clinical and prescribing and pharmaceutical services to you are registered with the General Medical Council or the General Pharmaceutical Council, as applicable, in the UK.
Your Rights and How to Exercise Them
Your rights regarding your personal information are detailed in this Privacy Policy. It outlines how to contact us or supervisory authorities if you have complaints or queries about your data rights.
For further information, please review our complete Privacy Policy and the HealthHero Privacy Policy and Terms and Conditions and MHL privacy notice.
Retention of your information
We only keep your personal details for as long as we need it to:
Provide you with our services;
Send you marketing and promotional materials;
Meet our legal obligations and/or protect or defend our business.
We keep a document which tells us how long we need to keep this information for in order to meet the above purposes. If you want more detail on this, please get in touch using the contact details given in the ‘Contact us’ section.
Disclosing your personal information
In order to provide you with our products and services, we use other organisations to help carry out some of the processing activities on our behalf.
These types of organisations may include:
Laboratories;
Technology hosts;
Printing companies;
Providers of digital advertising services;
Providers of marketing and sales software solutions;
Mailing houses; and
Identity verification partners.
In these circumstances, we will ensure that personal information is properly protected and that it is only used in accordance with this Privacy Policy.
We also collect, use and share Aggregated/Anonymised Data such as statistical or demographic data for any purpose.
Aggregated Data may be produced from your personal data, however it does not individually identify you, directly or indirectly, and so it is not considered to be personal data. For example, we may aggregate your usage data with other users’ data to calculate the percentage of users accessing a specific website page. Additionally, we may aggregate your data to create marketing personas/lookalikes to help improve our advertising.
However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data. This combined data will be used in accordance with this privacy policy.
Please note, where we aggregate data for marketing purposes, it will not be combined with your personal data, and you will not be able to be directly or indirectly identified as a result.
Transitioning to a Soft Opt-In Approach: Enhancing Our Communication
As Pharmacy2U expands its operations, we're broaden the application of our customer-focused marketing strategy across various platforms, including ChemistDirect.co.uk, the P2U Shop, and our main website that offers an array of NHS and private health services. Our commitment to your privacy and preferences remains steadfast, which is why we've adopted a 'soft opt-in' approach to keep you informed about products and services you truly care about.
Our Soft Opt-In Approach Explained:
We respect your choices and interests. By employing a 'soft opt-in' strategy, we ensure that communications about marketing are only sent to you if they relate to products or services you've shown interest in or purchased from us in the past. This approach is now extended across Pharmacy2U's offerings, including our main website and the P2U Shop, ensuring a cohesive and respectful communication practice throughout our services.
Transparent Communication:
When you share your details with us, we'll be crystal clear about how we plan to use them, especially regarding marketing communications. You'll always know when you're opting in or out, and we provide a simple and direct way for you to decline these communications if you prefer.
Marketing Messages — Always In Your Control:
Each message we send will include an easy opt-out option, affirming your ability to control your preferences at any time. Furthermore, we've made managing your communication preferences even simpler with the introduction of our Communication Preference Centre accessible directly from your account. This means you have the flexibility to opt-out of specific channels, such as text, email, or post, or even tailor your interests to ensure you receive only the most relevant information. Our aim is to empower you with complete control over how we communicate with you, making it easy to customize your preferences to suit your individual needs and interests.
Broadening Our Definition:
Within the 'soft opt-in' scope, we consider 'similar goods and services' to encompass the extensive range of health and wellness services and products we offer, including but not limited to:
NHS services and initiatives like PharmacyFirst
Contraception and New Medicine Services
A variety of vaccinations and face to face health services in your area
Consumer health items, including over-the-counter medications and wellness and beauty products
Private healthcare services such as private prescriptions and consultations in collaboration with contracted external healthcare professionals
Your engagement with any of these services signals your interest in maintaining or enhancing your health and wellness, allowing us to inform you about our comprehensive solutions tailored to improve your overall healthcare experience.
Specific Consent for PetHealth Services:
Communications about our PetHealth services will require explicit interest from you, such as through actions like providing pet details in your account or directly expressing your interest in these services. This ensures we only send you information that's relevant and of interest to you.
Our extended marketing strategy across Pharmacy2U’s platforms is designed with your best interests in mind, ensuring that we keep you informed about relevant and beneficial health and wellness solutions, all while respecting your choices and maintaining transparency in every communication.
Unified Data Management within Pharmacy2U Group
As part of the Pharmacy2U Group's commitment to enhanced patient services following the acquisition of LloydsDirect ,a trading name of Metabolic Healthcare Ltd, we are integrating our processes to improve the prescription experience. Your data might be collaboratively managed across the group to facilitate superior and streamlined services under the unified Pharmacy2U brand. This may involve sharing your data within the group entities to fulfil our service obligations and to support our continuous improvement. With your consent, we're transferring customer data from LloydsDirect to Pharmacy2U, ensuring a continuous, high-quality service. Preliminary non-sensitive data sharing lays the groundwork for a seamless integration into the Pharmacy2U environment. Rest assured, any internal data processing will strictly adhere to the highest standards of data protection, ensuring the security and confidentiality of your personal information.
Sharing of Prescription Data with IQVIA
In line with practices common among larger pharmacies, we share prescription and prescriber information with IQVIA Ltd, a company incorporated in England and Wales (Registered Address: 3 Forbury Place, 23 Forbury Road, Reading, RG1 3JH; Company Registration Number: 03022416). This sharing of information is based on the legitimate interest for supporting enhanced healthcare analytics and research, contributing to the broader objectives of healthcare improvement and innovation.
The information shared is in the form of anonymous or aggregated data and does not include any personal data of our customers receiving prescriptions. The prescriber information we share consists only of publicly available data, such as the name and workplace address of prescribers, and is considered non-sensitive.
We believe that this practice presents a very low risk of harm and aligns with the NHS's policy of releasing prescribing information by GP practice.
Our Future Health research programme
Our Future Health is the UK’s largest-ever health research programme. It is designed to help people live healthier lives for longer through the discovery and testing of more effective approaches to prevention, earlier detection and treatment of diseases.
Millions of people, from all backgrounds and from right across the UK, are invited to take part. Volunteers will provide information about their health and lifestyles to create an incredibly detailed picture that represents the whole of the UK.
By developing a more detailed understanding of what makes certain people more likely to develop a disease - plus what to look out for before any symptoms appear - Our Future Health has the potential to help to develop far more effective approaches to both prevention and treatment.
Pharmacy2U has been asked to identify people who are eligible and to invite them to join the Our Future Health research programme. We will use the data we hold to identify suitable people and send them an invitation to take part. The data used will include name, date of birth and address. Your personal data will not be shared directly with the research programme.
The programme is organised by Our Future Health is a company limited by guarantee registered in England and Wales (number 12212468) and a charity registered with the Charity Commission for England and Wales (charity number 1189681) and OSCR, Scottish Charity Regulator (charity number SC050917). Registered office: 2 New Bailey, 6 Stanley Street, Manchester M3 5GS.
It will always be entirely your decision whether or not to participate in Our Future Health. Your decision will not have any effect on the services we provide to you. We won’t disclose any information about you which allows you to be identified to Our Future Health or the NHS without your explicit consent.
The research programme has requested that all eligible people be contacted once only. To manage the invitation process, we will need to keep the list of people who have been invited until six months after the research programme recruitment is complete. This is to ensure that you are not invited if you have told us you do not want to be contacted, and that no one is invited more than once.
The Health Research Authority has provided legal support to the Our Future Health research programme under Section 251 of the NHS Act 2006 and Regulation 5 of The Health Service (Control of Patient Information) Regulations 2002 which enable the common law duty of confidentiality to be temporarily lifted so that confidential patient information can be processed by NHS Digital on behalf of the programme. This support provides the legal basis for suitable participants to be invited to join the research programme. This is following advice from the Confidentiality Advisory Group, an advisory body which provides independent expert advice on the use of confidential patient information without consent in England and Wales.
More information is available at https://ourfuturehealth.org.uk/ .
Clinical research, medical trials and studies and automated decision-making
As a respected medical business, we are often approached by other professional organisations looking for people to participate in medical research, clinical trials of new treatments for example, or other medical studies. We believe that it is vitally important such trials take place and aim to support them as far as we can.
This is how we determine if you would be a suitable participant in a clinical trial:
Sponsors of trials approach us with a profile of people they are seeking to participate. This may include information such as gender, age band, geographic location and details of health conditions or medications they are researching.
We will look at our database of patients to find people who meet the participant profile using the information we hold about each patient.
We will provide all those individuals who have been identified as suitable to participate in a trial with information about it and will, subject always to consent, disclose their contact information to the trial sponsor.
It will always be entirely your decision whether or not to participate in a clinical trial. Your decision will not have any effect on the services we provide to you. We won’t disclose any information about you which allows you to be identified to any trial sponsor without your explicit consent.
The law allows us to undertake profiling and automated decision making in pursuit of our interests of promoting our business as a leading provider of pharmaceutical services and maintaining a database of patients for our commercial benefit. The law also allows us to undertake this type of processing to support the interests of sponsors of clinical trials and research. The law (Data Protection Act 2018 Section 19, and Schedule 1 Section 2 and Section 4) permits us to use medical data and health information for the listed purposes as it is necessary for medical research, and the provision of health care/treatment. The UK introduced a national data opt-out (https://digital.nhs.uk/services/national-data-opt-out) in May 2018 whereby all UK NHS patients were automatically opted into a scheme allowing NHS organisations to share patient information for the purposes of research and planning. You may choose to opt out. For further information please visit https://www.nhs.uk/your-nhs-data-matters/manage-your-choice.
We may process your data to help us identify patients based on the clinical trial eligibility criteria of the specific trial. The automated decision making that we undertake does not have any legal or other similarly significant effects on our patients because every decision is reviewed by a suitable person before being implemented. What this means is that we will not make decisions about you that are wholly determined by computers alone.
You have the right to object to any processing that is based on our claim of our “legitimate interests” including profiling and automated decision making as outlined in the Your Rights section below.
We retain information about which clinical trials we think you are suitable for and the basis of our decision making only for as long as we need it. The high-level profile information is shared with clinical research companies to allow them to determine if we are likely to have any suitable research/trial candidates. We will ordinarily only disclose information about those people who meet the trial person profile specification with explicit consent unless the research program is so generic that it does not require the disclosure of any data concerning health in which case we may choose to disclose a list of candidates on the basis of the legitimate interests of the trial sponsor. We may also disclose information about our customers' participation in clinical trials and medical research to our professional and medical advisors.
The ICO has produced wider guidance on direct marketing for the public sector. Pharmacy2U, as is the case with other commercial pharmacies, provides pharmaceutical services under the National Health Service Act 2006 and is therefore considered a public authority specified in respect of information relating to those services. This guidance specifically considers the rules on direct marketing in the context of health and care communications. It includes some case studies at the end.
While direct marketing communication sent by electronic mail or text will need the consent of the individual prior to sending that communication. Following NHS England guidance messages and communications about:
Communications about research participation from organisations whose tasks and functions include the conduct of health and social care research
Information to an individual to inform them about a health or social care research project they may be eligible to participate in
These would be seen as necessary for your organisation's task and function, so are NOT direct marketing.
You have the right to object to any communication about health and social care research, please contact any member of staff or email us at [email protected].
Communication
Service Messages
We send automated communications to customers in addition to manual communications which react to a specific inquiry or order. In line with ICO guidance, routine customer service messages do not count as direct marketing – in other words, correspondence with customers to provide the information they need about a current contract, services they requested, or past purchases. You will receive these messages, even if you have not opted into marketing or unsubscribed from our email communication.
The ICO also clarifies that general branding, logos, or straplines in these messages do not count as marketing. The sending of service messages without explicit consent is lawful as it is communication in regards to the fulfilment of our contract with you and it is in our legitimate interest to keep our customer base up to date and informed about the service, pursuant to Art.6.1(f) UK GDPR, whereby processing is lawful where it is necessary for the legitimate interest of the controller. Further information is also available on the ICO website.
NHS Service Information Messages
As part of our commitment to providing high-quality healthcare services, Pharmacy2U may send communications to patients about relevant NHS services, such as our new NHS oral contraception service. These messages are sent in compliance with NHS direct marketing guidance and are considered necessary communications regarding available NHS services pertinent to your healthcare. They are not classified as 'direct marketing' but are vital to inform you about relevant healthcare options and services that you are eligible for.
The legal basis for sending these NHS Service Information Messages is our legitimate interest in keeping our customers informed about essential healthcare services, as outlined in Article 6(1)(f) of the UK GDPR. This interest aligns with ensuring that you have access to the most relevant and beneficial healthcare services available to you.
While these communications are part of our effort to ensure you are informed about healthcare services that may benefit you, we respect your preference regarding such communications. If you wish not to receive informational messages about NHS services, you may contact our Data Protection Officer at [email protected].
Data Accuracy Messages
If you have registered with Pharmacy2U for the NHS Repeat Prescription Service, but are not actively using the account you will periodically receive a message and askes to review and update your account details.
For clinical reasons and under the Data Protection Act 2018 we have a legal obligation to ensure that our patient data is ‘accurate‘ and is up to date and gets delivered to the right delivery address. The guidance of the Information Commissioner’s Office (ICO) also says, “It may be sensible to periodically ask individuals to update their own details”. Please see Pharmacy2U’s privacy policy for further information.
Public Health Messages
Occasionally, we process your personal data for purposes directly connected with ensuring that you receive high-quality healthcare through the NHS and informing you of services that may be relevant to you. This includes information about the COVID-19 vaccination programme and the seasonal flu vaccination programme.
If we do this directly on the request of the NHS to support their statutory functions, this can be done without your consent as the NHS is established by Act of Parliament and is required by law to carry out these functions, under Data Protection law they are allowed to process your personal data because the processing is ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.‘.
If not instructed directly, the legal basis for sending these messages is legitimate interest.
Partially completed order messages
As part of our clinical responsibility to patients, we may also send you emails if you only partially complete a prescription order on our website or app. We assessed that informing the patient about an incomplete prescription order is both in the interest of the patient, as well as in our interest as the registered pharmacy. The legal basis for sending these messages is therefore legitimate interest.
Marketing
Pharmacy2U is a commercial business and our success is based not only on the trust of our customers but on adopting a responsible approach to marketing. We use the information we hold about our customers for direct marketing purposes including sending direct marketing materials about our products and services that we believe may be of interest to you via mail, email, SMS, and telemarketing. We also may customise the adverts you see on our website. Usually, adverts are customised through automated decision making, based on the pages you have visited on our site previously.
The law allows us to undertake direct marketing in pursuit of our interests in promoting our business. You may object to our using information about you for direct marketing purposes as outlined in the Your Rights section below.
We will only send direct marketing materials to you via email or other electronic messaging if you have consented to us to do so or if they relate to our own products and services similar to those that you have previously expressed an interest in or ordered. We maintain records of consent: you may withdraw your consent at any time.
When we undertake direct marketing by telephone, we will always check whether you are registered on the telephone preference service (TPS), the UK’s register of numbers that may not be used for telephone marketing.
We retain information about your interaction with our direct marketing activities only for as long as we need it which is generally no longer than 2 years from the end of a campaign. We may retain anonymised campaign statistics for a longer period of time to allow us to monitor our direct marketing activities year on year. Like many organisations, we use specialist service providers to help us to carry out our direct marketing including marketing agencies, printing and mailing companies, email/SMS broadcasting providers, telephone marketing agencies and other similar professional advisors which means information about you may be disclosed to them.
When we undertake customer surveys or email broadcasting, we may use specialist services providers in other countries including for example SurveyMonkey and Sailthru both of which are based in the USA. Whenever we transfer information about you overseas, we will make sure that we implement suitable safeguards including for example using appropriate contracts which hold our suppliers to account and provide protection to your rights and freedoms. For further information about international transfers of personal data please contact our Data Protection Officer.
Marketing for others
We also use the information we hold to undertake direct marketing activities on behalf of other organisations.
We will not send any direct marketing materials to you by email or other electronic methods about any third party without your specific consent.
We retain information about your interaction with the direct marketing activities we undertake only for as long as we need it which is as long as you are a customer with us, and once you are not, for 3 months beyond then.
We also use the information we hold to undertake direct marketing activities on behalf of other organisations, including the NHS. For example, where we have your consent, we may send you the information in the form of specific emails or newsletters about specific partners whose offers we believe may be relevant to you. These may include organisations in these categories:
Healthcare products and services
Retail
Financial services
Leisure
Charities
Clinical trial operators and research organisations
The law allows us to send to you direct marketing materials on behalf of other organisations on the basis of their commercial interests. You may object to our using information about you for direct marketing purposes as outlined in the Your Rights section below.
We will not send any direct marketing materials to you by email or other electronic methods to any third party without your consent.
We retain information about your interaction with the direct marketing activities we undertake only for as long as we need it which is generally no more than 2 years after a campaign.
In general, whilst we may undertake direct marketing on behalf of others, we will not disclose any information about you to third parties for them to undertake direct marketing. In that way we retain control over the uses of information about you for direct marketing giving you one point of contact should you wish to object to such use.
We will never share your personal information unless we have legitimate and lawful grounds to do so. We do not sell your data to third parties.
Social media
We may obtain information about you from social media channels including Facebook and Twitter. We use content aggregators such as Hootsuite to manage social media content that refers to us so that we can monitor market sentiment towards our brand and address any complaints or brand issues raised on social media.
We may also process your data in order to identify people like you to send them marketing information. Should we use your data in this way your personal information will be anonymised.
If you have consented to marketing, we may use your personal data to generate targeted marketing on social media sites, for example, Facebook. We send pseudonymised data in a way that only the intended end user can understand. We recommend you routinely review the privacy notices and preference settings that are available to you on social media platforms. If you do not wish to receive such targeted marketing generally, you are able to switch this off within the social media site.
The law allows us to undertake the listed activities on the basis of our legitimate interests of protecting and developing our business. We retain information on our social media pages and aggregators for no more than 2 years. Some of the social media channels we use to transfer personal data to the USA. Whenever we transfer information about you overseas, we will make sure that we implement suitable safeguards including for example using appropriate contracts which hold our suppliers to account and provide protection to your rights and freedoms. For further information about international transfers of personal data please contact our Data Protection Officer.
Our Recruitment Process
The information we collect, how and why we use it
Information | |||
---|---|---|---|
To allow us to assess your application during the shortlist stage | • Your name and contact details (ie address, home and mobile phone numbers, email address); • Details of your qualifications, experience, employment history (including job titles, salary and working hours) and interests; • Information regarding your criminal record; • Details of your referees | We collect this information from you when you make your application to us. | We collect information relating to your criminal record on the basis of your consent. We process the rest of this information under our legitimate interest to review job applications to ensure that we interview candidates who are appropriate for the available job. |
To allow us to assess your application after the shortlisting stage and before making a final decision to recruit. | • Information about your previous academic and/or employment history, including details of any conduct, grievance or performance issues, appraisals, • Time and attendance, from references obtained about you from previous employers and/or education providers; • Information regarding your academic and professional qualifications; • Information regarding your criminal record, in Disclosure and Barring Service (DBS) checks and enhanced Disclosure and Barring Service (DBS) checks • Your nationality and immigration status and information from related documents, such as your passport or other identification and immigration information; • A copy of your driving licence. | We may collect this information from you, your referees (details of whom you will have provided), your education provider, the relevant professional body, the Disclosure and Barring Service (DBS), the Home Office | We process this information for the following reasons: • We have a legitimate interest in ensuring that we are recruiting individuals who are suitable for the available job; • To take steps to enter into a contract; • For the performance of a task carried out in the public interest; • For compliance with a legal obligation (e.g. our obligation to check that you are eligible to work in the United Kingdom). |
Retention of your information
We only keep your personal details for no longer than is necessary for the purposes for which it is processed. For information relating to your recruitment (including interview notes) we will take into account the limitation periods for potential claims such as race or sex discrimination, after which the information will be destroyed.
If there is a clear business reason for keeping recruitment records for longer than the recruitment period, we may do so. However, we shall first consider whether the records can be anonymised, and the longer period for which they will be kept.
If your application is successful, we will keep only the recruitment information that is necessary in relation to your employment. For further information, see our data protection privacy notice employment.
We keep a document which tells us how long we need to keep this information for in order to meet the above purposes. If you want more detail on this, please get in touch using the contact details given in the ‘Contact us’ section.
Disclosing your personal information
We may also need to share some of the above categories of personal information with other parties, such as HR consultants and professional advisers.
Usually, information will be anonymised but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.
We may also be required to share some personal information with our regulators or as required to comply with the law. In these circumstances, we will ensure that personal information is properly protected and that it is only used in accordance with this Privacy Policy.
Sensitive personal information and criminal records information
Further details on how we handle sensitive personal information and information relating to criminal convictions and offences are set out in our PY056 Data Protection Criminal Records Information Policy.
This policy is available from our HR department or DPT or within the confluence library. Alternatively you can contact us using the contact details below to ask us for a copy of this policy.
Vaccination Services
Pharmacy2U is proud to be part of the national response to the coronavirus (COVID-19) pandemic and is operating vaccination centres across England as a ‘lead provider’ under the National Immunisation Management Service (NIMS). The NIMS is the NHS England’s centralised service for the management of both the COVID-19 and seasonal flu vaccination programmes.
The key purposes of this central NHS system are to enable identification of priority groups, to send invitations to book appointments for vaccination, to manage and monitor the progress of the programme. Further information can be found at: https://www.england.nhs.uk/contact-us/privacy-notice/national-flu-vaccination-programme/
The list of people that have been identified and invited by the NIMS for a COVID-19 vaccination is sent to the NHS National Booking System, which invitees can use to book an appointment online. This system is managed by NHS Digital (data controller). You can contact NHS Digital at: [email protected] or call 0300 303 5678.
NHS Digital is sharing the details of the individuals booked for a specific time at this vaccination centre with Pharmacy2U (data processor). You can contact Pharmacy2U’s information governance team at: [email protected].
NHS Digital sends daily updates to GP systems to allow them to update their local record and monitor progress for their patients.
The information we collect, how and why we use it
Purpose | Personal Information Used | How we collect this information | Lawful Basis |
---|---|---|---|
To record details of vaccinations administered and any adverse reactions. Information is entered onto applications provided by NHS England. The NIMS is updated with this information. These applications obtain details of the current immunisation status from the NIMS so that the immuniser can make an informed decision on whether it is safe to administer the immunisation or not. Vaccination providers that use these applications are able to obtain reports from them on the people they have vaccinated, to enable them to conduct the second dose COVID vaccination recall. | • Carer • Social care worker • Health care worker • Care home worker • Care home resident • Ethnic category • Vaccination location • Care home details • Emergency contact details | We collect this information from you at the point of care (providing you with the vaccination). | We collect this information for the following reasons: • To comply with a legal obligation; • To perform official tasks in the public interest in providing and managing a health service; • For the management of health/social care systems or services; • For reasons of public interest in public health; • For health or social care purposes; |
Please note that Pharmacy2U does not process or store any information gained under the NIMS for any other purpose than administering the vaccination (including pre-vaccination and post-vaccination communication) and does not share it internally or externally for any other services or purposes.
Your rights
Right of Access
You have the right to obtain confirmation from Pharmacy2U as to whether personal data concerning you are being processed and, where that is the case, access to that data.
Right to Rectification
You have the right to oblige Pharmacy2U to rectify inaccurate personal data concerning you. Taking into account the purposes of the processing, you have the right to have incomplete personal data completed by providing a supplementary statement.
Right to Erasure (Right to be Forgotten)
You have the right (in some circumstances, but not all) to oblige Pharmacy2U to erase personal data concerning you.
Right to Restriction of Processing
You have the right (in some circumstances, but not all) to oblige Pharmacy2U to restrict processing of your personal data. For example, you may request this if you are contesting the accuracy of personal data held about you.
Right to Data Portability
You have the right (in some circumstances, but not all) to oblige Pharmacy2U to provide you with the personal data about you which you have provided to Pharmacy2U in a structured, commonly-used and machine-readable format.
You also have a right to oblige Pharmacy2U to transmit those data to another controller.
Right to Withdraw Consent
If the lawful basis for processing is consent, you have the right to withdraw that consent.
Right to Object to Direct Marketing
Where your personal data is processed for direct marketing purposes, you have the right to object at any time to processing of your personal data for marketing, which includes profiling to the extent that it is related to such direct marketing.
Rights in Relation to Automated Decision-Making and Profiling
Pharmacy2U may perform some automated decision-making based on personal data, as outlined above in the ‘Automated decision-making and profiling’ section. However, this will not produce any legal effects on you.
You should note that some of these rights, for example the right to require us to transfer your data to another service provider or the right to object to automated decision making, may not apply to you. This is because they have specific requirements and exemptions which apply to them and they may not apply to personal information recorded and stored by us. For example, any automated decision making that we carry out in relation to your personal data does not have any legal effects on you. However, some rights will always apply. For example, your right to withdraw consent or object to processing for direct marketing are absolute rights.
NHS National data opt-out for research and planning purposes
You may choose to opt out of the NHS using your data for planning and research purposes – details are obtained by:
• visiting the www.nhs.uk/your-nhs-data-matters website portal; using the NHS App; or
• writing an email to [email protected], or
• writing by post to National Data Opt Out, Contact Centre, NHS Digital, HM Government, 7 and 8 Wellington Place, Leeds, LS1 4AP; or by
• calling the NHS Digital contact centre - 0300 303 5678 (open workdays Monday-Friday, 9am-5pm).
Your Right to Lodge a Complaint with a Supervisory Authority
If you wish to exercise any of your rights concerning your personal data, you should contact Pharmacy2U’s Data Protection Officer at the address shown below in the ‘Contact us’ section.
If you are not happy with the response you receive, you have the right to lodge a complaint with the supervisory authority. In the United Kingdom this is:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
e-mail: [email protected]
You can find out more information about your legal rights can be found on the Information Commissioner’s website at: https://ico.org.uk/for-the-public/
Privacy Policy for Partnerships
Pharmacy2U acknowledges and respects the importance of your privacy. We have partnered with various service providers to offer you an expanded range of services. While using these services, your data protection remains a priority for us.
When you sign up for services through our partnership program, please note the following:
Data Sharing: Upon registration to our partner services, our partners will share information with Pharmacy2U regarding your sign-up and the specific services you have requested. This shared information is limited to your registration status and service requests.
Legitimate Business Interest: The data shared between Pharmacy2U and our partners is done based on legitimate interest. This allows us to understand and cater to your needs better and enables us to provide a more personalized experience for you.
We assure you that this data sharing respects all applicable laws and regulations regarding data protection and privacy. It is carried out with the utmost level of security and confidentiality.
By signing up for our partner services, you acknowledge and accept these terms related to data sharing and privacy. For any further queries or concerns, you may contact us at [email protected].
Our partnership services are:
‘Pharmacy2U Pet Health’ located at ‘pethealth.pharmacy2u.co.uk’: This service is operated by The PharmPet Co Limited, a company registered in England and Wales with company number 10026316. Their registered office is situated at Unit 7 Stirlin Point, Sadler Court, Sadler Road, Lincoln. LN6 3RG. The PharmPet Co Limited operates under the regulatory supervision of The General Pharmaceutical Council (GPhC).
‘Pharmacy2U Medical Letters’ located at ‘medical-letters.pharmacy2u.co.uk’: This service is provided by ZoomDoc Limited, a company incorporated and registered in England and Wales, with a company registration number of 09540794. Their registered office is located at 2 Chanin Mews, London NW2 4AQ. The doctors associated with this service are registered with the General Medical Council, and ZoomDoc Limited is regulated by the Care Quality Commission.
Changes to this policy
We may change our privacy policy from time to time.
If we change anything important (the information we collect, how we use it or why), we will undertake reasonable efforts to make you aware of the changes such as by providing a link to the change on the website or telling you by email.
Contact us
You can phone us on 0113 265 0222 or webchat with us from our website at www.pharmacy2u.co.uk/help-and-support.
If you have any questions about our privacy policy or our approach to data protection and privacy you may send an email to [email protected], phone us or write to us.
Cookie policy
We, Pharmacy2U Limited, run our website at pharmacy2u.co.uk (our site). Our site uses cookies to help differentiate you from other users. Please find further information in our Cookie Policy.
Freedom of Information Policy
The Freedom of Information Policy ensures that Pharmacy2U acts in compliance to the Freedom of Information Act 2000 (FoIA). As we are a privately owned company, FoIA does not apply to the majority of the work that we undertake. However, FoIA does apply to the work that we do on behalf of NHS and so we will respond to FoIA requests in line with this policy.
Scope - Policy Aim
The aim of this Policy is to;
Promote more openness;
Promote a better informed public debate;
Improve public confidence in operations of public healthcare services;
Improve decision making to promote accountability;
Improve regulation;
Increase public participation to enhance democracy;
Promote the FoIA, in terms of accuracy and objectivity;
Improve information management;
FoIA Summary
The FOIA provides public access to information held by us in relation to activities we do on behalf of the NHS. It does this in two ways:
Pharmacy2U have to publish certain information about our activities on the NHS services we offer; and
Members of the public are entitled to request information from Pharmacy2U’s NHS services.
The Freedom of Information Act covers any documented information held by a public authority. However, FoIA does not give people access to their own personal data. If you would like access to this, please follow the process outlined above in the Privacy Policy.
Pharmacy2U has continued to demonstrate its commitment to all aspects of the FOIA and will continue to promote its values and ensure that it is compliant with legislation.
Policy Statement
Pharmacy2U will take efforts to ensure that it maintains the principles of openness, transparency and accountability and will continue to improve access to information.
How to make a FoIA Request
A request for information under the FOIA must be:
in writing;
Stating the name of the applicant and an address to communicate through;
Description the information requested;
Fees
Wherever possible, Pharmacy2U will provide information, for which FoIA applies, free of charge. However, in some cases this may not be possible and so we may charge you for information under Section 9 of the FoIA. Pharmacy2U will issue a Fees notice which must be paid within three months. If no payment is received, we will close the request for information. Please contact [email protected] for details of our charges or a copy of our charging guidance.
Our Response Time
Pharmacy2U aims to comply with requests for information as quickly as possible. The law tells us that we must respond to a request promptly and, in any event, no later than 20 working day after the date of receipt. Working day means any day other than Saturday, Sunday or bank holidays. This time limit for compliance may change if:
Pharmacy2U seeks clarification under Section 1(3) of the FoIA.
There is a need for an extension to consider the Public Interest Test under Section 10(3) of the FOIA, or
A fees notice is issued under Section 9.
Appropriate Costs Limit
Under Section 12 of the FOIA, Pharmacy2U does not have to comply with requests where the cost of complying with exceeds the appropriate limit. Section 12 applies if the following factors would cost the council more than £450 or 18 hours of officer time:
Determine whether the information is held.
Locating the information.
Retrieving the information.
Extracting the information.
Under Section 13 of the FOIA and the Freedom of Information and Data Protection (Appropriate Limit and Fees) Regulations 2004 Pharmacy2U can charge for the costs of expenses.
Vexatious or Repeated Requests
FoIA provides an exemption for Pharmacy2U to not comply with ‘vexatious’ requests where there is a strong likelihood that the request is being made to intentionally cause disproportionate or unjustified levels of disruption, irritation or distress.
Pharmacy2U will not complete a request if we have already received an identical or similar request from the same individual unless a reasonable amount of time has passed since the original request was responded to and the new request was made.
Advice and Assistance
Pharmacy2U will provide advice and assistance to all requests for information, as far as reasonably practicable.
Codes of Practice with FoIA
The FoIA is supported by two codes of practice:
Access Code (Section 45) - Outlines good practice for Freedom of Information.
Lord Chancellors Code (Section 46) – Outlines good practice for record management.
Pharmacy2U will take steps to ensure that the codes of practice are applied wherever possible.
Freedom of Information Refusals
In some cases, Pharmacy2U may refuse requests for information under Section 17 of the FoIA. Pharmacy2U may issue a refusal notice if:
Information is not held; or
An exemption applies to this information.
In some cases we may not hold the information requested - it may be that it is held by another party, most likely the NHS. If possible, Pharmacy2U will provide the requestor with information to redirect the request. However, Pharmacy2U are unable to not transfer the FoI request themselves to the other organisation.
Exemptions
There are some circumstances where Pharmacy2U is not obliged to release information. Pharmacy2U may decide to apply exemptions under the FoIA and not provide the requestor with some information. If Pharmacy2U rely upon an exemption it will be explained to you in our refusal notice.
A list of the exemptions to the FOIA can be found on the Information Commissioner’s Office website.
Some of the exemptions are 'absolute', and so the exemption applies to all information which falls under the exemption. Other exemptions are 'qualified' and so will require a public interest test to determine if the exemption applies. Pharmacy2U will ensure that the public interest test is carried out for each of the qualified exemptions. If an exemption is applied it will be authorised by a senior officer.
Internal Review
If you are unhappy with a decision that Pharmacy2U has made, you can request for us to complete an internal review. Pharmacy2U’s internal review will be undertaken by a senior officer. Pharmacy2U has 20 working days to complete the review.
Data Protection
A FoI request may include personal data of the requestor or third parties. Pharmacy2U may refuse the request if disclosing the information in relation to third parties would be an actionable breach of confidence or data protection law.
In cases where the request relates to personal data of the requestor, Pharmacy2U will refuse the request under the FoIA and shall ask for the request to be submitted as a Data Subject Access Request. This process is detailed in the above Privacy Policy, in the section titled ‘Your Rights’.
Re-use of Public Sector Information Regulations 2005
The regulations implement an EU directive that encourages the re-use of public information for purposes other than its original purpose.
The regulations do not oblige Pharmacy2U to make their information available for re-use unless there is a statutory obligation to do so.
The regulations apply to any recorded information (Freedom of Information), including whole or part of documents. Requests for re-use should be in writing and Pharmacy2U will aim to respond within 20 working days.
Information Commissioner’s Office
Pharmacy2U will consult with the Information Commissioner’s Office (ICO) when necessary. Pharmacy2U will refer to the ICO guidance and ensure that it is compliant with any measures of good practice that the ICO promotes. The ICO will investigate complaints in relation to Freedom of Information.
Freedom of Information Publications Scheme
Every public authority has a duty to have and maintain a Publication Scheme in order to allow for pro-active release of information. Pharmacy2U’s Publication scheme is available to view below. Our Publication Scheme contains the following types of information:
Who we are and what we do.
What we spend and how we spend it.
What our priorities are and how we are doing.
How we make decisions.
Our polices and procedures.
List and register.
The service we offer.
Version Control
Date | |
---|---|
11 June 2015 | First draft in current format with substantial changes since the previous version. |
20 July 2015 | Additions to the ‘Getting to know you better’ section to make it clear that we may share your personal information and the profiling information with service providers to help us identify prospective customers. |
24 September 2015 | Addition of the summary of main points, to make key information more easily available. Minor changes to wording, following a review by the Plain English Campaign, to make sure this document is clear and understandable. |
12 August 2016 | Addition relating to marketing the products and services of other companies in our group of companies. |
29 November 2016 | Addition of provision to market products and services of selected partners. |
24 May 2018 | Privacy Policy updated to include GDPR (EU) 2016/679 legislation. |
16 April 2019 | Addition relating to marketing consent for our group of companies and selected partners. |
23 April 2019 | Added information on the Freedom of Information Act 2000. |
31 October 2019 | Added table explaining data processing and revise the layout of policy. |
20 April 2020 | Updated information on data usage for NHS's Real Time Exemption Checking. |
19 October 2020 | Updated information to include profiling and extended amends to the privacy policy. |
28 March 2022 | Further information about communication and phone recording added. |
22 November 2022 | Merge between Pharmacy2U and Chemist Direct Privacy Policy. |
20 December 2022 | Inclusion of Pharmacy2U Shor/Chemist Direct & P2U Services into privacy policy. |
20 January 2023 | Including information about Dispensing Appliance Partner and the Our Future Health research programme. |
11 December 2023 | Inclusion of information relating to NHS Service Information Messages. |
21 April 2023 | Revision and correction of merge between Pharmacy2U and Chemist Direct Privacy Policy. |
25 April 2023 | Implemented soft opt-in for ChemistDirect marketing. |
20 June 2023 | Clarification on data use for email reminder. |
15 March 2024 | Updated minor consent verification and account service refusal policy for underage users. |
20 March 2024 | Update on Transitioning to a Soft Opt-In Approach and our Unified Data Management within Pharmacy2U Group. |
16 August 2024 | Update on Private Online Doctor Service in partnership with HealthHero and MHL |