Personal data means data from which you may be identified, directly or indirectly, in particular by reference to an identifier such as your name or any user id that we allocate to you. We may process the following types of personal data about you:
The main purpose for which we use your personal data is to provide you with our services, connecting you with either your own local GP practice via the Docly Platform, or enabling you to receive a medical consultation with one of our own GPs. We use your personal data:
The Data Protection Laws define certain personal data as falling into ‘special categories of personal data’ such as personal data regarding your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying a person, data concerning your health (including mental and physical health), or data concerning your sex life or sexual orientation.
Your Health Data will therefore be classed as "Special category data". As we note above, either you or your GP provides Health Data to us that we need in order to diagnose and prescribe safe and effective treatment for you. We will only use this personal data for this purpose, and for the purposes of keeping your NHS record up to date, to enable us to improve the service we are able to give you, and to improve the service the NHS is able to provide to both you and other patients.
We will only process such data (in accordance with Data Protection Laws) where it is necessary for the purposes of medical diagnosis, the provision of health care or treatment, the management our health system, or for scientific research purposes.
We may share your Health Data with your GP practice and with other health care professionals for the reasons above, and where it is needed to protect your vital interests (or someone else's interests) and you are not capable of giving your consent. We may also process Health Data in order to make reasonable adjustments in the provision of our services, or where it is otherwise permitted or required by law.
In addition, we may process other special category personal data to ensure meaningful equal opportunity monitoring and reporting. We make every effort to anonymise such information.
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances
We may also use your personal data in the following situations, which are likely to be rare:
There may also be circumstances in which we will only use your personal data with your consent. Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data.
We will only use your personal data for the purposes for which we collect it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will contact you and explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above, where this is required or permitted by law.
When you register for our service a contract between you and us will have been entered into. In order for us to fulfil our obligations under this contract and to provide our services to you, we will need to collect, and process your Account Information. If you do not provide the personal information we need when you register with us (or if applicable, you later object to our using the personal information or ask us to delete it), we will not be able to provide our service to you.
There may be circumstances when it is necessary for us to process your personal information in order to comply with a legal obligation. For example, we may be required by the Equality Act to monitor and ensure equal opportunity, which may mean that we need to collect and process data in relation to disability, or to monitor the diversity of those who use our service.
We process Digital Behaviour information where it is necessary for the purposes of our legitimate interests in improving the Platform, understanding and analysing users' behaviour and improving the user experience.
We process Technical Data where it is necessary for the purposes of our legitimate interests in understanding users, and enabling us to build a profile about you and your interaction with our services.
We have a legitimate interest in processing your personal data in order to provide the service and its benefits to you, and to develop and improve that service. We will process your personal data only so far as is necessary to achieve the purposes outlined in this policy and in a way which we consider does not unreasonably intrude on your privacy.
We may, on occasion, send you marketing messages about other similar services we offer. This is only in circumstances where you have not unsubscribed and where you have purchased similar services from us, or where you have otherwise consented. If you have consented, we may share your details with third parties for marketing purposes. You can opt out of marketing at any time by contacting us via support at www.docly.uk/support.
We may also process your special category personal data in circumstances where you have explicitly consented for us to do so.
You have the right to withdraw your consent to processing of this nature at any time.
We may also ask for your consent to treatment. This is separate to the consent we may ask you to give under the Data Protection Laws. If you are under the age of 16, it may be the case that you are unable to give valid consent. We will make an assessment about this based on the information we receive from your GP.
Personal data is kept for no longer than necessary in order to fulfil the purpose for which it was collected (including the purpose of fulfilling our legal obligations). If we are processing your personal data on the basis of your consent it will be deleted if you withdraw your consent, unless we are required to retain the information to comply with applicable laws.
To determine the appropriate amount of time for which we will keep your personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Where we have to retain your information for a minimum period required by law (such as retaining records for HMRC purposes) we comply with that minimum period plus a period of up to 12 months to allow time for us to anonymise or delete information in accordance with our internal data management processes.
In the event that our service ceases to trade, any medical records including all identifiable data would be held for 24 months from the date the service ceases. After this date it will be securely destroyed, provided this is in line with applicable legislation.
Once personal data is no longer needed for the purpose it was collected we may anonymise the data and retain it for business development research into automised healthcare. Anonymised data can no longer be traced back to you, and we may use such data without further notice to you. Data which has been properly anonymised is not considered to be personal data and is not subject to the Data Protection Laws.
In order to enable improvements to our services and your online experience, our software automatically collects information from your computer (or mobile device), your web browser, including your public IP address and domain name, cookie information, hardware properties (e.g. your device's ID), websites you have visited or been referred from, videos and images you have viewed on our website, URLs of the websites' referral traffic and after navigating to our websites, date and time of your visit and your geographical location. The data is collected in order to help us develop a better understanding of behavioural patterns and trends within our services. In order to do so, we use web logs or apps that recognise your computer and gather information about its activity online. We also work together with certain third parties in order to collect and analyse parts of this information.
We use both session and permanent cookies on our websites.
We may share your personal data with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
We employ a clinical team, who are part of Docly. They will need to access your medical records so that we can provide you with services, for example if you have a query or concern about your consultation or treatment, or if the information is needed to assist our Chief Medical Officer with quality assurance. Only those employees of Docly who need access to information in order to do their jobs are allowed access.
Our Docly GPs are responsible for maintaining the privacy of your personal information. All Docly GPs have to demonstrate they have completed training in personal information handling before they can start consulting with our patients.
As noted above, we also provide information back to your GP surgery, so that they have a record of what we have done. That personal information will be handled in accordance with your GP surgery's policies.
We may also use your information to help other organisations delivering NHS or social care to provide you with services.
We also need to share information with partner organisations that help administer Docly accounts. For example:
We have vetted these organisations to ensure that they will deal with your personal data responsibly.
We may also share information with our partner organisations who provide data analysis services, to help improve our services.
Sometimes we need to share information with regulators like the Care Quality Commission, the General Medical Council, NHS Digital, the Information Commissioner's Office and the Health Service Ombudsman.
With your agreement, information can be shared with relatives, partners or friends who act as a carer for you. We will only share information once the person you have asked us to share the information with has provided us with proof of their identity. We may share information with anyone you have given as an emergency contact, for example your next of kin. You can find out more by contacting us at firstname.lastname@example.org or 020 3995 4945.
We may share your information with third parties for the purpose of providing the service to you including:
We may disclose your personal data to third parties:
Where we share your information with third parties as data controllers they are responsible to you for their use of your personal data and compliance with data protection legislation.
If you object to our sharing or continuing to use your personal data with any specific third party please contact us at email@example.com.
The following activities are carried out by third-party service providers ("data processors") on our behalf:
All our data processors are required to take appropriate security measures to protect your personal data in line with our policies.
We may share personal data with our data processors for the reasons given above. Some of these data processors may be established outside the European Economic Area (EEA). We ensure that the data processors we work with maintain an adequate security standard. In order to guarantee an adequate security standard, we only transfer information outside the EEA where adequate security measures are in place, such as adopting the EU Standard Contractual Clauses for the transfer of personal data, or (if data is transferred to the USA) by ensuring that the data processor is certified as Privacy Shield compliant.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Details of these measures are available upon request.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
You are entitled to withdraw your consent for the processing of personal data which is based on your consent.
You are entitled to information if we process your personal data, if such personal data is transferred to a third country and, if relevant, who has received your personal data.
You are entitled to have any incorrect information about you corrected. In certain circumstances, including when it is confirmed that we are processing personal data without legal grounds or if the processing is no longer necessary in order to fulfil the purpose, you will be entitled to have the data deleted (the right to be forgotten). If the accuracy of the personal data or the legal basis for data processing is questioned, you can request that data processing be restricted.
You are entitled to object to data processing that takes place on the basis of Docly's legitimate interests. In case of such an objection, we are obliged to show legal grounds for continued processing of the personal data.
You can state at any time that your data may not be used for marketing purposes and we will then cease to process it for such purposes.
You are entitled, in certain circumstances, to receive any of the personal data you have provided to us in a commonly used electronic format, and to request that we transmit this data directly to another controller. You are also entitled to transfer such data to another controller yourself.
We are obliged to conduct our activities in accordance with the principles as set out above in order to ensure that the confidentiality of your personal data is protected and maintained.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
If you have any questions, want to exercise your rights or need further information about what we do with personal information, we can be contacted by email at firstname.lastname@example.org.
In order to update, correct or delete data we have about you, exercise your rights according to the above, or to get in touch with our personal data compliance officer, please contact us at email@example.com.
If you have any concerns regarding our processing of your personal data, or are not satisfied with our handing of any request may by you, or would otherwise like to make a complaint, please contact us at firstname.lastname@example.org so that we can do our very best to sort out the problem.
You can also contact the Information Commissioner's Office at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF www.ico.org.uk.
This policy was last reviewed and updated in February 2020.