PRIVACY POLICY

MD INTERNATIONAL LTD, 38 BERKELEY SQUARE, LONDON, W1J 5AE, ("Docly" or "we") is a company established in England and Wales, and as such, we comply with applicable data protection legislation in the UK, comprising the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

We believe that personal privacy is important and we take your privacy extremely seriously.

We explain in our privacy policy what types of personal data we might be processing and why. We also explain the lawful basis for our processing of personal data and your rights in this regard.

SCOPE OF THE PRIVACY POLICY

Please note that this privacy policy relates to the processing of personal data for which Docly is the data controller. This privacy policy applies when you register with us or share your personal data directly or indirectly with Docly when you visit our website at www.docly.uk or use any of our services via mobile and/or tablet application (together, the 'Platform'). This privacy policy applies to your use of the Platform, whether you register with us or not, and is supplemental to our Terms of Service at www.docly.uk/tos.

You can also contact us at privacy@docly.uk or via support at www.docly.uk/support if you have any questions about our processing of personal data on behalf of other data controllers.

PERSONAL DATA THAT IS PROCESSED

Personal data means data from which you may be identified, directly or indirectly, in particular by reference to an identifier such as your name or any user id that we allocate to you. We may process the following types of personal data about you:

  • Contact details ("Account Information") such as name, e-mail address and telephone number.
  • Users' online behaviour including digital behaviour (for example, behaviour within the app, how you use the search functions) ("Digital Behaviour").
  • Technical data (for example, the unit's ID, IP address) ("Technical Data").

Our lawful basis for processing this information is set out below.

HEALTH DATA

As part of the service we process details about your previous and current physical and mental health. These details may include, without being limited to, information that you are suffering from a disease, your medical history or your physiological or biomedical condition ("Health Data").

We only use Health Data as permitted by law, primarily for the purpose of medical diagnosis and the management of a health system pursuant to a contract with a healthcare professional subject to obligations of professional confidentiality. Further lawful bases for why we may use your Health Data are set out below.

We use the information you provide on registration to create a patient record detailing the treatment you have received via our Service, and the continuous provision of care. We also use this information to manage the patient relationship.

We are provided with your health profile by you or your GP. We use this information to provide you with the service.

We will access information about you that is stored on your NHS GP's records. We will ask for your agreement before we do this.

We access NHS systems so that we can see your full medical record. This means that we can see any information that your NHS GP can see. This will include contact information and detailed health information like family health history, past diagnoses, treatment plans, medication, body measurements and test results.

The medical record of your appointment (including any diagnosis or treatment prescribed by the Docly service) will be stored in your NHS medical record that is held by your GP practice. However, Docly GPs do provide us with summary information about your online appointment.

We do not share Health Data with third parties outside our service, except as set out below and where such provision is in accordance with the law or where we are instructed to do so in accordance with our contract with Your Practice.

PURPOSE OF THE PROCESSING AND LEGAL BASIS

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where we need to perform our contract with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Where we rely on legitimate interests for our processing, the relevant interest is identified above.
  • Where we need to comply with a legal obligation.
  • Otherwise, with your consent.

We may also use your personal data in the following situations, which are likely to be rare:

  • Where we need to protect your vital interests (or someone else's interests).
  • Where it is needed in the public interest.

Some of the above grounds for processing will overlap and there may be several grounds which justify our use of your personal data.

We will only use your personal data for the purposes for which we collect it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will contact you and explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Special categories of particularly sensitive data require higher levels of protection. We need to have further justification for collecting, storing and using the following types of personal data.

  • physical or mental health, including any medical condition or disability;
  • genetic information and biometric data.

We may process special category information:

  • relating to a health condition or disability in order to make reasonable adjustments in the provision of our services;
  • where it is needed to protect your vital interests (or someone else's interests) and you are not capable of giving your consent, or
  • where you have already made the information public; and
  • to ensure meaningful equal opportunity monitoring and reporting. We make every effort to anonymise such information.

The purpose of data processing and the legal basis for processing of various personal data categories are as follows:

  • We process Account Information in order to be able to offer Docly's services (i.e. in order to be able to fulfil the agreement between us), also allowing us to contact you, for example to follow up on your user experience. If you agree, we may also use Account Information for our legitimate interests in conducting marketing activities, e.g. for distribution of newsletters.
  • We also use this information for carrying out quality assurance of our systems and services and for development of our systems and services.
  • If you have contracted with us to provide services, we may use your contact details to provide you with marketing information about other similar services we offer and, if you have consented, we may share your details with third parties for marketing purposes. You can opt out of marketing at any time by contacting us via support at www.docly.uk/support.
  • We process Digital Behaviour information for our legitimate interests in improving the Platform and the mobile app, understanding and analysing users' behaviour and in order to improve the user experience.
  • We process Technical Data based on our legitimate interests in understanding users. We may use this information to build a profile about you and your interaction with our services, which we may use for marketing purposes (provided we have the appropriate consent).

STORING DATA

Personal data is kept for no longer than necessary in order to fulfil the purpose for which it was collected (including the purpose of fulfilling Docly's legal obligations). Personal data stored on the basis of your consent will be deleted if consent is withdrawn, unless we are required to retain the information to comply with applicable laws.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Where a minimum retention period is required by law (such as retaining records for HMRC purposes) we comply with that minimum period plus up to 12 months to allow time for us to anonymise or delete information in accordance with our internal data management processes.

In the event that our service ceases to trade, any medical records, including all identifiable data, would be held for 24 months from the date the service ceases. After this date they will be securely destroyed, provided this is in line with applicable legislation.

Once personal data is no longer needed for the purpose it was collected, we may anonymise the data and retain it for business development research into automated healthcare. Anonymised data can no longer be traced back to you, and we may use such data without further notice to you.

TRACING

In order to enable improvements to our services and your online experience, our software automatically collects information from your computer (or mobile device), your web browser, including your public IP address and domain name, cookie information, hardware properties (e.g. the unit's ID), websites you have visited or been referred from, videos and images you have viewed on our website, URLs of the websites' referral traffic and after navigating to our websites, date and time of your visit and your geographical location. The data is collected in order to help us develop a better understanding of behavioural patterns and trends within our services. In order to do so, we use web logs or apps that recognise your computer and gather information about its activity online. We also work together with certain third parties in order to collect and analyse parts of this information.

We use both session and permanent cookies on our websites.

SHARING INFORMATION WITHIN THE COMPANY, WITH THIRD PARTIES AND TRANSFERS TO THIRD COUNTRIES

We may share your personal data with any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.

We employ a clinical team, who are part of Docly. They will need to access your medical records so that we can provide you with services, for example if you have a query or concern about your consultation or treatment, or if the information is needed to assist our Chief Medical Officer with quality assurance. Only those employees of Docly who need access to information in order to do their jobs are allowed access.

Our Docly GPs are responsible for maintaining the privacy of your personal information. All Docly clinicians have to demonstrate they have completed NHS training in personal information handling before they can start consulting with our patients.

We also provide information back to your GP surgery, so that they have a record of what we have done. That personal information will be handled in accordance with your GP surgery's policies.

We may also use your information to help other organisations delivering NHS or social care to provide you with services.

We also need to share information with partner organisations that help administer Docly accounts. For example:

  • Our IT suppliers, including suppliers of data storage services
  • Contractors who provide our telephone services
  • Suppliers of web hosting services
  • Organisations that we use to obtain feedback from patients who have agreed to do this

We have vetted these organisations to ensure that they will deal with your personal information responsibly.

We may also share information with our partner organisations who provide data analysis services, to help improve our services. This does not include information about your health.

Sometimes we need to share information with regulators like the Care Quality Commission, the General Medical Council, NHS Digital, the Information Commissioner's Office and the Health Service Ombudsman.

With your agreement, information can be shared with relatives, partners or friends who act as a carer for you. We will only share information once the person you have asked us to share the information with has provided us with proof of their identity. We may share information with anyone you have given as an emergency contact, for example your next of kin. You can find out more by contacting us at support@docly.com or 020 3995 4945.

We may share your information with third parties for the purpose of providing the service to you including:

  • Your Practice and any other medical practice from which you receive services via the Platform.

We may disclose your personal data to third parties:

  • if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or
  • in order to enforce or apply our terms of use and other agreements;
  • for the purposes of fraud protection and credit risk reduction.

Where we share your information with third parties as data controllers they are responsible to you for their use of your personal data and compliance with data protection legislation.

If you object to our sharing or continuing to use your personal data with any specific third party please contact us at privacy@docly.uk.

The following activities are carried out by third-party service providers ("data processors") on our behalf: IT support and maintenance; hosting our website (including analytics); marketing campaigns; carrying out surveys and obtaining feedback on our services; archiving and records management; confidential waste disposal.

All our data processors are required to take appropriate security measures to protect your personal data in line with our policies.

We may share personal data with our data processors for the reasons given above. Some of these data processors may be established outside the European Economic Area (EEA). We ensure that the data processors we work with maintain an adequate security standard. In order to guarantee an adequate security standard, we only transfer information outside the EEA where adequate security measures are in place, such as adopting the EU standard clauses for the transfer of personal data, or (if data is transferred to the USA) by ensuring that the data processor is certified as Privacy Shield compliant.

DATA SECURITY

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Details of these measures are available upon request.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

YOUR RIGHTS

You are entitled to withdraw your consent for the processing of personal data which is based on your consent.

You are entitled to information if we process your personal data, if such personal data is transferred to a third country and, if relevant, who has received your personal data.

You are entitled to have any incorrect information about you corrected. In certain circumstances, including when it is confirmed that we are processing personal data without legal grounds or if the processing is no longer necessary in order to fulfil the purpose, you will be entitled to have the data deleted (the right to be forgotten). If the accuracy of the personal data or the legal basis for data processing is questioned, you can request that data processing be restricted.

You are entitled to object to data processing that takes place on the basis of Docly's legitimate interests. In case of such an objection, Docly is obliged to show legal grounds for continued processing of the personal data.

You can state at any time that your data may not be used for marketing purposes.

You are entitled to receive any of the personal data you have provided, in a commonly used electronic format. You are entitled to transfer such data to another personal data processor.

We are obliged to conduct our activities in accordance with the principles as set out above in order to ensure that the confidentiality of your personal data is protected and maintained.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

CONTACT US

If you have any questions, want to exercise your rights or need further information about what we do with personal information, we can be contacted by email at privacy@docly.uk.

In order to update, correct or delete data we have about you, exercise your rights according to the above, or to get in touch with our personal data compliance officer, please contact us at privacy@docly.uk.

© 2019 Docly is part of Docly Healthcare AB