
Privacy Policy

Who we are

‘We’ are Doctorcall Ltd. Our head office and address is 47 Nottingham Place, London, W1U 5LZ.

Company Registration Number: 02352745

Introduction

At Doctorcall Ltd, we want you to be confident that your information is kept safe and secure with us and understand how we use it to provide great care and a more personalised experience.

This privacy policy explains how we use any personal information we collect about you when you enquire about or use our services, visit this website or apply to work for us.

What information do we collect about you?

Personal data that you provide, such as your name, age and contact details, when you contact us through our website, by phone, email, post, face to face or social media.

Information collected from our website, e.g. IP addresses and browsing behaviour on our website and any supporting apps you may use (please see our cookie section for more detail).

Basic recruitment information such as your education, qualifications, identification documents and right to work confirmations if you are applying for a position with us. More information on this will be given at the time of application.

Basic information about you such as your name, date of birth, postal and billing address, telephone numbers, next of kin, GP practice

Information about your health and wellbeing, treatment and care. This may also include information about your marital status, ethnicity and sexual orientation and results of X-Rays, scans and laboratory tests.

Video images if you use our video consultation service

Bank information for payment (this is retained by our third party payment service)

Your employers details (if we are providing occupational health services or providing them with a medical report)

Your health insurer where applicable

Information from compliments, complaints and incidents

Your feedback and contribution to our client questionnaires and surveys

Information from other sources

We work closely with third parties in the delivery of our healthcare services, including those providing pathology services, sexual health services, scans and X-rays. We may therefore, receive information from them relating to your health and care such as referrals, reports and test results.

We may also receive information about you from third parties which provide technical support, including payment services and analytics. This could be confirmation of payment for your health and care services and information about your browsing behaviour on our websites and supporting applications.

How will we use the information about you?

This section explains how and why we use your personal data:

We need to process your personal data to manage our services, to carry out our obligations arising from any contracts entered into between us and you, to provide you with information or services you have requested and to help you with any payments or refunds you may require.

To ensure that you receive the best possible care, your health record will also contain more sensitive information and reports about your health including details of any appointments, illness, tests and other treatments you receive. This may be shared with those who have a legal and legitimate need to see it to support your care.

We use cookies and similar technologies on our website to improve your experience (please see our cookie section for more information) and ensure that the content is presented in the most effective and helpful way for you.

We may share minimal and relevant non-medical information within other organisations in order to provide effective information technology, financial, legal and governance support.

We use personal or anonymised data to monitor how effective our services are and to make sure that the treatments and services we provide are meeting the needs of our clients.

We use your personal data to send you our newsletters and information about products and services, which you may be interested in if you have given us consent to do so. You can opt out of this at any time.

We may use your personal contact details to notify you about changes to our service.

If you purchase any products or services via Doctorcall.co.uk, you will be required to provide the following information:

  1. Mobile number
  2. Email address
  3. Date of birth
  4. Preferred contact method
  5. First Name
  6. Surname
  7. Billing Address
  8. Delivery Address

You may also choose to provide us with additional information (e.g. your company name, if applicable).

The details you provide during the purchasing process are collected for the sole purpose of processing and delivery of your products and services. Additionally, we may contact you after your products and services have been delivered to ask you to review your experience. You will not be added to any mailing lists without your permission, and we will not send you any correspondence that is not related to your order.

You will also be required to provide some personal information in the course of completing a booking or form or activating a voucher. This information is collected for the sole purpose of processing your booking or enquiry. Again, you will not be added to any mailing lists without your permission, and we will not send you any correspondence that is unrelated to your reason for getting in touch.

We retain the email address provided and date activated for all electronic flu vouchers. Where your employer has purchased ‘Pay As You Go’ flu vouchers we will provide them with the email address and date of activation as proof of activation.

We try to ensure that all personal information we hold is accurate and up to date. We hold this information securely and in accordance with the relevant laws, including the General Data Protection Regulation (GDPR).

Customer accounts

You may choose to register an account on the Doctorcall website. Please note that you are not required to register an account if you do not wish to do so – to make a purchase without creating an account, simply select the ‘Continue without Registering’ option at the checkout stage.

If you choose to create a user account, you will be required to enter the following information:

Email address

First name

Surname

Telephone number (optional)

Password of your choice


All of this information is held securely and will not be shared with any other companies. The information you submit during the registration process will only be used for purposes directly related to your account and any orders you place while logged in.

Our mailing list

When you submit your details to Doctorcall, you will have the option to join our mailing list. Subscribers are sent promotional emails containing product information, special offers, and other updates from Doctorcall.

Once subscribed, you may unsubscribe from our mailing list at any time by clicking the ‘unsubscribe’ link that appears in all of the promotional emails we send.

If you give us permission to add you to our mailing list, we will never share your email with any unaffiliated organisations or send you any emails that are not relevant to Doctorcall.

Google Analytics

Like many website owners, we use Google Analytics to anonymously monitor traffic and user behaviour on our website. This tool does not collect any personally identifiable information. However, if you do not want to be included in our Analytics data, you can opt out of Google Analytics using this browser add-on.

Information Security

We are committed to ensuring the security and confidentiality of your personal data. As a medical business, we recognise the importance of protecting sensitive medical information and have implemented robust security measures to safeguard your data. Our information security practices are designed to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the requirements of the Care Quality Commission.

Security Measures

To protect your personal data, we have established a comprehensive information security framework, which includes the following measures:

Technical Measures:

Access Controls: Access to personal data is restricted to authorised personnel only, based on their role and responsibilities. Passwords are changed monthly.

Firewalls and Intrusion Detection Systems: We use firewalls, intrusion detection, and prevention systems to protect our networks from unauthorised access and threats.

Regular Security Audits and Vulnerability Assessments: We conduct regular security audits and vulnerability assessments to identify and mitigate potential security risks.

Organisational Measures:

Data Protection Policies: We have implemented comprehensive data protection policies that outline our approach to data security and the responsibilities of our staff.

Staff Training: All employees receive regular training on data protection and information security best practices to ensure they understand their responsibilities in protecting personal data.

Incident Response Plan: We have an incident response plan in place to quickly and effectively address any data breaches or security incidents. This includes notifying affected individuals and the relevant authorities, as required by law.

Physical Measures:

Secure Premises: Our facilities are secured with access controls, surveillance cameras, and alarm systems to prevent unauthorised physical access to our data centres and offices.

Data Storage: Personal data is stored in secure environments with controlled access to prevent unauthorised access, disclosure, or loss.

Data Breach Notification

In the unlikely event of a data breach, we will promptly assess the risk to your rights and freedoms and notify you and the Information Commissioner’s Office (ICO) as required by law. Our incident response plan ensures that we can act quickly to contain the breach, mitigate any harm, and prevent future incidents.

Your Responsibilities

While we take extensive measures to protect your personal data, it is also important that you take steps to safeguard your information. This includes using strong, unique passwords for accessing our services and not sharing your login credentials with others.

Accountability and Compliance with GDPR

We are committed to ensuring the privacy and protection of your personal data in compliance with the General Data Protection Regulation (GDPR). As part of our commitment to accountability, we have implemented comprehensive measures to demonstrate our adherence to data protection principles and legal requirements.

Data Protection Officer (DPO)

We have appointed a Data Protection Officer to oversee our data protection strategies and ensure compliance with GDPR. The DPO is responsible for advising on data protection obligations, monitoring compliance, and acting as a point of contact with supervisory authorities and data subjects.

Data Protection Impact Assessments (DPIAs)

We conduct Data Protection Impact Assessments for processing activities that are likely to result in a high risk to the rights and freedoms of individuals. DPIAs help us identify and mitigate potential privacy risks.

Data Processing Agreements

We have established written agreements with third-party processors to ensure that they comply with GDPR requirements. These agreements outline the nature and purpose of processing, the type of personal data involved, and the responsibilities of each party.

Record of Processing Activities (RoPA)

Our system records our processing activities, including the purposes of processing, personal data, data recipients and transfers to third countries. These records are available for inspection by supervisory authorities upon request.

Privacy by Design and Default

We integrate data protection principles into the development and operation of our systems, products, and services. By considering data protection at every stage of processing, we implement appropriate technical and organisational measures to safeguard personal data.

Policies and Procedures

We have developed and implemented comprehensive data protection policies and procedures, including policies on data retention, data security, breach notification, and data subject rights.

Training and Awareness

We provide regular training for our employees on data protection principles and practices to ensure they understand their responsibilities and the importance of protecting personal data.

Data Subject Rights

We facilitate and respond to data subject requests regarding their rights under GDPR, such as access, rectification, erasure, restriction of processing, data portability, and objection. We have established processes to handle these requests promptly and effectively.

Security Measures

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This includes measures to protect against unauthorised access, data breaches, and other security incidents.

Breach Notification

We have procedures in place for detecting, reporting, and investigating data breaches. We will notify the relevant supervisory authority of a breach within 72 hours and communicate the breach to affected data subjects when there is a high risk to their rights and freedoms.

Regular Audits and Reviews

We conduct regular audits and reviews of our data protection practices to ensure ongoing compliance with GDPR. We address any identified gaps or weaknesses promptly.

Transparency and Communication

We provide clear and transparent information to individuals about how their personal data is being processed. This privacy notice details the purposes of processing, legal bases, data retention periods, and the rights of data subjects.

Your Data Subject Rights

As a data subject, you have several rights concerning your personal data. We are committed to facilitating the exercise of these rights and ensuring that your privacy is protected. The following outlines your rights under applicable data protection laws, such as the General Data Protection Regulation (GDPR):

Right to Access: You have the right to request access to your personal data that we process. This includes obtaining information about the purpose of the processing, the categories of personal data involved, and the recipients or categories of recipients to whom your data has been or will be disclosed.

Right to Rectification: If you believe that the personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or complete this data without undue delay.

Right to Erasure (“Right to be Forgotten”): You have the right to request the deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected, or if you withdraw your consent on which the processing is based.

Right to Restriction of Processing: You can request that we restrict the processing of your personal data under specific conditions, such as when you contest the accuracy of the data or object to its processing.

Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format. You also have the right to request the transfer of this data to another data controller.

Right to Object: You have the right to object to the processing of your personal data on grounds relating to your particular situation, including for direct marketing purposes and profiling related to direct marketing.

Rights Related to Automated Decision-Making and Profiling: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

Right to Withdraw Consent: If you have provided consent for the processing of your personal data, you have the right to withdraw this consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Right to Lodge a Complaint: If you believe that your rights have been violated, you have the right to lodge a complaint with a supervisory authority, particularly in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

Lawful Bases for Processing Your Personal Data

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we must have a lawful basis to process your personal data. The lawful bases we rely on for processing your personal data include:

Consent:

We process your personal data with your explicit consent for specific purposes. You have the right to withdraw your consent at any time. To withdraw your consent please contact us.

Contract:

We process your personal data when it is necessary for the performance of a contract we have with you or your employer, or because you have asked us to take specific steps before entering into a contract.

Legal Obligation:

We process your personal data when it is necessary for compliance with a legal obligation to which we are subject.

Vital Interests:

We process your personal data when it is necessary to protect your vital interests or those of another person. This typically applies in emergency situations.

Public Task:

We process your personal data when it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

Legitimate Interests:

We process your personal data when it is necessary for our legitimate interests or the legitimate interests of a third party, provided that such interests are not overridden by your rights and freedoms. Our legitimate interests include, but are not limited to, improving services, marketing and fraud prevention.

For special categories of personal data, we rely on additional conditions under Article 9 of the UK GDPR, such as your explicit consent, employment law obligations, protection of vital interests, and other conditions permitted by law.

Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process your data, whether we can achieve those purposes through other means, and the applicable legal requirements.

GP medical records: In line with the British Medical Association guidelines, the minimum period for GPs to retain electronic patient records is 10 years after the patient’s death. Vaccination consent is part of your GP medical records.

Marketing Data: Until you withdraw your consent or opt out of marketing communications.

After the retention period expires, we will securely delete or anonymise your personal data. If anonymisation is not possible (for example, because your personal data has been stored in backup archives), then we will securely store your personal data and isolate it from any further processing until deletion is possible.

To exercise any of these rights or any other matters relating to this policy, please contact us at team247@doctorcall.co.uk or write to us at The Data Protection Officer, Doctorcall, 47 Nottingham Place, London W1U 5LZ. We will respond to your request in accordance with applicable data protection laws.

Contacting the Information Commissioner’s Office (ICO)

If you have any concerns about how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.

You can contact the ICO using the following details:

Address: Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
United Kingdom

Telephone: 0303 123 1113

Website: ico.org.uk

We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.