BOOTS ONLINE DOCTOR SERVICE
Let’s talk about privacy
HOW TO CONTACT US
If you wish to correct your personal data held by us or to opt out at any time from receiving marketing correspondence from us or to alter your marketing preferences please contact us on 0800 031 8386.
If you need to contact us in connection with our use or processing of your personal data or to gain access to it, or if you wish to contact our Data Protection Officer, please send an email to firstname.lastname@example.org.
CATEGORIES OF PERSONAL DATA WE COLLECT
The categories of personal data about you that we may collect, use, store, share and transfer are:
Individual Data. This includes personal data which relates to your identity, such as your first name, middle name, last name, username or similar identifier, title, date of birth and gender and your contact details such as your billing address, delivery address, email address and telephone numbers;
Advertising Data. This includes personal data which relates to your advertising preferences, such as whether you open our emails (and if you do what links you click on), information about your preferences in receiving marketing materials from us and our third parties and your communication preferences as well as your personal interests;
Information Technology Data. This includes personal data which relates to your use of our website, such as your internet protocol (IP) address, login data, traffic data, weblogs and other communication data, browsing behaviour information, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices (which include computers as well as hand held devices such as mobile phones and tablets) that you use to access our website;
Account and Profile Data. This includes personal data which relates to your account or profile on our website, such as your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses;
Economic and Financial Data. This includes personal data which relates to your finances, such as your payment card details and information which we collect from you for the purposes of the prevention of fraud;
Sales Data. This includes personal data which relates to the transactions you have conducted with us, such as details about payments to and from you, details of prescriptions and other details of products and services you have purchased from us;
Health Data. This includes personal data relating to your current or former physical or mental health, including information about any healthcare you have received from us or other healthcare providers such as GPs, dentists or hospitals (private and/or NHS), which may include test results, referral letters, prescription or treatment details, photos, information you provide when communicating with our doctors, details of clinic and hospital visits, as well as medicines administered;
Market Research Data. This includes individual data which is gathered for the purposes of market research, such as price comparison information.
Data Relating to Recruitment. This includes personal data in Information Technology Data and Individual Data (above) as well as nationality, immigration status (including copies of your passport, biometric residence permit and other immigration documents), languages, marital status, information included in references and any other information included on CVs, application forms and covering letters including qualifications, skills (job-related and technical) and level of experience, education history, details of previous employment, employment dates, salary and benefits information and professional memberships.
Other recruitment data includes submissions for any assessment at interview stage and notes/results thereof, special arrangements required for interview, interview notes, notes from shortlisting exercises, assessment exercises and tests, building entry, exit records, post interview feedback.
THE SOURCES FROM WHICH WE OBTAIN YOUR PERSONAL DATA
We obtain your personal data from the following sources:
Directly from you, either via video calls, via our website or by telephone or via computers and hand held devices including mobile phones and tablets. This could include personal data which you provide when you:
- enter into a contract with us for the provision of healthcare services;
- use any healthcare services provided by us;
- create an account on our website;
- request information on our products or services or for other marketing to be sent to you;
- correspond with us by letter, email or telephone;
- complete a survey from us or give us feedback; and/or
- purchase a prescription from us for a product dispensed by Boots, the payment confirmation for which shall be sent to us by Stripe (or such other payment processor as we appoint from time to time).
Indirectly from other sources. We may also collect personal data about you from third parties when:
- you are referred to us for the provision of healthcare services (such as where you are referred to us by Boots);
- we liaise with the relevant pharmacist;
- we deal with experts (including medical experts) and other service providers about services you have received or are receiving from us (such as a laboratory);
- we liaise with credit reference agencies;
- we liaise with debt collection agencies; and/or
- we liaise with Government agencies, including the Home Office and HMRC.
From someone else, such as:
- analytics providers (such as Google Analytics);
- advertising networks (such as affiliate marketing networks);
- search information providers (such as Facebook, Google Ads and Microsoft Bing Ads);
- providers of technical, payment and delivery services (such as Stripe);
- providers of video conferencing and webinar software services for webinars we may provide (such as Zoom); and
- providers of social media platforms (such as Facebook, Twitter and Instagram) for example where you share our content through social media, for example by liking us on Facebook, following or tweeting about us on Twitter.
During our recruitment process from:
- Recruitment agencies, employment agencies and employment businesses;
- A third party portal which does the initial review of applicants (currently Lever);
- The Disclosure and Barring Service and any intermediaries we use to run background checks;
- Statutory or other official bodies such as the Home Office including UK Visas and Immigration;
- Professional advisers, past employers and referees;
- Analytics providers (such as Google Analytics); and
- Public sources including social media.
HOW WE USE YOUR PERSONAL DATA
We collect personal data about you in order to:
perform our contractual obligations to you. This would include:
- registering you as a patient;
- providing you with healthcare and related services and communicating with you in relation to the same (including in relation to complaints);
- providing any treatments or prescriptions which have been prescribed to you or referring you to Boots for the fulfilment of any prescriptions;
- communicating with any other individual that you ask us to update about your care, including family members and other healthcare professionals;
- orders placed by us where you are a supplier;
- using our systems to compile and organise your answers to our health questionnaire to enable our healthcare professionals to better understand your healthcare needs and provide you with any relevant prescriptions;
- making or receiving payments, fees and charges; and
- collecting and recovering money owed.
manage our relationship with you including:
- to provide you with important real-time information about healthcare services and prescriptions you have ordered from us (e.g. when your prescription is ready for collection or in the unlikely event that we have to change your appointment time);
- to send you information you have requested;
- to deal with your enquiries; and
- to ask you to leave a review or feedback on us;
perform our recruitment process, including to:
- make a decision about your recruitment or appointment;
- determine the terms on which you will work for us if you are offered employment or engagement with us;
- check you are legally entitled to work in the UK;
- request references and other background checks;
- communicate with you about your application and the recruitment process;
- assess your skills, qualifications and suitability for a particular job or task;
- retain details about you in case there are future employment opportunities for which you may be suited; and
- deal with legal disputes (including litigation, claims, and defence or settlement of claims) involving you, or our employees, workers and contractors, including accidents on our premises;
administer our business and carry out business activities and operations, such as maintaining accounting records, analysis of financial results, internal audit requirements and receiving professional advice;
send you relevant communications where you start the process of registering as a patient with us but do not complete this process;
make suggestions and recommendations to you about goods or services that may be of interest to you, deliver relevant website content and advertisements to you and to measure or understand the effectiveness of our advertising;
use data analytics for internal purposes, to identify usage trends, to determine and measure the effectiveness of promotional campaigns and advertising and to improve our website, products/services, marketing, patient relationships and experiences;
protect our business including to deal with any misuse of our website and to comply with our security policies at our locations;
conduct or take part in any medical audits (e.g. an audit carried out by us for the purposes of assessing outcomes for patients and identifying improvements which could be made for the future);
comply with our own legal and industry obligations e.g. to comply with health and safety requirements, or to assist in a police investigation;
perform an official role which we have been designated to carry out by an official authority (e.g. the government) or where we are otherwise carrying out tasks which are in the public interest (e.g. which have been designated as such by government, or which would otherwise be deemed in the public interest);
detect and prevent fraud and other illegal activities (and to assist regulators, trade bodies and law enforcement agencies in relation to the same), for example we may use your personal data to prevent people from obtaining prescription medications fraudulently;
finance, restructure, sell, make ready for sale or dispose of our business in whole or in part including to any potential buyer or their advisers;
process your employment application (whether by CV and covering letter, application form or otherwise) to decide whether you meet the requirements to be shortlisted for the role or to consider if there is a vacancy which you may be suited for. We will then decide whether to invite you for an interview or to attend an assessment. If we decide to contact you for an interview or to attend an assessment, we will use the information you provide to us at the interview(s) and during any assessments to decide whether to offer you the role. If we decide to offer you the role, we will then take up references and carry out a criminal record check if applicable before confirming your appointment; and
investigate and defend any third-party claims or allegations.
OUR LAWFUL BASIS FOR PROCESSING YOUR PERSONAL DATA
Where we may rely on consent
For certain purposes it may be appropriate for us to obtain your prior consent. The legal basis of consent is only used by us in relation to processing that is entirely voluntary – it is not used for processing that is necessary or obligatory in any way.
In the event that we rely on your consent, you may at any time withdraw the specific consent you give to our processing your personal data. Please contact us using the contact details set out in paragraph 2 to do so. Please note even if you withdraw consent for us to use your personal data for a particular purpose we may continue to rely on other lawful bases to process your personal data for other purposes.
Other legal bases we may rely on
Where we are relying on a basis other than your consent, the lawful basis for processing personal data will be one of the following:
the processing is necessary in order for us to comply with our legal obligations (such as compliance with medical legislation);
the processing is necessary for the performance of a contract you are party to or in order to take steps at your request prior to you entering into a contract;
processing is necessary for the establishment, exercise or defence of legal claims; or
the processing is necessary for the pursuit of our legitimate business interests. In particular, our legitimate interests include:
- the provision of our healthcare services and goods;
- the recovery of debt;
- the provision of administration and / or technology services;
- the security of our technology network;
- the prevention of fraud;
- marketing of goods and services and promotion of our business;
- the reorganisation or sale or refinancing of the business or a group restructure;
- the study of how to develop, update and improve our products and services;
- the development of our business strategy;
- protecting our business and property; or
- the management of the recruitment process and employment and engagement of staff in particular making decisions about who to offer employment or engagement to and on what terms;
the processing is necessary in order to protect the vital interests of an individual e.g. where there is a medical emergency; or
the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
Extra conditions for sensitive personal data
Where we are processing your sensitive / special category personal data one of the following conditions will also apply:
- you have given your explicit consent to the processing;
- the processing relates to personal data which are manifestly made public by you;
- the processing is necessary for the establishment, exercise or defence of legal claims;
- the processing is necessary for archiving purposes in the public interest; scientific or historical research purposes or statistical purposes;
- the processing is necessary to protect an individual’s vital interests where the individual cannot give consent;
- the processing is necessary for reasons of substantial public interest;
- processing is necessary in relation to your or our rights in the field of employment and social security and social protection law;
- processing by a not-for-profit body in certain circumstances;
- processing is necessary for the purposes of preventative or occupational medicine; and
- processing is necessary for reasons of public interest in the area of public health.
WHO RECEIVES YOUR PERSONAL DATA
We may disclose your personal data to:
- a doctor, nurse, carer or any other healthcare professional involved in your treatment, including your GP, pharmacist, dentist or other clinicians (including their medical secretaries);
- other members of support staff involved in the delivery of your care, such as admin staff;
- anyone that you ask us to communicate with or provide as an emergency contact (e.g. your next of kin or carer);
- NHS organisations, including NHS Resolution, NHS England, Department of Health;
- relevant parties if we have concerns about your wellbeing if you provide your consent or in order to protect your vital interests;
- private sector healthcare providers;
- third parties who assist in the administration of your healthcare, such as insurance companies or Boots;
- national and other professional research/audit programmes and registries;
- government bodies including the Home Office and HMRC as well as our regulators, like the Care Quality Commission, Regulation and Quality Improvement Authority, Health Inspectorate Wales and Healthcare Improvement Scotland;
- the police and other third parties where reasonably necessary for the prevention, investigation, prosecution or detection of crime;
- our insurers;
- debt collection agencies;
- credit referencing agencies;
- our third party service providers such as technology suppliers, actuaries, auditors, lawyers, marketing / PR agencies, document management providers and tax advisers;
- law enforcement agencies, courts or other relevant party, to the extent necessary for the establishment, exercise or defence of legal rights;
- third parties which are considering or have decided to acquire some or all of our assets or shares, merge with us or to whom we may transfer our business (including in the event of a reorganisation, dissolution or liquidation);
- your named referees when requesting a reference; and
- members of our HR and recruitment team, interviewers involved in the recruitment process, senior staff within our business and IT staff if access to the data is necessary for the performance of their roles, as applicable.
PERSONAL DATA ABOUT OTHER PEOPLE WHICH YOU PROVIDE TO US
ACCURACY OF YOUR PERSONAL INFORMATION
It is important that the personal data we hold about you is accurate and current and we take all reasonable precautions to ensure that this is the case but we do not undertake to check or verify the accuracy of personal data provided by you. Please keep us informed if your personal data changes during your relationship with us either by logging onto your account on the website or by contacting us. We will not be responsible for any losses arising from any inaccurate, inauthentic, deficient or incomplete personal data that you provide to us.
INTERNATIONAL TRANSFERS OF PERSONAL DATA
Personal data we collect from you will be transferred, stored and/or processed outside the United Kingdom including to the USA and the EEA.
In connection with such transfers we will seek to ensure that:
- there are appropriate safeguards in place such as binding corporate rules or the standard data protection model contractual clauses between us and the recipient. A copy of the appropriate safeguard can be obtained by contacting us using the contact details set out in paragraph 2; or
- an adequacy decision has been made by the United Kingdom such that the data protection regime in the relevant location or jurisdiction ensures an adequate level of protection for personal data; or
- one of the derogations for specific situations in the first sub-paragraph of Article 49(1) GDPR (or the equivalent provisions of applicable data protection legislation in the UK) applies to the transfer, storage or processing.
HOW LONG WE WILL STORE YOUR PERSONAL DATA FOR
We will store your personal data for the time period which is appropriate in accordance with our record retention policy and applicable regulations.
For our recruitment process, we will usually retain the personal data of unsuccessful candidates for a period of 6 months after we have communicated to you the decision not to offer you a role.
CONTRACTUAL OR STATUTORY REQUIREMENTS ON YOU TO PROVIDE PERSONAL DATA
In certain circumstances the provision of personal data by you is a requirement to comply with the law or a contract, or necessary to enter into a contract.
It is your choice as to whether you provide us with your personal data necessary to enter into a contract or as part of a contractual requirement. If you do not provide your personal data then the consequences of failing to provide your personal data are that we may not be able to provide you with the healthcare you are seeking.
YOUR RIGHTS IN RELATION TO YOUR PERSONAL DATA
Subject to applicable law including relevant data protection laws, in addition to your ability to withdraw any consent you have given to our processing your personal data (see paragraph 6), you may have a number of rights in connection with the processing of your personal data, including:
- the right to request access to your personal data that we process or control;
- the right to request rectification of any inaccuracies in your personal data or, taking into account the purposes of our processing, to request that incomplete data is completed;
- the right to request, on legitimate grounds as specified in law:
  - erasure of your personal data that we process or control; or
  - restriction of processing of your personal data that we process or control;
- the right to object, on legitimate grounds as specified in law, to the processing of your personal data;
- the right to receive your personal data in a structured, commonly used and machine-readable format and to have your personal data transferred to another controller, to the extent applicable in law; and
- the right to lodge complaints regarding the processing of your personal data with the Information Commissioner’s Office or other relevant supervisory body. Please see https://ico.org.uk/concerns/ for how to do this.
If you would like to exercise any of the rights set out above, please contact us using the contact details set out in paragraph 2. Please note that as a regulated healthcare provider, we may not always be able to comply with requests relating to these rights.
LINKS TO OTHER WEBSITES