Dr. iQ Privacy Policy

Summary

Keeping your personal data safe is very important to us. Your personal data is stored in our secure systems, and only those who are involved in delivering your care have access to your personal data.

Your data will not be shared with anyone, unless we are obliged by law.

We will never share your personal information with marketing and advertising companies.

We hold your information securely in the UK at all times. Your information is not shared anywhere outside the UK.

A Privacy Policy is a statement that describes how an organisation collects, use, retain and disclose personal data, or special categories of personal data. Different organisations sometimes use different terms, and it can be referred to as a privacy statement, a fair processing notice or a privacy notice.

Being transparent and providing accessible information to individuals about how an organisation will use their personal information is a key element of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. To ensure that we process your personal data fairly, lawfully and transparently when using our application software or website application software, we are required by law to provide you with the following information:

  • What information we collect and process about you
  • How we process your personal data
  • The purpose of processing
  • Recipients or categories recipients of your personal data
  • The identity of our Data Protection Officer
  • How long we retain personal information about you
  • The lawful bases for processing
  • Your rights - to view, request access copies of your personal information, or object to the processing of your personal information

This Privacy Policy sets out the basis on which we process personal information about individuals in the following categories:

  • Healthcare provider staff whose organisations are licensed to use our Dr. iQ software application by way of contractual agreement and,
  • Patients who are registered to use our Dr. iQ mobile application or website application to communicate with their healthcare providers to access online services.

AT Technology Services is a technology solution provider that operates specialised software services used for managing analytical services, communication and information in healthcare systems, with the aim of improving healthcare services for patients/service users across multiple healthcare organisations.

Typically, we act as a Processor for healthcare organisations by way of Data Processing Agreements in connection with contractual agreements between us and our client who are mainly healthcare providers licensed to use our software applications to provide you with clinical services.

We can be contacted at:

AT Technology Services Limited
77 New Cavendish Street, London, England, W1W 6XB

If you have any questions or concerns regarding how your data is being processed, please write to our Data Protection Officer who can be contacted at:

Data Protection Officer
Rose House, Bell Lane Office Village
Bell Lane
Little Chalfont
Amersham
Buckinghamshire
HP6 6FA
Tel: 01494 690 999
Email: operosehealth.dpo@nhs.net

Dr. iQ is a free online mobile application software and website application software for NHS patients, providing fast, safe and effective online consultation with your GP.

Dr. iQ is specifically developed to enable direct online contact between patients and their healthcare providers (e.g. GP Practices). By using Dr. iQ (via our website or app software which is downloadable from Apple or Android Google Play store) patients/service users can:

  • Register with a GP practice that offers Dr. iQ to its patients
  • Book appointments
  • Conduct online consultations with a health professional
  • View medical records online
  • Order repeat prescriptions for collection at a preferred pharmacy

When you access any of the above services via Dr. iQ, we use personal information about you (such as name, date of birth, NHS number) and technical information (such as internet protocol address) to:

  • To allow you to participate in interactive features of our service, when you choose to do so.
  • To administer and maintain our website and app for internal operations, including troubleshooting, statistical and survey purposes.
  • To ensure that content from our app or website is presented in the most effective manner for you.
  • To notify you of any changes/update/upgrade to our system as part of our efforts to keep our website and app safe and secure.

We process the following categories of personal information about individuals using Dr. iQ:

Category Data Type
Identity data and contact details Such as name, date of birth, gender, NHS number, telephone number, postal address, postcode, email address etc.
Special categories of personal data concerning physical, social or mental health condition. Such as medical history, diagnosis, treatments, test results, appointment, attendances, referrals, care plans, medication etc.
Special categories of personal with protected characteristics Such as racial or ethnic origin, religious or philosophical beliefs, genetic data, sexual life or sexual orientation data, etc
Personal data of staff whose healthcare provider organisations are licensed to use our Dr. iQ software application by way of contractual agreement. Name, email-address, work telephone number and job role.
Aggregated data A combination of personal data, and special categories of personal data for the purpose of business intelligence and analytical services.
Usage data Our websites use cookies to distinguish you from other user when you access our online services. A cookie is a small file of letters and numbers that we store on your browser when you consent to use of our online services. This helps us to provide you with a good experience when you browse our site and enable us to improve our site.

Information you provide us - This is information that is provided by patients or healthcare staff when corresponding with us by telephone, e-mail, app or otherwise. It includes information provided by patients when they register to use our Dr. iQ app and when they report a problem with our website. The information given to us may include name, address, e-mail address, phone number and medical information.

Information we collect about you - When an individual visits our website or download our Dr. iQ app, to use any of the services listed above, we process the following online identifiers which also constitutes additional personal information of that individual:

  • Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
  • Information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page and any phone number used to call our customer service number.

Information we receive from other sources – This is information we receive about patients if they use any of the other websites we operate or the other services we provide. For example, where your healthcare provider is licensed to use our Dr. iQ software application to provide you with online consultation services, they provide us with information they hold about you so to ensure that you receive the best service, to administer and maintain our website and app. As a Processor we only ever act on their instructions as set out in a Data Processing Agreement.

We work closely with other organisations (including, for example, business partners, suppliers and sub-contractors) including your registered GP provider.

Information about healthcare staff that we process.

Healthcare staff can create a Dr. iQ account. When you do so, we process the following information:

  • Name
  • Work email address
  • Affiliated organisation
  • Job role
  • Work contact phone number
  • The content of communications with, or about, patients sent via Dr. iQ
  • Data about the way you have used Dr. iQ software, such as the functions you have used

We process healthcare staff data to create Dr. iQ account login, to enable health staff to communicate with patients effectively and to deliver the best possible direct care. The processing is in line with software services provision with health providers by way of a contractual agreement.

We will never share your personal information with marketing and advertising companies.

We hold your information securely in the UK at all times. Your information is not shared anywhere outside the UK.

In order for the processing of the personal, and special categories of personal data to comply with UK GDPR Article 5 and Section 86 of the 2018 Act, (principles of data protection) it must be fair, lawful and transparent, and must meet at least one of the Article 6 conditions as well as Article 9 (in the case of special categories of personal data). Therefore, the processing of the Personal Data for the purpose of Dr. iQ mobile application software and website application software is permitted under the following UK GDPR and the 2018 Act:

Grounds relied on under UK GDPR Article 6 Why the grounds are met
UK GDPR Article 6(1) (f) - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. For the following legitimate interest purposes, we process personal information about patients/service users who are registered to use our Dr. iQ applications to communicate with their healthcare providers to access clinical services:
  • To authenticate identity and administer accounts.
  • To deal with your enquiries and requests.
  • To analyse and create statistical reports based on the services we provide and our performance of those services.
Grounds relied on under GDPR Article 9 Why the grounds are met
UK GDPR Article 9 (2) (h) - processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of the domestic law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3. It is necessary to process special categories of personal data concerning health for the purpose of Direct Care to provide a safe and effective system of healthcare to individuals using our Dr. iQ applications to communicate with their healthcare providers to access online services:
Provisions relied on under DPA Section 10 Why the grounds are met
The lawfulness of sharing/processing of special categories of personal data set out in Article 9 (2) (h) of the UK GDPR (as above) is permitted under Section 10 of the 2018 Act (health and social care purposes) The grounds for the processing meets the following provisions set out in Part 1, Schedule 1 (2) of the 2018 Act: Health or social care purposes means the purposes of:
a) preventive or occupational medicine;
b) medical diagnosis;
c) the provision of health care or treatment;
d) the provision of social care, or
the management of health care systems or services or social care systems or services.
Provisions relied upon for obligation of professional secrecy Why the grounds are met
For the purposes of Article 9(2) (h) of the UKGDPR, the circumstances in which the processing of special categories of personal data is carried out is subject to the conditions and safeguards referred to in Article 9(3) (obligation of professional secrecy). Therefore, in accordance with Section 11(1) of the 2018 Act, these will include circumstances in which it is carried out –
(a) by or under the responsibility of a health professional or a social work professional, or
(b) by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
Access to special categories of personal data is carried out by registered healthcare professionals (e.g. doctors, nurses social care professional), and non-registered professionals (e.g. analysts or IT developers) who owe a duty of confidentiality by virtue of their employment contract.
Lawfulness for processing personal data of staff whose healthcare provider organisation is licensed to use the Dr. iQ software application
Grounds relied on under GDPR Article 6 Why the grounds are met
UK GDPR Article 6(1) (b) - processing is necessary for the performance of a contract to which the data subject is party. Personal information (such as a name) of a health staff (e.g. GP) whose healthcare provider organisation is licensed to use the Dr. iQ software application is included in a patient’s record to identify the health professional involved in the patient’s care therefore, it is necessary to process the personal data of the staff for performance of a contract, and to administer the Dr. iQ services. The processing is also necessary to create Dr. iQ account login for health provider staff, to enable them to communicate with their patients effectively and to deliver the best possible direct care. The processing is in line with software services provision with their health providers by way of a contractual agreement.

All records held by AT Technology Services will be kept for the duration specified in the Records Management Codes of Practice for Health and Social Care 2020 and supplemented by our Records Management Standards.

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for. To determine the appropriate retention period for personal data, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements have all been considered.

Information provided to us is stored on our secure server. Only those who have legitimate reason to view personal information have access to it, and they only have access to the data items that they need to see. All users (including health staff and their patients) of Dr. iQ platform or services are responsible for keeping their passwords secure and confidential at all times. Passwords must never be shared.

We do not transfer personal data to any third countries or international organisations.

We only use information that may identify you in accordance with UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. These legislations require us to process your data only if there is a lawful basis for doing so and that any processing must be fair, lawful and transparent.

We also ensure the information we hold is kept in secure locations, restrict access to information to authorised personnel only, protect personal and confidential information held on equipment such as laptops with encryption (which masks data so that unauthorised users cannot see or make sense of it).

Our appropriate technical and security measures include:

  • The ability to ensure ongoing confidentiality, integrity, availability and resilience of our systems.
  • The ability to quickly restore availability and access to personal information in the event of a physical or technical incident; and
  • A process regularly testing, assessing and evaluating the effectiveness of security measures, and ensure they comply with the concept of privacy by design and default;
  • Encryption; Firewalls / VPN; Password protected files; Restricted Access Folders and System Audit.

Our websites use cookies to distinguish you from other user when you access our online services. A cookie is a small file of letters and numbers that we store on your browser when you consent to use of our online services. This helps us to provide you with a good experience when you browse our site and enable us to improve our websites.

We use the following cookies:

  • Strictly necessary cookies: These are cookies that are required for the operation of our site. They include, for example, cookies that enable you to login to secure areas of our websites.
  • Analytical/performance cookies: They allow us to recognise and count the number of visitors and to see how visitors move around our site when they are using it. This helps us to improve the way our websites work, for example, by ensuring that users are finding what they are looking for easily.
  • Functionality cookies: These are used to recognise you when you return to our site. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
  • Targeting cookies: These cookies record your visit to our site, the pages you have visited and the links you have followed. We will use this information to make our site more relevant to your interests. We may also share this information with third parties for this purpose.

You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.

Except for essential cookies, all cookies will expire after 12 months.

Where information from which a data subject can be identified is held, they have the:

  • Right of access to view or request copies of the record
  • Right to rectification of inaccurate personal data or special categories of personal data
  • Right to restriction of the processing of your data where accuracy of the data is contested, processing is unlawful or where we no longer need the data for the purposes of the processing.
  • Right not to be subject to any automated individual decision-making.
  • Right to object to the processing of your personal data where we cannot demonstrate a legitimate.
  • Right to data portability by requesting the data which you provided to us (not data generated by us) in a structured, commonly used machine-readable format. Your right to portability shall apply only where:
    • data is processed by automated means, and
    • you provided consent to the processing or,
    • the processing is necessary for the fulfilment of a contract.

In line with the Data Protection Legislation, data subjects do not have the right to object to the processing of their personal information where:

  • The purpose of the processing is for direct provision of care or safeguarding concerns.
  • The processing is necessary for compliance with a legal obligation to which we are subject. This includes information we share with statutory organisations, law enforcement and regulatory bodies such as NHS Digital (statutory data collection), NHS Counter Fraud, the Police or Courts of Justice.

Under the data protection legislation, a data subject’s right to erasure (right to be forgotten) applies where he/she had given ‘consent’ to process their personal data and later withdrew the consent. Right to erasure does not apply to the extent where the processing of personal health data is necessary for:

  • Compliance with a legal obligation which we are subject to, under the UK law or, for the performance of a task carried out in the public interest or, in the exercise of official authority vested on us;
  • medical purposes and/or for reasons of public interest in the area of public health;
  • archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
  • the establishment, exercise or defence of legal claims.

Data subjects can exercise their rights at any time, or request to see or have copies of personal information we hold about them by writing to our Data Protection Officer at the address above.

Where a data subject is dissatisfied with the way we process their data, they should contact us using the details above, and we will try to resolve their complaint. Data subjects have the right to appeal/complain to the Information Commissioner (IC) who can be contacted at:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
Tel: 0303 123 1113 or 01625 545 745
Email: https://ico.org.uk/global/contact-us/