Our Privacy Notice describes the categories of personal data we process and for what purposes.
We will never sell your details to third parties for their own marketing purposes
Introduction and summary
At VSM Pharmacy, we know that your personal information is important to you. That’s why whenever we process it, we only use what we need to, and we do everything we can to ensure it is appropriately protected.
This notice explains the situations where we may process your personal data and the steps we take to protect it. In summary:
- Most of the personal information we collect is provided directly by you and is necessary to deliver the service you have requested. We only ask for the information that we absolutely need.
- We do collect some personal information automatically – such as IP addresses, pages viewed on our website and links you’ve clicked on. This is predominantly through the placement of cookies which are explained in detail later.
- We may acquire some personal information from commercially available data sources (e.g. the electoral roll) to keep your data accurate and help us better understand your needs.
- If you have given us appropriate permission to do so, we may send you information about products and services we offer. We will never sell your details to third parties for their own marketing purposes.
- To help you get the most out of our marketing, we may sometimes tailor it to you using your personal information. We will do this by building a profile about you, for example, to understand what services you currently use, or may have a future need for. You can object to this (explained later) and receive non-personalised marketing instead.
- We may share your information within our wider group of companies (explained later) where there is a legal need, or justified business need, to do so.
- We use selected third parties to provide some of our services (e.g. courier companies to deliver online orders) and will share the minimum personal data necessary with them to do so.
- Like most organisations, we use third parties to support the running of our business (e.g. using an application) and, in certain circumstances, these third parties may have access to your data. This may be from outside of the European Union. Where this is the case, we have appropriate protective measures in place to ensure your information is appropriately protected.
- With the exception of tailored marketing (as mentioned above) we do not make any automated decisions – i.e. a decision which does not involve a human providing an opinion – about you in delivering our services.
Updating this notice
Who are we?
VSM Pharmacy is the trading name for Hazel Hope Limited. When we say ‘we’ or ‘us’ we mean this company.
How can you contact us?
By email at email@example.com
By post to:
124 Frimley Road
If you specifically want to contact our Data Protection Officer, you can do so by emailing firstname.lastname@example.org.
Alternatively, you can write to them at:
Data Protection Officer
124 Frimley Road
What if you need to complain about how we have used your personal information?
You can make a complaint about how we have used your personal information to us by contacting our Data Protection Officer (using the details above).
You are also entitled to complain to the Data Protection Supervisory Authority – which in the UK is the Information Commissioner’s Office (ICO). You can find their contact details at https://ico.org.uk
What are your privacy rights and how can you exercise them?
Under law, you have the following rights:
- Right of Access: you have the right to know how we process your personal information (as explained in this notice) and also a right to receive a copy of your personal information.
- Right of Rectification: you can ask us to change or complete any inaccurate or incomplete personal information held about you.
- Right to Object: you have the right to object, in certain circumstances, to us processing your personal information. For example, you can object to us sending you marketing material or using your personal information to create a profile about you.
- Right to Erasure: in certain circumstances, you can ask us to delete your personal information. For example, where it is no longer necessary for us to use it, you have withdrawn consent, or where we have no lawful basis for keeping it.
- Right of Portability: you have the right to ask us to send a copy of certain elements of your personal information (predominantly information you have shared directly with us) to another company.
- Right to Restrict: you can ask us to restrict the personal information we use about you where you have asked for it to be erased (and the erasure has not taken place or we were unable to erase the data when we should have) or where you have objected to our use of it.
To exercise the Right of Access, email us at email@example.com or by letter to:
124 Frimley Road
To exercise any other right, email our DPO or by post to:
Data Protection Officer
124 Frimley Road
Exercising your rights is free and we will respond to any request as quickly as we can. Under current law, we have up to a calendar month to respond to any request. We will endeavour to meet this. If we can’t, we’ll contact you to explain why and confirm when your request will be processed.
What personal information do we collect and how is it used?
What we collect and how we use it depends on how you interact with us and the specific services you’ve requested. This is outlined below.
- To fulfil your prescription – we capture your name, address, date of birth, NHS number and the medication required (this includes the name of the medication and the dosage instructions) as detailed on the prescription. Capturing this information is necessary to provide the service to you.
- If you are an online customer using our Click and Collect service then we will share information with your chosen VSM Pharmacy in order for them to receive your prescription and dispense the medication for you.
- To deliver our wider consultation services – In addition to the information referenced above we may need to understand wider information about your health and wellbeing, including any family history of medical conditions. If someone books such an appointment on your behalf for example your GP, GP practice nurse, then we will collect this information from them and verify it with you during the appointment.
- We process your payment card details to provide the services you have requested. We do not store these details. For any repeat orders of products or services made by you online via our website or app or if you opt to have your details stored for future payments, our third Party Processing Agency securely holds your payment card details and provides us with a unique token that represents that particular card; this token is only valid for payment to us.
- If you interact with us online (for example, when you use our website, digital services or post comments on our Facebook page) we will indirectly collect information about you. We collect certain usage information when you utilise our website such as Internet Protocol (“IP”) addresses, log files, unique device identifiers, pages viewed, browser type, any links you click on to leave or interact with our website and the products and services we offer, and other usage information collected from cookies and other tracking technologies. For example, we collect IP addresses to track and aggregate non-personal information, such as using IP addresses to monitor the regions from which users navigate our website. We collect this information for our own legitimate business interests to enable us to understand how digital services are used and how we can improve them.
- If you have an account with us online, we may collect your IP addresses as part of the log in process. This is a security feature to protect your account.
- If you use our mobile app, there is an option to enable location based-services. If you give your consent for this, we will collect your location data and/or motion data.
- If you have an account with us, we will purchase commercially available data about you from sources like the electoral roll and companies that collate and update data. We do this as part of our legitimate business interests to keep our records accurate and up to date, provide you with a seamless and consistent service and to build a clearer picture of our customers, both individually and as a group. By understanding you better we can offer you the best and most personalised service we can, but don’t worry – we will only send you marketing material if you have agreed that we can.
- If you have provided your consent to do so, and it is deemed clinically appropriate, we will collect your data from NHS bodies such as your GP/surgery or hospital and view your Electronic Health Records (E.g. NHS Summary Care Record) in order to provide the service you have requested.
- If you sign-up in one of our pharmacies, we will send you SMS messages as part of our prescription collection service. We may use your mobile phone number for carefully considered and specific purposes which are in our Legitimate Interests and help us to enhance our products and services, but which we believe also beneﬁt our customers, for example to send you an SMS message about our in-pharmacy services like flu vaccinations. Legitimate Interests means the interests of our company in conducting and managing our business to enable us to give you the best service/products.
When we process your personal information for our Legitimate Interests, we make sure we consider and balance any potential impacts on you (both positive and negative), and your rights under data protection laws. Our legitimate business interests do not automatically override your interests. We will not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). We will ensure that there is a facility to opt-out of any marketing messages we send. If you have any concerns about the processing of your personal data, you have the right to object to processing that is based on our Legitimate Interests. You can raise these concerns by emailing our DPO or by post to:
Data Protection Officer
124 Frimley Road
- If you are a customer of a pharmacy business that has been taken over by us, we will receive your personal information as part of the handover process. Where this happens, we will place a notice in the pharmacy to tell you that your personal information is changing hands.
- If we sell part of our business (e.g. one of our pharmacies) then we may need to share your personal data with the new owner. We will place a notice in the impacted pharmacy(ies), or notify you directly, to tell you that your personal information is being shared.
- If you call us, we may record or monitor the call. We do this for regulatory purposes, for training, to ensure and improve quality of service delivery, to ensure safety of our staff and customers, and to resolve queries or issues. Doing so is a legal obligation. Where we analyse calls to improve our service, we do so as a legitimate business interest.
- If you enter one of our premises, we may capture you on CCTV. We use CCTV to ensure the safety and security of our staff and customers. The images captured may be used to prevent and detect crime, and therefore may be shared with law enforcement. We carry out this processing activity either for our own legitimate interest or for the wider public interest (e.g. where it is shared with law enforcement).
- If you call us, we may record the conversation for training and monitoring purposes. We do this for our own legitimate interests, primarily to enable us to improve our customer experience.
- As part of delivering our service to you, we may use your personal information to contact you. For example, to send your reminders (e.g. about repeat prescriptions or service appointment) or to notify you of a change (e.g. that your prescription is ready to collect or out for delivery). We may also provide your telephone number to third party delivery services to allow them to contact you about your specific delivery. This could be, for example, to let you know that you were not in when we tried to deliver, or that we are unable to safely approach the house. Where we do so, we ensure the third party only uses the information for this specific purpose and processes it in accordance with an established legal contract.
- As part of our home delivery service (where you have asked one of our pharmacy branches to deliver your prescription to your home). We use your address to improve the efficiency of our delivery service, for example how many times a day/week we deliver to the same street, how many drivers we use, the efficiency of the route. We use a third party provider to analyse this data and we only provide them with the minimum information needed to perform this function, and they are not permitted to use it for other purposes. We always ensure that any third providers have the same levels of security controls in place as we do. In order to protect your individual privacy, the analysis of this information is only undertaken using pseudonymised data (where your name is replaced with a random numerical key reference), and we do not use any other data we hold about you (for example medication data) for this purpose. You have the right to object to the way we use your data if you believe our legitimate interest in doing it is outweighed by your right to privacy. This type of analysis is important in enabling us to operate efficiently and improve the service we provide to you, so we carry it out in a way that we believe it has no impact on your privacy.
- To fulfil our contractual requirements with the NHS, we need to share your personal information with your GP and others in the wider NHS, such as the NHS Business Services Authority, and sometimes Local Authorities to provide you with NHS or Local Authority funded services, to negotiate and check the accuracy of our payments with the NHS or Local Authorities and to ensure that we maintain appropriate professional and service standards and that your declarations and ours are accurate. This is necessary to perform the service and a legal requirement.
- If you have signed up to receive our health and wellbeing advice and information about our products and services, we will use your data to send this information to you via the channels you’ve given us data for. If you have expressed areas of specific interest, then we’ll use that to tailor the information you receive.
- We will use your health and medication information provided to dispense and deliver to you your prescriptions or provide other healthcare products and services you have requested. We will never use information about your prescriptions for marketing, although we may use it to advise you of other health services/products that might be useful or relevant to you, such as our new medicine service or a medicines use review.
- If you fall ill in our premises, we will share your personal information, if we have it, with medical professionals to allow them to deliver appropriate treatment to you.
- If you visit one of our offices as a guest (contractors, suppliers, guests, other non-customer individuals) on a one-time/ad-hoc basis or as part of a long-term agreement, your first name, surname, organisation/company name and vehicle registration will need to be recorded in our visitor system the purposes of site security and health and safety.
Who do we share your personal information with?
In the previous section we described particular instances where we share your personal information with others. There are also other third parties that we use to deliver services to you. In this section, we have summarised the categories of third parties who we may share your data with.
- Postal services and couriers – for typical business purposes, to deliver prescriptions by post, and to send your prescription scrip to the NHS (where a physical prescription is received)
- Third party content processors – for example, to deliver our health advice and information about our products and services to you (e.g. an email delivery service)
- Dispensing appliance contractors – where your prescription is for a medical appliance (e.g. colostomy bags, medical thermometers, pacemakers) we will pass your prescription, and the personal information on it, to our third party appliances contractor to process.
- Law Enforcement Agencies (LEA) – where we are required to do so by law, we will release personal data to LEA’s (e.g. the police). This will most likely be for the detection or prevention of crime, or to exercise or defend a legal claim.
Where do we process your personal data from?
We may need to transfer your information outside the UK to service providers, agents and subcontractors in countries where data protection laws may not provide the same level of protection as those in the European Economic Area, such as the USA. Where this happens, we agree specific assurances in our contracts with those providers to ensure there are appropriate controls in place to protect your data.
How long will we keep your personal information?
We will retain your personal information for as long as we are legally or contractually required to do so, or for a period which is justifiable to meet our business needs. The exact retention period varies depending on the type information and purpose for use, if you require any further information on retention periods please contact us at firstname.lastname@example.org
Marketing and profiling
If you have given your consent, we will contact you about the products and services we offer. Our expert pharmacists also produce advice, tips and useful information to help keep you healthy, which we may send to you if you have requested it.
We will send these communications to you by either email, post or both depending on what you signed up to. Every marketing communication we send will include instructions on how to opt-out. At any time, you can change your marketing preferences by emailing email@example.com or sending a letter to:
Data Protection Officer
124 Frimley Road
The marketing we send to you may be tailored to make it more relevant. This is done by analysing the data we hold on you (e.g. services previously used, age, address, previously stated health and wellbeing interests) to create a profile. If you want to receive marketing from us, but do not want this to be tailored then you can object to the profiling as described under “What are your privacy rights and how can you exercise them?”. Alternatively, unsubscribing from marketing will also cease the profiling activity we conduct.
If you have consented to marketing, you may also receive adverts from us online and on social media. We send pseudonymised data to companies such as Facebook and Google to do this. This means we send the data in a way that only the intended end user (e.g. Facebook, Google) can understand. We may also use your data to build profiles and/or custom audiences. When we do this, we anonymise your data. This means we send your data to platforms (e.g. Facebook, Google) in a way that means you cannot be identified by it.
We only work with companies who take privacy as seriously as we do.
Keeping you up to date
In order to deliver our services to you, it is necessary to contact you using the contact mechanisms you have given us. This may be by issuing an email to confirm your order, sending an SMS message to confirm a delivery slot, calling you to discuss an issue with your order or for other similar reasons. These communications are necessary, and we will use whichever communication method we can to ensure we provide you with the information you need. You can inform us of particular communication preferences (e.g. email rather than phone call) and we will endeavour to follow your preferred mechanism. However, we reserve the right to use any contact information we have to deliver necessary information to you.