Please note that any consent that is given for the purposes of medical consultation or examination is a separate consent from that granted for the processing of your personal data.
The Website is operated by ViTOX Limited (“ViTOX”, “we”, “us” and “our”).
Our Registered Office is at One Mayfair Place, London, UK W1J 8AJ
Our Company Registration Number is 12579025
ViTOX operates a different policy for information processed in connection with any account that you might have with us both on our Platform and elsewhere.
For the purposes of processing your personal data, we are the data controller (as set out under the EU General Data Protection Regulation 2016 (GDPR)). We are committed to protecting your privacy, both on-line and in the real world. We appreciate that you do not want the personal information you provide to us distributed indiscriminately and here we explain how we collect information, what we do with it and what controls you have over our processing of your information.
1. Information we may collect from you:
We may collect and process the following information about you:
• Registration: information (such as your name, date of birth, email address, postal address, telephone number, profile picture and NHS number) that you provide by completing forms on the Platform, including if you register as a user of the Platform, subscribe to any of our services or those of a third party hosted on the Platform, upload or submit any material via the Platform or request information from us;
• Payments and purchases: details of any transactions made by you through the Platform while logged into your account will be recorded;
• IP address and URL: your activity on our Website (automatically collected) when you use or log on to any of our sites or Platforms and the site you exit to.
• When you contact us: communications you send to us, for example to report a problem or to submit queries, concerns or comments regarding the Platform or its content;
• Research and surveys: information from surveys that we may, from time to time, run on the Platform for research purposes, if you choose to respond to them;
• Use of the Platform: details of your visits to the Platform, the resources you access and any data you download;
• Insurance data: insurance policy numbers submitted by you on the Platform, for example where you access the platform via an account provided by an insurance provider;
• Health data: medical information about you including your medical history, illnesses, prescriptions, allergies, height, weight and other medical information which you might discuss with a doctor as part of your use of the services made available through the Platform. We also record the notes, video and telephone conversations of your consultations with our doctors on the Platform.
You are under no obligation to provide any such information. However, if you should choose to withhold requested information, we may not be able to provide you with certain services.
2. How we use and share your information to help you
We need to keep a record of the care you receive to ensure that:
· Professionals involved in your care have accurate and up-to-date information
· We have all the information necessary for assessing your needs and providing excellent care
· Your concerns can be properly investigated if you raise a complaint
· Accurate information about you is available if you:
✓ Move to another area
✓ Need to use another service
✓ See a different healthcare professional.
We have a duty to:
· Maintain full and accurate records of the care we provide to you
· Ensure that your records are confidential, secure and accurate
· Provide a copy at your request that is in an accessible format (e.g. in large type if you are partially sighted).
Your record may include some or all of the following:
✓ Your name, address and date of birth
✓ Contacts we have had with you, such as appointments
✓ Notes and reports on your health
✓ Details of treatment and care, images and test results
✓ Information on medicines, side effects and allergies
✓ Relevant information from people who care for you and know you well, such as health professionals and relatives.
✓ The staff who see you may also add notes on their professional opinion.
If you wish us to, and it is practical, we will discuss and agree with you what we are going to enter on your record and show you what we have recorded.
Identifying you as an individual
We have many patients/service users with similar names so it is vitally important for all patients/service users to be properly identified as individuals.
In order to be absolutely sure that you have been correctly identified we may ask you for a number of pieces of information. Suitable items include:
· Full name
· Date of birth
· NHS number
· National Insurance number
· Passport as photo ID
· Driving licence as photo ID
· Permanent (home, not a temporary) address
How you can help us to keep your health record accurate
· Let us know when you change address, telephone number or name
· Tell us if any information in your record is incorrect
· Give your consent so that we can share information about you with other health professionals to make sure you receive the right healthcare
· Tell us if you change your mind about how we share the information in your record.
How ViTOX Limited uses your contact details
We take your privacy seriously so please let us know how you want us to contact you.
If you provide a mobile phone number: we may ring, leave a message or text you, so tell us if you do not want us to do so.
If you provide a landline: we may leave a message, so tell us if you do not want us to do so.
If you provide us with your email address: we may use it to send confidential health information, unless you have told us not to do so.
Please read the following before providing us with your email address.
✓ Emails can be quick and convenient and will allow you to keep a record (unlike a phone call). However, although our own systems are secure, it may be possible to intercept your email when it is being sent over the internet.
✓ Be aware also that if you share your computer others may read your emails.
✓ You could use email to contact staff in relation to a query or to ask about an appointment.
✓ Do not give more personal information than we need to process your request.
✓ Do not ask us to send you medical details that you would not want seen by other people.
If you have an urgent question or feel unwell after going home after treatment, contact an emergency service by telephone, e.g. the 111 NHS emergency service or 999 for life-threatening conditions. Do NOT email.
3. How your records are kept
Our guiding principle is that we hold your records in strict confidence.
ViTOX Limited is registered under the Data Protection Act 1998. It abides by the law and observes good practice in maintaining confidentiality and appropriate information security.
We will fulfil our obligations under this Act to the fullest extent, including ensuring that the following eight principles governing the processing of personal data are observed.
i. personal data shall be processed fairly and lawfully;
ii. personal data shall be obtained only for specified and lawful purposes, and shall not be processed in any manner incompatible with those purposes;
iii. personal data shall be adequate, relevant and not excessive in relation to the purposes for which it is processed;
iv. personal data shall be accurate and, where necessary, kept up to date;
v. personal data shall be kept for no longer than is necessary for the purposes for which it is processed;
vi. personal data shall be processed in accordance with the rights of data subjects under the Act;
vii. personal data shall be subject to appropriate technical and organisational measures to protect against unauthorised or unlawful processing and accidental loss, destruction or damage;
viii. personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of data protection
VITOX Limited is also registered with the Care Quality Commission. This means that we are subject to ongoing inspection and regulation by the CQC. This includes checks by the CQC that we are observing all necessary and statutory guidelines for use of your data in line with Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 (Part 3).
Information about you and the services you receive may be held in a number of formats and will be kept for the specific retention periods outlined by the relevant professional bodies. We use secure electronic systems to store user records, images and details of prescriptions. Patient data held on paper or disk will be processed in accordance with the Data Protection Act and destroyed using secure documented procedures after the time periods set out by the Department of Health.
4. How your records are used
We use your records to:
· Ensure that any treatment or advisory services we provide to you are based on accurate information.
· Send a letter about your care to your GP or other health professional at the end of your treatment, unless you tell us not to do so.
· Work effectively with other services providing you with treatment or advice.
· Monitor the quality of our care and help us to understand the outcomes of care.
· Investigate any concerns or complaints you or your family have about your health care.
· Provide information that is needed for financial transactions in relation to payment for treatment, such as billing. For private patients/service users this may include details shared with your insurance company. If you have any concerns about this, please contact your insurer.
We may remove your name and other details that could identify you so that we can use the information in your record anonymously to:
· Monitor and improve the quality of care received by patients/service users
· Protect the health of the general public, for example we may share anonymous and aggregated patient information with organisations such as the National Institute for Clinical Excellence and the Cancer Registry for research or statistical purposes
· Train and educate staff.
Wherever possible, we anonymise your data or use a quasi-identifier such as a patient number or NHS number.
5. Sharing your health record
ViTOX Limited has a designated Information Lead/Data Protection Officer who is responsible for protecting the confidentiality of patient information and making sure that information is shared where this is appropriate.
To make sure you receive all the care and treatment you need, we may need to share the information in your health record with other staff and organisations. This could include:
· Other healthcare professionals, such as doctors, pharmacists, and pathology and radiology staff involved in the analysis and reporting of diagnostic tests
· Other hospitals and private sector organisations involved in your care
· Local authority departments
· Voluntary organisations providing on-going support
· Administrative support staff
Note that anyone who receives information from us also has a legal duty to keep it confidential.
We may also share information that identifies you where:
· You ask us to do so
· We ask for specific permission and you agree to this
· We are required to do this by law
· We have special permission because we believe that the reasons for sharing are so important that they override our obligation of confidentiality (e.g. to prevent someone from being seriously harmed).
We do not give the names and addresses of patients/service users to other organisations except under the circumstances described in this Privacy Notice.
Unless you have signed an additional consent, we will not contact you after your visit for purposes other than:
✓ Follow up of care
✓ Collecting your views about your stay with us
✓ Settlement of any account that may be due, if appropriate
✓ Complaints and concerns handling.
Sharing information with your family and friends
We will normally share information about the progress of your treatment with the person you name as your Emergency Contact, unless you have told us not to do so.
Your emergency contact should be someone that you trust and feel close to. It does not have to be a blood relative; it can be a good friend. We ask patients/service users to name their emergency contact so that we know who you would like us to keep informed about the care we provide or the decisions we need to make.
In identifying your emergency contact, you are giving us permission to keep her or him informed.
You can also name other people, with whom you would like us to share information about you. We make best efforts to ensure that information provided over the telephone is restricted to those you have named and we share on a need to know basis. Sometimes this means refusing to disclose information about you to someone who feels they should know about your treatment and progress. Please make your family and friends aware of this.
Sometimes we have a legal duty to provide information about people; examples are reporting some infectious diseases, and when a court order instructs us to do so.
Records may also be shared without the patient’s consent in exceptional situations, such as to safeguard adults or children.
The Care Quality Commission is the independent regulator of health care and they also protect the interests of people whose rights are restricted under the Mental Health Act.
They routinely inspect our premises to quality check information we hold and the services we provide in line with the Health & Social Care Acts. This is designed to ensure that patients/service users using services are protected and receive the care, treatment and support they need.
These inspectors have the authority to access personal information without the permission of patients/service users.
Sharing your records outside the EU
If your permanent address is outside the EU, or your treatment is continuing outside the EU, we may send details of your treatment to individuals based outside the EU specifically to promote your ongoing care. This would normally be the doctor who referred you to us for treatment. If you wish, we can give you the documents so that you have physical control over this information.
In the usual course of our business, we may use third parties to process and store your data on our behalf. We normally store your data on secure servers in the European Economic Area (EEA). Such processing is subject to contractual restrictions with regard to confidentiality and security in addition to the obligations imposed by the Data Protection Act 1998.
Exceptionally we may make use of suppliers that are based outside the EEA for processing and storing your data. We have strict controls over how and why your data can be accessed. By submitting your personal data, you agree to this.
Where necessary we may transfer personal information overseas for processing to support the long-term effectiveness of treatment and monitor patient outcomes. Personal information will be processed in this way where it is not possible to achieve this purpose with the use of anonymised or pseudonymised information only.
How can I stop my information from being shared?
VITOX Limited acts to provide information principally for other health and social care professionals who have requested this since they require further detailed investigations on their patients/service users. So naturally we will normally need to share this information with your doctor who has referred you to our service.
If you do not want us to share your information with your GP, other healthcare providers or carers, please tell the team looking after you. But please note that not sharing your information may affect the care that can be provided for you.
You have the right to request that your confidential information is not used beyond your own care and treatment and to have your objections considered. Where your wishes cannot be followed you will be told the reasons including the legal basis. You may at any time withdraw any consent you have previously given to us to process information about you.
If you wish to exercise your right to opt-out, withdraw consent to use your information, or to speak to somebody to understand what impact this may have, please discuss your concerns with your professional, or email us typing ‘Opt Out Request’ in the subject line of the email.
Cookies are pieces of information that include a unique reference code that a website transfers to your device to store and sometimes track information about you. A number of cookies we use last only for the duration of your web session and expire when you close your browser.
Other cookies are used to remember you when you return to the Website and will last for longer.
• remember that you have used the Website before (this means we can identify the number of unique visitors we receive and allows us to make sure that we have enough capacity for the number of Users we get);
• allow you to navigate the Website more quickly and easily;
• remember your login session so you can move from one page to another within the Website;
• store your preferences;
• customise elements of the layout and/or content of the pages of the Website for you; and
• collect statistical information about how you use the Website so that we can improve the Website.
All cookies used on our Website are set by us.
Most computer and some mobile web browsers automatically accept cookies but, if you prefer, you can change your browser to prevent that or to notify you each time a cookie is set.
You can also learn more about cookies by visiting www.allaboutcookies.org which includes additional useful information on cookies and how to block cookies using different types of browser.
Please note however, that by blocking or deleting cookies you may not be able to take full advantage of the Website.
Our cookies will be used for:
• Essential session management
• creating a specific log-in session for a visitor to the Website in order that the Website remembers that a visitor is logged in and that their page requests are delivered in an effective, secure and consistent manner;
• recognising when a visitor to the Website has visited before allowing us to identify the number of unique visitors we receive to the Website and make sure we have enough capacity for the number of users that we get;
• recognising when a visitor to the Website is a registered member;
• we may also log information from your computer including the existence of cookies, your IP address and information about your browser program in order to allow us to diagnose problems, administer and track your usage of our services.
• customising elements of the promotional layout and/or content of the pages of the Website for example by storing a country code and providing users with content relevant to their country.
• These essential session management and functionality cookies are necessary in order for us to be able to provide our Platform to you.
Performance and measurement
• collecting statistical information about how our visitors use the Website so that we can improve the Website and learn which parts are most popular to visitors.
We have a legitimate interest in using any personal information collected through performance and measurement cookies, so that we can constantly improve our Platform and our services.
7. External links
The Platform may, from time to time, contain links to external sites affiliated to us or run by independent third parties.
8. Payment processing
Payments made on the Platform are made through our payment solutions provider Stripe at www.stripe.com, 3180 18th Street, Suite 100, San Francisco, CA 94110, USA.
You will be providing your email address and your credit or debit card information directly to “Stripe”, a company located in the USA and which operates a secure server to process payment details, encrypting your credit/debit card information and authorising payment.
We place great importance on the security of all personally identifiable information associated with our users.
We have security measures in place to attempt to protect against the loss, misuse and alteration of personal information under our control. Our security and privacy policies are periodically reviewed and enhanced as necessary and only authorised personnel have access to personal information.
Whilst we cannot ensure or guarantee that loss, misuse or alteration of information will never occur, we use all reasonable efforts to prevent it from occurring.
You should bear in mind that submission of information over the internet is never entirely secure and whilst we take appropriate technical and organisational measures to safeguard the personal information you provide to us, we cannot guarantee the security of information you submit via the Platform whilst it is in transit over the internet and any such submission is at your own risk.
You should always close your browser when you have finished your user session to help ensure others do not access your personal information, particularly if you use a shared computer or a computer in a public place.
10. Your legal rights
VITOX Limited is the Data Controller of the data it holds about its patients/service users and staff.
You have the right to confidentiality under the Data Protection Act 1998 (DPA), the Human Rights Act 1998 and the Common Law Duty of Confidentiality. The Equality Act 2010 may also apply.
You have the right to know what information we hold about you, what we use it for and if the information is to be shared, who it will be shared with.
You have the right to apply for access to the information we hold about you. Other people can also apply to access your health records on your behalf. These include anyone authorised by you in writing (such as a solicitor), or any person appointed by a court to manage your affairs where you cannot manage them yourself. Access covers:
· The right to obtain a copy of your record in permanent form;
· The right to have the information provided to you in a way you can understand, and explained where necessary, for example where abbreviations have been used.
You would not be entitled to see information that:
a) Has been provided about you by someone else if they haven’t given permission for you to see it
b) Identifies another person who has not given permission for you to see the information about them
c) Relates to criminal offences
d) Is being used to detect or prevent crime
e) Could cause physical or mental harm to you or someone else.
If you are currently receiving services from us and wish to view the record without obtaining a copy, discuss your request with the professional in charge of your care.
11. Obtaining a copy of your record
If you wish to apply for access to the information we hold about you:
· You should send your request in writing to us.
· You should provide enough information to enable us to correctly identify your records – include your full name, address, date of birth, any unique identifier number/ NHS number (if known)
· We will take every reasonable step to respond to you within 40 days of receiving your request
· You may be required to provide a form of ID before any information is released to you.
Once you receive your records, if you believe any information is inaccurate or incorrect, please inform us.
Address: ViTOX, One Mayfair Place, London, UK W1J 8AJ
Further information about data protection issues is at:
Information Commissioner’s Office (ICO)
The Information Commissioner’s Office Wycliffe House
Cheshire SK9 5AF
Helpline: 08456 30 60 60
General Data Protection Regulations (GDPR)
GDPR has applied in the UK since May 2018. In summary, the aim is to place a higher responsibility on organisations which hold data to use this correctly, to dispose of it when no longer needed, and to ensure full consent is obtained from the people whose data is being used.
ViTOX Limited undertakes to meet the GDPR requirements in full. The organisation will ensure that the following practical steps are in place at all times:
· Privacy Notices
Privacy Notices will be publicised covering how data held on service users and staff will be used, stored and disposed of. The Notice will be reviewed on a regular basis and updated when necessary.
· Consents To Hold And Process Data
Service users will be requested to give the necessary consents for holding, use of, disposal of and sharing of data as an integral part of their initial consent to receiving services.
Similarly all staff including new applicants will be requested to give the necessary consents for holding, use of, disposal and sharing of their data.
Where applicable, ViTOX will process data within the grounds lawfully permitted under GDPR i.e.:
✓ “Legitimate interest of the data controller”
✓ “Necessity of performing a contract”.
✓ “Compliance with a legal obligation”
✓ “Protecting the vital interests of the data subject”
✓ “Necessity for the performance of a task carried out in the public interest”.
· Information Commissioner’s Office (ICO)
ViTOX will ensure continued registration with the Information Commissioner’s Office. Annual re-registrations will be made on an ongoing basis.
In so doing, ViTOX will ensure that the obligations of being registered with the ICO are met.
· Subject Access
The organisation will ensure that the requirements of allowing service users and staff to access details of what information is held about them are followed, subject to the statutory exemptions permissible. No charges will be levied when responding to any such Subject Access requests.
· Data Protection Officer
ViTOX will ensure that a designated Information Lead/Data Protection Officer is in place at all times. The Lead will monitor compliance with the GDPR and other data protection laws, our data protection policies, as well as promoting awareness-raising, training, and audits regarding information.
· Data Retention Periods
The organisation will retain data strictly within time limits permitted by law. These will be modelled around Department Of Health data retention guidelines for records retention.
· Data Analysis
The organisation will hold details of all types of information held i.e. where stored, how stored, who is responsible, security access controls, etc.
· Email Accounts
All emails will be sent using appropriate wording as an email footer that ensures that the data will be kept confidential and returned/destroyed in the event of the email being sent incorrectly.
· Staff Training
Staff will be trained in all relevant aspects concerning GDPR, in particular about how to respond to Subject Record Access requests and also how to respond in the event of a data breach being discovered.
· Staff Records
Staff records will be held securely, including under lock-and-key for hard copy material and via use of firewalls/passwords/etc for material held electronically.
The organisation will develop and update as necessary all necessary policies concerning GDPR issues, to include
✓ Subject Access To Records
✓ Data Breaches
✓ Information Governance.
· Data Disposal
Any data disposal will be carried out in a strictly confidential way. Hard-copy material will be cross-shredded and data will be destroyed by industry-standard destruction methodologies.
· Data Breaches
Any data breach, or suspected data breach, will be reported to the CQC Registered Manager via the Incident Reporting system. The Data Protection Officer will similarly routinely be notified as soon as possible. Subsequent external notifications about the breach will be made as necessary e.g. to the Information Commissioner’s Office, Commissioners, subjects, etc.
· Virus Checks/Firewalls
The organisation will ensure that virus checks and Firewall systems are appropriate, up-to-date and fully operational at all times in order to meet all necessary data protection issues under GDPR.
· Third Party Suppliers
Any data being processed on behalf of the organisation by third parties is recognised to continue to be our responsibility as the “Data Controller”. Written communications are therefore routinely put in place with any third-party suppliers in order to clarify responsibilities, as well as confirming indemnities and actions needed if data held by third parties on our behalf is lost or destroyed.
Transport of User records
Records will only be transported by hand by the responsible professional or by those individuals who have been delegated to carry them. The records will not be left where they are accessible to the general public.
Our professional staff are obligated to make contemporaneous notes of any service user consultation, including:
· Examination and/or assessment
· Treatment recommendations
· Agreed treatment plan
· Any treatment provided
· Aftercare advice provided
· Arrangement for follow up
· A record of any relevant additional communication either by letter, email or telephone, including any communication related to the patient, with other healthcare professionals.
· Entries must be clear, legible, signed, dated and timed.
· Entries made in electronic records must be clearly attributable.