Privacy Policy
Derby Street Pharmacy, 17 Derby Street, Hanley, Stoke-on-Trent, ST1 3LE
Document Reference: DSP-PP-2024-001
Effective Date: [INSERT DATE]
Last Updated: December 2024
Version: 1.0
Introduction
Derby Street Pharmacy (“we”, “us”, “our”) is committed to protecting your privacy and handling your personal data responsibly and transparently.
This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our pharmacy services, visit our website (web.derbystreetpharmacy.org.uk), or otherwise interact with us.
We are registered with the General Pharmaceutical Council (GPhC) under registration number 9010282 and operate in accordance with UK data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are
Data Controller
Derby Street Pharmacy is the data controller for the personal information we collect about you.
Registered Address: Derby Street Pharmacy, 17 Derby Street, Hanley, Stoke-on-Trent, ST1 3LE, United Kingdom
Contact Details:
- Telephone: 01782 215215
- Email: contact@derbystreetpharmacy.org.uk
- Website: derbystreetpharmacy.org.uk
Data Protection Contact
For any data protection queries, please contact:
Data Protection Lead, Derby Street Pharmacy, 17 Derby Street, Hanley, Stoke-on-Trent, ST1 3LE
Email: PharmacyFFT12@nhs.net (Subject: “Data Protection Query”)
Registration Details
| Registration | Number/Details |
| --- | --- |
| GPhC Pharmacy Registration | 9010282 |
| NHS ODS Code | FFT12 |
| VAT Registration | 150460836 |
2. Information We Collect
2.1 Personal Information
We collect the following categories of personal information:
| Category | Examples |
| --- | --- |
| Identity Data | Name, title, date of birth, NHS number |
| Contact Data | Address, email address, telephone numbers |
| Health Data | Medical conditions, allergies, medications, GP details |
| Transaction Data | Purchases, prescriptions, services used |
| Technical Data | IP address, browser type, device information |
| Profile Data | Preferences, feedback, appointment history |
| Marketing Data | Communication preferences |
2.2 Sources of Information
We collect information from:
| Source | Type of Information |
| --- | --- |
| You directly | When you register, place orders, book appointments |
| Your GP/Prescriber | Prescription information, medical history |
| NHS systems | Summary Care Record (with consent), electronic prescriptions |
| Other healthcare providers | Referrals, discharge letters |
| Our website | Cookies, analytics, form submissions |
| Third-party platforms | Patient Access, Healthera, NHS App |
2.3 Information We Must Collect
Some information is legally or professionally required, including:
- Your identity and contact details (to provide services)
- Medical history and current medications (for safe dispensing)
- Allergy information (patient safety requirement)
- NHS number (for NHS services)
- Proof of exemption (for NHS prescription charges)
Failure to provide this information may mean we cannot provide pharmacy services.
3. How We Use Your Information
3.1 Purposes of Processing
| Purpose | Description |
| --- | --- |
| Providing healthcare services | Dispensing prescriptions, consultations, vaccinations |
| Patient safety | Checking for drug interactions, allergies, contraindications |
| NHS service delivery | Fulfilling NHS contractual obligations |
| Appointment management | Booking, reminders, follow-ups |
| Order fulfilment | Processing purchases, delivery |
| Legal compliance | Controlled drugs registers, regulatory reporting |
| Communication | Prescription collection reminders, service updates |
| Business administration | Accounting, audit, training |
| Service improvement | Quality monitoring, feedback analysis |
| Marketing (with consent) | Promotional communications about services |
3.2 Automated Decision-Making
We do not use your personal data for automated decision-making or profiling that has legal effects on you.
Clinical decision support systems may suggest interventions, but all clinical decisions are made by qualified healthcare professionals.
4. Legal Basis for Processing
Under UK GDPR, we must have a valid legal basis to process your personal data. We rely on the following:
4.1 For Standard Personal Data
| Legal Basis | When We Use It |
| --- | --- |
| Contract (Art. 6(1)(b)) | To provide services you’ve requested (appointments, orders) |
| Legal Obligation (Art. 6(1)(c)) | Controlled drugs records, NHS reporting, regulatory requirements |
| Legitimate Interests (Art. 6(1)(f)) | Service improvement, fraud prevention, IT security |
| Consent (Art. 6(1)(a)) | Marketing communications, non-essential cookies |
4.2 Legitimate Interests Assessment
Where we rely on legitimate interests, we have assessed that:
- Processing is necessary for our interests
- Processing does not override your rights and freedoms
- You would reasonably expect such processing
Our legitimate interests include:
- Running and improving our pharmacy services
- Preventing fraud and maintaining security
- Marketing similar services to existing customers
- Efficient business administration
5. Special Category Data (Health Information)
5.1 Why We Process Health Data
As a healthcare provider, we process special category health data to:
- Dispense prescriptions safely
- Provide clinical consultations
- Administer vaccinations
- Deliver minor ailment services
- Monitor treatment outcomes
5.2 Legal Basis for Health Data
We process health data under:
| Legal Basis | Reference |
| --- | --- |
| Healthcare provision | UK GDPR Article 9(2)(h) |
| Public health | UK GDPR Article 9(2)(i) |
| Vital interests (emergencies) | UK GDPR Article 9(2)(c) |
| Explicit consent (where appropriate) | UK GDPR Article 9(2)(a) |
5.3 DPA 2018 Conditions
We process health data under Schedule 1, Part 1, Paragraph 2 of the Data Protection Act 2018 (health or social care purposes condition).
We satisfy Schedule 1 of the DPA 2018 by maintaining an appropriate policy document covering:
- Procedures for compliance
- Retention and erasure policies
- How we meet data protection principles
- Caldicott Guardian principles for patient confidentiality
5.4 Caldicott Principles
We adhere to the eight Caldicott Principles:
- Justify the purpose(s) for using confidential information
- Use confidential information only when necessary
- Use the minimum necessary confidential information
- Access to confidential information should be on a strict need-to-know basis
- Everyone with access must understand their responsibilities
- Comply with the law
- The duty to share information for individual care is as important as the duty to protect confidentiality
- Inform patients about how their confidential information is used
5.5 Accessing Your Health Records
Your pharmacy records are part of your healthcare record. You can:
- Ask to see your records at any time
- Request copies of your records
- Ask for corrections to inaccurate information
Some information may be withheld if disclosure would cause serious harm (very rare in a pharmacy context).
6. Who We Share Your Information With
6.1 Categories of Recipients
| Recipient | Purpose | Legal Basis |
| --- | --- | --- |
| Your GP practice | Clinical updates, medication queries | Healthcare provision |
| NHS England/BSA | NHS service claims, statistics | Legal obligation |
| Other healthcare providers | Care coordination (with consent) | Healthcare provision |
| Wholesalers | Ordering medicines (limited data) | Contract |
| Delivery services | Delivering orders | Contract |
| Payment processors | Processing payments | Contract |
| IT service providers | System maintenance (data processor agreements in place) | Legitimate interests |
| Regulatory bodies | GPhC, MHRA (when required) | Legal obligation |
| Professional advisors | Legal, accounting (if necessary) | Legitimate interests |
6.2 NHS Summary Care Record
With your consent, we may access your NHS Summary Care Record (SCR), which contains:
- Current medications
- Allergies and adverse reactions
- Additional information (if you’ve consented to extended SCR)
You can opt out of having an SCR by contacting your GP.
6.3 Law Enforcement
We may share information with police or other authorities:
- If required by law or court order
- To protect life or prevent serious harm
- For crime prevention (controlled drugs)
We will only disclose the minimum information necessary.
6.4 No Selling of Data
We never sell your personal data.
7. International Transfers
7.1 Where Your Data Is Stored
Your personal data is primarily processed and stored in the United Kingdom.
7.2 Transfers Outside the UK
Some service providers (e.g., cloud hosting, email) may process data in countries outside the UK. Where this occurs, we ensure appropriate safeguards are in place:
| Safeguard | Description |
| --- | --- |
| UK adequacy decision | Country has adequate protection |
| Standard Contractual Clauses | EU/UK approved contract terms |
| Binding Corporate Rules | Approved internal data transfer rules |
| UK International Data Transfer Agreement | UK-specific transfer mechanism |
You can request details of safeguards used by contacting us.
8. How Long We Keep Your Information
8.1 Retention Periods
| Data Type | Retention Period | Reason |
| --- | --- | --- |
| Prescription/dispensing records | 10 years after last interaction | NHS Records Management Code |
| Patient Medication Records (PMR) | 10 years after last entry | Professional retention |
| Children’s health records | Until age 25, or 10 years after last entry (whichever is longer) | NHS requirements |
| Controlled drugs registers | 2 years from date of last entry | Misuse of Drugs Regulations 2001 |
| Private prescription records | 2 years from date of supply | Medicines (Pharmacies) Regulations |
| Emergency supply records | 2 years from date of supply | Human Medicines Regulations 2012 |
| Vaccination records | 10 years | NHS requirements |
| Clinical consultation records | 10 years after last interaction | NHS Records Management Code |
| Order/purchase records | 6 years + current year | Tax and commercial law |
| Website analytics | 26 months | Legitimate interests |
| Marketing consent records | Duration of consent + 2 years | Evidence of consent |
| Complaint records | 10 years | NHS Complaints Regulations |
| CCTV footage | 31 days (unless incident) | ICO CCTV Code of Practice |
8.2 After Retention Period
When data reaches the end of its retention period:
- Paper records are securely shredded
- Electronic records are securely deleted
- Data in backups is deleted when backups expire
9. Your Rights
9.1 Summary of Rights
Under UK GDPR, you have the following rights:
| Right | Description |
| --- | --- |
| Access | Request a copy of your personal data |
| Rectification | Request correction of inaccurate data |
| Erasure | Request deletion of data (with some exceptions) |
| Restriction | Request limitation of processing |
| Data Portability | Receive data in machine-readable format |
| Objection | Object to processing based on legitimate interests |
| Withdraw Consent | Withdraw consent at any time (where consent is the basis) |
| Automated Decisions | Not be subject to solely automated decisions with legal effects |
9.2 Right of Access (Subject Access Request)
To access your personal data:
- Submit a request in writing (email or post)
- Provide ID verification (to protect your data)
- Receive a response within 1 month
- Free of charge (unless excessive or repetitive)
How to make a request:
- Email: PharmacyFFT12@nhs.net (Subject: “Subject Access Request”)
- Post: Derby Street Pharmacy, 17 Derby Street, Hanley, Stoke-on-Trent, ST1 3LE
9.3 Right to Erasure (Right to be Forgotten)
You can request deletion of your data, but we may refuse if:
- We need the data for healthcare provision
- Legal retention requirements apply
- Data is needed to defend legal claims
- Public health obligations require retention
We will explain any refusal and your options.
9.4 Right to Object
You can object to processing based on legitimate interests. We will stop unless:
- We have compelling legitimate grounds
- Processing is for legal claims
You can always object to direct marketing, and we will stop immediately.
9.5 Exercising Your Rights
To exercise any right:
- Contact us by email or post (details above)
- Provide proof of identity
- Specify the right you wish to exercise
- Provide any relevant details
We will respond within one month (this may be extended to 3 months for complex requests).
10. Cookies and Website Tracking
10.1 What Are Cookies
Cookies are small text files placed on your device when you visit our website. They help the website function and provide us with usage information.
10.2 Types of Cookies We Use
| Cookie Type | Purpose | Consent Required |
| --- | --- | --- |
| Strictly Necessary | Essential website functions | No |
| Functional | Remember preferences | Yes |
| Analytics | Understand usage patterns | Yes |
| Marketing | Targeted advertising | Yes |
10.3 Managing Cookies
You can:
- Use our cookie consent banner to manage preferences
- Adjust browser settings to block cookies
- Delete existing cookies
Please see our separate Cookie Policy for full details.
10.4 Third-Party Analytics
We may use:
- Google Analytics (website usage)
- Meta Pixel (if using Facebook advertising)
These services have their own privacy policies.
11. Data Security
11.1 Security Measures
We protect your data through:
| Measure | Description |
| --- | --- |
| Encryption | HTTPS/TLS for data in transit; encrypted storage |
| Access Controls | Role-based access, unique logins |
| Password Protection | Strong password policies |
| Staff Training | Regular data protection training |
| Physical Security | Secure premises, locked storage |
| System Updates | Regular software patching |
| Backups | Encrypted, tested backups |
| Incident Response | Data breach procedures |
11.2 NHS Data Security Standards
We comply with the NHS Data Security and Protection Toolkit (DSPT), which demonstrates our adherence to national data security standards.
11.3 Reporting Breaches
If we discover a data breach that poses a risk to your rights:
- We will notify the ICO within 72 hours
- We will inform you without undue delay if there is high risk to you
- We will document the breach and our response
12. Children’s Privacy
12.1 Children Under 16
We may process children’s health data for healthcare provision with appropriate safeguards.
For online services requiring consent (e.g., marketing), we require parental consent for children under 13.
12.2 Gillick Competence
Young people assessed as Gillick competent may consent to their own healthcare and associated data processing. We assess competence on a case-by-case basis.
12.3 Safeguarding
We have safeguarding policies in place and will share information to protect children from harm, in line with statutory requirements.
13. Changes to This Policy
13.1 Updates
We may update this policy to reflect:
- Changes in our practices
- Changes in law or regulation
- Regulatory guidance updates
13.2 Notification
Significant changes will be communicated via:
- Website notice
- Email (if we have your address)
- In-pharmacy notices
13.3 Version History
| Version | Date | Changes |
| --- | --- | --- |
| 1.0 | December 2024 | Initial release |
14. Contact Us
14.1 General Queries
Derby Street Pharmacy, 17 Derby Street, Hanley, Stoke-on-Trent, ST1 3LE
Telephone: 01782 215215
Email: PharmacyFFT12@nhs.net
14.2 Data Protection Queries
For queries specific to data protection, email PharmacyFFT12@nhs.net (Subject: “Data Protection”).
15. Complaints
15.1 Complaining to Us
If you are unhappy with how we handle your data:
- Contact us first – we want to resolve issues
- Provide details of your concern
- We will investigate and respond
15.2 Complaining to the ICO
You have the right to complain to the Information Commissioner’s Office:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk
We would appreciate the opportunity to resolve your concerns before you contact the ICO.
Glossary
| Term | Definition |
| --- | --- |
| Data Controller | The organisation that determines how personal data is processed |
| Data Processor | An organisation that processes data on behalf of the controller |
| Personal Data | Information relating to an identified or identifiable person |
| Special Category Data | Sensitive data including health information |
| Processing | Any operation performed on personal data |
| UK GDPR | UK General Data Protection Regulation |
Derby Street Pharmacy Expert Care Every Step of the Way
This Privacy Policy complies with:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- GPhC Standards for Registered Pharmacies
- NHS Data Security and Protection Toolkit requirements