Table of Contents
- Information held – What we hold, how we obtain it, how we hold it and our responsibility for it
- Processing – What we do with your data
- Disclosure – Who we share data with and under what circumstances
- Retention and erasure – How long we hold it
- Marketing communications
- Links to other web sites
- Your rights
- 1.1 Information is gathered, processed and stored by Dr Morton’s in accordance with the highest standards of Internet security, using methods similar to those used in Internet banking. Data is stored on dedicated servers behind firewalls and in a separate tier to our website and applications. All data is encrypted end-to-end during transport. Our computer systems and databases are protected against unauthorised disclosure, use, loss and damage. We monitor and protect against emerging vulnerabilities and security exploits. Security measures in place have been tested against attack by hackers.
- 1.2 Whilst every effort is made by Dr Morton's to ensure confidentiality, Customers should nevertheless make sure that neither their phone calls nor their internet access can be intercepted by others at the point of access, where Information could otherwise be observed or overheard before it reaches Dr Morton's. If a Customer has shared use of a computer, it is strongly recommended that Customer account details are not stored in their internet browser. Customers must keep their user name and password secure and inform us promptly if there has been any breach.
2. Information held – What we hold, how we obtain it, how we hold it and our responsibility for it
- 2.1 Information held may comprise either Medical Information or Other Personal Information.
- 2.2 Medical Information which we collect from you and may process is the information about your health which you provide in answering questions at the point of registration or subsequently when you update your own medical records and history. It also includes information noted by Doctors during the course of medical consultations with you and copies of your email correspondence with a Doctor. With NHS Customers it may include information shared with Dr Morton’s by your NHS GP Surgery with your previous consent. Customers may access and review their own Medical Information at any time the Website is in operation by using their user name and password. Customers or Doctors may update Medical Information, but earlier date-specific versions of the Medical Information are nevertheless retained and not destroyed, because these records form part of the data upon which medical consultations were given at that point in time and might need to be referred to later.
- 2.3 Dr Morton's may record Telephone calls with Customers for later access by Doctors needing confirmation of what was said and for training purposes. Electronic records of Telephone calls are kept confidential and may only be accessed by Dr Morton's. It is a condition of Service that the Customer consents to Dr Morton's recording and retaining this electronic record of Telephone calls. You should not use the Service if you do not give this consent.
- 2.4 Telephone calls may be extended with Customer permission to include video using WebRTC technology. Videos are not recorded or retained. Your voice is recorded but not the video.
- 2.5 During a Telephone call including video, the Doctor may request Customer permission to take an image at the point of diagnosis using a screen shot from the Customer’s camera. Such images, if taken, are retained within the Customer's medical records, which are accessible to you, the Customer, at any time.
- 2.6 Other Personal Information is non-medical information that we collect from you, which you may provide us in making an enquiry, in response to a marketing promotion or survey, or because you entered into correspondence with us or became a Customer. Other Personal Information may include your email address, home or delivery address, age or gender.
- 2.8 Dr Morton's will store and process Information which you give us in accordance with the UK Data Protection Act 2018 and the General Data Protection Regulation (“GDPR”) and protect your rights as a Customer under GDPR.
- 2.9 With Medical Information we follow the Caldicott Principles which are guidelines designed to ensure UK patient data remains confidential unless consented to otherwise.
- 2.10 For the purpose of GDPR, the data controller is Dr Morton's Limited. Our Director of Quality and Clinical Governance, Dr Tanya Lawson, is our Data Protection Officer and our Caldicott Guardian.
- 2.11 The registered address of Dr Morton's Limited and the contact address for our nominated representative is 201 Chapelier House, Eastfields Avenue, London SW18 1LR. Dr Morton’s Limited is a company incorporated in England with company number 08782411. Dr Morton’s Limited is registered with the UK Information Commissioner's Office and regulated by the Care Quality Commission.
3. Processing – What we do with your data
- 3.1 We will primarily use Medical Information so that our Doctors know enough about you to be able to provide the Services which you request from us. Medical Information is also used to keep your own GP informed where you have either asked us to do so or you are an NHS Customer, to make referrals to Consultants or other medical professionals appropriate to your condition that may assist your health, for record keeping purposes and to comply with healthcare related regulation.
- 3.2 We will primarily use the Other Personal Information for record keeping purposes: to fulfil orders, to record, bill and account for delivery of Services, and to communicate with you in the event that any Services requested are unavailable or if there is a query or problem with your order. We may also use the Other Personal Information to carry out market research so that we can improve our Services to reach the maximum number of customers possible, to track and analyse activity on our Website, or to create an individual profile for you so that we can enhance your user experience, understand and respect your preferences, and provide details of relevant offers and opportunities which we feel may interest you, but only where you have agreed to receive them.
- 3.3 In order to provide our Services in the most secure environment and efficient manner possible, Dr Morton's may need to store Information, or transfer into or out of computer servers based outside of the European Economic Area but will take steps to ensure that your Information is nevertheless protected. In the event that your Information is transferred to a country that has laws less extensive than those available in the United Kingdom to protect privacy, no transfer will knowingly be made until, having made reasonable enquiries, we are confident that an equivalent degree of protection may be afforded, such as that provided by the EU-US Security Shield. By completing your registration to become a Customer you acknowledge that we have informed you of this and give us your consent to store and process Information in this way.
- 3.4 In addition to medical diagnosis performed by GMC registered doctors, we may use Information to perform or enforce our contract with you, to provide a public task when acting for the NHS GP Surgery Customer, for legitimate business interests when your fundamental rights do not override this, to comply with requests from regulators such as the Care Quality Commission or to deal appropriately with any risk to public health.
- 3.5 When processing Medical Information that includes health data that represents a special category of data under GDPR, Dr Morton’s will rely on GDPR Article 9 (2) (h) where there are adequate safeguards and confidentiality obligations in place, and may also rely upon GDPR Article 9 (2) (a) explicit consent, (2) (f) establishment, exercise or defence of legal claims or (2) (g) substantial public interest.
- 3.6 In assessing the lawfulness of processing of Other Personal Information, Dr Morton’s may rely upon GDPR Article 6 (a) explicit consent, (b) in performance of a contract, (c) in compliance with a legal obligation, (d) to protect your vital interests, (e) public task, and (f) legitimate interests, for example if we have to deal with disputes and legal claims.
4. Disclosure – Who we share data with and under what circumstances
- 4.1 Our GMC registered Doctors have access to all of your Information in order to provide our Services to you.
- 4.2 When working on behalf of an NHS GP Surgery Customer our Doctors share your Information as NHS Customer back to the NHS GP Surgery that referred you in order to keep your NHS GP informed and in order that your NHS GP record remains complete.
- 4.3 When working for a private Customer or a Business Customer, Dr Morton's strongly recommends that you provide us with the name and address of your current GP and consent to keep your GP informed to ensure that your medical records are kept up to date. It is correct medical protocol for us to inform your GP of any significant medical problems about which we advise you and our Doctors may refuse to provide Services unless you provide this consent.
- 4.4 Doctors are required to follow GMC guidance on Confidentiality. Confidentiality is an important ethical and legal duty, but it is not absolute. The latest guidance is available at www.gmc-uk.org/ethical-guidance/ethical-guidance-for-doctors/confidentiality. Doctors may disclose personal information without breaching duties of Confidentiality when any of the following circumstances applies:
- The Customer consents, whether implicitly for the sake of their care, or explicitly, for other purposes.
- The disclosure is of overall benefit to a Customer who lacks the capacity to consent.
- The disclosure is required by law, or the disclosure is permitted or has been approved under a statutory process that sets aside the common-law duty of Confidentiality.
- The disclosure can be justified in the public interest, where the disclosure may protect individuals or society from risks of serious harm.
- Customers may be put at risk if those who provide their care do not have access to relevant, accurate and up to date information about them.
- 4.5 There may be circumstances when a Customer, who has capacity to make decisions, may object to the disclosure of personal information that a Doctor is convinced is essential to provide safe care. Under such circumstances the Doctor will explain that they are unable to provide Services without also disclosing that information.
- 4.6 Our Partner Pharmacy has access to private Prescriptions written by our Doctors in order to dispense and dispatch medication to you and, in processing Prescription requests, will occasionally ask for more information or clarification from our Doctors before they are able to safely dispense. To dispatch medication and enable you to track delivery, your delivery address is shared by our Partner Pharmacy with the delivery partner (currently Royal Mail).
- 4.7 Our Partner Laboratory has access to your name and delivery address in order to deliver Test Kits ordered by you or our Doctors and, following processing in the laboratory, upload the result of testing directly into the secure Patient Portal for review by our Doctors before you are notified that our Doctors have done so.
- 4.8 Companies as B2B Customers that contract with Dr Morton’s to provide services to employees as Business Customers have no access to Medical Information specific to their employee without the specific consent of their employee as Business Customer. Employers are not informed when a consultation with their employee has taken place. Information is aggregated by Dr Morton’s to report the overall number of consultations with employees that have taken place, and information at a summary level concerning consultations by type (e.g. colds and flu) that does not identify a Business Customer in person is provided to B2B Customers, except that information is redacted if volumes by type of consultation are low enough to pose any risk of re-matching of identity.
- 4.9 Medical Information held on our database is otherwise only accessible by the Customer or Dr Morton's medical or specifically authorised administrative staff each of whom may only access such data by providing their authentication credentials.
- 4.10 In settling account enquiries it may occasionally be necessary for Customer Services to request information from our Doctors as to the nature of Services provided to you. Our Customer Services representative reports to and is supervised by our Medical Director, who is a Doctor. We may disclose such Information as we consider appropriate to the circumstances in order to protect our legitimate business interests when your fundamental rights do not override this, to enforce or apply our Terms and Conditions, to protect the rights, property, or safety of Dr Morton's, the Doctors, our Customers, or others, or in order to comply with any legal duty or regulatory obligation of disclosure. This may include exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
5. Retention and erasure – How long we hold it
- 5.1 Medical Information is retained for as long as required under UK regulatory codes of practice on records management, which may be updated from time to time, and as required by data processing laws. The latest code recommended by the NHS is The Records Management Code of Practice for Health and Social Care 2016, which was published by the Information Governance Alliance (IGA) for the Department of Health (the “Code”) and is available at https://digital.nhs.uk/data-and-information/looking-after-information/data-security-and-information-governance/codes-of-practice-for-handling-information-in-health-and-care/records-management-code-of-practice-for-health-and-social-care-2016. For primary care the Code stipulates a standard retention period for GP records of 10 years after death (with exceptions set out in the Code). For obstetric, maternity, antenatal and postnatal records the Code stipulates a standard retention period of 25 years from when the patient was last seen or discharged.
6. Marketing communications
- 6.1 You have the right to ask us not to process your Information for marketing purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your Information on our Website.
- 6.2 Where you have consented, by ticking the relevant section of our Website, we or carefully selected third parties may contact you or any person whose information you provide us with to tell you about offers and opportunities that are available. We may do so in a number of ways, including by post, telephone, email, text, picture or video message. Details of how to opt in to or opt out of receiving details of offers are on relevant pages of this Website and you may reset your preferences at any time by contacting us.
- 6.3 We may collect and store email addresses submitted to us by users voluntarily, other than by way of registration to become a Customer. We also may pass on such email addresses to a third party supplier to assist us in our marketing. When we work with third party suppliers and partners we ask them to abide by standard business practices and GDPR and we work with them in good faith taking their assurances that they will do so.
7. Links to other web sites
- 7.1 This Website may, from time to time, contain links to and from the websites or apps of our partner networks, advertisers and affiliates. If you follow a link to any of these websites or apps, please note that these websites or apps have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites. We will not transmit your personal details automatically to such partner networks, advertisers or affiliates.
9. Your rights
Under GDPR you have the right to:
- 9.1 Access the Information we hold about you, which as a Customer you may do at any time using your User Name and Password to Log In;
- 9.2 Update and correct any out-of-date information or errors in that information free of charge. You can do this yourself as a Customer or ask us to do so for you;
- 9.3 Object to our use of your personal information for certain purposes;
- 9.4 Erase your personal information; and transfer to you or (where technically possible) to another organisation a copy of the personal information about you that has been provided to us. In order to balance your right to be forgotten under Article 17 with Article 9 of GDPR concerning medical diagnosis, the provision of health or social care or treatment, ensuring high standards of quality and safety of health care, and taking into account the obligation of professional secrecy placed upon a Doctor or health professional, if as a Customer you ask us to delete your records we make sure that they are normally inaccessible to our Doctors and to you as Customer but meet UK regulatory codes of practice for archive storage as set out at 5 above.
- 9.5 Withdraw your consent, which you may do at any time by contacting us using the details at 2.11 above or on the Contact Us section of our web site, subject to our Terms and Conditions and the regulatory and legal requirements for Dr Morton’s to retain certain information on your medical history and your doctor consultation notes under UK regulatory codes of practice for archive storage as set out at 5 above, in case subsequently required.
- 9.6 Lodge a complaint at any time about our treatment of your personal information with a relevant supervisory authority, including the UK Information Commissioner's Office, for which see https://ico.org.uk/global/contact-us/
- 9.7 Challenge a decision made by Automated Decision-Making and Profiling and request human intervention, express your own point of view and obtain an explanation of the decision in the event that Dr Morton’s has used personal data for the purposes of automated decision-making and those decisions have a legal (or similarly significant effect) on you, except where the decision is necessary for the entry into, or performance of the contract between Dr Morton’s and you, the decision is authorised by law, or you have given your explicit consent. Where Dr Morton’s uses your personal Information for profiling purposes, we will explain the profiling including its significance and the likely consequences, use appropriate mathematical or statistical procedures, apply technical and organisational measures to minimise the risk of errors and to enable such errors to be easily corrected and strive to prevent any discriminatory effects arising out of profiling.
This page was last updated on 1 February 2019. Changes were made to:
- Introduce subject headings designed to make it easier to review or digest content at a glance or in more detail
- Provide cross references to UK regulatory codes of practice
- Clarify topics in more detail for the benefit of the reader and list your rights under GDPR