Short on time? Here’s the highlights!
- PocDoc and PocDoc Pro are Apps provided by Vital Signs Solutions Ltd
- By reviewing the privacy notice and proceeding, you are raising no objections to us processing your personal and special category data as described
- Data remains within the United Kingdom
- You can ask questions or raise concerns at support@mypocdoc.com
- We will share your information with your healthcare provider, if your test is supplied or performed by a healthcare provider. We may share your data with the NHS / your GP, if your test is supplied or performed by a healthcare provider
- We share your data with Patients Know Best, so that your results can be seen in the NHS App
- We use Amazon Web Services to store your data
Our privacy commitment
Vital Signs Solutions takes your privacy very seriously. This Privacy Notice explains how we collect, use, disclose, and protect your personal data, ensuring transparency and compliance with the UK GDPR and the ICO's guidelines for health data transparency.
You should read this policy alongside our terms and conditions.
We are registered with the Information Commissioner as a Data Controller and our registration number is ZA762054.
If you have any questions or wish to make a request in relation to your information, please contact the Data Protection Officer at: emma.cooper35@nhs.net
What do we do?
PocDoc and PocDoc Pro are our digital health platforms, dedicated to enabling you to monitor and manage your health and help you make positive lifestyle changes to control or help prevent disease, including cardiovascular, metabolic and renal diseases.
PocDoc is a self-test kit and a free App you can download from the Apple App or Google Play stores. You can purchase the kit from a pharmacy or retail store, or you may be sent the kit from a healthcare provider. Where the kit is provided by a healthcare provider, the results will be shared with and may be stored by them, to provide you with healthcare services related to the test.
PocDoc Pro is used by healthcare professionals, who will perform the test on you. They will review the results with you and may store the results as a record of the healthcare service relating to the test. During the test, you may optionally provide an email address, which will be used to send an email with instructions about how to access the test result.
Where the test has been provided or performed by a healthcare provider, your result may also be securely shared with your registered GP.
What data do we collect and why?
We collect the following types of personal data to provide you with our services and improve your experience:
When you create an account and sign in, we process;
- Full name
- Email address and password
To perform a test, we ask for;
- Assigned sex at birth
- Age, height, weight
- Ethnicity
- Postcode
- Information about your health such as pregnancy status, diabetes, blood pressure, family health history and information about diagnosis and medication.
This will allow us to give you your test results;
- Biological results of your test such as your cholesterol
- Calculated insights from your test like your healthy heart age
- Body Mass Index (BMI)
We will also collect the feedback data you provide about how you found the service.
We collect user device information such as IP addresses, language and time zone.
How do we use your data?
We use your data for the following purposes:
- Registration: To set up an account for you so you can access your previous tests and take new ones.
- Data Storage: Storing your profile and test data so we can retrieve it and present it to you.
- Data Sharing: Sending your test data to your healthcare provider, Patients Know Best and in some cases your GP.
- Communication: To send you updates and respond to your enquiries.
- Research and development: To enhance our app's functionality and develop new features (in de-identified form).
- Compliance and security: To comply with regulatory and legal obligations and ensure the security of your data (For example, collecting IP addresses, language, time zone) so we can investigate a cyber-attack.
- User analytics (cookies): To understand how users engage with our website and software (with consent). Please see our cookie policy for more information.
Is it legal?
Yes. Our legal basis will depend on whether you are using PocDoc or PocDoc Pro and who supplied the test to you.
Purchasing a self-test kit
If you purchased your self-test kit test from a pharmacy or retailer, we use your consent to set up an account and provide the services.
Legitimate Interests: Some data, like IP addresses, test results, device type and location, we process for improving our services and ensuring security, provided these interests do not override your rights and freedoms.
Provided by a healthcare provider
If your self-test kit was provided by a healthcare provider, or you have a test performed by a healthcare provider, we process your data because it is necessary for delivering a public task and for medical purposes. This is because the healthcare provider is gathering the data for their healthcare purposes.
Legitimate Interests: Some data, like IP addresses, test results, device type and location, we process for improving our services and ensuring security, provided these interests do not override your rights and freedoms.
Who do we share with?
We share your data with:
- Amazon Web Services: Cloud storage providers.
- Healthcare Providers: We will share your data with your healthcare providers to enhance your care. In some cases, this may also include the NHS/ your GP.
- Patients Know Best: We will share data with Patients Know Best including your personal health record (name, contact details, DOB, racial/ethnic origin, assigned sex at birth, questionnaire and test outcomes) so that the results can be seen on their patient portal and the NHS App.
- Legal Authorities (police or the courts): When required or permitted by law or to protect our legal rights.
What are your rights?
You may have the following rights regarding your data (depending on the situation):
- Access: Request access to your personal data.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your data under certain conditions.
- Restriction: Request restriction of processing under certain circumstances.
- Portability: Request transfer of your data to another service provider.
- Objection: Object to processing based on legitimate interests or direct marketing.
Is it secure?
We implement robust security measures to protect your data, including encryption in transit and at rest, access controls, and regular security audits. We train our staff regularly and provide policies for them to follow.
How long do we keep your data?
We retain your data only as long as necessary for the purposes outlined in this notice or as required by law. When no longer needed, we will securely delete or anonymise your data.
- User account and test results including audit logs for the user i.e. password changes and activity logs: Until the user requests deletion at which point the data remains but in anonymised form
- System meta data (OS Version, App Version, Lipid Pipeline: Until the user withdraws consent at which point the data remains but in anonymised form
Version, Device Model, LFD Lot Number) - Admin account record including audit logs for the user i.e. password changes and activity logs: 7 years to allow for investigation of incidents and response to claims arising
- Records of consent: Until the user withdraws consent at which point the data remains but in anonymised form.
However, a separate log will be retained to evidence that the user did provide consent for the system at some time. These will be retained for 7 years.
Children and young people
We do not knowingly collect Personal Data from children under the age of fourteen. If you are under the age of sixteen, you must ask your parent or guardian for permission to use our websites. Our Apps and test kits are only permitted for use if you are 18 or older.
Changes to this privacy notice
We may update this Privacy Notice from time to time. We will notify you of significant changes by posting a notice on our app or contacting you directly.
Contact us
If you have any questions or concerns about this Privacy Notice or our data practices, please contact us at: support@mypocdoc.com
Thank you for trusting PocDoc / PocDoc Pro with your health data. Your privacy and trust are paramount to us.
The following sections have been included because we use some NHS data services to identify your NHS number and, in some cases, share your results with your GP.
PDS FHIR API
If you are receiving care from a health or care organisation, that organisation may share your NHS number with other organisations providing your care. This is so that the health and care organisations are using the same number to identify you whilst providing your care. By using the same number the health and care organisations can work together more closely to improve your care and support.
Your NHS number is accessed through an NHS England service called the Personal Demographic Service (PDS). A health or care organisation sends basic information such as your name, address and date of birth to the PDS in order to find your NHS number. Once retrieved from the PDS, the NHS number is stored in our case management system. These data are retained in line with our record retention policies and in accordance with the Data Protection Act 2018, Government record retention regulations and best practice. Further information is available on our website.
We will share information only to provide health and care professionals directly involved in your care access to the most up-to-date information about you. Access to information is strictly controlled, based on the role of the professional, and where the user has a direct care relationship with you.
The use of joined up information across health and social care brings many benefits. One specific example where this will be the case is the discharge of patients into social care. Delays in discharge (commonly known as bed blocking) can occur because details of social care involvement are not readily available to the staff on the hospital ward. The hospital does not know who to contact to discuss the ongoing care of a patient. The linking of social care and health information via the NHS number will help hospital staff quickly identify if social care support is already in place and who the most appropriate contact is. Ongoing care can be planned earlier in the process, because hospital staff will know who to talk to.
Your rights
You have the right to object to the processing of your NHS number in this way. This will not stop you from receiving care, but will result in the benefits outlined above not being realised. To help you decide, we will discuss with you how this may affect our ability to provide you with care, and any other options that you have.
If you wish to opt-out from the use of your NHS number in this way, you can contact us by emailing support@mypocdoc.com.
NHS Care Identity Authentication (CIA)
Please note that if you access our service using your NHS Care Identity credentials, the identity access and management services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get a national digital identity and authenticate your claim to that identity, and uses that personal information solely for that single purpose. For any personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS England’s Privacy Notice and Terms and Conditions, view the NHS Care Identity Service 2 page. This restriction does not apply to the personal information you provide to us separately which is managed in accordance with our Privacy Policy.
GP Connect
We use a facility called GP Connect to support your direct care. GP Connect makes patient information available to all appropriate clinicians when and where they need it, to support direct patients care, leading to improvements in both care and outcomes. GP Connect is not used for any purpose other than direct care.
Authorised Clinicians such as GPs, NHS 111 Clinicians, Care Home Nurses (if you are in a Care Home), Secondary Care Trusts, Social Care Clinicians are able to access the GP records of the patients they are treating via a secure NHS Digital service called GP connect.
The NHS 111 service (and other services determined locally e.g. Other GP practices in a Primary Care Network) will be able to book appointments for patients at GP practices and other local services.
Legal basis for sharing this data
In order for your Personal Data to be shared or processed, an appropriate “legal basis” needs to be in place and recorded. The legal bases for direct care via GP Connect is the same as the legal bases for the care you would receive from your own GP, or another healthcare provider:
- for the processing of personal data: Article 6.1 (e) of the UK GDPR: “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
- for the processing of “Special Category Data” (which includes your medical information): Article 9.2 (h) of the UK GDPR: “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services”.
Your rights
Because the legal bases used for your care using GP Connect are the same as used in other direct care situations, the legal rights you have over this data under UK GDPR will also be the same- these are listed elsewhere in our privacy notice.