This privacy notice tells you about the information we collect from you when you use our website and services. In collecting this information, we are acting as a data controller and, by law, we are required to provide you with information about us, about why and how we use your data, and about the rights you have over your data.
Who are we?
We are The Medical Cannabis Clinics (“the Clinic”).
The Clinic collects and uses your information in order to provide our services to you. We are a data controller in relation to the processing of personal information that you provide us when using our services.
This policy explains:
- The types of information we collect about you
- The purposes for which we use that information
- Who we may share your information with
- How long we keep information about you for
- Where the information about you is stored
- The rights you have under data protection legislation
- Contact details if you have any queries or concerns about what is said in this notice
“Clinic Team”. The Clinic Team is made up of the clinicians who directly provide or support your care at the Clinic and may also include administrative colleagues.
“personal data”. Personal data is any information relating to a living individual who can be identified from the information.
“special personal data” or “special category data”, this is data that is deemed to be more sensitive than the above personal data. It includes for example data about your health (including mental health), genetic data and biometric data where processed to uniquely identify an individual; your gender and ethnicity.
We set out below the bases we rely upon to process your personal data:
Consent: where we ask for your consent to process your data for a specific purpose. Such as when we ask you to complete a medical questionnaire or when we ask for your consent to contact your GP to obtain your medical records. As a patient you may be asked for consent to allow us to collect sensitive personal data about you to ensure your safe treatment and care.
Contractual obligations: where we need your data to fulfil our contractual obligations, i.e. your contact details and address to process payment and secure your booking.
Legal compliance: where we are required by law or regulatory bodies to process your data for example proof of ID and age where the law requires.
Legitimate Interests: where we require your data to pursue our interests in a way which might reasonably be expected as part of running our business and which does not significantly impact your rights or freedom. We will use the contact details you provide, to call/SMS/email you regarding your enquiry and provide you with targeted relevant information. We may also combine and anonymise your data with that of other customers to help make improvements to our service and business.
What information does the Clinic use?
The personal data/information the Clinic uses and stores about you includes:
- Personal contact details such as name, title, addresses, telephone numbers, and personal email addresses.
- Biographical information like your date of birth, nationality and gender.
- Information about your next of kin and carers (including their contact details and emergency contact information).
- Your NHS number.
- Communications with or about you, for example letters and emails between the Clinic and you, letters we send to your GP to inform them of your treatment or letters you ask us to write to your employer.
The Clinic may also collect, use and store the following special personal data about you:
- Notes and reports relevant to your health, including any information you have told us about your health.
- Details of your treatment and care, including the professional opinion of the staff caring for you.
- Results of investigations, such as laboratory tests and x-rays.
- Relevant information from health and social care professionals, relatives or those who care for you.
- Information about your ethnicity, sexual orientation, sex life, religious beliefs or opinion or genetic data where this is relevant to your care or is information that you have provided to us as part of your care.
- Equality and diversity information about you. This may include details of your ethnicity, sexual orientation, religious or philosophical beliefs or any disability.
How do we use your information?
We only use this data for the purposes of your treatment and to ensure you care and safety as a patient. We will usually ask for your consent to collect or process this data, though there may be instances where we are required or permitted to do so by applicable law (eg. To comply with public health requirements).
We never use your sensitive personal data for marketing. When you arrive for an appointment or contact the clinic to arrange further services, the clinic team may check your details to ensure our records are accurate. We ask that you notify us promptly of any inaccuracies in the information or changes to your personal details.
We may use your information to:
- Provide you with treatments for your condition or symptoms.
- Communicate with you and, if appropriate your next of kin and/or carer(s), about your care.
- Carry out internal audits and monitor the care the Clinic provides to ensure it is of the highest standard.
- Get feedback on our service and respond to any complaint from you.
- Keep you up to date about a change, cancellation or postponement of any appointment
- Respond to queries from regulators or if there is a legal requirement for us to do so.
- Conduct legal claims, comply with a court order or other legal obligation, seek legal advice or advice about
- Insurance coverage or other assistance from our professional advisors.
- Provide information to national registries that systematically collect data about particular conditions to help research or evaluation.
- Prevent or manage risks to public health.
- Ask you whether or not you want to participate in research projects.
- Produce anonymous information that we can use to train and educate the Clinic’s staff. We will only use information from which you can be identified for training purposes if you have agreed to this beforehand.
- If you ask us to, to provide a letter about your treatment to your employer.
How is information about me stored?
Your information will be stored electronically on a patient information system. From time to time some of your data may be stored temporarily in other systems in order to provide patient services and support.
We take the security of your data seriously and take all appropriate steps, including encryption in transit and at rest, and multi-factor authentication, to protect it from unauthorised access, loss and misuse. We never sell any of your personal data for any purpose.
We further restrict access to any sensitive personal data we may collect (such as medical records) and it is never used for marketing purposes.
To help us give you the best possible experience, our websites and emails contain cookies, and similar technologies. Cookies are small text files that are downloaded to your computer/device when you visit websites. They serve a range of purposes such as helping us understand our website usage, activity and user behaviour.
When you use our website you will be provided the option to consent to all cookies, only essential cookies, or customise your cookie options.
Does the Clinic share my personal information?
As part of providing you with care we may need to share your information. This includes sharing information with:
- Your referring healthcare professional
- Organisations that provide diagnostic tests;
- Organisations that provide private ambulance or patient transport services
The Clinic is a subsidiary of LYPHE Group Limited. Sometimes your data will be shared with another group company, including LYPHE Group itself, or LYPHE Group’s Pharmacy subsidiary, Dispensary Green. Data will only be shared where necessary, such as to provide you with the services you have asked us to, or to help us make decisions or improve our services. All LYPHE Group subsidiaries are subject to the same processes and procedures and protections so your data will be protected in the same way it is by the Clinic.
With your agreement, information can be shared with relatives, partners or friends who act as a carer for you. We may share information with anyone you have given as an emergency contact, for example your next of kin.
Sharing your information for other purposes
Usually the Clinic will not share information about you and your health with other organisations unless they are involved in your care or you have agreed to the data sharing, such as when instructing us to send your prescription to a pharmacy.
However, there are some limited circumstances where we may share information with other organisations who are not directly involved in your care. For example:
- We may share information with the police, fire and rescue services if:
⁃ There is an immediate risk of harm to you or other people
⁃ There is a legal requirement to do so e.g. the police have obtained a court order requiring us to provide information
- We may share information with our professional advisors, including lawyers and accountants, if this is necessary to take and receive professional advice (including legal advice) and with insurers,
- We may share information with individuals or organisations specified in a court order.
- Where we, or substantially all of our assets, are merged or acquired by a third party, in which case this information may form part of the transferred or merged assets
How long will the Clinic keep personal data about me for?
Your personal data will be held by the Clinic for as long as is necessary to fulfil the purpose for which it was collected. It will then be stored for a period of 10 years. At the end of that period, your data will either be deleted or anonymised so that it can be used in a non-identifiable way for statistical analysis which helps us make improvements to our service and business.
Will the Clinic transfer my data outside of the EU?
In most instances, your data will be stored on servers located in the UK or EU. One of the software providers we use, MailChimp, has servers located in the United States.
As part of our contractual agreement with Mailchimp, they are bound to comply with the GDPR requirements and your data is subject to the same safeguards as if it were held in the EU.
What rights do I have?
Both the UK General Data Protection Regulation (GDPR) and Data Protection (Jersey) Law 2018 gives individuals rights about their personal data:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information the Clinic holds about you and to check that the Clinic is lawfully processing it.
- Request correction of the personal information that the Clinic holds about you. This enables you to have any incomplete or inaccurate information the Clinic holds about you corrected.
- Request erasure of your personal information. This enables you to ask the Clinic to delete or remove personal information where there is no good reason for the Clinic continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where the Clinic is relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
- Request the restriction of processing of your personal information. This enables you to ask the Clinic to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
Please note there may be instances where we refuse your request for any of the above (unless otherwise stated) where we have a strong overriding reason or are legally obliged to.
If you wish to exercise any of your rights, have a complaint or questions about this policy, please contact our Data Protection Officer at the contact details specified in the section below.
You can find out more about your rights under the GDPR and Data Protection (Jersey) Law through the Information Commissioner’s Office for the UK: https://ico.org.uk/ or for Jersey: https://jerseyoic.org/
Who can I contact at the Clinic in relation to my data?
If you have any questions about how the Clinic uses your personal data, your rights or the content of this notice, the Clinic has appointed a Data Protection Officer (“DPO”). Please contact the DPO at email@example.com
If you do not think that the Clinic has complied with your data protection rights or legislation you can contact the Information Commissioner’s Office at https://ico.org.uk/ or for Jersey: https://jerseyoic.org/