“Check My Record” is a service which accesses and uses your GP records to provide information relating to your health. Usually, the service is used because an organisation has questions it requires answers to (such as whether you smoke). We call these organisations (including insurers, government departments, research organisations and other similar organisations) “Third Party Requestors”. If you consent, we will access and search your GP records and share the answers to the questions with you. Next, and only with your permission, we will share those answers with the Third Party Requestors.
Please read this notice carefully. If you have any questions, please let us know using the “Contacting us” details below.
What is the purpose of this privacy notice?
We are iGPR Technologies Limited (referred to in this privacy notice as “iGPR”, “we” and “us”). To provide the Check My Record service, we will collect, store and use your personal data. Sometimes this we will do this as a processor on behalf of other organisations and other times directly under your instructions as a controller. This privacy notice sets out how we will process your personal data in the course of providing the Check My Record service.
We are committed to safeguarding your personal data. Whenever you provide personal data to us, we are legally obliged to use it in accordance with all laws concerning the protection of personal data, including the UK Data Protection Act 2018 and UK General Data Protection Regulation (we refer to these laws collectively in this privacy notice as the “data protection laws”).
How does our Check My Record service work?
If you are accessing Check My Record, it will be because you have made contact with a Third Party Requestor who has health-related questions about you. As a result, you will have received an email or text from a Third Party Requestor containing a link to our software. When you click the link, and give permission to us, we will access your health information through NHS England’s Patient Facing Service. We will only access your medical record to the extent necessary to fulfil your requests.
Once our software has generated answers to the questions, we will securely provide these to you and ask for your permission to we send the results on to the Third Party Requestor. You are not required to grant your permission but please note that your choice to withhold your consent will affect our ability to provide our services to you and it is also likely to affect your arrangements with the Third Party Requestor.
iGPRs role in relation to your personal data
| iGPR’s role | Details of processing |
| Processor for Third Party Requestors | When we collect and provide the answers to health-related questions to you for the Third Party Requestor to use. The Third Party Requestor will be the controller and will have their own privacy notice. Please contact the Third Party Requestor and/or refer to their privacy notice to find out more. |
| Processor for NHS England | Where you access Check My Record using your NHS login details, the identity verification services are managed by NHS England. NHS England is the controller. To see NHS login’s Privacy Notice and Terms and Conditions, please click here. |
| Controller | When showing you the answers to the questions raised through Check My Record and when displaying a coded version of your medical record to you if you wish to view it. |
What information will we process about you?
Personal data means any information about an individual from which that individual can be identified. Personal data includes data which is processed so that it cannot be attributed to an individual without the use of additional information. If it is impossible to identify an individual from data, such data is considered anonymous and not personal data.
Our Check My Record service processes the following categories of personal data about you:
- Full name and title
- Phone number
- Email address
- Postal address
- Technical data relating to your use of and access to our service and software.
We may anonymise the technical data and use and share it for internal business purposes. For example, we may use this information to assess usage rates of the software. As mentioned above, when data is anonymised it is not personal data, and therefore this privacy notice does not apply to our use of such data.
We also process the following categories of special category personal data in the course of providing the Check My Record service, which are afforded higher levels of protection under UK data protection laws:
Special category personal data:
- A coded version of your medical record
- NHS number
How will we collect and use your personal data?
We use different methods to collect data from and about you as follows:
- From your GP through NHS England: As described above, we will (with your permission) obtain access to your medical record from your GP via NHS England’s Patient Facing Service (PFS). For more information about this service, please refer to the relevant NHS England webpage.
- Third Party Requestor: To access our Check My Record service, you will have received a test or email from a Third Party Requestor. We may receive certain information about you (eg identity data) from the Third Party Requestor.
- Automated technologies or interactions. As you interact with our Check My Record software, we may automatically collect technical data about your device and use of our software. We collect this personal data by using cookies, server logs and other similar technologies. We may also use analytics services providers such as Google.
Purposes for which we will use your personal data
We will only use your personal data when the law allows us to. Our legal bases for processing your personal data are:
| Purpose/Activity | Lawful basis for processing |
| To provide the Check My Record service to you by enabling you (i) to view a coded version of your medical record and (ii) to check the questions posed by the Third Party Requestor and the answers pulled through from your medical record by our software (and allow you to decide whether you wish to share those answers with the Third Party Requestor). | Consent. We will ask for your consent to: (i) interrogate your medical record to obtain answers to the questions posed by the Third Party Requestor and, once the answers have been obtained, we will ask for your consent to disclose the answers to the Third Party Requestor). |
| To administer and protect our business and Check My Record software (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data). | Legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud etc.)
To comply with a legal obligation |
| To use data analytics and similar technologies to improve our software, products/services, and customer relationships and experiences. | Legitimate interests (to keep our software updated and relevant, to study how customers use our products/services, to develop them, and to grow our business) |
You may withdraw your consent. Where our lawful basis for processing is your consent, you may withdraw your consent at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your personal data for the purpose or purposes you originally agreed to. This will not affect the lawfulness of any processing carried out before you withdrew your consent.
How we use cookies when you access our software
Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences.
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of the website may become inaccessible or not function properly.
How will we share and disclose your personal data?
We may share your personal data where required by law, where it is necessary to deliver our services to you, or where we have another lawful basis for doing so. In addition to NHS England and Third Party Requestors, we may share your personal data with the following:
- Our professional advisors who provide consultancy, legal and accounting services.
- Our third-party service providers supplying IT and system administration services and other technical IT services including data analytics. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. Where the third parties we use are data controllers in their own right (for example, the payment processors we use) then they will be required to comply with data protection laws.
International transfers
We will not transfer your personal data outside of the United Kingdom (UK).
Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality. Further details of these measures may be obtained from us using the details in the “Contacting us” section below.
We have also put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
How long will we keep your personal data?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. We hold the personal data we receive from your medical record, as set out in this privacy notice, for 14 days after which it is deleted.
Although we may access your medical record to enable you to view it, we will not retain a copy of your medical record.
However, by law we have to keep basic information about our customers for six years after they cease being customers for tax and other legal purposes. We may retain your contact details for these purposes.
In some circumstances you can ask us to delete your data: see section below for further information.
Please note that we may also anonymise your identity and service usage information (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
Your data protection rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data, including the right to:
- Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate personal data we hold about you corrected.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- Object to processing of your personal data. This right applies where we are relying on our legitimate interests (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal data to another party (known as the “right to data portability”).
If you wish to exercise any of the rights set out above, please contact us using the details in our “Contacting us” section below.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Data Protection Authority
You have the right to make a complaint at any time to the UK supervisory authority for data protection issues. This is the Information Commissioner’s Office (ICO) whose details can be accessed via the ICO website at https://ico.org.uk/global/contact-us/
We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please do get in touch using the details in our “Contacting us” section below.
Changes to this privacy notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.
Contacting us
Our details are as follows:
iGPR Technologies Limited
11 Aston Court
Bromsgrove Technology Park
Bromsgrove
B60 3AL
Tel: 01527 570 005
Email: hello@igpr.co.uk