Privacy Policy

Quilliam Care Privacy Policy

Last updated: 01/10/2025

Quilliam Care Ltd (“Quilliam Care”, “we”, “us”, or “our”) is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard personal information in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and other applicable laws and professional standards.

This policy applies to personal data processed through our website https://www.quilliamcare.com, related digital services, and in the provision of our NHS and private pharmacy services (collectively, the “Services”).

1. Who We Are (Controller)

Controller: Quilliam Care Ltd

Registered Address: 128 City Road, London, United Kingdom, EC1V 2NX

Email: info@quilliamcare.com

Telephone: 0800 999 4888

Data Protection Lead: Mr Sajid Khan, Superintendent Pharmacist. Quilliam Care Ltd does not require a formal Data Protection Officer under Article 37 UK GDPR. All data protection matters are overseen by our Superintendent Pharmacist, who can be contacted at privacy@quilliamcare.com.

We act as the Data Controller for the personal information we process about our patients, website visitors, and service users.

2. Information We Collect

We may collect and process the following categories of personal data:

2.1 Personal Data

  • Identity information: name, date of birth, NHS number, gender.
  • Contact details: address, telephone number, email address.
  • Health information: prescription details, medical history, allergies, vaccination status (necessary for providing pharmacy services).

2.2 Transactional Data

  • Records of prescriptions, orders, payments, and delivery details.

2.3 Technical and Usage Data

  • IP address, browser type, device identifiers, operating system, access times, and browsing activity on our site.

2.4 Financial Data

  • Limited payment details for private services (processed securely via third‑party payment providers; we do not store full card details).

2.5 Special Category Data (Health)

  • Required to safely provide NHS and private pharmacy services.
  • Processed under Article 9(2)(h) UK GDPR and Schedule 1, Part 1(2)(h) DPA 2018 (health or social care purposes).

2.6 Children’s Data

Where pharmacy services relate to children, we may collect limited data from parents/guardians or directly from the child where appropriate.

3. Legal Bases for Processing

We process personal data lawfully under the following bases:

  • Contractual necessity — to fulfil our obligations in providing pharmacy services.
  • Legal obligation — to comply with NHS regulations, GPhC standards, HMRC requirements, and safeguarding duties.
  • Legitimate interests — to improve our services, prevent fraud, and ensure security (balanced against your rights).
  • Consent — for optional marketing communications or non‑essential cookies.
  • Public interest in healthcare / Provision of health or social care — for special category (health) data under Article 9(2)(h) UK GDPR and Schedule 1, Part 1(2)(h) DPA 2018.

4. How We Use Your Information

  • Dispensing and delivering NHS and private prescriptions.
  • Providing pharmacy services including Pharmacy First, medicines use reviews, and public health campaigns.
  • Communicating with you regarding your medicines, care, or account.
  • Maintaining accurate pharmacy records as required by NHS and GPhC.
  • Processing payments, refunds, and managing transactions.
  • Sending service updates, health campaigns, or newsletters (if you opt in).
  • Ensuring safety, preventing fraud, and protecting against misuse.
  • Meeting regulatory and audit obligations, including the NHS DSP Toolkit.

5. Data Retention

We retain personal information only as long as necessary for the purposes set out in this policy and to meet professional or legal obligations:

  • NHS prescription records: at least 2 years from the date of dispensing (5 years for controlled drugs).
  • Private prescription records: at least 2 years.
  • Patient medication records (PMRs): typically 10 years.
  • Financial/transaction records: 6 years (HMRC).
  • Website account data: retained until you request deletion.

6. Disclosure of Your Information

We may share your information with:

  • NHS bodies (e.g., NHSBSA, ICBs) for payment and audit.
  • Healthcare professionals involved in your care.
  • Regulators such as the GPhC or MHRA where required.
  • Service providers (couriers, IT support, payment processors) under written data processing agreements.
  • Law enforcement or courts if legally required.

We do not sell personal data to third parties.

7. International Transfers

We do not routinely transfer data outside the UK. Where an international transfer is necessary (e.g., cloud hosting), we ensure appropriate safeguards, such as UK GDPR standard contractual clauses or adequacy regulations.

8. Security of Your Information

We implement physical, technical, and administrative safeguards to protect your data, including encrypted storage, secure servers, role‑based access controls, staff training, and secure prescription delivery systems. We complete the NHS Data Security and Protection (DSP) Toolkit annually.

Breach handling: In the unlikely event of a personal data breach, we assess and, where required, report the incident to the ICO within 72 hours and inform affected individuals promptly.

9. Your Rights

You have the right to:

  • Access the data we hold about you.
  • Request correction or deletion.
  • Restrict or object to certain processing.
  • Request transfer of your data (data portability).
  • Withdraw consent at any time (where consent is the legal basis).

We respond to all valid requests within one calendar month. We may need to verify your identity before providing access to personal data to protect confidentiality. To exercise your rights, contact info@quilliamcare.com or privacy@quilliamcare.com.

10. Cookies and Tracking

We use essential cookies for site security and session management. Non‑essential cookies (e.g., analytics) are used only with your consent via our cookie banner. For full details, see our Cookie Policy, which lists each cookie, its purpose, and expiry. You can change or withdraw consent at any time via “Cookie settings”.

11. Accountability & Training

All staff handling personal data receive annual data protection and confidentiality training. We maintain records of processing activities (RoPA) in line with Article 30 UK GDPR and operate policies and procedures to evidence accountability.

12. Complaints

If you are unhappy with how we process your data, please contact us first so we can resolve your concerns.

If you remain dissatisfied, you may complain to the Information Commissioner’s Office (ICO):

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk

13. Contact Us

If you have questions about this Privacy Policy or how we handle your information:

Email: info@quilliamcare.com
Phone: 0800 999 4888
Address: Quilliam Care Ltd, 128 City Road, London, United Kingdom, EC1V 2NX