LloydsDirect

Privacy Policy

Introduction

We take our responsibilities as custodians of your data very seriously. This privacy policy explains what personal information we collect, we obtain, how we use it and your rights with regards to this data. You may have heard of the EU General Data Protection Regulation (“GDPR”), which sets out some of the most important rules about how we treat your information. There is also another set of guidelines called the Caldicott principles , specifically designed to ensure that UK patient data remains confidential. We have developed our systems and processes to ensure that we meet or exceed the standards set out in both documents. LloydsDirect is listed as ‘Metabolic Healthcare Ltd’ on the NHS Digital Caldicott Guardian register (ODS: FN849 ). For more information about who LloydsDirect is in relation to Metabolic Healthcare Ltd. - see the next section. Who controls your information? LloydsDirect is a trading name of Metabolic Healthcare Ltd, a company with registered number 09668487 based at 17 Wadsworth Road, Perivale, UB6 7JD. LloydsDirect is the “controller of the information it collects. LloydsDirect runs apps and services and also “LloydsDirect”, a Pharmacy which is registered with the General Pharmaceutical Council as Metabolic Healthcare Ltd under registration number 9011008. This Privacy Policy covers all of those services. LloydsDirect (“we”, “us”) takes overall responsibility for managing your data. We are what is known as a ‘data controller’ – you can read more about our responsibilities by visiting the Information Commissioner’s Office website here .

What types of information do we collect?

We collect information that you give us to process your order and to better understand how our services are used. We’ve outlined the main types of information that we handle below. There are some essential pieces of information that we require in order to process your prescriptions. If you fail to provide this information we will be unable to process your prescriptions for you or the person you are account holder for. References to “your” in this privacy policy will refer to both you and the patient you are acting on behalf of as relevant.

  • Personal information - such as name, address, date of birth and GP details.

  • Contact information - including phone number and email address. Your email address will be shared with our live chat platform, Intercom. You can read about Intercom’s security credentials here .

  • NHS Number - details will then be verified directly with the NHS Personal Demographic Service (PDS) or via Proscript, our dispensary management system. When details have been successfully verified, your NHS number will be added to your profile.

  • Details regarding the medication you require - this includes information about your health that is considered sensitive.

  • Exemption details - if you do not pay for your prescriptions.

  • Electronic proof of your consent - so that LloydsDirect can request prescriptions on your behalf.

  • Payment details - for prescription charges if you pay for your medication. Please note that LloydsDirect does not store your credit/debit card details, which are instead managed by our payment handler Stripe. You can read about Stripe’s security credentials here .

  • Preferred delivery address information and contact details - which we pass on to Royal Mail to facilitate delivery. Please note that we will never share any other information with Royal Mail.

NHS Login

NHS Login is an identity verification service provided by the NHS. As a patient, you are able to use it to login to LloydsDirect. If you access our service using your NHS login details, the identity verification services are managed by NHS Digital. NHS Digital is the controller for any personal information you provide to NHS Digital to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS Digital (as the “controller”) when verifying your identity. To see NHS Digital’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately. We also collect the following information:

  • Your GP’s address - if you choose to turn on your location, location information from your phone will be used to make it easier for you to search for your GP and automatically populate address fields in the app. If you do not choose to turn on your location, you are able to enter your GP address manually.

  • Behavioural data - such as when you accessed LloydsDirect and what actions you took within the app. This is to continually improve our service for our users.

  • Technical information - such as glitches and crash data so we can understand when things break and improve the service.

How do we collect your information? We collect your information when you provide it to us through the LloydsDirect app or when you communicate with us in other ways (for example, from your GP when you use a partner app and select for your prescription to be prepared and processed by us, or by using the NHS Login service).

  • Personal information - collected upon completing the registration to use LloydsDirect.

  • Contact information - collected upon completing the registration to use LloydsDirect.

  • NHS Number – obtained from NHS Personal Demographic system or using Proscript, our dispensary management system upon completing registration.

  • Details regarding the medication you require - collected upon completing the registration to use LloydsDirect or from your GP when using a partner app. If details are not entered during registration they will only be collected once the user enters them.

  • Your registered GP practice, collected from you and verified against NHS Personal Demographic service when you place orders with us

  • Exemption details - collected upon completing the registration to use LloydsDirect. If details are not entered during registration they will only be collected once the user enters them.

  • Electronic proof of your consent - collected upon completing the registration to use LloydsDirect.

  • Payment details - collected at the point of payment or when you save your payment details to your account.

  • Preferred delivery address information and contact details - collected at the point of the prescription request.

  • Your GP’s address - collected upon completing the registration to use LloydsDirect.

  • Behavioural data - collected once you have completed the registration to use LloydsDirect and throughout the time you use LloydsDirect.

  • Technical information - collected once you have completed the registration to use LloydsDirect and throughout the time you use LloydsDirect.

If you are an account holder acting on behalf of another patient, you may be providing data on behalf of that patient in the ways set out above. It is your responsibility to ensure that you are authorised to provide this data on their behalf and that you make them aware of their rights and how the data will be used as set out in this Privacy Policy.

Why do we process your information?

In general, LloydsDirect only collects your information to provide you with our services – to help you order and keep track of your prescriptions and to dispense your prescriptions. We take our data protection responsibilities very seriously and will only process your information for clear and lawful purposes. We will only process your information where we have a lawful basis for doing so. This will be the case if:

  • You have given us your consent to process the data.

  • We need to process the data to perform our contractual obligations or to take steps in order to enter a contract (ie we need certain contact details and details of your prescription in order to provide the service to you).

  • We have to process your information to meet our legal obligations as a data controller (ie VAT and tax accounting rules).

  • We have a legitimate interest in processing your data (see the next section below for more details).

We collect and process your information for a variety of purposes, but in general to provide the services you request of us. These purposes include:

  • Storing your data in databases so that we can create and maintain your account.

  • Verifying your identity so that we can complete your registration

  • Communicating with GP surgeries and internally so that your orders can be processed and your prescriptions dispensed.

  • Auditing and analysis of your data, in particular to help us respond to issues and improve our services.

  • Managing returns and confidential waste.

  • Communicating to you via in-app messaging services and logging these communications to ensure we give you the best customer experience.

  • Communicating to you via email, push alerts and in-app notifications so that you are fully updated with the progress of your order and any related communications.

  • Operating our ‘Mailer Sign-Up Programme’ (which allows you to introduce a friend to LloydsDirect and invite them to join LloydsDirect’s mailing list), as described in our Terms and Conditions.

  • On the rare occasion, we may need to contact you by phone; this would only be in relation to your order or a query you have raised.

Please be aware if you are uncomfortable with the methods of communication we may use to send information to you that have been outlined directly above, please do not use this service.

Legitimate interest

We have a legitimate interest in improving our service from a technical perspective. In order to do this we collect technical information so we can carry out service improvement related research. Furthermore, this information is also used for auditing and ad hoc issue investigation. We have a legitimate interest in improving our service for you, the user. In order to do this we collect behavioural information so we can see what actions you take within the app so we can continually improve the service for you. You are entitled to receive more information about our legitimate interests on request. If you would like to receive more information please contact us using the details set out below.

Who your data is shared with

LloydsDirect does not sell, trade or rent your information to third parties. We will share your information to service providers working on our behalf, or to meet certain other requirements, such as to comply with the law. We will never share your information with any third parties for marketing or advertising. We may share your information externally to organisations which process data on our behalf. For example, we will need to share your address with Royal Mail to get your prescriptions delivered. Whenever you become entitled to a voucher as part of our ‘Mailer Sign-Up Programme’ (as described in our Terms and Conditions), we may share your name and email address with our rewards partner (which is currently Tremendous Rewards) so that they can generate that voucher and send it to you. Whenever you introduce a friend to LloydsDirect through our Mailer Sign-Up Programme and that friend accesses the sign-up link that you send to them, we may also share your name with that friend. Please note that we are obliged to share information as necessary to comply with UK law and regulations. For example, we might need to share your information with regulators. For further information about who your personal information is shared with, please get in contact with us using the details set out below.

Marketing

You have the choice to opt in or out of being contacted by LloydsDirect for marketing via post or email. If you decide to opt in, you will occasionally receive our e-newsletters. If you decide you no longer want to receive this e-newsletter, you can click on the link at the bottom of any email we have sent you to opt out on that particular type of email. Cookies may be used to deliver adverts that are more relevant to you as well as to limit the number of times you see a particular advertisement and to measure the effectiveness of advertising campaigns. We may analyse your personal information, including the products you view and buy, your browsing habits and other ways you interact with LloydsDirect. We will do this to evaluate the effectiveness of our advertising and to help us provide you with more relevant offers, advice and information. For further information on cookies please see the “How we use cookies on our website” section.

Do we transfer your data to other countries?

Given the worldwide nature of online communications and services, it is very common for users’ data on sites like ours to be transferred outside of the country in which it was collected. For example, the servers which host our sites could be located abroad. Where we transfer your data to countries outside of the European Economic Area (“EEA”), we will only do so if measures to maintain to protect your data and its privacy have been put in place. LloydsDirect transfers your information to the United States where some of its service providers are based. However, LloydsDirect ensures that the organisations to whom your information is transferred have adequate safeguards in place to protect your data, in particular, through being “Privacy Shield” certified. You can obtain more information on what this means here .

How your data is kept secure

LloydsDirect recognises the importance of keeping safe and secure the information collected about you. We have therefore taken time to put in place effective security features. We use 256-AES SSL encryption to transfer your information between your phone and our servers. Access to this information is restricted to our authorised personnel. Your data is kept within the EEA (European Economic Area) or with “Privacy Shield” certified providers or using agreed model clauses approved by the European Commission if the organisation is based outside of the EEA.

How we use cookies on our website

LloydsDirect uses a technology called ‘cookies’ across all of its websites in order to deliver the best possible user experience. Cookies are files that are stored on your device every time you visit a website and enable us to understand your preferences and habits. Cookies do not contain person-identifiable information such as medical information, credit/debit card or personal contact details. Our websites are set to ‘allow cookies’ and if you browse our sites you consent to this. If you would prefer to deactivate cookies, you can do so by updating your browser settings. Please note that disabling cookies will limit the service that we can provide. For more information on how to update your settings, visit the Information Commissioner’s Office website here . LloydsDirect uses three types of cookie: Session cookies: These enable us to track your movement across our websites and save information to make life easier. For instance, a session cookie might save an item to your shopping basket, without which you would be forced to order each item separately. *Persistent cookies:*These enable us to remember your preferences and settings each time you visit our websites. This makes using the site faster and reduces the need to re-enter data. Third party cookies: These enable us to track user activity outside our websites and better optimise campaigns and analytics.

Your data, your choice

At LloydsDirect, we want to make sure you find it easy to access and amend the data we hold about you. Subject to limitations, you can also make certain requests about that data. Please contact us using the details set out below if you wish to exercise your data rights, or contact the data protection regulator to find out more about them. Contact details can be found on their website . The right to be informed. You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. This is why we’re providing you with the information in this Privacy Notice. The right of access. You have the right to obtain access to your information (if we’re processing it), and certain other information (similar to that provided in this Privacy Notice). This is so you’re aware and can check that we’re using your information in accordance with data protection law. *The right to rectification.*You are entitled to have your information corrected if it is inaccurate or incomplete. You can update your profile by going to Setting > Personal information or otherwise by contacting us using the details set out below. The right to erasure. This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your information that we hold. The right to restrict processing. You have rights to ‘block’ or suppress further use of your information. When processing is restricted, we can still store your information, but will not use it further. The right to object to processing. You have the right to object to certain types of processing, including processing for direct marketing (i.e. receiving information about LloydsDirect’s products and services which may be of interest to you via email or post). The right to data portability. You have the right to obtain and reuse your information for your own purposes across different services. To our best ability we will provide your information in an easily accessible format. *The right to lodge a complaint.*You have the right to lodge a complaint about the way we handle or process your information with the national data protection regulator. The right to withdraw consent. If you have given your consent to anything we do with your information (i.e. we rely on consent as a legal basis for processing your information), you have the right to withdraw that consent at any time. Please note that withdrawing your consent does not make unlawful what we have done with your personal data up to that point (when your consent was active).

Retaining your data

We will not store or process your data for any longer than necessary. In general we only retain your data for as long as is necessary so that we can provide you the services you request, meet our legal obligations (such as rules on the retention of medical data) and defend claims made against us. For more information about how long and/or how we decide how long to store your data, please contact us using the details set out below.

How to contact LloydsDirect

If you have any questions about this Privacy Policy, please contact via email at data.protection@mckesson.uk. LloydsDirect can be contacted in writing at 17 Wadsworth Road, Perivale, UB6 7JD, by email at help@lloydsdirect.co.uk.

Updates to the Privacy Notice

From time to time we may need to update these terms in order to comply with changes in legislation so we suggest that you check this page periodically. When we make any material updates to the privacy policy notice we will notify you with an email sent to the email address you have registered with your account.  
 

Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS Digital. NHS Digital is the controller for any personal information you provided to NHS Digital to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS Digital (as the “controller”) when verifying your identity. To see NHS Digital’s Privacy Notice and Terms and Conditions, please click here . This restriction does not apply to the personal information you provide to us separately.