The Information Commissioner’s Office (ICO) has established clear rules on which parties are the data controller when providing certain services to end consumers. A party does not choose to be a data controller; it becomes defined as the data controller and bears its obligations when it provides services that put it within the ICO’s definitions, which usually involve any type of decision-making (whether manual or automated) with user data.
Both Healthera and our pharmacy partners are data controllers under different circumstances. For example, the pharmacy is the data controller when processing patients’ personal and clinical information to dispense the correct medication. Healthera is the data controller by virtue of being the platform that (automatically) decides on the method used to channel patient requests to their designated GP and pharmacy, and that reconciles medication data when synchronising with GP records.
We are also the data processor when we are, for example, instructed to send a group of patients a broadcast message that the pharmacy has composed.
The rules and regulations can be found here.
If a supplier denies that they are the data controller, but they clearly provide services such as processing prescriptions and scraping user medication data for sale to third parties, you may wish to consult your information governance lawyer.
Healthera’s Business Model
We work with well over 1000 pharmacies across the UK, from independents to large national corporates, and membership organisations (who have all had legal teams extensively audit our data protection, IT security, and policies). Our value lies in the pharmacy contractor network we have assembled, and we would have no value to offer to patients without the trust of these pharmacies. Of course, we have no expertise in running the logistics and administration, or the clinical aspects, of a pharmacy. We exclusively focus on the digital product, which removes any potential conflict with our partners and makes us a trusted provider.
All confidential or private customer data is encrypted in transit using 2048-bit, next-generation, universally compatible SSL certificates, as used by companies and organisations such as the NHS, BBC, and Vodafone. Data is backed up nightly to multiple locations. In addition, all repeat prescription orders and patient consent nomination forms are also sent to the relevant pharmacy partners via email as an additional backup.
As a pharmacy partner, all customers will remain your customers while they are connected to you on the Healthera app. The only third parties who can view your customers’ data are GP practices (for the approval of prescriptions) or any of their approved contractors or subcontractors (through Prescription Ordering Direct).
We can assure you that we do not offer any competing parties access to your customers under any circumstances.
We do retain the right to collaborate with you in occasionally offering them appropriate information pertinent to their health, or targeted offers from your online store. Therefore, we will never pass on your or your customers’ personally identifiable information unless it is necessary for providing your customers with prescriptions or services.
Healthera is GDPR compliant. We are listed on the NHS apps library, which means that Healthera exhibits care and security over patient data management to the standards of NHS Digital. Our app is also tested and assured by NHS Digital for public use.
Healthera takes your and your customers’ privacy and data protection very seriously. Every effort has been made to make sure our databases are secure and can only be accessed by you and trusted Healthera staff.
Healthera can provide a backup of all customer content to the customer whenever there is a reasonable request. Healthera will also assist you with data backup and migration should you choose an alternative supplier in the future.
CEO & Data Protection Officer