Our Privacy Policy

This policy explains how we use your data to deliver our healthcare, websites and services. This includes:

  • Our NHS primary care services
  • Our website (www.gpathand.nhs.uk)
  • Some of our services we offer with our partners, or on behalf of them
  • The technology we use to support our partners’ services

GP at Hand is the controller of any health and medical data we may collect from you when you use our services, and may share this data with Babylon Healthcare Services Ltd (trading as eMed) as a processor on behalf of GP at Hand (for more information on this, see how and why we share your data below). This means that we’re responsible for how your personal data is handled and what it’s used for through these 2 companies. If you wish to exercise any of your rights, both companies act as one.

2. What data we hold and how we get it

Personal data is any information we have that can identify you, such as your name, medical history or credit card details.

Personal details

When you register with us, we’ll ask you for your:

  • Name
  • Date of birth
  • Address
  • Email address
  • NHS Number
  • A copy of your ID (identity documentation), such as a driving licence

The information you give us must be accurate. If you give us information about yourself or another person, you’re confirming that you’re authorised to do so.

Health and medical data

When you use our services, we collect information about your health, including:

  • General health
  • Symptoms, treatments and medications
  • Consultations, such as notes and recordings
  • Procedures, such as surgery, scans or X-rays

Some of this information comes directly from you, but it can also come from third parties, such as the NHS.

If you transfer your care to GP at Hand, we’ll get your medical history from your previous GP.

Details of your conversations with us

We may also keep a record of your consultations and your conversations with us. This is so we have an easy way to access your consultations to monitor the quality of our service and healthcare.

And, we may, in our legitimate interests, use your personal data (not health data) to improve our services and user experience. This may include:

  • Your emails, calls or live chat conversations with our support team
  • Your responses on the feedback survey or reviews
  • How you interact with our services including the website 

We keep your health and medical data secure by applying technical and organisational measures to protect it.

Data from other sources

We might also receive some data about you and your health from other apps, devices and services.

This will only happen if you’ve agreed to sharing that data with us. For example, if you decided to share information collected from your glucose monitors with us.

Credit and debit card information

If you make a payment to us for any private services, your credit and debit card details are processed by a third-party payment provider.

We don’t store any of your credit or debit card information and we only keep details of the transactions on our secure servers.

Technical information and analytics

When you use or visit our website, we may collect the following data, where this is allowed by your device or browser settings:

  • The IP address used to connect your mobile phone or other device to the internet
  • Your browser information, such as Google Chrome or Apple Safari
  • Login and operating system
  • The make and model of your device
  • Resettable device identifiers
  • Time zone, language and location settings
  • Your mobile network provider and your location (based on your IP address)
  • Information about your visit to our website or use of our app, for example when you first visited the site or how many times you’ve visited
  • Information about the products or services you viewed or used
  • Any phone number used to call our customer service number

We work with other companies that provide us with analytics. This is to:

  • Help us understand how people interact with our services
  • Measure the performance of our services 

Cookies

We also use ‘cookies’. Cookies are files saved on your phone, tablet or computer when you visit a website. They collect information about how you use the website and the pages you visit. We do not use cookies on your medical or health information.

You can find out more about how we use cookies in our cookie policy.

3. What we use your data for

This is how we use your data and the legal reasons for using it.

Providing you with a service

We need your personal information to enter into a contract with you and deliver services.

We use your financial details to charge you if you choose to ask us to provide a private service that is not part of the NHS.

We use your health and medical information to provide you with a healthcare service, including when it’s in your vital interests. This includes giving you health advice, as well as diagnosis and treatments if you use our clinical services (our video and audio consultations, where you can talk with one of our medical professionals).

This information is based on:

  • Providing you or planning for healthcare services in our ‘legitimate interest’
  • Performing tasks in the public’s interest (for example, our NHS services)
  • Your consent (for example, when you use our private service and agree to sharing information with a third party for the purposes of your care)

The health and medical information we use includes information from your:

  • Consultations, like notes, recordings, and transcripts
  • Your previous NHS GP and NHS record

We might share this information with other health services. This is so we can give you the right care, including when it’s in your vital interests. These services include:

  • Our NHS or clinical service partners
  • Referral services like therapists, pharmacists and hospitals

We may use your location to recommend services near you, like pharmacies and hospitals.

Depending on how you access our services, we get your location from your phone, internet browser, IP address or postal address.

Helping health research

If you’ve given explicit consent, we use your data for health research. For example, to better understand health behaviour, disease risk or health outcomes.

We aim to publish our research results in peer-reviewed journals or by working with academics.

We may conduct research with partner organisations such as universities or other academic institutions.

The type of information we collect includes your:

  • Medical records
  • Consultation notes, recordings, and transcripts

We remove any details that could identify you from this information. This includes your name, address and contact information.

Our research follows the Declaration of Helsinki ethical principles, which were developed by the World Medical Association.

As part of our research, we may use your contact details to invite you to take part in clinical trials. These trials might be about things like how frequently we give you medicine reminders or what exercise has the greatest impact on mood.

Using your data when it’s in our ‘legitimate interest’

We sometimes analyse your data and how you use our products to help us manage our business better.

This could be things like fixing bugs on our website, understanding current user trends, or working out what users might want in the future.

This doesn’t involve making any decisions which would have a big effect on you. If this information is used alongside your personal data, we will make sure that our interests never come before your rights.

Keeping you up to date

We may contact you. This includes sending you feedback surveys or requests for customer reviews in our legitimate interest. You can opt out at any time by speaking to our Support Team.

As part of providing you with a healthcare service or public service, we may send you health information by text message, email or in other ways. For example, we may send you public health messages or invite you to book an appointment for a free screening programme, such as cervical cancer screenings.

Regulating the quality and safety of our service

We use your health and medical information for safety, training, regulatory, and compliance purposes.

This means that:

  • If we’re legally required to, or asked by a regulator, we may need to share your information with regulatory bodies like the General Medical Council, or Care Quality Commission
  • We may audit how you use our services, for example to review the quality of results provided by our products

To detect and prevent fraud, we may need to share your personal and financial information with banks, financial institutions and fraud prevention services.

4. How we store and move your data

Personal health and medical information

Your personal health and medical information is stored on secure servers. This includes information like:

  • Your primary care information
  • Information about your medications
  • Any information about a diagnosis of illness or other problems

We don’t store any of this information on your mobile device.

If you’ve chosen a password or authentication method to access the NHS App as part of our service, you’re responsible for keeping this password and/or authentication method confidential. Please don’t share it with anyone.

We will take all steps reasonably necessary to make sure that your data is treated securely.

Credit and debit card information

We don’t store any of your credit or debit card information. Payments are processed through a third-party payment provider that follows strict industry data security standards. These are known as Level 1 Payment Card Industry (PCI) data security standards.

Any payments you make are encrypted using SSL technology (which converts the information into code to stop fraud).

Where we store and process your health data

Your health data will be stored and processed in the UK only. We may sometimes need to work with companies outside of the UK or European Economic Area (EEA) to help us deliver services to you. This will always be in line with applicable data protection laws and will include using appropriate safeguards such as the execution of appropriate data transfer agreements incorporating European Commission approved Standard Contractual Clauses along with other safeguards where appropriate or confirming other controls to comply with UK data protection requirements.

5. How and why we share your data

To help us deliver our services we share your personal data with Babylon Healthcare Services Ltd. (trading as eMed), or partner organisations (including our NHS partners) who we work jointly or in connection with to provide you a service.

Service providers

Some companies provide services to you on our behalf, such as the appointment booking triage service. We may share your personal data including health data with them so that they can process it to provide these services.

These companies can only use your data based on our instructions and they cannot use the data for their own purposes.

They also have to act in line with data protection laws and contractual terms that specify how they can process data on our behalf.

The categories of service providers (data processors) that we may use in providing the services to you are cloud service providers, smart triage service providers, electronic health record service providers, web hosting service providers, software telephony system providers. 

Other healthcare providers

If it’s needed for your treatment or care, we will share your data with your other health and social care providers. These include:

  • Our clinical partners (including our NHS partners) who we work jointly or in connection with to provide you a service
  • Your NHS GP
  • Specialist referral services
  • Therapists
  • Pharmacists
  • Hospitals
  • Accident and emergency services
  • Testing service providers
  • Diagnosis centres chosen by you for things like X-rays and other imaging
  • Other health and care bodies

By law, we may need to share information with these services to safeguard either you or others, or conduct a public task (in the case of our NHS services). We may need your consent, or to rely on our legitimate interests to provide you with healthcare before we can share this information.

We may need to share your personal data to help the NHS manage their medicines. This is because NHS bodies such as ICBs use pharmacists and prescribing advice services to support local GP practices. And they may need information that identifies you to be shared.

These pharmacists work with GP at Hand to provide advice on medicines, and to make sure that medicines are right for your needs, safe, and cost-effective.

Where we need to ask for specialist prescribing support as part of your care, the CCG medicines management team may help us to get medications on behalf of GP at Hand.

Protecting public health

We might process your health data to protect public health. Your data could be vital to help research, monitor, track and manage public health emergencies, like pandemics.

In a public health emergency, your information may be shared in a way that is appropriate and lawful with organisations such as:

  • NHS Digital
  • NHS England and Improvement
  • Public Health England
  • Local authorities
  • Health organisations
  • GPs

We will limit the use or sharing of data to the period of the emergency and will only share data to the extent necessary.

Aggregated or anonymous data

We may show on our website or share with our commercial partners data that does not personally identify you, but which shows general trends. This is ‘aggregated’ data and is not personal data.

This might include, for example, the number of users of our service or trends in a particular location.

Statistical data in the public’s interest

We may also use data that does not identify you personally as part of statistics that we collect on certain types of illness, symptoms and conditions. This might include us contributing medical data and participating in the Royal College of General Practitioners Research and Surveillance Scheme.

We may show these summarised statistics to our partners. They will always be anonymised. This is so we can improve our medical knowledge and help our members and the general public.

You can contact us directly if you do not want your data to be used in this way by email at: [email protected].


We collect your information to make sure you get the best possible care and treatment. The information we collect when you use our GP at Hand services can also be used for things beyond your individual care and if the law allows it. This could include improving quality and standards of care, research into the development of new treatments, and planning services. Most of the time, any data used for research and planning is anonymised, so that you cannot be identified. If this is the case, it means that we don’t use your confidential patient information.

You have a choice about whether you want your confidential patient information to be used in this way. To find out more, or to register your choice to opt out, please visit this information page from the NHS. If you choose to opt out, your patient information will still be used to support your individual care.

Integrated care

We will share your records with North West London Whole Systems Integrated Care.

This gives other members of the scheme like NHS Trusts and the ambulance services access to your data. We do this to provide ‘integrated care’ for you. This is healthcare that’s delivered to you by different organisations that work separately.

It also helps with research and statistical studies, based on medical and public interest research.

Find out more about whole systems integrated care (WSIC).

Your summary care records

Your summary care records are an electronic record of important patient information, created from GP medical records.

Your summary care records data can be seen by authorised staff in other areas of the health and care system involved in your direct care.

You can choose not to share this data at any time. To do this, complete and send an SCR opt-out form.

We may keep or share information about you, if we need to:

  • Comply with a law, regulation, legal process, or government request
  • State our legal rights or defend against legal claims
  • Stop, find, or look into illegal activity, fraud, abuse, breaking our terms, or threats to the security of our services or the physical safety of anyone

6. How long we keep your data

We follow advice from the Department of Health and the British Medical Association on how long to keep information found in your medical records. This is called a ‘retention period’.

We might also keep some information that doesn’t identify you to help improve our business and our services.

In some circumstances, we might keep data longer if the law says we have to.

| Your information | How long we keep it (its ‘retention period’) |
| --- | --- |
| GP records. This includes medical records and consultations. | We keep your GP records for 10 years after your death or after you’ve permanently left the country. We may keep your records longer if there are genetic implications for your family. We work on the advice from clinicians in this situation. Electronic patient records can’t be destroyed or deleted for the foreseeable future. |
| Video consultations | We do not store video consultation recordings. |
| Voice (or audio) consultations | We may record voice consultations. These are stored for 36 months from the date of the consultation. |

If you want to see any of this information while we have it (in its ‘retention period’), you can ask for it by emailing us at: [email protected]

7. Your rights

You’re in control of your personal information. Under data protection law, you have the right to:

  • Remove or change your consent at any time, if we are using your data in a certain way based on it.
  • Ask for a copy of the personal data we hold about you. Your data is stored in line with our legal and medical obligations.
  • Ask us to correct information that’s wrong, delete it, or ask that we only use it for certain purposes. There might be times when we’re not able to help, like if the law or our medical obligations say we can’t.
  • Ask us to restrict any automated (computer-made) decisions made with your data
  • Ask for your data to be provided in a portable format that allows you to move, copy or transfer it. Or ask us to send it in this format to someone else.

To do any of these things, please complete our online webform.

Alternatively, please contact us on [email protected]
184-192 Drummond St
London
NW1 3HP

We’ll ask you for a proof of identity. Data protection laws give us one month to get back to you.

We’re regulated by the Information Commissioner’s Office (ICO). If you’re not happy with any aspect of our data handling, you can complain to the ICO directly. You can contact them at:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Phone: 0303 123 1113

8. Changes to this policy

We might update this policy from time to time. If we make any important changes, we’ll let you know, and give you the chance to review them.

If you agree to the changes, you don’t need to do anything. Just keep using our services with the updated policy and we’ll assume you are happy with the way we use your data.

If you don’t agree to the changes, then you can stop using our services at any time.

Page last reviewed: 5 December 2024