Patient Data and DrDoctor
We collect the following personal data about you when you log in to our Patient Platform so that we can verify your patient records:
- Full Name
- Date of birth
- Address details
We collect the following personal data to pass back to your healthcare provider(s):
- Medical information (e.g. diagnoses, allergies and medication)
- Wellness and lifestyle information
- Appointment booking or change requests
- Medical assessment responses
- Feedback on the service
- User preferences
Personal information we collect automatically when you visit our Patient Platform
We may also collect certain information by automated means, such as cookies and web beacons whenever you visit our Patient Platform. This could include IP address, browser type, operating system, referring URLs, information on actions taken on, and dates and times of visits.
Some cookies we collect are strictly necessary for the Patient Platform to function correctly. Without these cookies the functionality may be impaired so we automatically apply them, but you are informed about them when you log in.
Currently we do not collect any analytical cookies or any cookies other than those strictly necessary for the Patient Platform to function. Please note that any cookies collected are not designed to identify you, it is all aggregated and therefore strictly anonymised.
Personal information we collect from your healthcare provider
We collect personal data about you from healthcare providers to facilitate your use of the services. This information can include:
- Full Name
- Date of birth
- Date of death
- Demographics
- Contact details (e.g. postal address, phone number & email address)
- Medical information (e.g. NHS number, Medical Reference Number, appointment and consultation outcomes, diagnoses, allergies and medication)
- Wellness and lifestyle information
- User preferences (e.g. default language and consent to contact)
- Appointment, referral and waiting list details
On investigation we found that DrDoctor is a service implemented by a private company with share capital (i.e. a company which makes profit) called ICNH Ltd. Taking a closer look on Companies House website, the nature of the business is:
- 61900 - Other telecommunications activities
- 62012 - Business and domestic software development
- 72190 - Other research and experimental development on natural sciences and engineering
- 86900 - Other human health activities
So it appears this company conducts research as part of its activities. In order to establish whether your login data is being used for research and to in turn generate profit, we asked ICNH Ltd for clarification and were told they were not subject to Freedom of Information (FOI) requests so refused to tell us. They did however suggest we ask NHS England who are subject to FOI requests.
NHS England basically told us that under their NHS App privacy policy once you use DrDoctor your login information is in the public domain. And that’s that.
If you are unhappy with this situation then you can use MyMFT (MyChart App) to manage your hospital appointments and sidestep the need for DrDoctor. We are reliably informed by the Chief Operating Officer at MFT that the servers they use are safely firewalled and your data will not be given to a third party.
Our next steps with the use of patient data like this are as follows:
- To find out if our ICB (who signed up DrDoctor) put a Data Processing Agreement in place with them and if a Data Protection Impact Assessment was conducted.
- To report our concerns to the Information Commissioner’s Office
We’re also setting up a patient reference group around the use of patient data so if you’d like to get involved (or If you simply have any concerns/queries about either of the above Apps) then please drop us a line at info@healthwatchmanchester.co.uk with ‘Patient Data’ in the subject line. We’ll get back to you within 48 hours.
