Privacy Policy
This policy explains what personal data Veritas Pharmacy & Private Clinic collects, how we use it, who we share it with, and what your rights are under UK law. As an NHS-approved pharmacy contractor, we handle your health data with the same care we bring to your clinical care.
1. Who we are and how to contact us
Data Controller: Veritas Pharmacy & Private Clinic, trading as (Company No. , registered in England and Wales). Registered address: 2 Chester Road, .
We are a GPhC-registered independent pharmacy (GPhC registration ) and private clinic, operating under our superintendent pharmacist (). As an NHS-approved contractor, we operate under the NHS Community Pharmacy Contractual Framework and are accountable to NHS England, our Integrated Care Board, and the General Pharmaceutical Council.
Email: privacy@veritaspharmacy.co.uk
Post: Data Protection Officer, Veritas Pharmacy & Private Clinic, 2 Chester Road,
ICO Registration Number:
We comply fully with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the NHS Records Management Code of Practice 2021 (v3), NHS DSP Toolkit obligations, and all applicable GPhC professional standards.
2. Personal data we collect
2.1 Patient and clinical data
- Full name, date of birth, NHS number, and contact details (address, phone, email)
- Medical and clinical history, diagnoses, symptoms, and presenting complaints
- Prescription history, dispensing records, and medication details (dosage, frequency, prescriber)
- Allergy, adverse reaction, and contraindication records
- Blood test results, diagnostic data, vital signs, and clinical assessment notes
- Treatment plans, clinical correspondence, and referral letters
- Payment information for private services (processed by a third-party payment processor — we do not store full card details)
- NHS prescription exemption status and evidence of entitlement
- GP and referring clinician contact details where provided
2.2 Special category health data
Special category data we may process includes physical and mental health conditions; biometric data from blood tests; sexual health information (e.g. STI screening); and racial or ethnic origin where clinically relevant (e.g. hereditary condition screening).
2.3 Website, booking, and contact data
- Name, email, phone, and appointment preferences submitted via our contact or booking forms
- Appointment data processed via Halaxy, our clinical management and online booking platform (see Section 6)
- IP address, browser type, device type, and pages visited — collected via cookies (see Section 9)
2.4 Staff and contractor data
We process personal data about employees, contractors, and locum staff for HR, payroll, regulatory compliance, and DBS checking purposes. A separate Employee Privacy Notice is available on request.
3. How we use your personal data
- Pharmacy services — dispensing NHS and private prescriptions, Pharmacy First consultations, medication reviews, and repeat prescription management
- Clinical services — private consultations, blood testing, vitamin injections, telehealth, travel health, and all other clinic services
- Booking and appointment management — processing bookings via Halaxy, telephone, or in person; sending confirmations, reminders, and follow-up communications
- Clinical safety — allergy checking, drug interaction screening, and MHRA Yellow Card adverse-event reporting
- NHS contract compliance — reporting Pharmacy First activity, dispensing data, and other contracted-service metrics to NHS England, NHSBSA, and our ICB
- Regulatory compliance — maintaining clinical records in line with GPhC, CQC, and NHS Records Management Code requirements
- Referrals — sharing the minimum necessary clinical information with GPs, hospitals, or specialists where clinically indicated and appropriate consent obtained
- Quality improvement — internal clinical audits using anonymised or pseudonymised data wherever possible
- Marketing communications — service updates and health information to patients who have explicitly consented (see Section 4.4)
- Financial and administrative — processing payments, issuing invoices, managing memberships, and maintaining financial records
4. Lawful basis for processing
4.1 Healthcare provision (primary basis)
Our primary lawful basis is Article 6(1)(b) UK GDPR (contract — the patient-clinician relationship) and Article 9(2)(h) (health or social care purposes). Article 9(2)(h) covers medical diagnosis, the provision of health or social care, and the management of health or social care systems.
4.2 Legal obligations
We rely on Article 6(1)(c) (legal obligation) to comply with GPhC registration conditions, NHS contractual reporting, NHSBSA obligations, MHRA reporting, and statutory record-retention requirements.
4.3 Legitimate interests
We rely on Article 6(1)(f) (legitimate interests) for pseudonymised website analytics, internal quality audits, and fraud prevention. A Legitimate Interests Assessment (LIA) exists for each purpose and is available on request.
4.4 Consent
We rely on Articles 6(1)(a) and 9(2)(a) (explicit consent) for direct marketing communications and for sharing clinical data beyond your immediate care team for non-essential purposes.
5. NHS data-sharing obligations
As an NHS pharmacy contractor, we are required under our NHS Standard Contract to share certain data with NHS bodies under Articles 6(1)(c) and 9(2)(h). Organisations we share with include:
- NHS England — Pharmacy First records, Locally Commissioned Service activity, and contractual compliance data
- NHS Business Services Authority (NHSBSA) — prescription reimbursement claims and patient exemption verification
- NHS Spine — Electronic Prescription Service (EPS), Summary Care Record (SCR) with patient consent, and NHS demographic lookups
- Integrated Care Board (ICB) — performance and locally contracted-service reporting
- UK Health Security Agency (UKHSA) — notifiable-disease reporting as required by law
All NHS data sharing is governed by NHS data security standards, the DSP Toolkit, and NHS information governance requirements. We complete the annual DSP Toolkit assessment as part of our NHS contractor obligations.
6. Third-party processors and recipients
We share personal data with the following third parties, each bound by a Data Processing Agreement compliant with UK GDPR:
Clinical and operational systems
- Halaxy — our clinical management system and online booking platform processes patient booking data, appointment records, clinical notes, and contact information as our data processor. Halaxy is ISO 27001 certified and GDPR-compliant. Where data is processed outside the UK, appropriate safeguards (IDTAs or SCCs) are in place.
- Pharmacy Management Record (PMR) system — our dispensing software provider processes prescription data as a data processor
- NHS Spine / NHS Digital — see Section 5
Payment processing
- — processes card payments under PCI DSS compliance. We do not store full card details.
- Halaxy Payments — where payment collection is managed through the Halaxy platform
Clinical organisations
- GP practices — Pharmacy First consultation summaries shared as required by our NHS contract
- NHS and private specialists — minimum necessary clinical information shared where referral is made, with consent where required
Regulatory and statutory bodies
- General Pharmaceutical Council (GPhC) — registration and fitness-to-practise
- Care Quality Commission (CQC) — inspection and regulatory oversight
- Information Commissioner’s Office (ICO) — reportable breaches and regulatory enquiries
- Courts and law enforcement — where required by order or statute
Website and hosting
- Google Analytics — anonymised usage analytics with IP anonymisation enabled. Opt out via our Cookie Preference Centre.
- Kinsta (web hosting) — UK-region servers. Form submissions stored securely within stated retention periods.
7. How long we keep your data
Retention is governed primarily by the NHS Records Management Code of Practice 2021 (v3) and other applicable legislation. Data is retained only for as long as necessary.
| Data category | Retention period | Authority |
|---|---|---|
| Adult patient clinical records | 8 years from last contact | NHS Code of Practice 2021 |
| Children’s clinical records | Until age 25, or 8 years from last entry (whichever is longer) | NHS Code of Practice 2021 |
| Prescription records (NHS & private) | 2 years dispensed copy; 8 years clinical record | Medicines Act 1968; NHS Code |
| Blood test & diagnostic results | 8 years from last contact | NHS Code of Practice 2021 |
| Controlled drug registers | 2 years from last entry | Misuse of Drugs Regulations 2001 |
| Website contact form data | 12 months from submission | Legitimate interests |
| Marketing consent records | Until consent withdrawn + 3 years (audit trail) | ICO consent guidance |
| Financial and payment records | 6 years from end of financial year | HMRC; Companies Act 2006 |
On expiry, data is securely deleted or anonymised in accordance with our Data Retention and Disposal Policy.
8. How we protect your data
- Encrypted storage (AES-256) and transmission (TLS 1.2+)
- Role-based access controls — clinical data accessible only to staff with a direct operational need
- Multi-factor authentication on all clinical and administrative systems
- Annual NHS DSP Toolkit assessment and compliance review
- Mandatory data protection training for all staff on appointment and annually thereafter
- Data breach response procedure — ICO notification within 72 hours of a reportable breach; affected individuals notified without undue delay where the breach presents a high risk to their rights and freedoms
9. Cookies and tracking
Our website uses cookies. We operate a consent-first approach — no non-essential cookies are placed until you make a choice via our Cookie Preference Centre.
- Strictly necessary — required for security, session management, and the Halaxy booking widget to function. No consent required.
- Analytics (Google Analytics) — anonymised session and engagement data with IP anonymisation enabled. Consent required.
- Functional — remember your accessibility and preference settings. Consent required.
- Marketing / advertising — we do not currently use targeting or advertising cookies.
Full details are in our Cookie Policy. Update your preferences any time via the Cookie Preference Centre in our site footer.
Your data protection rights
Under UK GDPR you have eight rights in relation to your personal data. Some are absolute; others may be limited where our legal obligations as an NHS contractor require us to retain records for specified periods. We will always explain clearly if a right cannot be exercised in full.
Right of access (Subject Access Request)
Request a copy of the personal data we hold about you. We respond within one calendar month, free of charge in most cases.
Right to rectification
Ask us to correct inaccurate or incomplete personal data. We respond within one month.
Right to erasure (‘right to be forgotten’)
Ask us to delete your data in certain circumstances. Clinical records subject to statutory retention cannot be erased early — we will explain fully if this applies.
Right to restrict processing
Ask us to pause processing — for example, while an accuracy dispute is being resolved.
Right to data portability
Where processing is based on consent or contract and carried out by automated means, receive your data in a structured, machine-readable format.
Right to object
Object to processing based on legitimate interests, or to direct marketing — we stop direct marketing immediately on receipt of your objection.
Rights re. automated decision-making
Not to be subject to decisions made solely by automated processing producing significant effects. We always involve a qualified clinician in clinical decisions.
Right to complain to the ICO
If unhappy with how we handle your data, complain to the Information Commissioner’s Office: ico.org.uk · 0303 123 1113
Questions about how we
use your data?
DPO email:
privacy@veritaspharmacy.co.uk
Post: Data Protection Officer, Veritas Pharmacy & Private Clinic, 2 Chester Road,
ICO registration:
Last reviewed: May 2026 · Reviewed annually and after any material change to our processing
