Data sharing policy

Version 1.4: March 2021


Index Medical Ltd are committed to the highest standards of data privacy and protection.

We share your information with organisations as required solely for the purpose of processing your request for treatment and providing healthcare.

This data sharing policy applies to Index Medical Ltd (the 'data controller') trading as Dr Fox.

Who might have access to the personal data we collect?

Index Medical Ltd has not and will never sell any patient data to third parties.

The following organisations may process data provided by Index Medical Ltd (IML) solely for the purpose of providing or supporting the IML healthcare service. All organisations operate strict UK/EU compliant confidentiality, privacy, and data protection procedures.

  1. Index Medical Ltd (IML) staff.
    Data processed: full data access.
  2. The Pharmacy fulfilling patient orders. All pharmacies are UK-based and GPhC registered.
    Data processed: name, address, gender, date of birth (DOB), telephone, email address, prescription details.
  3. Delivery companies: Royal Mail and, for restricted items, APC courier.
    Data processed: title/gender, name, address, telephone.
  4. LexisNexis credit reference agency where required for the purpose of identity verification, with the patient's consent.
    Data processed: name, address, gender, DOB, IML patient number.
  5. Doctor's surgeries, medical services/providers as requested by patients or required by IML prescribing protocols and with the patient's consent.
    Data processed: title/gender, name, address, telephone, DOB, prescription details, information in the medical record.
  6. PSL Print Management & Datagraphic Group - the services used to print and post letters to the patient's doctor's surgery if patient consent is given. The service is accredited and certified to NHS standards. Data is deleted from servers within 14 days of the letter being sent.
    Data processed: title/gender, name, address, telephone, DOB, prescription details.
  7. Linode - website hosting company.
    Data processed: all data (encrypted).
  8. Trust Payments - service used to process payments.
    Data processed: title/gender, name, email address, payment card details including payment card address.
  9. Campaign Monitor - the service that sends the IML mass 'e-newsletters', if patients consent to receive them, plus drug safety and important service update emails.
    Data processed: email address, gender, year of birth, country.
  10. Google - used by IML for email communications (Gmail), file & document storage, and website visitor statistics.
    Data processed: email address, details sent by a patient by email to IML, and files sent by email. Internal IML report documents may include anonymised patient details. Visitor statistics provided by Google Analytics include: types and versions of device, operating system, web browser, geographical country location of visitor, referring web page, gender and age range of visitor, search term used to find IML website, IP address and network, pages visited on IML websites, record of purchase.
  11. Clicksend - SMS text sending service.
    Data processed: telephone number.
  12. Trusted Shops - review collection service.
    Data processed: email address, order number, review text submitted.
  13. Wufoo - customer satisfaction survey and contact form provider - for patients that choose to complete these.
    Data processed: IP address plus anonymised survey feedback, and data entered into the contact form.
  14. Ring Central - answerphone service.
    Data processed: verbal details left on IML customer support telephone 0117 2050198 answerphone are recorded electronically and sent by email to IML and stored on Google.
  15. CQC/GPhC - UK healthcare regulators, when required for audit and inspection purposes.
    Data processed: full data access.
  16. Police - official 'Personal data requests' from Police forces will be considered subject to GMC guidance on patient confidentiality.
    Data processed: as requested.
  17. Banks - in cases of fraudulent card use only.
    Data processed: name, address, email, telephone.

Sending personal data by email

By agreeing to this data sharing policy, patients who send emails to IML containing or requesting personal data consent to receive their personal data in a reply email sent to the 'reply to' email address of the original email, unless they specifically request that it be supplied by some other method. Please note email is generally not considered a secure method to send confidential data.

Please contact the Data Officer (email for any issues regarding your personal data.