Privacy Policy

Corby Pharmacy is operated by Corby Patients Ltd (Companies House No. 16076309), trading as Corby Pharmacy at 8 Spencer Court, Corby, NN17 1NU.

As the Data Controller, we are responsible for deciding how and why your personal information is used. We are registered with the Information Commissioner's Office under registration number ZC074913.

• Data Contact: Rajiv Patel, dpo@corbypharmacy.com
• Telephone: 01536 264 014 (Mon–Fri 09:00–17:00)
• ICO Registration: ZC074913, verify on the ICO register

We collect and process different categories of personal information depending on the services you use.

Personal & contact information

• Full name & date of birth
• Home address
• Phone number & email
• NHS number
• Carer / representative details

Health & clinical data (special category)

• Prescription & medication details
• Allergies & adverse reactions
• Medical conditions & history
• Blood pressure & test results
• Weight, BMI & consultation notes
• Vaccination records & batch numbers

Website & booking data

• Appointment date, time & service type
• Contact form messages
• IP address & browser/device type

We use your personal information for the following purposes:

• Dispensing prescriptions, processing, dispensing and labelling NHS and private prescriptions, including allergy and drug interaction checks
• Clinical services, delivering Pharmacy First consultations, blood pressure checks, contraception services, blood testing and weight management
• Vaccinations, administering flu, COVID-19 and travel vaccines and recording batch numbers and vaccination history
• Patient safety, allergy screening, drug interaction monitoring, safeguarding, and reporting adverse reactions to the MHRA
• NHS payment & claims, submitting dispensing claims to NHS Business Services Authority (NHSBSA)
• Responding to enquiries, handling questions submitted via our website contact form or by phone
• Operational management, managing appointments, maintaining patient medication records (PMR), and communicating about prescriptions or service changes
• Quality improvement, internal audit and clinical governance, using anonymised data wherever possible

UK GDPR requires us to have a lawful basis before using your personal information. For health data (special category), we must also satisfy an additional condition under Article 9.

Article 6, General lawful bases

• Art 6(b), Contract: dispensing prescriptions, clinical services and vaccination appointments you have booked with us
• Art 6(c), Legal obligation: NHS prescription records, controlled drug registers, MHRA adverse reaction reporting and NHSBSA claims
• Art 6(d), Vital interests: patient safety and safeguarding situations
• Art 6(e), Public task: NHS vaccination programmes and public health activities
• Art 6(a), Consent: website enquiry forms and any optional communications

Article 9, Special category (health data) conditions

• Art 9(2)(h), Healthcare: provision of pharmacy services, medicines management and clinical consultations, carried out by or under the responsibility of a registered pharmacist bound by professional confidentiality
• Art 9(2)(i), Public health: vaccination programmes, adverse drug reaction reporting and disease surveillance
• Art 9(2)(c), Vital interests: situations involving immediate risk to health or life

We only retain personal information for as long as necessary for the purpose it was collected, or as required by law.

• Patient medication records (PMR), 10 years after last entry (NHS Records Management Code of Practice)
• NHS prescription records, 10 years
• Private prescription records, 2 years from date of dispensing (Human Medicines Regulations 2012)
• Controlled drug registers, 2 years from last entry (Misuse of Drugs Regulations 2001)
• Clinical service & consultation records, 10 years from last contact
• Vaccination records, 10 years (or as directed by NHS England)
• Website enquiry & contact form data, 12 months from submission
• Financial records (NHS claims, invoices), 6 years from end of financial year (Companies Act 2006)

We do not sell your data to any third party. We only share information where we have a clear lawful basis to do so.

NHS & healthcare organisations

• NHS Business Services Authority (NHSBSA), prescription payment, dispensing claims and fraud prevention
• NHS Spine / Electronic Prescription Service (EPS), electronic prescription transfer and EPS nomination
• NHS England / Integrated Care Boards, commissioning oversight, Pharmacy First and vaccination service management
• Your GP practice, sharing clinical information to support continuity of care (e.g. NMS outcomes, clinical interventions)

Regulatory & public health bodies

• MHRA, reporting suspected adverse drug reactions via the Yellow Card scheme (legal obligation)
• UK Health Security Agency (UKHSA), flu and COVID vaccination data submitted to national immunisation systems (legal obligation)
• Police or other authorities, disclosure where required by law, court order, or to prevent serious harm

Data processors (suppliers acting on our behalf)

• Positive Solutions (Analyst PMR), our pharmacy management system that hosts and processes patient medication records on our behalf
• Acuity Scheduling (Squarespace), online appointment booking system, processing appointment details on our behalf
• Squarespace Inc., website hosting, contact form submissions and website analytics

You have the following rights in relation to your personal data. Some rights may be limited where we have a legal obligation to retain your records for your safety and care.

• Right of access, request a copy of all personal data we hold about you (Subject Access Request). We will respond within 30 days, usually at no charge.
• Right to rectification, ask us to correct inaccurate or incomplete data, particularly important for allergy records and contact details.
• Right to erasure, ask us to delete your data where it is no longer needed. Note: we may be unable to comply where we are legally required to retain records.
• Right to restrict processing, ask us to stop using your data temporarily, for example while you dispute the accuracy of a record.
• Right to data portability, request your data in a structured, machine-readable format to transfer to another provider, where technically feasible.
• Right to object, object to processing for specific purposes such as direct communications or quality improvement activities.
• Rights re: automated decisions, our systems use automated drug interaction checks as safety controls. A qualified pharmacist always reviews the outcome. You may request human review of any automated safety flag.
• Right to withdraw consent, where processing is based on your consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

If you are unhappy with how we have handled your personal data, we would always ask you to contact us first so we have the opportunity to resolve it.

If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent data protection regulator.