Information Charter

When you call Order Line Ltd we may collect Calling Line Identification (CLI) information. We use this information to help improve its efficiency and effectiveness. The CLI data is stored in a secure system.

We may record phone calls for training and monitoring purposes. The recordings are stored in a secure system.

When we receive a complaint from a person we create a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We do compile and publish statistics showing information like the number of complaints we receive, but not in a form which identifies anyone.

We may have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for a limited period before closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

Similarly, where enquiries are submitted to us we will use the information supplied to us (as well as any relevant information from or systems) to deal with the enquiry and any subsequent issues and to check on the level of service we provide.

If we take enforcement action against someone, we may publish the identity of the defendant in our Annual Report or elsewhere. Usually, we do not identify any complainants unless the details have already been made public.

In many circumstances, we will not disclose personal data without consent. However, when we investigate a complaint, for example, we will need to share personal information with the organisation concerned and with other relevant bodies.

Order Line Ltd offers various services to its customers and potential customers. For example, we send out publications and distribute an electronic newsletter. We may use a third parties to deal with some publication requests, but they are only allowed to use the information to send out the publications, not for their own use. For example, contractors which are used for e-newsletters are MailChimp and Zoho.

We have to hold the details of the people who have requested the service in order to provide it. However, we only use these details to provide the service the person has requested and for other closely related purposes. For example, we might use information about people who have requested a publication to carry out a survey to find out if they are happy with the level of service they received. When people do subscribe to our services but change their mind later, they can cancel their customer account at any time and are given an easy way of doing this by contacting our customer services dept via the website contact us page.

Church Pharmacy tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you we will:

• Give you a description of it;
• Tell you why we are holding it;
• Tell you who could it be disclosed to; and
• Let you have a copy of the relevant information

To make a request to Church Pharmacy for any personal information we may hold you need to put the request in writing addressing it: D.P.O, Information Governance department, or writing to the address provided below.

If we do hold information about you which may be incorrect, you can ask us to correct any potential mistakes by, once again, contacting the Information Governance department. This request may take some time as we may need to verify the corrections that may be submitted by you including re-verifying your identity.

We keep our privacy notice under regular review, please check at the bottom of the Privacy Policy Page for when it has last been updated.

We may share certain information relating from your customer account (collected from you or the people that represent you) to approved third parties.

The reasons why this information may need to be shared to third parties would be on the grounds of legitimate interests – within the rules of the Data Protection Act and GDPR.

Most of the information we may share to third parties would be limited to the following:

1. Customer account name, the contact names given on the account, customer account postal addresses and contact details such as email/telephone listed on the customer account.

2. The products purchased on your customer account including batch/serial numbers and quantities.

3. Your profession (i.e. Doctor/Dentist/Nurse) and the status of your training and insurance certificates.

4. (See further below***)

The above information would generally be similar to what would appear on your customer invoice.

An example of the third parties which may need to have access to areas of the data outlined above includes:

A. Contractors to help Order Line Ltd carry out its requirements as a business including Courier companies (I.e. Royal Mail), software/operational support (I.e. SpaceStem Pvt Ltd), Locum Pharmacists, Bookkeeping and Accountants, Consultants (I.e. Solicitors, Regulatory affairs), - Credit Check Agencies (I.e. Experian) and Credit Card processing agents (I.e. Visa/Mastercard), etc

B. Regulatory Authorities (I.e. MHRA, GPHC, Police/Law Enforcement, PCI, etc)

C. Manufacturer's/Suppliers of the product(s) you may purchase from Order Line Ltd; further details below**

C**: Customer account information shared with Manufacturer's/Suppliers (based on the legitimate interests clause within the Data Protection Act/Recital 47 of the GDPR):-

Your purchasing statistics including product, quantities, batch/serial numbers (and possibly your account name/address) may be required by the supplier/manufacturer of the product(s) you purchase to aid them with any of the below requirements:

1. Stock traceability.

2. Anti-Fraud purposes.

3. Statistical analysis.

4. Supporting the Falsified Medicines Directive.

The above is required as part of a resource to help in overall auditing needs by the manufacturer/supplier related to the products they have supplied to Order Line Ltd and purchased by you. Any of the customer account data we share with the manufacturer/supplier will be under the following conditions:

• The customer purchasing account information (customer account name, account address, product(s) purchased, quantities purchased, batch/serial numbers of the product(s) purchased) shared with the manufacturer/supplier would only be related to the actual product(s) you may have purchased from us.
• The customer account information will be shared in a secure manner and the storage and handling of the data will be within GDPR rules by Order Line Ltd and the manufacturer/supplier.
• You may opt-out of any marketing related communications which the supplier/manufacturer may contact you directly - as per GDPR rules (Ref Recital 47 of the GDPR)
• We will only share the minimal amount of information to required by the manufacturer/supplier and would only share the information upon the manufacture/supplier sending a written and a valid request to Order Line Ltd for the information within the rules of the legitimate interests clause of the GDPR rules.
• All data transfers from Order Line Ltd to the manufacturer/supplier would be within the rules of the Data Protection Act and GDPR. All manufacturer's/suppliers we may share information with would have technical agreements/contracts in place to adhere to the Data Protection Act/GDPR and covering the importance of confidentiality.

***4. Disclosure of personal sensitive data to 3rd parties:

Sensitive information such as data which identifies a patient would be classed as sensitive information which would be shared to a limited number of third parties as follows:

• Regulatory Authorities – I.e. GPHC/MHRA/Law enforcement authorities based on legitimate interests – Ref Recital 47 of the GDPR
• SpaceStem Pvt Ltd – software and operational support to Order Line Ltd based on the needs of the business – Ref Principle 8 of the Data Protection Act.
• Locum Pharmacists and contracted staff - based on legitimate interests – Ref Recital 47 of the GDPR.
• Consultants contracted for regulatory support based on legitimate interests – Recital 47 of the GDPR.

All third parties have agreed on appropriate confidentiality rules/contracts to adhere to the Data Protection Act and GDPR rules. For further information, please refer to the Privacy Policy page which is part of this Information Charter.