The Rotherham Health App will no longer be available after 31st March 2024.

Updated 13/02/2023


This privacy policy relates to the service provided by Substrakt Health, giving you access to certain NHS services through our application PatientPack.

In this privacy policy we explain:

  1. Who we are
  2. The services available to you within PatientPack
  3. The key organisations controlling your personal data
  4. Your consent and the personal data we process for you
  5. Information sharing with other NHS and Non-NHS organisations
  6. Retaining and deleting personal data
  7. Your rights, points of contact for queries, objections and complaints

In this privacy policy the following terms have the following meanings:

  1. Controller: "The person or entity which alone or with others determines the purposes or means of processing of personal data"
  2. Processor: "Any person or legal entity who processes personal data on behalf of the controller"
  3. Special Category Data: "Sensitive personal data given special consideration in data protection law including personal data about your health"

1. Who we are

Substrakt Health Ltd are a software development company who work with and for NHS organisations. Our solution PatientPack is designed, created and maintained by us on behalf of your registered GP practice and associated integrated care board (ICB). We are committed to providing patients with high quality access to their healthcare data and services offered by their registered GP practices or accredited NHS partner organisations.

We take our duty to protect any personal information and confidentiality seriously and we are committed to complying with all relevant legislation. We take all reasonable measures to ensure the confidentiality and security of the personal data we are responsible for:

  • training all staff annually in data and security protection
  • monitoring our platform to keep your personal information secure
  • always using legally binding agreements with all organisations we use
  • having security and confidentiality policies in place across the organisation, to which staff must agree before they are given access to personal information
  • anonymising any personally identifiable information where possible
  • restricting access to personal information to only those staff who need access to perform their role

1.1 Complying with UK GDPR

All sharing of such data will comply with the UK General Data Protection Regulation (UK GDPR), tailored by the Data Protection Act 2018 and NHS information governance rules. Substrakt Health will always request your explicit consent to do this, providing you with details of what data will be shared, with whom it is shared and for how long. To ensure that we comply with our UK GDPR responsibilities in keeping your information safe, you will be asked to give your consent in the PatientPack app and in the physical service when the required clinician wishes to access your data.

We will not pass on your information to any third party without your explicit consent.

All of the personal data that we collect is processed within the United Kingdom.

2. Services available to you within PatientPack

The following services are available to you, depending on the level of access your GP surgery has granted:

2.1. With a limited account, you can:

  • book and manage one appointment at your GP practice
  • access your local services directory
  • fill in questionnaires, pre-appointment assessments and health reviews (if provided by your GP practice)
  • submit a support request to our help desk
  • send messages to your GP practice (if provided by your GP practice)
  • receive messages including general health messages, communications, public health announcements, and updates relating to your account and services available within it

2.2. With full access to the app, you can:

  • use all services available to you with limited access
  • book and manage appointments at your GP practice
  • book and manage appointments at extended access hubs available in your area
  • view hospital (outpatient) appointment information (if available in your area)
  • order repeat prescriptions, and see your order status
  • view your GP medical record
  • use online consultation services (if provided by your GP practice)
  • use personal health record services, e.g. request fit notes or express interest in participating in patient participation groups (if provided by your GP practice)
  • use proxy access to add a child or adult to your account
  • get messages specific to you or your healthcare from your connected healthcare providers that use our application’s notification service, like your GP surgery
  • Receive push notifications to your mobile device. You can opt out of push notifications at any time, by disabling notifications on your mobile device, within your device settings. If you use the PatientPack app across more than one device, push notifications must be enabled on each device. Messages can continue to be sent and made available via your PatientPack account whether or not push notifications are activated, but opting out may limit the types of messages you can receive. For example, messages related to your healthcare may continue to be sent by other means. If you share the device you use to log into the PatientPack App with other people, they may see your notifications. Notifications may be sent to more than one user on the same device. The push notifications sent to you depend on what messaging services your GP surgery or healthcare providers have chosen.

3. The key organisations controlling your personal data

3.1. Your GP practice

Your GP practice provides primary care services to you and is the data controller for all personal data processed by PatientPack. Your GP practice is in charge of your personal information and decides what health information from your health record, appointments and prescriptions is displayed to you. GP practices can enable you to see your medical information, book appointments, order repeat prescriptions, access local services, and view personalised lifestyle data. Your GP practice may also provide additional services such as online consultation, personal health record, or referral services available to you.

The collection and processing of your personal data is carried out in accordance with their privacy policy with you. Your GP practice privacy notice is available on their website (please contact their reception if you would like a copy).

It is on the basis of the consents you have given to your GP practice, to NHS England and NHS Digital, and any additional permissions that you have given to PatientPack that we are able to provide you with services available within our application, PatientPack.

3.2. NHS England and NHS Digital

PatientPack integrates with NHS login which verifies your identity when you create an account to access services provided by your GP practice and local services. With your consent, your NHS login details (the details stored by NHS Digital associated with your NHS account) are used when you register for and sign in to PatientPack.

NHS Digital, who manage your NHS login information, provide a public-facing service desk for user queries relating to the NHS login service.

If you have any concerns that your account could have been compromised (for example, someone could have discovered your password), you will need to follow the instructions on NHS account help and support to manage your NHS account and settings. Alternatively, you can contact our support help desk.

NHS England describe, in a legal direction to NHS Digital, what personal data is required to provide and manage your NHS account. For example, user registration details and audit data. NHS England and NHS Digital are joint controllers for this personal data.

3.3. Secondary care services

We work together with hospital trusts and Integrated Care Boards (ICBs) who have directed Substrakt Health to display certain personal data in relation to hospital and secondary care appointments. This enables you, for example, to view upcoming and past hospital appointment information within your PatientPack application, if this has been enabled in your area.

The following list shows you who controls the data displayed within the app:

  • Information within your GP medical record: Your GP (as custodian of your records)
  • Appointment information: Your GP practice
  • Hospital appointment information: Hospital trusts
  • NHS login account information: NHS England; NHS Digital (a separate service from your NHS account)
  • Self-referral information: Service providers
  • Online consultation responses (Symptom Checker): Your GP
  • Information relating to questionnaires submitted through the app: Your GP practice
  • Information in personal health records not supplied by you: Your GP, hospitals
  • Information in personal health records supplied by you (e.g. BP readings): Your GP or hospital(s) if you direct such data to be shared with them
  • Support ticket requests: Substrakt Health Ltd, your GP practice, Integrated Care Boards (ICBs)

4. Your consent and the personal data we process for you

Substrakt Health Ltd process information on behalf of your GP practice and the services commissioned for your area by the integrated care board (ICB). The legal basis for our processing is your consent.

When registering for the PatientPack App, we will require your consent to access your GP medical record and registered GP practice system. This access will be limited to your GP practice and you (and where applicable any proxy accounts, should your GP practice have granted access to your child’s or other proxy account) with the data remaining under the control of your registered GP practice. No data will be shared with any other organisation unless your explicit consent has been provided. Substrakt Health Ltd. will only process the data to provide you with access to your data, if your explicit consent has been provided.

When you use any of our digital or physical healthcare services offered within the app and/or physical locations, you may be asked to provide consent different to the consent you gave when you registered for the PatientPack app. This consent is to enable us to share your data with the required NHS organisations or accredited partners who are responsible for delivering the requested NHS service you access (e.g. extended access services which are not located at your registered GP practice).

The legal basis for all our processing is for the purposes of performing the PatientPack services for you. PatientPack uses the following information:

4.1. Contact Data

We may process information that you or your medical health provider provide to us ("contact data") to deal with your requests. This contact data may include your name, telephone number, postal address, email address, date of birth, gender, the practice that you are registered with and your NHS Number. We will use this contact data during the course of providing our PatientPack services to you.

If you have created an NHS login you will already have verified who you are and you can use those details from your NHS login to create a PatientPack account.

4.2. Your Patient Data

If you use our services, we may process information that you or your GP surgery provide to us ("Patient data"). This Patient Data may include your Contact Data and also relevant information relating to your health which is applicable to the PatientPack services you choose to use. This may include:

To show and track your prescription requests:

  • When the medication was requested
  • The type and dose of medication requested
  • The practice’s response to your request

To manage online appointments:

  • Details of appointments and the type of appointment made through the PatientPack App
  • The time, date and location of the appointment

The legal basis for this processing is for the purposes of delivering PatientPack services to you. Certain data we process for you is special category personal data and we will only process it to support your GP practice’s provision of health and social care services to you.

Special category data may include:

  • Information about your health such as your symptoms, conditions, medication
  • Other details which are already held in your GP records and / or which you provide through the online consultation process

The legal basis for the processing of this data is for the purposes of supporting medical diagnosis, provision of healthcare and treatment, provision of social care and the management of healthcare systems or services or social care systems.

4.3. Proxy data (linked accounts for children and adults)

"Proxy access" for linked accounts enables you to view parts of the GP medical record, book or cancel appointments, order repeat prescriptions online, or send patient-to-practice messages in relation to someone else (for example, your child or someone you care for) as authorised by your GP.

Note: you can request new proxy access for children through your PatientPack account. To request proxy access for adults or change existing ones, please contact your GP practice.

You are responsible for any personal data that you access on behalf of the person you are using proxy access in respect of, and must keep it safe and secure.

You must, to the extent possible bearing in mind their age, condition and capacity:

  • make the person you are using proxy access on behalf of aware of, and seek their consent to, your proxy access and any steps you take on their behalf
  • make the person you are using proxy access on behalf of aware of this privacy policy and other applicable terms and conditions

4.4. Resolving your support queries

Substrakt Health Ltd use Zendesk to manage support tickets that are raised via our help desk. We store a limited amount of personal information (e.g. your name, email address and the content of your request) within Zendesk to operate the support desk with the aim of helping to solve your query. Access to personal information is restricted to only those staff who need access to perform their role and help solve your query.

There are occasions where we may need to access your health record within PatientPack. If this is the case, you will be asked for your permission to do this. Zendesk do not have access to your health record or PatientPack, as we operate Zendesk as a standalone service to manage technical support requests.

When submitting a support request your personal data is processed and the requests you make are stored on our servers. This request is not shared with your GP practice, unless the nature of your request requires us to contact your GP practice e.g. change of personal details or moving GP practice.

We compile and publish statistics showing information about the support requests we receive and the use of PatientPack in general, but not in a form which identifies anyone.

4.5. Using data to improve user experience

In order to improve the usability of the app, we send anonymised information (an anonymised session ID, device information and the URLs of pages visited) to the analytics services Google Analytics and Matomo. For auditing purposes, we store the pages accessed and events triggered in the application, and the IP address the request was made from, so that we can track access to functionality within the app.

The legal basis for this processing is our legitimate interest in providing better PatientPack services and improving our app’s experience.

4.6. Other processing that we may carry out

In addition to the specific purposes for which we may process your personal data set out above, we may also process any of your personal data where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

Please do not supply any other person's personal data to us, unless we prompt you to do so.

5. Information sharing with other NHS and Non-NHS organisations

For your benefit, we may also need to share information we hold about you with other organisations involved in your care such as other NHS organisations, Social Services or charitable and voluntary bodies working with us to improve your care. However, we will not disclose any information to third parties without your explicit consent, unless there are exceptional circumstances, such as when the health or safety of yourself or others is at risk or where the law requires it.

If we are asked to share information with a non-NHS organisation that does not directly relate to your care, we will always seek your explicit consent prior to any information being shared. If you choose not to consent to this when asked, then that decision will be recorded and respected.

These organisations are Data Controllers in their own right and, where they do process your data, they will inform you directly or through their services, such as a website, about the data they hold and what processing they undertake.

All data is stored in the UK, under UK regulations and on encrypted databases.

6. Retaining and deleting personal data

Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. We may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

7. Your rights, points of contact for queries, objections and complaints

7.1. Your rights of access to the information we hold

You can make your own application to see all information Substrakt Health Ltd holds about you, or you can authorise someone else to make an application for you. A parent or guardian, a patient representative, or a person appointed by the court may also apply. If you wish to access your personal data, then please contact:

Substrakt Health Ltd
Norfolk Clinical Park
Buxton, Norwich
Norfolk, NR10 5RH

7.2. Withholding information about you

As Substrakt Health Ltd provides the PatientPack App on behalf of your registered GP practice, we will be required to confirm with them that such data can be released to you. Information may be withheld by the registered GP practice if the organisation believes that releasing the information to you could cause serious harm to your physical or mental health. We do not have to tell you that information has been withheld.

Information may also be withheld if another person (i.e. third party) is identified in the record, and they do not want their information disclosed to you. However, if the other person was acting in their professional capacity in caring for you, in normal circumstances they could not prevent you from having access to that information.

You may instruct us to provide you with any personal information we hold about you; provision of such information will be subject to:

(a) your request not being found to be unfounded or excessive, in which case a charge may apply; and

(b) the supply of appropriate evidence of your identity (for this purpose, we will usually accept a photocopy of your passport certified by a solicitor or bank, plus an original copy of a utility bill showing your current address).

We may withhold personal information that you request to the extent permitted by law.

7.3 The rights you have under data protection law are:

(a) the right to access your data;
(b) the right to rectification of data which is incorrect;
(c) the right to erasure/deletion;
(d) the right to restrict processing;
(e) the right to object to processing;
(f) the right to data portability;
(g) the right to complain to a supervisory authority; and
(h) the right to withdraw consent.


Due to the service we are providing, your exercise of these rights with us may be subject to such requests being performed by the applicable NHS Organisation who are the Data Controller of your personal data. If you ask us to remove certain information or withdraw consent, you may either not be able to make full use of the PatientPack services, or not use them at all.

7.3. (a) Your right to access your data. You have the right to ask us to confirm whether or not we process your personal data and to have access to the personal data, and any additional information. That additional information includes the purposes for which we process your data, the categories of personal data we hold and the recipients of that personal data. You may request a copy of your personal data. The first copy will be provided free of charge, but we may charge a reasonable fee for additional copies.

7.3. (b) Your right to rectification. If we hold any inaccurate personal data about you, you have the right to have these inaccuracies rectified. Where necessary for the purposes of the processing, you also have the right to have any incomplete personal data about you completed.

7.3. (c) Your right to erase. In certain circumstances you have the right to have personal data that we hold about you erased. This will be done without undue delay. These circumstances include the following: it is no longer necessary for us to hold those personal data in relation to the purposes for which they were originally collected or otherwise processed; you withdraw your consent to any processing which requires consent; the processing is for direct marketing purposes; and the personal data have been unlawfully processed. However, there are certain general exclusions of the right to erasure, including where processing is necessary: for compliance with a legal obligation; or for establishing, exercising or defending legal claims.

7.3. (d) Your right to restrict processing. In certain circumstances you have the right for the processing of your personal data to be restricted. This is the case where: you do not think that the personal data we hold about you is accurate; your data is being processed unlawfully, but you do not want your data to be erased; it is no longer necessary for us to hold your personal data for the purposes of our processing, but you still require that personal data in relation to a legal claim; and you have objected to processing, and are waiting for that objection to be verified. Where processing has been restricted for one of these reasons, we may continue to store your personal data. However, we will only process it for other reasons: with your consent; in relation to a legal claim; for the protection of the rights of another natural or legal person; or for reasons of important public interest.

7.3. (e) Your right to object to processing. You can object to us processing your personal data on grounds relating to your particular situation, but only as far as our legal basis for the processing is that it is necessary for: the performance of a task carried out in the public interest, or in the exercise of any official authority vested in us; or the purposes of our legitimate interests or those of a third party. If you make an objection, we will stop processing your personal information unless we are able to: demonstrate compelling legitimate grounds for the processing, and that these legitimate grounds override your interests, rights and freedoms; or the processing is in relation to a legal claim.

7.3. (f) Your right to object for statistical purposes. You can object to us processing your personal data for statistical purposes on grounds relating to your particular situation, unless the processing is necessary for performing a task carried out for reasons of public interest.

7.3. (g) Complaining to a supervisory authority. If you think that our processing of your personal data infringes data protection laws, you can lodge a complaint with a supervisory authority responsible for data protection. You may do this in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.

7.3. (h) Right to withdraw consent. To the extent that the legal basis we are relying on for processing your personal data is consent, you are entitled to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.

You may exercise any of your rights in relation to your personal data by written notice to us in addition to the other methods specified above.