Updated 30/09/2021


This document explains how we use your personal data We are committed to ensuring your privacy. In this policy we explain how we hold, process and retain your personal data.

We take our duty to protect personal information and confidentiality very seriously and we are committed to comply with all relevant legislation and to take all reasonable measures to ensure the confidentiality and security of the personal data we are responsible for.

Your GP and the NHS are the data controller of your personal data

Your GP is the data controller in respect to all personal data processed by Patient Pack. The collection and processing of your personal data is carried out in accordance with their privacy policy with you. How we process your personal data in supporting your use of your GP’s online consultation service (Patient Pack) is described in this document.

Your GPs privacy notice is available on their website (please contact their reception if you would like a copy).

It is on the basis of the consents you have given to your GP and the NHS and any additional permissions that you have given to Patient Pack that we are able to provide you with the Patient Pack service.

Who are we?

Patient Pack is designed, created and maintained by Substrakt Health Ltd on behalf of your registered GP practice and associated Clinical Commissioning Group. Substrakt Health Ltd is committed to providing patients high quality access to their healthcare data and services offered by their registered GP practices or accredited NHS partners organisations

Our processing is based on your consent

When registering for the Patient Pack App, we will require your consent to access your GP medical record and Registered GP practice system. This access will be limited to your GP practice and you with the data remaining under the control of your Registered GP. No data will be shared with any other organisation unless your explicit consent has been provided. Substrakt Health will only process the data to provide you with access to the data unless your explicit consent has been provided.

When you use any of our digital or physical healthcare services offered within the app and/or physical locations, you may be asked to provide consent different to the consent you gave when you registered for the Patient Pack App.

This consent is to enable us to share your data with the required NHS organisations or accredited partners who are responsible for delivering the requested NHS service you access.

All sharing of such data will comply with the General Data Protection Regulation 2018 and NHS information governance rules. Substrakt Health will always request your explicit consent to do this providing you detail of what data will be shared and with whom it is shared and for how long.

To ensure that we comply with our General Data Protection Regulation responsibilities in keeping your information safe you will be asked to give your consent in the Patient Pack app and in the physical service when the required clinician wishes to access your data.

We will not pass on your information to any third party without your explicit consent.

Keeping your personal health data up to date

It is essential that the personal data you provide to us is accurate and up to date. Please inform us of any changes to personal data as soon as possible to minimize the risk of you not receiving important correspondence or other communications from us with regards to your health.

What Personal Information is used by Patient Pack?

Because this service is online, your GP’s need to ensure that they continue to provide you with a confidential and high-quality service. To do so, they need to properly identify you and accurately note both your request and their responses. If they were prevented from using this essential information, then they would be unable to provide the service securely and confidentially.

Information which is not needed for the service is not collected by Substrakt Health.

Contact Data

We may process information that you or your medical health provider provide to us ("contact data") to deal with your requests. This contact data may include your name, telephone number, postal address, email address, date of birth, gender, the practice that you are registered with and your NHS Number. We will use this contact data during the course of providing our Patient Pack services to you.

The legal basis for this processing is for the purposes of performing the Patient Pack services for you.

If you have created an NHS login account you will already have verified who you are and you can, if you wish, use those details from your NHS login account to save you time and avoid having to manually enter your details to re-identify yourself to use the Online Consultation service.

Your Patient Data

If you use our services, we may process information that you or your GP surgery provide to us ("Patient data"). This Patient Data may include your Contact Data and also relevant information relating to your health which is applicable to the Patient Pack services you choose to use.

This may include:

To show and track your prescription requests:

  • When the medication was requested
  • The type and dose of medication requested
  • The practice’s response to your request

To manage online appointments:

  • Details of appointments and the type of appointment made through the Patient Pack App
  • The time, date and location of the appointment

The legal basis for this processing is for the purposes of delivering Patient Pack services to you. Certain data we process for you is special category personal data and we will only process it to support in your GP Surgery’s provision of health and social care services to you.

This data may include:

  • Information about your health such as your symptoms, conditions, medication
  • Other details which are already held in your GP records and / or which you provide through the online consultation process

The legal basis for the processing of this data is for the purposes of supporting medical diagnosis, provision of healthcare and treatment, provision of social care and the management of healthcare systems or services or social care systems.

Information Sharing with Other NHS and Non-NHS Organizations

For your benefit, we may also need to share information we hold about you with other organizations involved in your care such as other NHS organisations, Social Services or charitable and voluntary bodies working with us to improve your care. However, we will not disclose any information to third parties without your explicit consent, unless there are exceptional circumstances, such as when the health or safety of yourself or others is at risk or where the law requires it.

If we are asked to share information with a non-NHS organisation that does not directly relate to your care, we will always seek your explicit consent prior to any information being shared. If you choose not to consent to this when asked, then that decision will be recorded and respected.

We will not disclose your information to any other third parties without your permission unless there are exceptional circumstances, such as if the health and safety of others is at risk or if the law requires us to pass on information.

These organisations are Data Controllers in their own rights, and where they do process your data will inform you directly or through their services such as a website about the data they hold and what processing they undertake.

All data is stored in the UK, under UK regulations and on encrypted databases.

Supporting you

Substrakt Health uses Zendesk to manage support tickets that are raised via our Helpdesk. We store a limited amount of personal information e.g. your name, NHS number and any unique identifiers within Zendesk to operate the support desk with the aim of helping to solve your query.

There are occasions where we may need to access your health record within Patient Pack. If this is the case, you will be asked for your permission to do this. Zendesk do not have access to any of your health record or Patient Pack as we operate Zendesk as a stand alone service to manage support tickets.

When submitting a support request your personal data is processed and the requests you make are stored on our servers.

We will only use the support data to process the support request and to check on the level of service we provide.

We do compile and publish statistics showing information about the support requests we receive and your use of Patient Pack generally, but not in a form which identifies anyone.

The legal basis for this processing is our legitimate interests in providing the Patient Pack services.

In order to improve the usability of the app, we send anonymised information to an analytics service with an anonymised session-id, device information and the URL of pages visited. For auditing purposes we store pages accessed and events triggered in the application and the IP address the request was made from so that we can track when elements of your health record were accessed.

Other processing that we may carry out

In addition to the specific purposes for which we may process your personal data set out above, we may also process any of your personal data where such processing is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

Please do not supply any other person's personal data to us, unless we prompt you to do so.

Transfers of your personal data outside of the European Economic Area All of the personal data that we collect is processed within the United Kingdom.

Retaining and deleting personal data

Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. We may retain your personal data where such retention is necessary for compliance with a legal obligation to which we are subject, or in order to protect your vital interests or the vital interests of another natural person.

All patient records are destroyed in accordance with the NHS Records Retention Schedule, which sets out the appropriate length of time each type of NHS record is retained.

Your rights of access to the information we hold

You can make your own application to see all information Substrakt Health holds about you, or you can authorize someone else to make an application for you. A parent or guardian, a patient representative, or a person appointed by the Court may also apply. If you wish to access your personal data, then please contact:

Substrakt Health Ltd
2a Victoria Works
Vittoria St
B1 3PE
Email: info@substrakthealth.com

Please note that Substrakt Health do not store or retain your Registered GP data longer than required, specifically your healthcare data, thus this may require an additional request to your Registered GP for such right of access.

Withholding information about you

As Substrakt Health Ltd provides the Patient Pack App on behalf of your Registered GP Practice, we will be required to confirm with them that such data can be released to you. Information may be withheld by the Registered GP Practice if the organisation believes that releasing the information to you could cause serious harm to your physical or mental health. We do not have to tell you that information has been withheld.

Information may also be withheld if another person (i.e. third party) is identified in the record, and they do not want their information disclosed to you. However, if the other person was acting in their professional capacity in caring for you, in normal circumstances they could not prevent you from having access to that information.

Your rights

You may instruct us to provide you with any personal information we hold about you; provision of such information will be subject to:

(a) your request not being found to be unfounded or excessive, in which case a charge may apply; and

(b) the supply of appropriate evidence of your identity (for this purpose, we will usually accept a photocopy of your passport certified by a solicitor or bank plus an original copy of a utility bill showing your current address).

We may withhold personal information that you request to the extent permitted by law.

The rights you have under data protection law are:

(a) the right to access your data; (b) the right to rectification of data which is incorrect; (c) the right to erasure/deletion; (d) the right to restrict processing; (e) the right to object to processing; (f) the right to data portability; (g) the right to complain to a supervisory authority; and (h) the right to withdraw consent.


Due to the service we are providing your exercise of these rights with us may be subject to such requests being performed by the applicable NHS Organisation who are the Data Controller of your personal data. If you ask us to remove certain information or withdraw consent, you may either not be able to make full use of the Patient Pack services, or not use them at all.

1.1 Your right to access your data. You have the right to ask us to confirm whether or not we process your personal data and, to have access to the personal data, and any additional information. That additional information includes the purposes for which we process your data, the categories of personal data we hold and the recipients of that personal data. You may request a copy of your personal data. The first copy will be provided free of charge, but we may charge a reasonable fee for additional copies.

1.2 Your right to rectification. If we hold any inaccurate personal data about you, you have the right to have these inaccuracies rectified. Where necessary for the purposes of the processing, you also have the right to have any incomplete personal data about you completed.

1.3 Your right to erasure. In certain circumstances you have the right to have personal data that we hold about you erased. This will be done without undue delay. These circumstances include the following: it is no longer necessary for us to hold those personal data in relation to the purposes for which they were originally collected or otherwise processed; you withdraw your consent to any processing which requires consent; the processing is for direct marketing purposes; and the personal data have been unlawfully processed. However, there are certain general exclusions of the right to erasure, including where processing is necessary: for compliance with a legal obligation; or for establishing, exercising or defending legal claims.

1.4 Your right to restrict processing. In certain circumstances you have the right for the processing of your personal data to be restricted. This is the case where: you do not think that the personal data we hold about you is accurate; your data is being processed unlawfully, but you do not want your data to be erased; it is no longer necessary for us to hold your personal data for the purposes of our processing, but you still require that personal data in relation to a legal claim; and you have objected to processing, and are waiting for that objection to be verified. Where processing has been restricted for one of these reasons, we may continue to store your personal data. However, we will only process it for other reasons: with your consent; in relation to a legal claim; for the protection of the rights of another natural or legal person; or for reasons of important public interest.

1.5 Your right to object to processing. You can object to us processing your personal data on grounds relating to your particular situation, but only as far as our legal basis for the processing is that it is necessary for: the performance of a task carried out in the public interest, or in the exercise of any official authority vested in us; or the purposes of our legitimate interests or those of a third party. If you make an objection, we will stop processing your personal information unless we are able to: demonstrate compelling legitimate grounds for the processing, and that these legitimate grounds override your interests, rights and freedoms; or the processing is in relation to a legal claim.

1.6 Your right to object for statistical purposes. You can object to us processing your personal data for statistical purposes on grounds relating to your particular situation, unless the processing is necessary for performing a task carried out for reasons of public interest.

1.7 Complaining to a supervisory authority. If you think that our processing of your personal data infringes data protection laws, you can lodge a complaint with a supervisory authority responsible for data protection. You may do this in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.

1.8 Right to withdraw consent. To the extent that the legal basis we are relying on for processing your personal data is consent, you are entitled to withdraw that consent at any time. Withdrawal will not affect the lawfulness of processing before the withdrawal.

1.9 Exercising your rights. You may exercise any of your rights in relation to your personal data by written notice to us in addition to the other methods specified above.