Privacy notice

At Well we know that your personal data is important to you. That’s why, whenever we process it, we only use what we need to, and we do everything we can to ensure it is appropriately protected.

This notice explains the situations where we may process your personal data and the steps we take to protect it. If you are a locum pharmacist, this privacy notice does not cover Well’s use of personal data for this activity. You can find further information about this in your agreement, which you should have received when you signed up with Well. If you require a further copy, please contact LocumSchedulingTeam@well.co.uk. For all other personal data, Well’s use of this can be broadly summarised as follows:

• Most of the personal data we collect is provided directly by you and is necessary to deliver the service you have requested. We only ask for the information that we absolutely need.
• We do collect some personal data automatically – such as IP addresses, pages viewed on our website and links you’ve clicked on. This is predominantly through the placement of cookies which are explained in detail later.
• We may acquire some personal data from commercially available data sources (e.g. the electoral roll) to keep your data accurate and help us better understand your needs.
• If you have given us appropriate permission to do so, we may send you information about products and services we offer. We will never sell your details to third parties for their own marketing purposes.
• To help you get the most out of our marketing, we may sometimes tailor it to you using your personal data. We will do this by building a profile about you, for example, to understand what services you currently use, or may have a future need for. You can object to this (explained later) and receive non-personalised marketing instead, and we always weigh up whether this will have any negative impact on you before we proceed.
• We may share your information within our wider group of companies (explained later) where there is a legal need, or justified business need, to do so.
• We use selected third parties to provide some of our services (e.g. courier companies to deliver online orders) and will share the minimum personal data necessary with them to do so.
• Like most organisations, we use third parties to support the running of our business (e.g. using an application) and, in certain circumstances, these third parties may have access to your data. This may be from outside of the European Union. Where this is the case, we have appropriate protective measures in place to ensure your information is appropriately protected.
• With the exception of tailored marketing (as mentioned above) we do not make any automated decisions - i.e. a decision which does not involve a human providing an opinion - about you in delivering our services.

Well Pharmacy keeps its privacy policy under regular review and we may make changes to this notice at any time. Depending on the associated processing risks, we will either contact you with the modified terms, or we will post a copy of these on our website. Any changes will take effect 7 days after the date of our email, or the date on which we post the modified terms on our website, whichever is sooner. Please ensure you regularly check our website for any updated use of your personal data, alongside contact information in the event you have any further queries.

Well and Well Pharmacy are the trading names for the companies Bestway National Chemists Ltd (company number 09225457, registered address: Merchants Warehouse Castle Street, Castlefield, Manchester, M3 4LZ) and Bestway Belfast Chemists Ltd (company number NI626625, registered address: 70 Ballygomartin Road, Belfast, BT13 3NE). When we say ‘we’ or ‘us’ we mean these companies.

These companies are part of the wider Bestway Healthcare Group of companies. When we say ‘Group’ in this notice, we mean other members of our group of companies, including trading and subsidiary companies of Bestway Panacea Holdings Ltd (an English and Welsh registered company with company number 09225479, registered address: Merchants Warehouse Castle Street, Castlefield, Manchester, M3 4LZ).

By email: hello@well.co.uk

By post to:

Legal Department

Well Pharmacy

Merchants Warehouse

Castle Street

Castlefield

Manchester

M3 4LZ

If you specifically want to contact our Data Protection Officer, you can do so by emailing DPO@well.co.uk. Alternatively, you can write to them at:

Data Protection Officer

Well Pharmacy

Merchants Warehouse

Castle Street

Castlefield

Manchester

M3 4LZ

Finally, you are entitled to complain to the UK’s data protection supervisory authority – which is the Information Commissioner's Office (“ICO”). You can find out more information about how to contact the ICO using the following link: https://ico.org.uk/global/contact-us/contact-us-public/

Alternatively, the ICO can be reached here:

Tel: 0303 123 1113

Address:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Under data protection law, you have the following rights:

• Right of Access (typically called a “Subject Access Request” or “SAR"): you have the right to know how we process your personal data (as explained in this notice) and also a right to receive a free copy of your personal data.
• Right to Rectification: you can ask us to change or complete any inaccurate or incomplete personal data held about you.
• Right to Object: you have the right to object, in certain circumstances, to us processing your personal data. For example, you can object to us sending you marketing material, or using your personal data to create a profile about you that is related to direct marketing.
• Right to Erasure: in certain circumstances, you can ask us to delete your personal data. For example, where it is no longer necessary for us to use it, you have withdrawn consent, or where we have no lawful basis to keep it.
• Right to Portability: you have the right to ask us to send a copy of certain elements of your personal data (predominantly information you have shared directly with us) to another company.
• Right to Restrict Processing: you can ask us to restrict the personal data we use about you where you have asked for it to be erased (and the erasure has not taken place, or we were unable to erase the data when we should have) or where you have objected to our use of it.

To make a subject access request, or to exercise any other data subject rights, you can email hello@well.co.uk, call us on 0333 010 2222, or write to us at the following address:

Data Protection Officer

Well Pharmacy

Merchants Warehouse

Castle Street

Castlefield

Manchester

M3 4LZ

It is free to exercise your privacy rights and we will respond to any request as quickly as we can. Under current data protection law, we have 30 days to respond to any request, unless an exemption applies. We will contact you as soon as we can where we are applying an exemption, which may extend the time Well has to process your request.

What personal data we collect and how we use it depends on how you interact with us and the specific services you’ve requested. Please be aware that we will never call you for payment related to medication and you should remain vigilant if you are suspicious about someone who has contacted you. You can also find out more about protecting yourself online by visiting https://ico.org.uk/for-the-public/online/

There are six legal bases Well may use to process your personal data:

• Consent: where you have given explicit permission.
• Contract: where we use your personal data to fulfil a contract we have with you.
• Legal obligation: where we use your personal data to comply with a common law or statutory obligation.
• Vital interests: where we use you personal data to protect your life.
• Public task: where there is a public interest in using your personal data, or if we are required to use this as part of our functions as a public authority.
• Legitimate interests: where we balance our interest in using your personal data against any impact if will have on you. You can find out more about this in the section labelled ‘legitimate interests’.

To put the above legal bases into context, the following list identifies the core ways we legally use your information at Well, , though this is list is not exhaustive. You should periodically check this notice for any new uses of your data, though we will always contact you if any new use of data has the potential to negatively impact you:

• To fulfil your prescription - we capture your name, address, date of birth, NHS number and the medication required (this includes the name of the medication and the dosage instructions) as detailed on the prescription. Capturing this information is necessary to provide the service to you. Additionally we would also capture the prescriber’s details.
• If you are an online customer using our ‘Click and Collect’ service, then we will share information with your chosen Well Pharmacy for them to receive your prescription and dispense the medication for you.
• If you are a patient using our digital service for services such as repeat prescriptions, we will share your personal data with Royal Mail to ensure the safe delivery of any medication. We also share your mobile number with Royal Mail so they can keep you updated via SMS (or ‘text message’) on the status of your delivery. This service is optional and you can let us know at anytime if you would prefer not to receive these updates. You can do this using the contact information found in this policy section ‘How you can contact us’.
• To deliver our wider consultation services - in addition to the information referenced above we may need to understand wider information about your health & wellbeing, including any family history of medical conditions. If someone books such an appointment on your behalf for example your GP, GP practice nurse, then we will collect this information from them and verify it with you during the appointment.
• We process your payment card details to provide the services you have requested. We do not store these details. For any repeat orders of products or services made by you online via our website or app, or if you opt to have your details stored for future payments, our third party processing agency securely holds your payment card details and provides us with a unique token that represents that particular card; this token is only valid for payment to us.
• If you interact with us online (for example, when you use our website, digital services, or post comments on our social media pages) it is likely we will indirectly collect information about you and how you interact with us. Where this engages wider legislation (specifically, the Privacy and Electronic Communications Regulations) we will require your consent to do this, as it usually means storing a cookie (or another similar technology) on your device. For further information about this, we have a separate Cookie Policy here: https://www.well.co.uk/about-us/policies/cookies
• If you have an account with us online, we may collect your IP addresses as part of the log in process. This is a security feature to protect your account.
• If you use our mobile app, there is an option to enable location based-services. If you give your consent for this, we will collect your location data and/or motion data to understand more about the patients we serve.
• If you have an account with us, we may periodically purchase commercially available data about you from sources like the electoral roll and companies that collate and update data. We do this as part of our legitimate business interests to keep our records accurate and up to date, provide you with a seamless and consistent service and to build a clearer picture of our customers, both individually and as a group. By understanding you better we can offer you the best and most personalised service we can.
• If you have provided your consent to do so, and it is deemed clinically appropriate, we will collect your data from NHS bodies such as your GP/surgery or hospital and view your Electronic Health Records (e.g. NHS Summary Care Record) in order to provide the service you have requested.
• If you sign-up in one of our pharmacies, we will send you SMS messages as part of our prescription collection service. We may also use your mobile phone number for carefully considered and specific purposes that are in our legitimate interests, or the wider public interest. For example, we may send you an SMS message about our in-pharmacy services like flu vaccinations, or where there is a Covid booster vaccination available for vulnerable patients. Whenever we use your personal data for any of reasons, we always conduct an assessment to ensure that our method of communication is not invasive, or that there are no overriding reasons for us not to use this information. If the assessment is ultimately inconclusive in terms of these key questions, we always err on the side of the data subject, and we do not use the data. Where we do contact you for the purposes described above, we always ensure you have the right to opt out in the first and all other subsequent communications sent.
• From time to time, we may run specific local services via our pharmacies where we require your consent if you wish to take up the service. This may mean that we verbally speak to you, either on the phone or in one of our pharmacies, to gather this consent. If this is a service that runs over a period of time, it may also be necessary to contact you using the email address we hold on file, if we are unable to get in touch with you by phone, or if you do not attend the pharmacy as part of the service. We would usually say we have a legitimate interest in delivering this service, as well as the wider requirement to deliver the service you requested or agreed to (this falls under the legal basis ‘contract’).
• If you purchase a product from our website, or use our online services, we may send requests for a review, which are usually via email from Trust Pilot, a trusted third party expert in this field. This helps us to gather data to improve our in-pharmacy experience. We will only ever send you one communication about this and we do not deem this marketing material.
• If you are a customer of a pharmacy business that has been taken over by us, we will receive your personal data as part of the handover process.
• If we sell part of our business (e.g., one of our pharmacies) then we may need to share your personal data with the new owner as part of this transaction.
• If you call us, we may record or monitor the call. We do this for regulatory purposes, for training, to ensure and improve quality of service delivery, to ensure safety of our staff and customers, and to resolve queries or issues. Where we analyse calls to improve our service, we do so as a legitimate business interest and we always consider methods of anonymising or pseudonymising data before use.
• If you enter one of our premises, we may capture you on CCTV. We use CCTV to ensure the safety and security of our staff and customers. The images captured may be used to prevent and detect crime, and therefore may be shared with law enforcement. We carry out this processing activity either for our own legitimate interest or for the wider public interest (i.e. to prevent a crime or potential crime). Every pharmacy in the Well estate must display a CCTV sign to inform customers and patients that we are recording.
• As part of our home delivery service (where you have asked one of our pharmacy branches to deliver your prescription to your home). We use your address to improve the efficiency of our delivery service, for example, how many times a day/week we deliver to the same street, how many drivers we use, or the efficiency of the route. We use a third party provider to analyse this data and we only provide them with the minimum information needed to perform this function, and they are not permitted to use it for other purposes. We always ensure that any third providers have the same levels of security controls in place as we do. In order to protect your individual privacy, the analysis of this information is only undertaken using pseudonymised data (where your name is replaced with a random numerical key reference), and we do not use any other data we hold about you (for example, medication data) for this purpose. You have the right to object to the way we use your data if you believe our legitimate interest in doing it is outweighed by your right to privacy. This type of analysis is important in enabling us to operate efficiently and improve the service we provide to you, so we carry it out in a way that we believe has no impact on your privacy.
• To fulfil our contractual requirements with the NHS, we need to share your personal data with your GP and others in the wider NHS, such as the NHS Business Services Authority, and sometimes Local Authorities to provide you with NHS or Local Authority funded services, to negotiate and check the accuracy of our payments with the NHS or Local Authorities and to ensure that we maintain appropriate professional and service standards and that your declarations and ours are accurate. This is necessary to perform the service and a legal requirement.
• If you have signed up to receive our health and wellbeing advice and information about our products and services, we will use your data to send this information to you via the channels you’ve given us data for. If you have expressed areas of specific interest, then we’ll use that to tailor the information you receive.
• If you fall ill in our premises, we will share your personal data, if we have it, with medical professionals to allow them to deliver appropriate treatment to you.
• If you visit one of our offices as a guest (contractors, suppliers, guests, other non-customer individuals) on a one-time/ad-hoc basis or as part of a long-term agreement, your first name, surname, organisation/company name and vehicle registration will need to be recorded in our visitor system the purposes of site security and health and safety. CCTV is also used across our Support Centre and warehouse premises.
• If you wish to purchase an age-restricted product from our website, we have a regulatory responsibility to verify that you are of a suitable age before completing the purchase. We do this alongside a trusted third party supplier. We only use your personal data for this very specific purpose and ensure there are security measures in place to protect your information.

Legitimate interests is a legal basis by which Well may use your personal data in a way that you are likely to expect, and that will have a minimal privacy impact on you. In practice, this means assessing our ‘legitimate interests’ in using your personal data, against any impact this might have on your privacy.

We always think carefully about using your personal data and will complete a ‘legitimate interests’ assessment’ to ensure we have measured any impact on you, versus what we are trying to achieve as a business.

There are three elements to the legitimate interests test which Well’s Data Protection Officer will always carry out:

1. Purpose test: what legitimate interest are we pursuing as a business?
2. Necessity test: is the use of your personal data necessary for our purpose?
3. Balancing test: do your interests override our legitimate interest – i.e. would you expect us to use your data this way?

Your privacy is always at the forefront of any decision made during our assessment and we will look at alternative ways we can pursue our legitimate interests without using lots of data – for example, by anonymising or pseudonymising data.

You can find more information about this legal basis on the Information Commissioner’s website here.

Special category data is personal data that might be more sensitive to you. This includes things like health information, ethnicity, religious beliefs, and sexual orientation. Well needs to use special category data to provide things like prescriptions and services in pharmacies, which we wouldn’t be able to do without using this data. Wherever this data is used, there are additional legal safeguards we must adhere to, which include:

• Establishing a legal basis to use this information, as well as an additional condition for our use.
• Depending on the condition selected to use this data, we may also be required to establish a further condition for use.
• Adhering to a specific ‘appropriate policy document’, which governs our compliance.
• Completing a data protection impact assessment to measure any risks to you, the data subject, as a result of the use of your data.

This is in addition to all other internal safeguards we take to protect your personal data.

Well will never knowingly process personal data related to children for any other purposes than the following:

• To provide a prescription or service, with the knowledge of a parent or guardian.
• In the course of servicing an information right exercised by the child directly, or with the appropriate consent for a parent or guardian to carry this out on their behalf.
• Where welfare or safeguarding concerns are raised about a child or children. This may involve Well liaising with local authorities to ensure the protection of those involved. Wherever this occurs, Well will always consider whether consent is appropriate and, if it is not, another legal basis will be established.
• Our website collects cookies, which may inadvertently relate to children who visit our website. However, the resulting cookie activity (e.g. to improve the functionality of our website) does not cause a sufficient level of harm to impact children.

Well also carries out ID verification on our website to protect against children purchasing goods that could be unsafe or are specifically for adults. We will continue to robustly review processes to ensure the safeguarding of children.

In the previous section we described particular instances where we share your personal data with others. There are also other third parties that we use to deliver services to you. In this section, we have summarised the categories of third parties who we may share your data with.

• Postal services and couriers – for typical business purposes, to deliver prescriptions by post, and to send your prescription scrip to the NHS (where a physical prescription is received)
• Third party content processors – for example, to deliver our health advice and information about our products and services to you (e.g. an email delivery service), or to collect reviews from our patients.
• Dispensing appliance contractors – where your prescription is for a medical appliance (e.g. colostomy bags, medical thermometers, pacemakers) we will pass your prescription, and the personal data on it, to our third party appliances contractor Wardles to process. Wardles are part of the Bestway Group.
• Law Enforcement Agencies (LEA) – where we are required to do so by law, we will release personal data to LEA’s (e.g. the police). This will most likely be for the detection or prevention of crime, or to exercise or defend a legal claim.
• Regulators – it may be necessary to share personal data at the request of applicable regulators, such as the General Pharmaceutical Council (GPhC). Where possible, Well will ensure that only the minimal amount of relevant information is disclosed and that data is securely deleted once no longer required.

Given Well’s core function is healthcare, there may be occasions where it becomes necessary to safeguard individuals, either from others or themselves. We always take any decision around sharing data of this nature with other authorities or bodies incredibly seriously, and we ensure that our internal policies also reflect this. Data protection laws are still applicable and, in serious cases, the sharing of personal data will likely be done using one or more of the following legal bases:

• Vital interests (to protect those of the data subject/s).
• Reasons of substantial public interest, which may include:
• Preventing or detecting unlawful acts.
• Protecting the public.
• Safeguarding of children and individuals at risk.
• Safeguarding of economic well-being of certain individuals.

We also have a responsibility to safeguard adults who lack mental capacity under the Mental Capacity Act (2005).

Well always weighs up the necessity of sharing any personal data for purposes above and beyond that which the data subject is already aware of and considers whether consent is an available option. Any personal data this is ultimately shared will be done so after internal consideration alongside Well’s Data Protection Officer and the Caldicott Guardian, and only the minimum amount of information is securely shared.

We may need to transfer your information outside the UK to service providers, agents, and subcontractors in countries where data protection laws may not provide the same level of protection as those in the European Economic Area. Where this happens, we agree specific safeguards and assurances in our contracts with those providers to ensure there are appropriate controls in place to protect your data. Where necessary, we also ensure we have conducted a full Transfer Risk Assessment alongside any necessary contractual obligations. This is an area of legislation that is subject to change, so we always ensure we are fully up to date with updates from the UK Government, the Information Commissioner’s Office, and the European Commission.

We will retain your personal data for as long as we are legally or contractually required to do so, or for a period which is justifiable to meet our business needs. The exact retention period varies depending on the type of information and purpose for use, if you require any further information on retention periods please contact us at DPO@well.co.uk

If you have given your consent, we will contact you about the products and services we offer. Our expert pharmacists also produce advice, tips and useful information to help keep you healthy, which we may send to you where you have requested it.

We will send these communications to you by either email, post or both depending on what you signed up to. Every marketing communication we send will include instructions about how to opt-out. At any time, you can change your marketing preferences by emailing DPO@well.co.uk or by sending a letter to the contact information shown later in this notice.

The marketing we send to you may be tailored to make it more relevant. This is done by analysing the data we hold about you (e.g. services previously used, age, address, previously stated health and wellbeing interests) to create a profile. If you want to receive marketing from us, but do not want this to be tailored then you can object to the profiling as described under "What are your privacy rights and how can you exercise them?". Alternatively, unsubscribing from marketing will also cease the profiling activity we conduct.

If you have consented to marketing, you may also receive adverts from us online and on social media. We send pseudonymised data to companies such as Facebook and Google to do this. This means we send the data in a way that only the intended end user (e.g. Facebook, Google) can understand. We may also use your data to build profiles and/or custom audiences. When we do this, we anonymise your data. This means we send your data to platforms (e.g. Facebook, Google) in a way that means you cannot be identified by it. The security of your personal data is at the forefront of any decisions we make around this type of marketing.

If you visit our website via an affiliate link, we will send some information about you to the affiliate network. The nature of the personal data processed is non-sensitive and largely technical. Our network partner uses cookies and other mechanisms to collect analytical information to help analyse the actions people take on affiliate websites and ours. They process this information to improve their understanding and to compile statistical reports regarding that activity. This information is not used by the network to develop a personal profile of you.

We only work with companies who take privacy as seriously as we do.