Our Privacy Notice describes the categories of personal data we process and for what purposes.
At Well we know that your personal data is important to you. That’s why, whenever we process it, we only use what we need to, and we do everything we can to ensure it is appropriately protected.
This notice explains the situations where we may process your personal data and the steps we take to protect it. If you are a locum pharmacist, this privacy notice does not cover Well’s use of personal data for this activity. You can find further information about this in your agreement, which you should have received when you signed up with Well. If you require a further copy, please contact LocumSchedulingTeam@well.co.uk . For all other personal data, Well’s use of this can be broadly summarised as follows:
- Most of the personal data we collect is provided directly by you and is necessary to deliver the service you have requested. We only ask for the information that we absolutely need.
- We do collect some personal data automatically – such as IP addresses, pages viewed on our website and links you’ve clicked on. This is predominantly through the placement of cookies which are explained in detail later.
- We may acquire some personal data from commercially available data sources (e.g. the electoral roll) to keep your data accurate and help us better understand your needs.
- If you have given us appropriate permission to do so, we may send you information about products and services we offer. We will never sell your details to third parties for their own marketing purposes.
- To help you get the most out of our marketing, we may sometimes tailor it to you using your personal data. We will do this by building a profile about you, for example, to understand what services you currently use, or may have a future need for. You can object to this (explained later) and receive non-personalised marketing instead.
- We may share your information within our wider group of companies (explained later) where there is a legal need, or justified business need, to do so.
- We use selected third parties to provide some of our services (e.g. courier companies to deliver online orders) and will share the minimum personal data necessary with them to do so.
- Like most organisations, we use third parties to support the running of our business (e.g. using an application) and, in certain circumstances, these third parties may have access to your data. This may be from outside of the European Union. Where this is the case, we have appropriate protective measures in place to ensure your information is appropriately protected.
- With the exception of tailored marketing (as mentioned above) we do not make any automated decisions - i.e. a decision which does not involve a human providing an opinion - about you in delivering our services.
Well and Well Pharmacy are the trading names for the companies Bestway National Chemists Ltd (company number 09225457, registered address: Merchants Warehouse Castle Street, Castlefield, Manchester, M3 4LZ) and Bestway Belfast Chemists Ltd (company number NI626625, registered address: 70 Ballygomartin Road, Belfast, BT13 3NE). When we say ‘we’ or ‘us’ we mean these companies.
These companies are part of the wider Bestway Healthcare Group of companies. When we say ‘Group’ in this notice, we mean other members of our group of companies, including trading and subsidiary companies of Bestway Panacea Holdings Ltd (an English and Welsh registered company with company number 09225479, registered address: Merchants Warehouse Castle Street, Castlefield, Manchester, M3 4LZ).
By email at firstname.lastname@example.org
By post to:
If you specifically want to contact our Data Protection Officer, you can do so by emailing DPO@well.co.uk. Alternatively, you can write to them at:
Data Protection Officer
Under data protection law, you have the following rights:
- Right of Access (typically called a “Subject Access Request” or “SAR"): you have the right to know how we process your personal data (as explained in this notice) and also a right to receive a free copy of your personal data.
- Right to Rectification: you can ask us to change or complete any inaccurate or incomplete personal data held about you.
- Right to Object: you have the right to object, in certain circumstances, to us processing your personal data. For example, you can object to us sending you marketing material, or using your personal data to create a profile about you that is related to direct marketing.
- Right to Erasure: in certain circumstances, you can ask us to delete your personal data. For example, where it is no longer necessary for us to use it, you have withdrawn consent, or where we have no lawful basis to keep it.
- Right to Portability: you have the right to ask us to send a copy of certain elements of your personal data (predominantly information you have shared directly with us) to another company.
- Right to Restrict Processing: you can ask us to restrict the personal data we use about you where you have asked for it to be erased (and the erasure has not taken place or we were unable to erase the data when we should have) or where you have objected to our use of it.
To make a subject access request, or to exercise any other data subject rights, you can email email@example.com, call us on 0333 010 2222 , or write to us at the following address:
Data Protection Officer
It is free to exercise your privacy rights and we will respond to any request as quickly as we can. Under current data protection law, we have 30 days to respond to any request, unless an exemption applies. We will contact you as soon as we can where we are applying an exemption, which may extend the time Well has to process your request.
What personal data we collect and how we use it depends on how you interact with us and the specific services you’ve requested. Please be aware that we will never call you for payment related to medication and you should remain vigilant if you are suspicious about someone who has contacted you. You can also find out more about protecting yourself online by visiting https://ico.org.uk/for-the-public/online/.
Well will use your personal data in the following ways:
- To fulfil your prescription - we capture your name, address, date of birth, NHS number and the medication required (this includes the name of the medication and the dosage instructions) as detailed on the prescription. Capturing this information is necessary to provide the service to you. Additionally we would also capture the prescriber’s details.
- If you are an online customer using our ‘Click and Collect’ service, then we will share information with your chosen Well Pharmacy for them to receive your prescription and dispense the medication for you.
- To deliver our wider consultation services - in addition to the information referenced above we may need to understand wider information about your health & wellbeing, including any family history of medical conditions. If someone books such an appointment on your behalf for example your GP, GP practice nurse, then we will collect this information from them and verify it with you during the appointment.
- We process your payment card details to provide the services you have requested. We do not store these details. For any repeat orders of products or services made by you online via our website or app, or if you opt to have your details stored for future payments, our third party processing agency securely holds your payment card details and provides us with a unique token that represents that particular card; this token is only valid for payment to us.
- If you have an account with us online, we may collect your IP addresses as part of the log in process. This is a security feature to protect your account.
- If you use our mobile app, there is an option to enable location based-services. If you give your consent for this, we will collect your location data and/or motion data to understand more about the patients we serve.
- If you have an account with us, we may periodically purchase commercially available data about you from sources like the electoral roll and companies that collate and update data. We do this as part of our legitimate business interests to keep our records accurate and up to date, provide you with a seamless and consistent service and to build a clearer picture of our customers, both individually and as a group. By understanding you better we can offer you the best and most personalised service we can.
- If you have provided your consent to do so, and it is deemed clinically appropriate, we will collect your data from NHS bodies such as your GP/surgery or hospital and view your Electronic Health Records (e.g. NHS Summary Care Record) in order to provide the service you have requested.
- If you sign-up in one of our pharmacies, we will send you SMS messages as part of our prescription collection service. We may also use your mobile phone number for carefully considered and specific purposes that are in our legitimate interests, or the wider public interest. For example, we may send you an SMS message about our in-pharmacy services like flu vaccinations, or where there is a Covid booster vaccination available for vulnerable patients. Whenever we use your personal data for any of reasons, we always conduct an assessment to ensure that our method of communication is not invasive, or that there are no overriding reasons for us not to use this information. If the assessment is ultimately inconclusive in terms of these key questions, we always err on the side of the data subject, and we do not use the data. Where we do contact you for the purposes described above, we always ensure you have the right to opt out in the first and all other subsequent communications sent.
- If you purchase a product from our website, or use our online services, we may send requests for a review, which are usually via email from Trust Pilot, a trusted third party expert in this field. This helps us to gather data to improve our in-pharmacy experience. We will only ever send you one communication about this and we do not deem this marketing material.
- If you are a customer of a pharmacy business that has been taken over by us, we will receive your personal data as part of the handover process.
- If we sell part of our business (e.g., one of our pharmacies) then we may need to share your personal data with the new owner as part of this transaction.
- If you call us, we may record or monitor the call. We do this for regulatory purposes, for training, to ensure and improve quality of service delivery, to ensure safety of our staff and customers, and to resolve queries or issues. Where we analyse calls to improve our service, we do so as a legitimate business interest and we always consider methods of anonymising or pseudonymising data before use.
- If you enter one of our premises, we may capture you on CCTV. We use CCTV to ensure the safety and security of our staff and customers. The images captured may be used to prevent and detect crime, and therefore may be shared with law enforcement. We carry out this processing activity either for our own legitimate interest or for the wider public interest (i.e. to prevent a crime or potential crime). Every pharmacy in the Well estate must display a CCTV sign to inform customers and patients that we are recording.
- As part of our home delivery service (where you have asked one of our pharmacy branches to deliver your prescription to your home). We use your address to improve the efficiency of our delivery service, for example, how many times a day/week we deliver to the same street, how many drivers we use, or the efficiency of the route. We use a third party provider to analyse this data and we only provide them with the minimum information needed to perform this function, and they are not permitted to use it for other purposes. We always ensure that any third providers have the same levels of security controls in place as we do. In order to protect your individual privacy, the analysis of this information is only undertaken using pseudonymised data (where your name is replaced with a random numerical key reference), and we do not use any other data we hold about you (for example, medication data) for this purpose. You have the right to object to the way we use your data if you believe our legitimate interest in doing it is outweighed by your right to privacy. This type of analysis is important in enabling us to operate efficiently and improve the service we provide to you, so we carry it out in a way that we believe has no impact on your privacy.
- To fulfil our contractual requirements with the NHS, we need to share your personal data with your GP and others in the wider NHS, such as the NHS Business Services Authority, and sometimes Local Authorities to provide you with NHS or Local Authority funded services, to negotiate and check the accuracy of our payments with the NHS or Local Authorities and to ensure that we maintain appropriate professional and service standards and that your declarations and ours are accurate. This is necessary to perform the service and a legal requirement.
- If you have signed up to receive our health and wellbeing advice and information about our products and services, we will use your data to send this information to you via the channels you’ve given us data for. If you have expressed areas of specific interest, then we’ll use that to tailor the information you receive.
- If you fall ill in our premises, we will share your personal data, if we have it, with medical professionals to allow them to deliver appropriate treatment to you.
- If you visit one of our offices as a guest (contractors, suppliers, guests, other non-customer individuals) on a one-time/ad-hoc basis or as part of a long-term agreement, your first name, surname, organisation/company name and vehicle registration will need to be recorded in our visitor system the purposes of site security and health and safety. CCTV is also used across our Support Centre and warehouse premises.
- If you wish to purchase an age-restricted product from our website, we have a regulatory responsibility to verify that you are of a suitable age before completing the purchase. We do this alongside a trusted third party supplier. We only use your personal data for this very specific purpose and ensure there are security measures in place to protect your information.
- Postal services and couriers – for typical business purposes, to deliver prescriptions by post, and to send your prescription scrip to the NHS (where a physical prescription is received)
- Third party content processors – for example, to deliver our health advice and information about our products and services to you (e.g. an email delivery service), or to collect reviews from our patients.
- Dispensing appliance contractors – where your prescription is for a medical appliance (e.g. colostomy bags, medical thermometers, pacemakers) we will pass your prescription, and the personal data on it, to our third party appliances contractor Wardles to process. Wardles are part of the Bestway Group.
- Law Enforcement Agencies (LEA) – where we are required to do so by law, we will release personal data to LEA’s (e.g. the police). This will most likely be for the detection or prevention of crime, or to exercise or defend a legal claim.
- Regulators – it may be necessary to share personal data at the request of applicable regulators, such as the General Pharmaceutical Council (GPhC). Where possible, Well will ensure that only the minimal amount of relevant information is disclosed and that data is securely deleted once no longer required.
Special category data is personal data that might be more sensitive to you. This includes things like health information, ethnicity, religious beliefs, and sexual orientation. Well needs to use special category data to provide things like prescriptions and services in pharmacies, which we wouldn’t be able to do without using this data. Wherever this data is used, there are additional legal safeguards we must adhere to, which include:
- Establishing a legal basis to use this information, as well as an additional condition for our use.
- Depending on the condition selected to use this data, we may also be required to establish a further condition for use.
- Adhering to a specific ‘appropriate policy document’, which governs our compliance.
- Completing a data protection impact assessment to measure any risks to you, the data subject, as a result of the use of your data.
This is in addition to all other internal safeguards we take to protect your personal data.
Well will never knowingly process personal data related to children for any other purposes than the following:
- To provide a prescription or service, with the knowledge of a parent or guardian.
- In the course of servicing an information right exercised by the child directly, or with the appropriate consent for a parent or guardian to carry this out on their behalf.
- Where welfare or safeguarding concerns are raised about a child or children. This may involve Well liaising with local authorities to ensure the protection of those involved. Wherever this occurs, Well will always consider whether consent is appropriate and, if it is not, another legal basis will be established.
- Our website collects cookies, which may inadvertently relate to children who visit our website. However, the resulting cookie activity (e.g. to improve the functionality of our website) does not cause a sufficient level of harm to impact children.
Well also carries out ID verification on our website to protect against children purchasing goods that could be unsafe or are specifically for adults. We will continue to robustly review processes to ensure the safeguarding of children.
Given Well’s core function is healthcare, there may be occasions where it becomes necessary to safeguard individuals, either from others or themselves. We always take any decision around sharing data of this nature with other authorities or bodies incredibly seriously, and we ensure that our internal policies also reflect this. Data protection laws are still applicable and, in serious cases, the sharing of personal data will likely be done using one or more of the following legal bases:
- Vital interests (to protect those of the data subject/s).
- Reasons of substantial public interest, which may include:
- Preventing or detecting unlawful acts.
- Protecting the public.
- Safeguarding of children and individuals at risk.
- Safeguarding of economic well-being of certain individuals.
We also have a responsibility to safeguard adults who lack mental capacity under the Mental Capacity Act (2005).
Well always weighs up the necessity of sharing any personal data for purposes above and beyond that which the data subject is already aware of and considers whether consent is an available option. Any personal data this is ultimately shared will be done so after internal consideration alongside Well’s Data Protection Officer and the Caldicott Guardian, and only the minimum amount of information is securely shared.
We may need to transfer your information outside the UK to service providers, agents, and subcontractors in countries where data protection laws may not provide the same level of protection as those in the European Economic Area. Where this happens, we agree specific safeguards and assurances in our contracts with those providers to ensure there are appropriate controls in place to protect your data. Where necessary, we also ensure we have conducted a full Transfer Risk Assessment alongside any necessary contractual obligations. This is an area of legislation that is subject to change, so we always ensure we are fully up to date with updates from the UK Government, the Information Commissioner’s Office, and the European Commission.
We will retain your personal information for as long as we are legally or contractually required to do so, or for a period which is justifiable to meet our business needs. The exact retention period varies depending on the type of information and purpose for use, if you require any further information on retention periods please contact us at DPO@well.co.uk
If you have given your consent, we will contact you about the products and services we offer. Our expert pharmacists also produce advice, tips and useful information to help keep you healthy, which we may send to you if you have requested it.
We will send these communications to you by either email, post or both depending on what you signed up to. Every marketing communication we send will include instructions on how to opt-out. At any time, you can change your marketing preferences by emailing DPO@well.co.uk or sending a letter to: Data Protection Officer, Well Pharmacy, Merchants Warehouse, Castle Street, Manchester, M3 4LZ.
The marketing we send to you may be tailored to make it more relevant. This is done by analysing the data we hold on you (e.g. services previously used, age, address, previously stated health and wellbeing interests) to create a profile. If you want to receive marketing from us, but do not want this to be tailored then you can object to the profiling as described under "What are your privacy rights and how can you exercise them?". Alternatively, unsubscribing from marketing will also cease the profiling activity we conduct.
If you have consented to marketing, you may also receive adverts from us online and on social media. We send pseudonymised data to companies such as Facebook and Google to do this. This means we send the data in a way that only the intended end user (e.g. Facebook, Google) can understand. We may also use your data to build profiles and/or custom audiences. When we do this, we anonymise your data. This means we send your data to platforms (e.g. Facebook, Google) in a way that means you cannot be identified by it.
We only work with companies who take privacy as seriously as we do.
In order to deliver our services to you, it is necessary to contact you using the contact mechanisms you have given us. This may be by issuing an email to confirm your order, sending an SMS message to confirm a delivery slot, calling you to discuss an issue with your order or for other similar reasons. These communications are necessary, and we will use whichever communication method we can to ensure we provide you with the information you need. You can inform us of particular communication preferences (e.g. email rather than phone call) and we will endeavour to follow your preferred mechanism. However, we reserve the right to use any contact information we have to deliver necessary information to you.
You can make a complaint about how we have used your personal information to us by contacting our Data Protection Officer at firstname.lastname@example.org
You are also entitled to complain to the data protection supervisory authority – which in the UK is the Information Commissioner's Office (ICO). You can find their contact details at https://ico.org.uk