Privacy Notice

Hampstead Heath Pharmacy, Travel Health & Vaccination Clinic
(Preentree Ltd – registered in England and Wales)

35 South End Road, London, NW3 2PY
Tel/Fax: 020 7435 7075 |
www.hhpharmacy.co.uk |
info@hhpharmacy.co.uk

This Privacy Notice explains how we collect, use, and protect your personal data in accordance with the
UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Further information about your data privacy rights can be found on the Information Commissioner’s Office (ICO) website:
www.ico.org.uk.

1. Who We Are and Our Role

Hampstead Heath Pharmacy, Travel Health & Vaccination Clinic (Preentree Ltd) is the data controller
for the personal data we collect and use in the course of providing our pharmacy, travel clinic, vaccination,
and other healthcare services.

If you have any questions about this notice, or about how we use your information, you can contact us using the
details above.

2. The Information We Process

We process personal data so that we can provide you with safe and effective healthcare services. This includes:

Basic details such as your name, date of birth, address, email address, and telephone number.
Details of your prescription medicines and medicines supplied to you, including NHS and private prescriptions.
Information about the services we provide to you, such as:
NHS and private pharmacy services, travel health consultations, vaccination and immunisation services,
blood tests and other clinic services, and any advice or information given.
Relevant health information you provide or that is shared with us by other healthcare professionals
(for example, medical history relevant to your medicines, allergies, vaccination history, and test results).

Much of the information we process is classed as special category data, because it relates to your health.

3. How We Obtain Your Information

We receive information about you in several ways, including:

Directly from you, for example when you visit the pharmacy, use our travel clinic or vaccination services, or contact us by phone or email.
From your GP practice and other NHS organisations, when this is necessary for your care.
From third parties involved in your care, such as other healthcare professionals, laboratories, and
commissioners or organisations who have arranged health services for you.
From our website (for example, if you use online forms or booking systems) and any online services we provide.

4. Why We Process Your Data (Legal Bases)

We process your personal data for the following purposes and on the following legal bases:

4.1 Provision of Healthcare and Pharmacy Services

For NHS pharmacy services, we process your personal data because it is necessary to perform a task in the
public interest and in the exercise of official authority (providing NHS healthcare services), and to
comply with our legal obligations.

For private services (such as our travel health and vaccination clinics, private prescriptions, and private tests),
we process your data because it is necessary for the performance of a contract with you or to take
steps at your request before entering into such a contract, and for our legitimate interests in running
a safe and effective healthcare service where these interests are not overridden by your rights.

When we process information about your health (special category data), we rely on the condition that processing is
necessary for the purposes of medical diagnosis, and the provision of health or social care or treatment, or the
management of health or social care systems and services, in accordance with UK GDPR Article 9(2)(h) and the
Data Protection Act 2018.

4.2 Communications and Queries

If you contact us with a query, we will use your contact details and any information you provide so that we can
respond. This is usually based on our legitimate interests in providing you with information about our services and
dealing with your request.

4.3 Management, Governance and Regulatory Requirements

We also process limited information to manage and improve our services, meet our regulatory obligations, and
demonstrate that we provide safe and effective care. This includes:

Audit, quality improvement, and clinical governance activities.
Responding to complaints, incidents, and safeguarding concerns.
Meeting legal and regulatory requirements set by bodies such as the NHS, GPhC, MHRA, and the ICO.

5. How We Use and Share Your Information

We use your information to:

Provide pharmacy and clinical care to you.
Dispense your medicines and provide advice on their safe and effective use.
Deliver travel health assessments, vaccinations, and other clinic services.
Arrange and report on tests and investigations where these are part of your care.

Where appropriate and necessary for your care, we may share information with:

Your GP practice and other NHS or private healthcare professionals involved in your care.
NHS organisations such as NHS England and the NHS Business Services Authority, and Local Authorities where required.
External laboratories and clinical service providers when they carry out tests or services you have agreed to,
and who act as independent controllers or processors under appropriate agreements.
Our IT system suppliers and service providers (for example, patient medication record systems, secure email providers,
booking platforms, and AI documentation providers) who act as data processors on our behalf under written contracts,
and who are required to keep your information secure.
Auditors, regulators, and other official bodies where we are required to share information by law.

We will never pass, sell, or share your personally identifiable data with third parties for marketing
purposes. We only share your information when it is necessary for your care, required by law, or where you have
specifically given us your consent to do so.

6. AI-Assisted Documentation

To help our clinicians focus on you during your consultation, we may use AI-assisted documentation tools, such as
Tandem Health, to help draft consultation notes.

When this is used, and with your agreement at the start of the consultation, audio from the consultation is processed
securely to create a written summary for your record. The clinician always reviews and confirms the final notes.

The legal basis for this processing is the same as for your care: it is necessary for the provision of health care and the
management of health services, and for processing special category data under Article 9(2)(h) UK GDPR.

Our AI provider processes data under strict contractual terms and healthcare-grade security standards. Patient data is
processed and stored within secure European data centres, audio is not retained longer than necessary to create the
written notes, and your data is not used to train AI models.

You can opt out of AI-assisted documentation at any time by telling your pharmacist or clinician, and this will not affect
the care you receive. In that case, we will make notes using our usual manual processes instead.

7. International Transfers

If we ever need to transfer your personal data outside the UK (for example, where one of our IT or technology providers
is based overseas), we will ensure that appropriate safeguards are in place in accordance with data protection law,
such as adequacy regulations or approved standard contractual clauses. You can contact us for more information about
these safeguards.

8. Data Retention and Security

We keep your information for as long as is necessary for the purposes described in this notice and in line with
applicable NHS and professional records management and retention guidelines.

Different types of records are kept for different periods (for example, prescription and dispensing records,
vaccination records, and clinic records). Further details of our retention periods are available on request.

We take the security and confidentiality of your information very seriously. Access to your information is restricted
to staff and contractors who need it to perform their roles and who are subject to confidentiality obligations.

If you email us, please be aware that while we take steps to keep our systems secure, no data transmission over the
internet can be guaranteed as 100% secure. You transmit information to us at your own risk.

9. Your Rights

Under UK data protection law, you have a number of rights in relation to your personal data, including the right to:

Request a copy of the information we hold about you.
Ask us to correct any information you believe is inaccurate or incomplete.
Object to certain types of processing, for example where we are relying on legitimate interests.
Ask us to erase your information or to restrict how it is used, in certain circumstances.
Ask for certain information you have given us to be provided to you or another organisation in a structured, commonly used and machine-readable format (data portability), where the legal basis and technical conditions allow.

Some of these rights are subject to limitations in a healthcare context, for example where we are required to keep
records for legal, regulatory, or patient safety reasons. If you would like to exercise any of these rights, please
contact us using the details at the top of this notice.

10. NHS National Data Opt-Out

You may choose to opt out of the NHS using your confidential patient data for wider planning and research purposes.
You can manage your choices and access this service via the NHS National Data Opt-out programme:

https://digital.nhs.uk/services/national-data-opt-out
.

11. Cookies and Our Website

Our website may use cookies and similar technologies to make the site work, to understand how it is used, and (where
applicable) to improve our services. Some cookies are essential for the site to function; others are optional.

For more information about the cookies we use and how to manage your preferences, please see our separate
Cookie Policy.

12. Automated Decision-Making

We do not make decisions about you based solely on automated processing (including profiling) that produce legal effects
or similarly significant effects for you. If this ever changes, we will update this notice and explain your rights in
relation to such processing.

13. Contact and Complaints

If you have any questions or concerns about how we use your information, or if you wish to exercise your rights,
please speak to us in the pharmacy or contact us using the details above.

Our designated Data Protection Officer is:

Kamlesh Patel
Hampstead Heath Pharmacy, Travel Health & Vaccination Clinic (Preentree Ltd)
35 South End Road, London, NW3 2PY

If you remain unsatisfied with how we have handled your personal data, you have the right to lodge a complaint with
the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
www.ico.org.uk

Last Updated: March 2026

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.