MyAccess Clinics Privacy Policy

Last Updated: 13 January 2021

This Privacy Policy describes how MMJ Clinic Group Limited (Company No. 11906622) (MAC UK) and any of its affiliates (collectively, we, us or our) collect and process your personal data in connection with our websites and/or services (collectively, Services).

This Privacy Policy does not apply to our employee and contractor records.

If you have any questions or concerns about our use of your personal data, please contact us using the contact details provided at the bottom of this Privacy Policy.

How we collect information

Broadly speaking, the way in which we collect personal data about you will depend on your relationship or interactions with us.

Information that you provide voluntarily

Certain parts of our Services may ask you to provide personal data voluntarily. For example, we may ask you to provide your contact details in order to book a consultation with us, to subscribe to marketing communications from us, or to submit enquiries to us. The personal data that you are asked to provide, and the reasons why you are asked to provide it, will be made clear to you at the point we ask you to provide your personal data.

Information that we collect automatically

When you access our Services online, we may collect certain information automatically from your device. Specifically, the information we collect automatically may include your internet protocol (IP) address, your login data, browser type and version, time zone setting and location and other technical information. We may also collect information about how your device has interacted with our Services, including what was accessed and the links clicked.

Collecting this information enables us to better understand the users of our Services, where they come from, and what content is of interest to them. We use this information for our internal analytics purposes and to improve the quality and relevance of our Services.

Some of this information may be collected using cookies and similar tracking technology, as explained further under the heading “Online tracking and your choices” below.

Information that we obtain from third party sources

Where possible, we collect information directly from you. However, there may be occasions where we receive information about you from third parties, such as your treating healthcare professional if you are a patient, your patient if you are a healthcare professional, or third parties with whom we have a relationship.

Information we collect and why

The table below sets out the types of personal data we collect, why we use it, and where required under applicable law, the lawful basis for processing that personal data.

Data subject categoryData typeWhy do we use this information?Lawful basis
PatientsContact information: such as your name, email, phone number, and location, and where you access our services, more detailed information such as your gender, date of birth, next of kin, insurer’s details, NHS number, national identity or passport number.To arrange a consultation, treatment or follow up with you• Performance of a contract
• Our legitimate interests
Where your healthcare professional has provided your information to us in order to arrange a consultation with us, to contact you for referral purposes• Performance of a contract
• Our legitimate interests
To contact you to participate in a survey• Consent
Medical information: such as your diagnosis and medical health historyTo arrange a consultation, treatment or follow up with you• Performance of a contract
• Our legitimate interests
Health or social care (for the provision of healthcare or treatment)
To carry out analytics and create aggregate statistics for research purposes.• Our legitimate interests
• Scientific research purposes
Payment information: such as your payment details or details of your insurerTo take payment for our services• Performance of a contract
Adverse events or special situations: information about any untoward medical occurrence in a patient or clinical trial subject administered a medicinal product, with or without an adverse eventTo enable us to contact the reporter, if necessary, to clarify the information received• Legal obligation
For submission to regulatory authorities• Legal obligation
• Health or social care (for the provision of healthcare or treatment)
Survey information: any information you provide to us as part of your voluntary participation in a survey, which could include sensitive personal dataTo carry out analysis on users of our ServicesConsent
Guardians and/or carers of patientsContact information: such as your name, email and phone numberTo arrange a consultation, treatment or follow up for the patient• Performance of a contract
• Our legitimate interests
Healthcare professionalsContact information: such as your name, email and work address (i.e. clinic details)Where your patient has provided your information to us in order to book a consultation with us, to contact you in relation to the patient’s request• Performance of a contract
• Our legitimate interests
• Health or social care purposes (for the provision of healthcare or treatment)
To participate in surveys provided by us for research purposes• Consent
Professional information: such as your professional registration number, health practitioner type, your qualification, speciality and clinic detailsTo verify your details with the relevant regulatory body• Legal obligation
• Our legitimate interests
Visitors or users of our ServicesContact information: such as name, email, telephone number, address, content of free textTo respond to your queries and requests, to register you, and/or book a consultation• Our legitimate interests
Technical information: such as internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platformTo understand how you interact with our Services, as well as our content to enable us to improve service and functionality• Our legitimate interests
Information you disclose to us: any information you disclose to us through your communications with us which may include sensitive personal dataTo respond to you including your questions in relation to our products and services• Consent
Job applicantsIdentification data: such as your name, gender, photograph, date of birth, national identifiersTo identify you as the individual applying for a role with us• Performance of a contract
• Our legitimate interests
Contact information: such as home address, telephone number, email addressTo contact you about your application to us and invite you to participate in any assessments and interviews with respect to the role you have applied for• Performance of a contract
• Our legitimate interests
Employment details: such as employment history, application for role, third party referencesTo assess your job application to us and your suitability for the role• Performance of a contract
• Our legitimate interests
Background information: such as academic or professional qualifications, education, CV, criminal records data (for vetting purposes, where permissible and in accordance with applicable law)To assess your job application to us and your suitability for the role• Performance of a contract
• Our legitimate interests
• Employment (for the assessment of your working capacity)

Lawful basis for processing

The lawful basis for processing your personal data are as follows:

  • Consent: where you have given consent to the processing of your personal data for one or more specific purposes
  • Performance of a contract: where processing is necessary for the performance of a contract with you or in order to take steps at your request prior to entering into a contract
  • Legal obligation: where processing is necessary for compliance with our legal obligations
  • Legitimate interests: where processing is necessary for a legitimate interest, and that legitimate interest is not overridden by your interests or fundamental rights and freedoms

The lawful basis for processing your sensitive personal data are as follows:

  • Health or social care: where processing is necessary for the provision of healthcare or treatment
  • Employment: where processing is necessary for the assessment of your working capacity

Special category data

Some of the information we collect and process may include sensitive personal data (also known as special category data).

Special category data is a subset of personal data that is generally afforded a higher level of privacy protection. It includes health and genetic data and data about racial or ethnic origin, political opinions, membership of a political association, religious beliefs or affiliations, philosophical beliefs, membership of a professional or trade association, membership of a trade union, sexual preferences or practices, criminal record and some types of biometric data.

We will only collect special category data where it is reasonably necessary for our functions or activities, and where we have a lawful basis to do so under applicable laws as provided for in the table above.

Scientific research and statistical reporting of pseudonymised data

As set out in the table above we may also use your information for scientific research and statistical reporting. However, we have taken a number of measures to ensure that this data is pseudonymised and cannot directly identify an individual. We only have access to your medical and treatment data for this purpose only and cannot directly identify you from this data.

Online tracking and your choices

Like many websites, we may analyse log file information and other data collected through cookies, web beacons, and other tracking technology, to collect information about your browsing behaviour when you visit our websites. This includes, for example, your browser type, domains, page views, IP address, referring/exit pages, information about how you interact with our website and with third-party links, traffic and usage trends on the service.

We use session cookies to keep you logged in while you use features of our website; these disappear after you close your browser. We also use persistent cookies, which stay in your browser and allow us to recognise you when you return to the website. We use this to remember your information, so you will not have to re-enter it, to better understand how you use our Services, to diagnose and fix technology problems, and otherwise enhance our Services. In some of our email messages, we use a “click-through URL” linked to content on our website. We track this click-through data to help us measure the effectiveness of our customer communications.

We may collect analytics data directly or through third party analytics tools (including Google Analytics) to assist us with analysing and improving our service, and measure traffic and usage trends for our products and services. These tools collect information sent by your browser or mobile device, including the pages you visit and other information that assists us in improving our Services.

Most internet browsers automatically accept cookies, but you may be able to change the settings of your browser to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit. If you set your browser to reject cookies, parts of our website may not work for you. Please note, depending on your type of device or browser, it may not be possible to delete or disable all tracking mechanisms on your device.

Your selection of the “Do Not Track” option provided by your browser may not have any effect on our collection of cookie information for analytic and internal purposes. The only way to completely “opt out” of the collection of any information through cookies or other tracking technology is to actively manage the settings on your browser or mobile device to delete and disable cookies and other tracking/recording tools. To learn more about cookies, clear gifs/web beacons and related technologies, you may wish to visit www.allaboutcookies.org.

For more information on our cookies and tracking technologies please see our Cookie Policy.

Data sharing

We may share your personal data to the following categories of recipients:

  • To your referrer where you are referred by another healthcare professional. For example, a summary of your care will be sent to your treating healthcare professional who referred you to us. Please inform us as soon as possible if you do not wish your data to be shared in this way.
  • To persons for whom we have your consent to share your personal data.
  • To our group companies for the purposes for which we are entitled to process your personal data under this Privacy Policy.
  • To third party service providers who work for us in the provision of our services and with whom we have contractual relationship. Your data may also be processed by a third party if required to deliver a service you have requested.
  • To any competent law enforcement body, regulatory, government agency, court or other third party where we believe it is necessary (i) as a matter of applicable law or regulation; (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person.
  • To an actual or potential buyer (and its agents and advisors) in connection with any actual or proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your personal data only for the purposes set out in this Privacy Policy.

We will check any third party that we use to ensure that they can provide sufficient guarantees regarding the confidentiality and security of your personal data.

We will have written contracts with them which provide assurances regarding the protections that they will give to your personal data and their compliance with our data security standards and international transfer restrictions.

Third-party sites and features

Our websites may contain links to other websites operated by third parties and may include social media features such as Facebook and Twitter buttons (such as “Like,” “Tweet” or “Pin”). These third-party sites may collect data about you if you click on a link and the social media sites may automatically record data about your browsing behaviour every time you visit a website that has a social media button. Your interactions with these features are governed by the privacy policy of the company providing the feature, not by this Privacy Policy. We do not control what data these third parties collect. Please review your privacy settings on your social media sites and think carefully before clicking on links which may take you to a third-party website.

Data security and retention

Security

We take security seriously and care about the integrity of your personal data. We use commercially reasonable physical, administrative, and technological methods to secure your personal data and protect it from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal data.

In the event that any data under our control is compromised as a result of a breach of security, we will take reasonable steps to investigate the situation and where appropriate, notify those individuals whose data may have been compromised and take other steps, in accordance with any applicable laws and regulations.

Data retention

In order to deliver our core functions and to ensure we meet our legal data protection and privacy obligations, we will retain your data for at least as long as your account is active, as needed to provide you services, as long as is needed to fulfil the purpose for which it was collected (and any other linked purpose) or as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

When we have no ongoing legitimate business need to process your personal data (as described above), we will either delete or anonymise it or, if this is not possible (for example, because your personal data has been stored in backup archives), we will securely store your personal data and isolate it from any further processing until deletion is possible.

International transfers

Personal data collected from interactions with us is stored securely within the UK.

We will not transfer data collected and stored within the UK to any country that is not recognised as ensuring an adequate level of protection, without compliance with the relevant legal or regulatory requirements. Further details on our international transfer safeguards are available on request.

Your rights

You have the following data protection rights:

  • If you wish to access ofyour personal data, you can do so at any time by contacting us using the contact details provided under the “Contact Us” section below.
  • If you wish to correct or update your personal data you can do this by using the contact details provided under the “Contact Us” section below.

Where we are the controller of your personal data, you also have the following additional rights:

  • You can request deletion of your personal data by contacting us using the contact details provided under the “Contact Us” section below.
  • You can object to processing of your personal data, ask us to restrict processing of your personal data or request portability of your personal data. Again, you can exercise these rights by contacting us using the contact details provided under the “Contact Us” section below.
  • You can opt-out of marketing communications we send you at any time by clicking on the “unsubscribe” or “opt-out” link in the marketing emails we send you. To opt-out of other forms of marketing (such as postal marketing or telemarketing), then please contact us using the contact details provided under the “Contact Us” section below.
  • If we have collected and process your personal data with your consent, you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal data conducted in reliance on lawful processing grounds other than consent.
  • You have the right to complain to a data protection authority about our collection and use of your personal data. For more information, please see the UK Information Commissioner’s Office website at https://ico.org.uk/make-a-complaint.

Where you exercise your data protection rights, our response will depend on our role as a controller or processor, our legal basis for processing and whether or not any exemptions are available under applicable privacy or data protection laws.

We respond to all requests we receive from individuals wishing to exercise their rights in accordance with applicable privacy and data protection laws. In order to comply with a request, we may ask you to identify yourself. In such a situation, we will only request information to the extent required to confirm your identity. You also have the right not to identify yourself when dealing with us where it is lawful and practicable for us to allow it. However, if you do not provide us with your personal data when requested, we may not be able to respond to your request or provide you with the Service that you are seeking.

Contact us

If you have a question, comment or complaint about how we have collected or handled your personal data, please contact our privacy officer using the contact information below and provide details of the incident so that we can investigate it.

If you are making a complaint, we will treat your complaint confidentially, investigate your complaint and aim to ensure that we contact you and your complaint is resolved within a reasonable time (and in any event within the time required by applicable law).

ukprivacy@myaccessclinics.com   

Salisbury House

Station Road, Cambridge

Cambridgeshire, CB1 2LA

United Kingdom

The Information Commissioner’s Office (ICO) is our lead supervisory authority. Where you are concerned about the collection and use of your personal data by us, you have the right to make a complaint to the ICO. For more information, please see the UK Information Commissioner’s Office website at https://ico.org.uk/make-a-complaint.

ICO Registration No:

  • MMJ Clinic Group Limited – ZA519342

Changes to this Privacy Policy

We may update this Privacy Policy from time to time in response to changing legal, technical or business developments. You can see when this Privacy Policy was last updated by checking the last updated date displayed at the top of this Privacy Policy. You should check our website frequently to see any recent changes. Unless otherwise stated, our current Privacy Policy applies to all information that we have about you. We will not materially change our policies to make them less protective of personal data collected in the past without the consent of those affected.