Doctor Care Anywhere Privacy Policy

Welcome to the DCA Privacy Policy, which contains essential legal information informing you of how we process your personal data.

At DCA we have one purpose, to improve people’s lives. We do this by providing the highest quality healthcare, which is truly affordable, through our beautifully designed and easy to use technology.

Your personal data is central to us delivering quality healthcare and we are passionate about keeping it safe and protecting your privacy. We comply with the General Data Protection Regulation ("GDPR") and relevant implementing legislation and always challenge ourselves to be better, putting you, our patients, first and foremost.

This Privacy Policy explains how we use your personal data, to deliver our healthcare services and products to you from DCA or one of our brands, so that you can make informed choices and be in control of your personal data. This Privacy Policy also governs the use of your data through DCA’s websites and Apps (the “Platform”).

Please take some time to understand this Privacy Policy, which must be read in conjunction with our Terms and Conditions, which can be found here. It is important that you read this Privacy Policy together with any other fair processing notice that we may provide to you on specific occasions when we are collecting or processing personal data about you, so that you are fully aware of how and why we are using your data. This Privacy Policy supplements other privacy notices and is not intended to override them.

Changes to this Privacy Policy and your duty to inform us of changes to your personal data

We regularly review this Privacy Policy. We may update this Privacy Policy from time to time, and notify you if we make any material changes. This version was last updated on 1st April 2022. Historic versions can be obtained by contacting us. By continuing to use our products and services after you’ve received notification of material changes, you are agreeing to the updated Privacy Policy.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

Third party links

Our Platform may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their use of your personal data. When you leave our website, we encourage you to read the privacy policy of every website you visit.

What this Privacy Policy covers

This Privacy Policy covers the following areas. Click on each to find out more.

Who is Doctor Care Anywhere

Our healthcare services and products are delivered by:

Doctor Care Anywhere Limited and
Doctor Care Anywhere Ireland Limited;

Using our technology delivered by:

DCA Innovation Ltd.

which form part of the DCA Group PLC group companies ("DCA Group").

The registered office of the DCA Group is: Second Floor, Harmsworth House, 13-15 Bouverie Street, London, EC4Y 8DP.

Our healthcare services operate under the following brands:

Doctor Care Anywhere
Doctor@Hand
Perkbox Medical
Nuffield Health Virtual GP
Health Tracking from Doctor Care Anywhere.

Controller

When this Privacy Policy talks about ‘Doctor Care Anywhere’, ‘DCA’, ‘we’, ‘us’ or ‘our’, it means Doctor Care Anywhere Limited and Doctor Care Anywhere Ireland Limited, who act as joint controllers in relation to your personal data. Your relationship is with DCA, who is responsible for your personal data that is processed in connection with our healthcare services and products. We provide your personal data to other companies in the DCA Group who are data processors of your personal data, acting under instruction of DCA.

Contact details

We have appointed a Data Protection Officer ("DPO") who is responsible for overseeing questions in relation to this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact the DPO using the details set out below.

By email: DPO@doctorcareanywhere.com
In writing: Data Protection Officer, Doctor Care Anywhere Limited, Second Floor, Harmsworth House, 13-15 Bouverie Street, London, EC4Y 8DP.

You have the right to make a complaint at any time to a data protection supervisory authority.

In the UK this is the Information Commissioner’s Office ("ICO") ww.ico.org.uk
In Europe this is the Irish Data Protection Commission ("DPC") www.dataprotection.ie.

We ask that you please attempt to resolve any issues with us before contacting the ICO or the DPC.

What we use your personal data for

How we use your personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

where we need to perform the contract;
where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests; and
where we need to comply with a legal obligation.

These circumstances are known as 'lawful bases’ and we explain these in more detail below.

Performance of a contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract with you.

Legitimate interests means the interests of our business in conducting and managing our business, to enable us to give you the best service/product and the most secure experience. We make sure we consider your rights and balance any potential impact on you (both positive and negative) before we process your personal data for our legitimate interests. We do not process your personal data for our legitimate interests where your rights or interests override ours. You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us (see contact details in section Who is Doctor Care Anywhere).

Compliance with a legal obligation means processing your personal data where it is necessary to ensure we comply with a legal obligation that we are subject to.

Purposes for which we will use your personal data

We have set out below a description of the purposes for which we use your personal data, and which of the lawful bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Providing you our healthcare service:

Purpose / Activity	Lawful Basis
We obtain and use your and your eligible under 18 family members personal data to manage your entitlements, establish and deliver our contract with you, to register you and your under 18 family member as a patient and administer patient records and personal data.	Performance of contract
We verify your identity and where applicable, your parental responsibility for any under 18 family member you add to your account.	Legal obligation / Performance of contrac
We obtain either directly from you, or a national electronic database, such as the NHS Personal Demographic Service, your healthcare number and current GP practice.	Performance of contract
We ask you to provide the name and contact details of an emergency contact that we process in order to protect your safety during an emergency.	Your consent / vital interests
We collect your financial information to verify and carry out financial transactions in relation to payments you make online.	Performance of contract
You provide the name and contact details of over 18 adults you invite to be members of your policy, which we may contact with instructions on how to register to become a patient.	Legitimate interests
We obtain and use your medical data as this is necessary for us to deliver effective and safe healthcare services to you.	Performance of contract
We are required to maintain a detailed record of the medical care you receive. It also allows our medical professionals to safely provide future care based on your medical history.	Legal obligation
We record all audio and video conversations with our medical professionals and patient experience team. This is so we have a record of the conversation, so we can audit and monitor the quality of service being delivered to you, for your safety and our regulatory and compliance obligations. Where a recording does not contain medical information, we may also use it for training and service improvement, after removing all your personal identifiers.	Performance of contract
Your personal and medical data may be used when we audit and monitor your information and our doctors delivering the service to you, to ensure quality of service, for your safety, our regulatory and compliance obligations.	Performance of contract
During an emergency, your personal data may be given to the emergency services and your emergency contact.	Your consent / vital interests
We send your personal data to your chosen pharmacist, enabling your medication to be dispensed to you.	Performance of contract
We may also share, with your explicit consent, relevant medical data in a referral approval request to your private medical insurer to process your claim and find an appropriate specialist.	Your consent
Your personal and medical data may also be shared between DCA and other healthcare professionals as necessary for the provision of your care, such as your GP, hospitals, diagnostic centres and secondary care specialists.	Your consent
Your personal data may also be shared between DCA and your Healthcare Scheme in order to facilitate the processing of a Healthcare Scheme regulatory complaint. This ensures that you receive all of your rights under the relevant regulation.	Performance of contract
We obtain data about your location during an appointment to ensure your safety, and our ability to seek help from emergency services if required. We also obtain location data to help you select your medical practitioner and direct you to your nearest pharmacy. We may derive your approximate location from your IP address.	Performance of contract
Ask for your feedback about our products and services.	Legitimate interests
Our patient experience team will use your personal data to communicate with you and help you in the best possible way.	Performance of contract
Where you receive our service as part of a benefit, we may share your data such as benefit ID, name, date of birth, email and postal address with your healthcare scheme to verify your eligibility, the fact you have registered, for billing or if either you or DCA terminate your relationship with us and the reason why. No medical data will be shared with your healthcare scheme without your explicit consent.	Performance of contract

Keeping you up to date:

Purpose / Activity	Lawful Basis
We use your email address to send you activation instructions for the Platform to enable you to activate your benefit.	Performance of contract
We send important transactional communications to you by email, text message and / or push notifications, such as when you have successfully activated, reminders about a booked appointment, triage messages from our doctors and confirmation when medical notes, prescriptions, fit notes, referrals or diagnostic results are ready to be viewed on the Platform.	Performance of contract
We use your email address to send you the occasional engagement email to promote our service where you have not opted out of receiving such communications. You can unsubscribe or opt out from your communication settings on the Platform at any time.	Legitimate interests
From time to time we may use your personal data to email, phone, post or push notify information to you about other offers and services, where you have consented to this type of communication. You can opt in or out at any time from your communication settings on the Platform	Consent

Research and analysis:

Based on our legitimate interests in managing our business and improving the Platform and services:

Purpose / Activity	Lawful Basis
We use medical data to conduct research to improve healthcare, our products and our services, so we can deliver better healthcare to you and other DCA patients. Personal identifiers such as your name, email, address and phone number are always removed.	Legitimate interest
Your personal data may be used to analyse your use of our products, services and troubleshoot bugs and defects within the Platform.	Legitimate interests
We learn how you use the Platform to improve the features, layout and content.	Legitimate interests
We monitor the demand and trends of our products and services to enable us to capacity plan.	Legitimate interest
We carry out research on our user demographics.	Legitimate interest
Aggregated and anonymised data may be shared with your healthcare scheme.	Legitimate interest

Sometimes we need to use your personal data to:

Purpose / Activity	Lawful Basis
Co-operate with our regulators, such as the Care Quality Commission, General Medical Council and the Information Commissioners Office, or the Data Protection Office.	Legal obligation
Comply with a legal obligation, such as a court order.	Legal obligation
Deal with disputes and legal claims.	Legal obligation
Appropriately respond to any risk to public health.	Public task
Send your personal and medical data to an insurance company, as per your instructions and those of your insurer acting on your behalf.	Your consent

If you fail to provide personal data or keep it up to date:

Where we need to process personal data to comply with the law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to provide our products / services to you. We may be required to cancel a product or service, however, we will notify you if this is the case at the time.

DCA takes reasonable steps to ensure that the personal data we hold about you is accurate and up to date. However, you have overall responsibility to provide us with correct data and keeping this up to date on the Platform. DCA has no responsibility and does not accept any liability for incorrect data entered by you in the case of your information being sent to the locations you have specified.

What data we hold and how we get it

We collect and use the following categories of data about you, which forms part of your patient record on the Platform.

Identity data:

When you register with us you will complete forms on the Platform and provide personal data about you, such as your name, date of birth, email address, postal address, telephone number, profile photo, and healthcare number.
We also validate your identity with the information you supply and where you also provide copy of your identity documentation. Identity verification is carried out by our digital verification partner(s) or our in-house patient experience team, who are subject to a duty of confidentiality. Your live photo will be used as your profile photo to ensure the ongoing security of your account.
If you register your under 18 family member, you will also provide their personal details along with proof of your parental responsibility.
When you invite an over 18 adult to your policy, you will provide their name, email and date of birth.
We collect the name and contact details of your emergency contact from you, to ensure we can reach someone in the event of an emergency. For example, if you were to pass out during an appointment with our doctor.
When you contact us, for example by email or phone, we will store information about you and details of the communication, including the phone number you called us on. Calls to our patient experience team are recorded (we explain our reasons for this in more detail in What we use your personal data for).
When you respond to research and surveys, we collect and store your responses.

Medical data:

You are under no obligation to share your medical data with us, however, should you choose to withhold requested information, we may not be able to provide you with certain services.

You can update your medical record on the Platform with your medical data. Once one of our doctors has confirmed these with you in an appointment, they will become a permanent part of your medical record.
When you book an appointment, you will provide medical data such as your health concern, answers to our triage questions and a description of your symptoms along with your consent to share your personal data with your GP.
When you use our healthcare services, our doctors will use your personal and medical data to add to your patient record. This includes data such as health concerns, general information about your health, symptoms, medical history, family history, allergies, social history, measurements, doctors' opinions, diagnoses, prescribed medications, fitness notes and onward referrals.
Data which you upload, such as photos and medical documents, may become a permanent part of your medical record, as determined by our doctors. When a doctor determines the upload is not required in the permanent record, it will be clearly described in the record and the upload will be deleted.
Following phlebotomy, cardiology and imaging diagnostic tests, your results will be stored, and a medical report will be prepared by a DCA specialist.
Recordings of your appointment (video and audio and audio-only) are retained in the Platform. This is to ensure we can audit and monitor our doctors delivering the service to you to ensure the quality of our service, for your safety, and to meet our regulatory and compliance obligations. Recordings are stored securely in accordance with our retention policy (see further information in How long we keep it).
When you use our medical tracking app, you provide your personal and medical data you wish to track.
We may also capture information about you and your health from other apps, devices and services, where you have consented to the data being shared with us. For example, medical data collected from your smart watch.

Financial data:

If you use one of our pay as you go or subscription services, your debit/credit card details are processed by a third-party processor that will store all payment and transaction data on their secure servers. We do not store your debit/credit card number on the Platform.

Technical data and analytics:

Your log in details and password are stored securely. You are responsible for maintaining your password to protect your account and we advise you to make use of security controls which are available to you.
Data from your activity on the Platform will be collected where we have your consent to do so, including your IP address, location (based on IP address), login information, operating system, device model, version, time zone, browser, language and mobile phone carrier.
Data such as how you use the Platform, the services you select, when you last logged on and how you interact with the Platform (such as button clicks).

Cookies:

We also use 'cookies'. Cookies are files saved on your devices such as computer, phone or tablet when you visit a website. They collect information about how you use the website and the pages you visit. We do not use cookies on your medical or health information. You can determine what cookies we collect and find out more about how we use cookies in our Cookie Policy, which you can access here.

Information from third parties:

Where you receive our service as part of a benefit, we collect from your healthcare scheme and store your personal data to enable you to activate on the Platform and manage your entitlement(s). This may include your benefit/membership ID, name, date of birth, email, postal address and personal data about your family members who also receive the benefit.
Your healthcare number and regular GP practice may be collected from a database such as the NHS Personal Demographic service.
Where applicable, your private medical insurance will send us the status of a claim and information about your specialist appointment, for a referral we have made.
We may receive data from other healthcare professionals about your care. For example, if you have diagnostic tests, the results will be returned. Or following a referral into specialist care, we receive the report from the specialist.

Who your data is shared with

Your privacy is paramount to us, so we only share your data when it is necessary and lawful to do so as described below. We require any party who we share your data with to respect the security of your data and to only process it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our written instructions.

We may share your personal data within the DCA Group. This ensures we can effectively deliver the services to you.
We may share your personal data with other companies we have contracted with to deliver parts of our service on our behalf. These companies either act as data controllers in their own right or as data processors acting on our behalf, as instructed by us and are governed by a contract in accordance with Article 28 GDPR. In such circumstances they are bound by strict confidentiality and security provisions.
- NHS Digital: for UK patients, your personal data as part of the verification process to obtain your healthcare number and as necessary during your contract with us to identify your current NHS GP practice for clinical safety purposes.
- Identify verification partner Onfido Limited: your personal data and verification documents will be shared for the purpose of verifying your identity. By accepting this Privacy Policy, you agree to be bound by Onfido’s Privacy Policy and Terms of Service, and for patients from the United States their Facial Scan Policy And Release
- Video, telephone, text and email partners: Some data from video, phone, text and email communications may be temporarily stored on servers located outside of the United Kingdom, European Union and European Economic Area, while the communication is occurring and while we transfer recordings from their system to your patient record. All partners are bound by a contract with us which incorporate the Standard Contractual Clauses (see more detail on this under 'International transfers' in section 2.4 below).
- Payment provider: Your financial information is securely shared directly with our payment provider, Stripe. You will be providing your email address and your credit or debit card information directly to “Stripe”, a company located in the USA and which operates a secure server to process payment details, encrypting your credit/debit card information and authorising payment. We do not store your debit/credit card number on the Platform.
We share your medical data with our doctors (all of whom are registered with the UK General Medical Council and/or Irish Medical Council), securely via the Platform. This enables them to assess your health conditions, advise you appropriately, and deliver the services that you request (in accordance with our Terms and Conditions). Our doctors are trained and registered in the UK and Ireland, but occasionally deliver appointments from outside of UK, EU and EEA.
For the purposes of user and medical research, we occasionally partner with third party organisations to combine medical data and insights. Personal identifiers such as your name, email, address and phone number are always removed.
Subject to your rights as set out in this policy, in the event that we undergo re-organisation or are sold to a third party, you agree that any personal information we hold about you may be transferred to that re-organised entity or third party.
We may also need to disclose your personal information if required to do so by law or if we believe that such action is necessary to prevent fraud or cyber-crime or to protect the Platform or the rights, property or personal safety of any person.

Healthcare providers:

We will, where it is necessary for the provision of your care and safety, share your personal and medical data with other healthcare providers, such as your GP, pharmacists, hospitals, pathology and imaging centres, secondary care specialists and emergency services. These providers may use your contact information to contact you about your care or medication.

Healthcare scheme:

Where you receive our service as part of a benefit via a healthcare scheme, we may share your data such as benefit ID, name, date of birth, email and postal address with your healthcare scheme to verify your eligibility, the fact you have registered, for billing or if either you or DCA terminate your relationship with us and the reason why. No medical data will be shared with your healthcare scheme without your explicit consent.
Following a referral, we may also share where applicable, with your explicit consent, relevant medical data in a referral approval request to your private medical insurer.
Following a specialist referral with diagnostic investigations as a benefit, we may also share where applicable, with your explicit consent, information appropriate to your insurance claim and operational care journey.
Following a Healthcare Scheme Complaint, dependent on the nature of the complaint, we may also share relevant data such as your Healthcare Scheme membership number, name, contact information and summary of complaint, to enable the Healthcare Scheme to meet their regulatory requirements.

Anonymised information:

We may disclose anonymous, aggregate statistics about visitors to the Platform, users and sales in order to describe our services to commercial partners, prospective partners, investors, advertisers, sponsors and other reputable third parties and for other lawful purposes, but these statistics will not include your personal data.

International transfers:

Whenever we transfer your personal data out of the UK and/or EEA, we ensure a sufficient degree of protection is afforded to it by ensuring the transfer is either to a country deemed adequate by the ICO or European Commission or subject to appropriate safeguards (Such as Standard Contractual Clauses and binding corporate rules).

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK and EEA.

Where your data is stored

Your data is stored in the UK and EEA, in secure data centres. We do not store your data on your device (e.g. PC, Laptop, Mac, Tablet or Phone) or that of our healthcare professionals.

Occasionally your data is processed on servers outside of the UK and EEA as described in this Privacy Policy. We ensure your personal data is protected in such circumstances by complying with transfer mechanisms as prescribed by the GDPR (see more detail on this under 'International transfers' in section 2.4 above).

How long we keep it

We will only retain your personal data for as long as is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Details of retention periods for different aspects of your personal data are set out below.

GP patient records:

We retain your medical records in accordance with the current legal requirements and professional best practice.

GP patient records, including recordings and communications, are retained for up to 10 years after the death of the patient.

Patient experience telephone recordings:

Recordings of telephone calls to our patient experience team are stored for 12 months to assist us with the monitoring of our service, the training of our staff and to assist with any claims or complaints.

Verification identity documents:

As your identity documents are only required for your initial verification, and in recognition of their sensitivity, they are only retained for 60 days.

If you have not used the service:

If you have registered and are no longer receiving the service as a benefit and have never used the service, no medical data would have been created for you. We will retain your personal data for up to 7 years.

If you have been invited by a family member but never activated your service with us, we will retain your personal data for up to 2 years.

If you have been invited by a healthcare scheme, never activated and are no longer eligible to receive the service, we will retain your personal data for up to 2 years following your last eligible date.

Security of your personal data

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable supervisory authority of a breach where we are legally required to do so.

We have adopted the following measures:

All data is encrypted whether it is in transit over the internet from our servers to your device or stored on our secure servers. We use Advanced Encryption Standards.
In line with best practice, we regularly test our system with penetration test partners, who simulate cyber-attacks on our system. This ensures our security is robust and continues to protect your data against the latest threats.
You will secure your account with a password and on valid devices you can also choose to use a pin or your biometric details, such as your registered fingerprint or face. We enforce a minimum standards for passwords to ensure they meet a certain level of strength. It is your responsibility to keep your password / pin to your device safe and confidential.
To enable the smooth operation on mobile devices, you can opt to keep yourself logged in after the application is closed. This will last for 2 minutes before you will be asked to log in again.

Your rights

You have specific rights under the GDPR, as set out below.

Access your information

Most information we hold about you is in your patient record, accessible from the Platform. However, you have the right to submit what is known as a ‘data subject access request’, which enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Rectify incorrect information

If you believe that any of your data is incorrect, you can ask us to rectify it. We make sure to do so if this is the case, however, we may need to verify the accuracy of the new data you provide to us.

Erase your information

This enables you to ask us to delete or remove personal data where there is no lawful basis for us to continue to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below). Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. In particular, our obligation under law to retain GP patient records means we cannot erase your medical record. If you have not created any medical information, your request will be reviewed and upheld where possible.

Object to our processing of your personal data

You can do this where we are relying on legitimate interests to process your data and you wish to object to such processing as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes.

Restrict further processing of your data

This enables you to ask us to suspend the processing of your personal data in the following scenarios:

if you would like us to verify it is accurate;
where the data has been processed unlawfully, but you do not want us to erase it;
where you need us to hold the data even if we no longer require it to establish, exercise or defend legal claims;
you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.

Request transfer of your data to you or to a third party

Your data will be provided in a structured, commonly used, machine-readable format. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability. Note that this right only applies to information you have provided to us.

Withdraw your consent at any time

This is applicable where we are relying upon your consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Automated decision making

If we use your personal data for the purposes of automated decision-making (a decision solely by automated means without any human involvement) and those decisions have a legal (or similarly significant effect) on you, you have the right to challenge to such decisions under the GDPR. You may request human intervention, express your point of view, and obtain an explanation of the decision from us. This right does not apply in the following circumstances:

where the decision is necessary for the entry into, or performance of, a contract between DCA and you;
the decision is authorised by law; or
you have given your explicit consent to such processing.

Profiling

Where DCA uses your personal data for profiling purposes (automated processing of personal data to evaluate certain things about data subjects), the following shall apply:

clear information explaining the profiling will be provided, including its significance and the likely consequences;
appropriate mathematical or statistical procedures will be used;
technical and organisational measures necessary to minimise the risk of errors and to enable such errors to be easily corrected shall be implemented; and
all personal data processed for profiling purposes shall be secured in order to prevent discriminatory effects arising out of profiling.

Exercising your rights

If you wish to exercise any of the rights set out above, please contact us using the details set out in Who is Doctor Care anywhere.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Response time

We try to respond to all legitimate requests within one month of receiving the request. Occasionally, it may take us longer if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

This version was last updated on 1st April 2022.