Qrystal Pharmacy
Privacy Policy

How Qrystal Pharmacy collects, uses, shares, and protects your personal information — including health data — under the UK GDPR and the Data Protection Act 2018.

Last updated: 6 May 2026

1. Introduction

Qrystal Pharmacy ("we", "us", "our") is a community pharmacy registered with the General Pharmaceutical Council (GPhC) and authorised to provide NHS and private clinical services. This policy explains how we handle the personal and health data of patients, website visitors, and care-home partners.

We are the data controller for personal information you provide to us. Our registered address and contact details are at the foot of this policy.

We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the NHS Data Security and Protection Toolkit. Where any term in this policy conflicts with those laws, the law prevails.

2. What information we collect

The information we hold depends on what you ask us to do. We may collect:

Personal identifiers

  • Name, date of birth, sex
  • Postal address, email address, phone number
  • NHS number (where applicable)
  • Photograph (only where you provide one for verification)

Health and clinical information

  • Prescriptions issued by your GP or other prescribers
  • Medication history, allergies, and adverse-reaction notes
  • Symptoms or concerns you share during a consultation
  • Results of clinical tests we perform (e.g. blood pressure, COVID/flu vaccinations)
  • Pregnancy or maternity status (where relevant to clinical care)

Service-and-payment information

  • Booking and consultation history
  • Prescription-charge declarations and exemption codes
  • Records of services we have provided to you
  • Payment details for private services (we do not store card numbers — these are handled by our payment processor)

Website information

  • Pages you view, links you follow, and approximate location (city-level)
  • Device, browser, and screen-size information for accessibility and performance
  • Cookies — see our Cookie section below

3. Why we use your data — and our lawful basis

We process your information for specific purposes, each with a lawful basis under UK GDPR Article 6 and (for health data) Article 9.

To provide pharmacy services to you

Article 6(1)(b) — performance of a contract; Article 6(1)(c) — legal obligation under the Medicines Act 1968; Article 9(2)(h) — provision of health or social care. This covers dispensing prescriptions, conducting consultations, and providing NHS-commissioned services.

For NHS pharmacy services

Article 6(1)(e) — public task carried out under NHS legislation; Article 9(2)(h) — provision of health or social care. Includes Pharmacy First, the NHS Pharmacy Contraception Service, vaccination programmes, and the Electronic Prescription Service (EPS).

To meet legal and regulatory duties

Article 6(1)(c) — legal obligation. Includes record-keeping for the GPhC, MHRA reporting (suspected adverse drug reactions, controlled drugs), HMRC, anti-money-laundering, and CQC where applicable.

To improve our website and services

Article 6(1)(f) — legitimate interests of running an effective pharmacy website, balanced against your rights. We use anonymised analytics; we never use your health data for marketing.

Marketing, with your consent

Article 6(1)(a) — consent. If you opt in to our newsletter or service updates, we'll only contact you for those purposes. You can withdraw consent at any time.

4. Who we share your data with

We share information only where necessary to provide your care or where the law requires it. Recipients may include:

  • Your registered GP — to keep your medical record up to date and to coordinate care (with your consent for non-NHS-commissioned services).
  • NHS England and the NHS Business Services Authority (NHSBSA) — for prescription processing, payment, and prescription-charge verification.
  • NHS England's Spine — to register pharmacy nominations and to send/receive electronic prescriptions.
  • Other clinicians involved in your care, such as a specialist clinic we refer you to.
  • Regulatory bodies — the GPhC, CQC, MHRA, ICO, HMRC, and law-enforcement agencies where there is a lawful basis to do so.
  • Our IT and clinical-system suppliers, who act as data processors under written contracts and the NHS Data Security and Protection Toolkit.
  • Our delivery partners (London courier services), who only see the minimum information needed to deliver your medication safely.

We never sell your data, and we do not share it for marketing purposes outside our own services.

5. Cookies and analytics

Our website uses a small number of cookies. Strictly necessary cookies (which keep you signed in to forms, remember language preferences, etc.) are set automatically because the site cannot function without them. We do not use third-party advertising cookies.

We may use privacy-respecting analytics to understand which pages are useful and where the site can be improved. We do not link analytics data to any individual patient record, and IP addresses are anonymised before storage.

You can disable cookies in your browser settings. If you do, some features of the site (such as form auto-fill) may not work as expected.

6. How we keep your data secure

We follow the NHS Data Security and Protection Toolkit — you can view our current Toolkit submission on the NHS DSPT register. Practical safeguards include:

  • Encryption in transit (TLS) for all web traffic and clinical-system connections.
  • Role-based access control — only the team members who need to see your data can do so.
  • Audit trails on dispensing, consultations, and EPS prescription receipts.
  • Smartcard authentication for staff accessing the NHS Spine.
  • Regular staff training on information governance, confidentiality, and the Caldicott principles.
  • Physical security of paper records (locked, time-limited retention).

7. How long we keep your data

We retain records for the periods set by NHS England, the GPhC, and applicable law:

  • Clinical records (consultations, vaccinations, NHS-funded services): 8 years from the last entry, or to age 25 for under-18s.
  • Prescription dispensing records: at least 2 years (NHSBSA requirement).
  • Controlled-drug register entries: 7 years.
  • Booking and contact records (non-clinical): typically 2 years.
  • Marketing-consent records: until you withdraw consent, plus 2 years.

After the retention period we securely delete or fully anonymise records.

8. Your rights

Under UK GDPR you have the right to:

  • Be informed about how we use your data (this policy).
  • Access a copy of the personal information we hold about you (Subject Access Request).
  • Have inaccurate information corrected.
  • Have data erased, where there is no overriding legal duty to keep it.
  • Restrict or object to certain processing.
  • Data portability for the information you provided to us.
  • Withdraw consent at any time, where consent is the lawful basis.
  • Not be subject to solely automated decision-making with significant effects (we do not do this).

To exercise any right, email us at the address below or write to our registered office. We respond within one calendar month.

9. International transfers

Your data is stored on servers in the UK or the European Economic Area. Where a supplier necessarily processes data outside this region, we use the UK Information Commissioner's International Data Transfer Agreement and equivalent safeguards to ensure your information remains protected to UK GDPR standards.

10. Complaints

If you have a concern about how we handle your data, please contact our Information Governance lead via the details below. We will investigate and respond within 30 days.

If you remain unhappy, you can complain directly to the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113. You always have the right to escalate without contacting us first.

11. Changes to this policy

We may update this policy when our services, regulations, or technologies change. The "Last updated" date at the top of the page reflects the latest revision. We won't reduce your rights without contacting you first.

12. Contact us

Information Governance Lead, Qrystal Pharmacy, 301 Borough High Street, London SE1 1JH.

Phone: 020 7403 2237. Email: Pharmacy.FCR97@nhs.net.