Privacy Policy

The Clinisupplies Group is an experienced healthcare organisation and among the UK’s leading providers of medical devices. We are committed to making a real difference to our customers’ lives with our range of high-quality products and services.

The companies within our group include Great Bear Healthcare and Nightingale Homecare services. Nightingale is a specialist delivery company for all Intermittent Self Catheter (ISC) and Urology/Continence products. Great Bear Healthcare manufacture Urology products and distribute these in the UK & Ireland

This website is operated by Clinisupplies Ltd (Referred as “Clinisupplies”, “Nightingale” “Great Bear Healthcare”, “we”, “our”, “us” in this, Privacy Policy)

We operate the following websites which are part of our group:

www.clinisupplies.co.uk

www.nightingaledelivery.co.uk

Clinisupplies is a private limited company registered in England and Wales under company number 04013240 and we have our registered office at

1 Blackmoor Lane, Croxley Park, Watford, Hertfordshire, WD18 8GA.

We have developed this privacy notice to inform you of the data we collect, what we do with your data, what we do to keep it secure as well as the rights and choices you have over your personal data.

Your personal data may be collected and received by us through several different ways such as email, SMS, telephone or via the website and used for the below purposes:

1. You contact us and provide the information directly
2. Your healthcare professional contacts us to provide the information on your behalf such as your GP, clinician, or carer.
3. You contact us in a professional capacity on behalf of a Care Home. (Applies to healthcare professionals only)
4. You participate in an Appliance Use Review (AUR) with one of our Clinical Nursing Team

Online or by Phone

Whatever your preferred way to contact us we will need to collect the following details:

Title, First Name, Last Name

Email

Telephone, Mobile

Contact preferences for delivery and service updates (Phone, Email, SMS)

GP Surgery (Name and Address)

Date of Birth

Prescription Status (exemptions)

Country of Residence (if living in Scotland)

NHS Number

Patient Consent to become their Dispensing Appliance Contractor

Electronic Prescription Service Consent

NHS Prescription Prepayment Certificate Number & Expiry Date (PPCs)

Home/Delivery Address

Contact preferences for news and surveys

Online or by Phone

We will need to collect some personal information and work information to register you as a healthcare professional:

Title, First Name, Last Name

Email

Work Telephone, Mobile

Hospital/DN Base Details

Ward (optional)

Patient Consent to become a Dispensing Appliance Contractor

Contact preferences for news and surveys

Online or by Phone

We will need to collect some personal information and work information to register the Care Home:

Title, First Name, Last Name

Email

Work Telephone, Mobile

Care Home Details (Name and Address)

Patient/Care Home Consent to become a Dispensing Appliance Contractor

Contact preferences for news and surveys

In addition to your registration information, we may also collect the following:

Financial Data includes bank name, sort code and account number, payment card details, VAT number.

Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us.

Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this site.

Profile Data includes any purchases or orders made by you, preferences, condition type, feedback, and survey responses.

Usage Data includes information about how you use our site, products, and services.

Marketing Data includes your preferences in receiving marketing from us and your communication preferences.

Communications data including emails, telephone calls and post which you receive from us or send to us, and your preferences in receiving information and being contacted by us.

Condition Type to help us offer a more personalised streamlined service, we’re asking our consumers for the medical reason leading them to use the products being supplied by Nightingale.

It’s completely optional whether you provide this information, and we will treat it confidentially; we don’t share this information with 3rd parties and it’s OK if you don’t want to provide this information. It will not affect the service you get from us if you don’t share this information. You can withdraw your Consent at any time.

If you fail to provide personal information

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

For processing to be lawful under the UK GDPR and Data Protection Act 2018, Nightingale is obliged to identify a lawful basis before it can process personal data. The obligation requires Nightingale to satisfy a condition under Article 6 and, where special category data (health information) is being processed, also under Article 9.

For Nightingale purposes, the following conditions, under Article 6, for lawful processing will apply: 6(1)(b) ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’ and 6(1)(f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject’. There may be occasions when the data subject’s consent will provide the legal basis for the processing of their personal data: 6(1)(a) – Consent of the data subject.

For necessary processing of special categories, e.g., health information, the following condition, under Article 9, will apply: 9(2)(h) ‘Processing is necessary for the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or management of health or social care systems and services on the basis of Union or Member State law or a contract with a health professional’.

We use personal information collected about you for a variety of business purposes described below.

Establishing you as a Nightingale customer

If you sign up to become a Nightingale customer, we will need to collect and verify information about you and other relevant individuals to set up our products and services for you.

To process transactions and provide our services

We will use the information you provide to process any orders you make with us, arrange prescriptions with your GP and deliver products and services directly to you.

Checking if you are NHS exempt from paying prescription charges

We will use the information you provide to tell you if:

• you have a valid exemption certificate
• your exemption certificate expires within the next month
• your exemption certificate entitles you to free NHS prescriptions
• your age entitles you to free NHS prescriptions

In cases where individuals haven't provided their medical exemption status during registration, Nightingale kindly asks that they provide this information later. This contact may occur through various means, including email, SMS (text messages), or phone calls. The purpose of this contact is to obtain the necessary medical exemption information to ensure compliance with The National Health Service (Charges for Drugs and Appliances) Regulations 2015.

Integrated Care Record

Nightingale works with the NHS and other health and social care organisations to share information that will form part of your Integrated Care Record. The Integrated Care Record allows health and care professionals involved in your care to view your records to help them understand your needs and make the best decisions with you, and for you.

Clinical Nursing Services

Our Nurses work together with NHS professionals to deliver drop-in clinics and home visits, advice and guidance on products, clinical education, and training. Following a visit by the Nurse, feedback will be provided to your GP and your referring Nurse.

The Clinical Nursing Service works in conjunction with your referring NHS or independent sector nurse to ensure you get access to the best ongoing care, advice and support with your bladder and bowel management.

Our Nurses will undertake assessments and reviews for all people referred to the service and use your data to suggest an appropriate plan of care. The care package will be discussed and agreed with you and your referring Nurse.

Nightingale makes use of surveys for a variety of functions, including improvement of service provision and regulatory requirements.

In the case of customer satisfaction surveys and research, we will primarily use the data for internal purposes. In some cases, we may publish a summary report, but this will not contain any personal data.

In the case of consultations, we will publish a summary of the consultation responses and, in some cases, the responses themselves but these will not contain any personal data.

Please note that if you choose to provide contact details, your survey response will no longer be anonymous. However, your contact details will not be disclosed, and therefore your responses will be reported anonymously, and you will not be identifiable.

We process the information internally for the above stated purpose. We don't intend to share your personal data with any third party. Any specific requests from a third party for us to share your personal data with them will be dealt with in accordance with the provisions of the data protection laws.

We will retain consultation and survey response information until our work on the subject matter of the consultation is complete.

We may also use a third-party processor, to administer surveys on our behalf, and carry out statistical analyses of the survey results in accordance with our instructions. We will always ensure that we have a contract in place with these third-party processors. This means that they cannot do anything with your personal data unless we have instructed them to do it. The third-party processors will not share your personal data with any organisation, except where we authorise them to do so. Third party processors will always have their own privacy policy which they will share with you on request.

Telephone recording including the use of Omni channel call management

We may record telephone calls you make to our customer contact centre to:

• check for mistakes
• train staff
• prevent, detect, investigate, and prosecute fraud
• help plan and make improvements to services

We do this in the interests of offering a good service to our customers.

If you object to this, you will need to end the call when you are told that calls may be recorded. Alternative methods of communication are available.

We will delete call recordings up to 6 months after the call was made. This ensures that any subsequent investigations can be completed.

Omni channel call management

We use various functions to allow our customer to interact with us in the best possible way. We do this by using automation and virtual assistance to:

• quickly answer common questions
• providing a virtual voice enabled assistant instead of a fixed options menu
• capturing information from you in advance and presenting this to our staff when they speak to you, reducing call times and confirming information needed to answer your query.
• providing us with call analysis information to help improve the service we provide

If you object to this, you can ask to speak to staff or use an alternative means of contacting us.

Live Chat

As part of our dedication to providing exceptional customer service, we utilise a live chat feature on our website. This feature allows us to offer real-time assistance and support to our customers.

How We Use Live Chat

• Our live chat feature is designed to provide you with immediate assistance, answer your questions, and address any concerns you may have regarding our products or services.
• During a live chat session, we may collect and store information that you voluntarily provide, such as your name, contact information or other personal details relevant to your inquiry. This information is used solely for the purpose of assisting you and improving our customer service.
• We may use data from live chat interactions to analyse trends, identify common customer issues, and enhance our website's usability and content.
• Any information you share during a live chat session is treated with the utmost confidentiality and is subject to the same stringent privacy and data protection policies outlined in this Privacy Notice

Marketing

When you consent, we will send you marketing communications and news concerning Nightingale products, services, events, and other promotions. You can opt-out at any time after you have given your consent.

If you are an existing customer of Nightingale (for example, if you are a service user), we may use the contact details you provided to send you marketing communications about similar Nightingale products or services, where permitted by applicable law (unless you have opted out).

We use various communication channels, including email, SMS text messages, phone calls, and postal mail, to contact you. You have the right to object at any time, and we will always provide a simple way for you to inform us if you prefer not to be contacted.

The Right to be Informed about our collection and use of personal data

You have the right to be informed about the collection and use of your personal data. We ensure we do this with our internal data protection policies and through our external website privacy notice. These are regularly reviewed and updated to ensure these are accurate and reflect our data processing activities.

Right to Access Your Personal Information

You have the right to access the personal information that we hold about you in many circumstances, by making a request. This is sometimes termed ‘Subject Access Request’. If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will provide it to you or them free of charge and aim to do so within 1 month from when your identity has been confirmed.

We would ask for proof of identity and sufficient information about your interactions with us that we can locate your personal information.

If you would like to exercise this right, please contact us as set out below.

Right to Correction Your Personal Information

If any of the personal information we hold about you is inaccurate, incomplete, or out of date, you may ask us to correct it.

If you would like to exercise this right, please contact us as set out below.

Right to Stop or Limit Our Processing of Your Data

You have the right to object to us processing your personal information for particular purposes, to have your information deleted if we are keeping it too long or have its processing restricted in certain circumstances.

You can ask us to restrict processing your data, for example where:

• you’re contesting the accuracy of your personal data
• we no longer need to process your personal data, but you want us to keep it for use in legal claims
• you’ve objected to the processing by asking us to stop using your data, but you’re waiting for us to tell you if we have overriding grounds which mean we’re allowed to keep on using it

If you would like to exercise this right, please contact us as set out below.

Right to Erasure

You have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. Where the right doesn’t apply, we’ll let you know why we can’t action your request.

This right may be applied where:

• • personal data is no longer necessary in relation to the purpose for which it was originally collected/processed
• • the processing was based on your consent which you withdraw (and there are no other legal grounds for processing that data)
• • you exercise your right to object and there are no overriding legitimate grounds for the processing
• • there is no lawful reason to retain personal data or if the personal data must be erased to comply with a legal obligation

If you would like to exercise this right, please contact us as set out below.

Right to Portability

The right to portability gives you the right to receive personal data you have provided to a controller in a structured, commonly used, and machine-readable format. It also gives them you the right to request that a controller transmits this data directly to another controller.

If you would like to exercise this right, please contact us as set out below.

We use plugins on our website from social media networks such as Facebook, LinkedIn, and Twitter. You can recognise these plugins by their logos. Our plugins will not collect personal data about you unless you click on these logos. If you click on them, these plugins are activated and automatically transmit data to the plugin provider.

We do not have any influence over which data these providers collect from you. If you would like more information about their data processing, this can be found in the respective privacy policies on the websites of these providers.

We may share your personal data with other organisations in the following circumstances:

• If the law or a public authority says we must share the personal data (Government bodies and agencies in the UK, e.g., the Financial Conduct Authority, the Information Commissioner’s Office).
• If we need to share personal data to establish, exercise or defend our legal rights (this includes providing personal data to others for the purposes of preventing fraud and reducing credit risk).
• Payment systems (e.g., Visa or Mastercard) and correspondent banks, who may transfer such personal data to others, as necessary to operate your service and for regulatory purposes, to process transactions, resolve disputes and for statistical purposes.
• We use data processors who are third parties who provide elements of services for us such as IT suppliers, database providers, cloud hosting services, email providers and mailing houses. We have Data Processing Agreements in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us or further sub-processors who must comply with our Data Processing Agreement. They will hold your personal data securely and retain it for the period we instruct.
• We may also transfer personal data we have about you in the event we sell or transfer all or a portion of our business or assets (including in the event of a reorganisation, spin-off, dissolution, or liquidation).

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Where the same record has to be kept for more than one purpose and there is a different retention period for each of those purposes, the record is kept for the longer period.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

The personal data that we hold about you will be stored in the UK. In limited circumstances may also be transferred to or stored at a destination outside the UK or European Economic Area (EEA).

If we transfer your data to third party service providers based outside the UK or EEA, we ensure a similar degree of protection is provided to the transfer by ensuring at least one of the following safeguards is implemented:

• we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK and/or the European Commission.
• where we use certain service providers, we may use specific contracts (known as Standard Data Protection Clauses) approved by the UK and/or European Commission which give personal data the same protection it has in UK and Europe, as well as any additional security measures as required.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK or EEA.

We protect your information in the following ways:

Training

Staff are trained to understand their duty of confidentiality and their responsibilities regarding the security of patient information both on our premises and when out in the community. Staff must undertake annual mandatory training in information governance and data security awareness.

DSP Toolkit

We are required to complete an annual assessment of compliance with Data Protection and Security. Details of the assessments can be found here. https://www.dsptoolkit.nhs.uk/organisationsearch

Access controls

Any member of staff being given access to national systems holding patient information will need a special access card called a smartcard, along with a username and password. All other systems have security features that restrict access such as username, passwords, single sign-on and role based permission sets.

Audit trails

We keep an audit trail in our electronic record systems of anyone who has accessed a health record or added notes to it.

Records Management

All healthcare records are stored confidentially in a secure location.

Caldicott Guardian

There is a designated person named the ‘Caldicott Guardian’ whose responsibility it is to ensure that these laws are upheld.

Our Data Protection Officer is:

The DPO Centre Ltd
50 Liverpool Street
London
EC2M 7PY

Email: DPO@clinisupplies.co.uk

Phone: 0203 797 1289

Website: www.dpocentre.com

ICO

The Information Commissioner's Office (ICO) regulates data protection and privacy matters in the UK. They make a lot of information accessible to consumers on their website and they ensure that the registered details of all data controllers such as Nightingale are available publicly.

You can make a complaint to the ICO at any time about the way we use your information. However, we hope that you would consider raising any issue or complaint you have with us first. Your satisfaction is extremely important to us, and we will always do our very best to solve any problems you may have.

We welcome questions, comments and requests regarding this privacy policy and our processing of personal information. Please send them to the Compliance Manager, Clinisupplies Ltd, Mallard Court, Express Park, Bristol Road, Bridgwater, Somerset, TA6 4RN or email us on privacy@clinisupplies.co.uk.

You can also contact our Data Protection Officer by email: DPO@clinisupplies.co.uk