Patient Pack Platform Privacy Policy


All organisations that use personal information (personal data) must provide a clear description of how it is used and also provide any related information to ensure the processing is carried out lawfully and fairly. Your GP’s main Privacy Notice is available on their website (or please contact their reception).

The additional information provided below describes only the use of your information when you use your GP’s online consultation service (PatientPack).

Your information and how we use it

Patient Pack is designed, created and maintained by Substrakt Health Ltd on behalf of your registered GP practice and associated Clinical Commissioning Group. Substrakt Health Ltd is committed to providing patients high quality access to their healthcare data and services offered by their registered GP practices or accredited NHS partners organisations. Therefore, Substrakt Health offers a wide range of high quality digital health and social care services delivered via our PatientPack App on behalf of our NHS clients. Any use of the digital and underlying healthcare services provided on the PatientPack App will be offered under the NHS with patients remaining registered with their usual GP Practice.

What personal information is used by us?

We store personal information to allow you to create a secure account and match you to your GP record:

  • Name
  • Date of Birth
  • The practice you are registered at
  • An identification number to connect to your health record e.g. NHS number
  • Email address and/or phone number

In order to show and track prescription requests made on the website, we hold:

  • When the medication was requested
  • The type and dose of medication requested
  • The practice’s response to your request

In order to manage online appointments, we hold the details of appointments made through the website including the time, location and type of appointment made.

In order to only provide services that you have given your permission for, we track any acceptance or rejection of consents required within the application. These may differ per practice.

To resolve any issues we use an external support management tool for tracking issues raised on the app. When submitting a support request your account information is processed and the requests you make are stored on their servers.

In order to improve the usability of the app, we send anonymised information to an analytics service with an anonymised session-id, device information and the URL of pages visited.

For auditing purposes we store pages accessed and events triggered in the application and the IP address the request was made from so that we can track when elements of your health record were accessed.

All data is stored in the UK, under UK regulations and on encrypted databases.

What personal information is used for online consultations?

Because this service is online, your GP’s need to ensure that they continue to provide you with a confidential and high-quality service. To do so, they need to properly identify you and accurately note both your request and their responses. If they were prevented from using this essential information, then they would be unable to provide the service securely and confidentially.

Information which is not needed for the service is not collected by Substrakt Health.

Your GP uses the following information to identify and deal with your request.

Identity and Contact Information: includes name, gender, date of birth, NHS number, email address and telephone number, postal address.

If you have created an NHS login account you will already have verified who you are and you can, if you wish, use those details from your NHS login account to save you time and avoid having to manually enter your details to re-identify yourself to use the Online Consultation service.

Special Categories of Personal Information: your health information such as your symptoms, conditions, medication and other details which are already held in your GP records and / or which you provide through the online consultation process.

Support Desk 

Substrakt Health uses Zendesk to manage support tickets that are raised via our Helpdesk. We store a limited amount of personal information e.g your name, NHS number and any unique identifiers within Zendesk to operate the support desk with the aim of helping to solve your query. There are occasions where we may need to access your health record within Patient Pack. If this is the case you will be asked for your permission to do this. Zendesk do not have access to any of your health record or Patient Pack as we operate Zendesk as a stand alone service to manage support tickets.

What is the lawful basis for your GPs online consultation service?

The following legal bases set out in the General Data Protection Regulation (GDPR) and UK Data Protection Act 2018 allow your GP to use your information when you use this online consultation service provided by them:

When using your Personal Information (Personal Data):

Article 6 (1) (e) of the GDPR, which permits us to process your personal information that is necessary to provide a service which is in the public interest

When using your Sensitive Personal Information (Sensitive Personal Data):

Article 9(2) (h) of the GDPR which permits us to process your health information which is necessary for the provision of health treatment.

Why we collect information about you

When registering for the PatientPack App, we will require your consent to access your GP medical record and Registered GP practice system. This access will be limited to GP practice and you with data remaining under the control of your Registered GP. No data will be shared with any other organisation unless your explicit consent has been provided. Substrakt Health will only process the data to provide you with access to the data unless your explicit consent has been provided.

When you use any of our digital or physical healthcare services offered within the app and/or physical locations, you may be asked to provide consent other than that of when you registered for the PatientPack App. This consent is to enable us to share your data with the required NHS organisations or accredited partners who are responsible for delivering the requested NHS service you access. All sharing of such data will comply with the General Data Protection Regulation 2018 and NHS information governance rules. Substrakt Health will always request your explicit consent to do this providing you detail of what data will be shared and with whom it is shared and for how long. Sharing of your data for use of the given health service will not prohibit nor infringe on your rights under the General Data Protection Regulation 2018.  To ensure that we comply with our General Data Protection Regulation responsibilities in keeping your information safe you will be asked to give your consent in the PatientPack app and in the physical service when the required clinician wishes to access your data. 

How we keep your records confidential

Everyone working for the NHS and Substrakt Health is subject to the Common Law Duty of Confidence. Information provided in confidence will only be used for the purposes stated and where the patient has given their explicit consent unless there are other circumstances covered by the law.

Information Sharing with Other NHS and Non-NHS Organizations

For your benefit, we may also need to share information we hold about you with other organizations involved in your care such as other NHS organisations, Social Services or charitable and voluntary bodies working with us to improve your care. However, we will not disclose any information to third parties without your explicit consent, unless there are exceptional circumstances, such as when the health or safety of yourself or others is at risk or where the law requires it.

If we are asked to share information with a non-NHS organisation that does not directly relate to your care, we will always seek your explicit consent prior to any information being shared. If you choose not to consent to this when asked, then that decision will be recorded and respected.

Right of Access to your Substrakt Health data

You can make your own application to see all information Substrakt Health holds about you, or you can authorize someone else to make an application for you. A parent or guardian, a patient representative, or a person appointed by the Court may also apply. If you wish to access your personal data, then please contact:

Substrakt Health Ltd, The Jointworks, 62-64 Albion Street, Birmingham, B1 3EA


Please note that Substrakt Health does not store or retain your Registered GP data longer than required, specifically your healthcare data, thus this may require an additional request to your Registered GP for such right of access.

In order for Substrakt Health to fulfil its responsibilities under the General Data Protection Regulation, you may be asked to provide proof of your identity, and any further information required to locate the record you have requested.

Witholding information about you

As Substrakt Health Ltd provides the PatientPack App on behalf of your Registered GP Practice, we will be required to confirm with them that such data can be released to you. Information may be withheld by the Registered GP Practice if the organisation believes that releasing the information to you could cause serious harm to your physical or mental health. We do not have to tell you that information has been withheld.

Information may also be withheld if another person (i.e. third party) is identified in the record, and they do not want their information disclosed to you. However, if the other person was acting in their professional capacity in caring for you, in normal circumstances they could not prevent you from having access to that information.

Correcting inaccurate information

Substrakt Health and all NHS organisations we act on behalf of have a duty to ensure your information is accurate and up to date to make certain we have the correct contact and treatment details about you.

If your information is not accurate and up-to-date, you can ask us to correct the record. If such a request is made to Substrakt Health, but we are not the responsible organisation holding the data, we will forward such requests to the required NHS organisation. If we/they agree that the information is inaccurate or incomplete, it will be corrected. If we/they do not agree that the information is inaccurate, we will ensure that a note is made in the record of the point you have drawn to the organisation’s attention.

Version: October 2020