Digipharm Privacy Notice

Who we are and what we do

Digipharm is an independent commercial specialist organisation wholly focussed on improving the way healthcare is commissioned and provided. We passionately believe that patients have a right to access services that provide real benefits, in realistic timescales, delivered by the best providers in the business. We realise this passion by offering software and data processing facilities to our customers, who are commissioners, payers, providers and manufacturers. Our customers use our software to negotiate and agree contracts, and provide us with de-identified data to monitor and operate the contracts.


Most commissioners, payers, providers and manufacturers aspire to provide better services more efficiently, and the industry as a whole recognises that a good approach to doing this is to measure the value of services provided. This approach is known as Value Based Health Care (VBHC) or Outcomes Based Health Care (OBHC). However, healthcare is normally commissioned and paid for on a fee-for-service basis, which rewards providers for the amount of work done rather than the quality of service provided. In order to move towards a VBHC model, contracts need to specify clearly what outcomes will be rewarded and how those outcomes will be measured.


By using objective data about services actually provided, our customers gain insights into what services work best.  Further, the use of objective data to validate contract activity significantly reduces the administrative overheads normally associated with traditional ways of operating contracts.  By using the Digipharm platform to negotiate the contracts in the first place, AND to validate payments using objective data to evidence the quality of provision, our platform represents the first end-to-end facility for agreeing, measuring and paying for services that have real value to patients and providers alike.

What types of information do we collect?

Digipharm collects and processes 3 types of data:
Data collected by our staff, in the normal operations of our business. This includes personal details of prospective employees, current (and former) employees, people who contact us, and details of people and organisations with whom we do business or intend to do business.

We call this “type 1” data. Digipharm operates as Data Controller for this type of data.

Data entered onto our website or into our applications, by visitors, users and the general public. This includes personal information where relevant, including specific relevant characteristics of individuals.

We call this “type 2” data. Digipharm operates as Data Controller for this type of data.

Data sent to us by our customers using our commercial services. This usually includes person-level data that has already been de-identified prior to its arrival at Digipharm.

We call this “type 3” data. Digipharm acts as Data Processor for this type of data, on behalf of (and under contract to) its Data Controller.

How we collect information

Some type 1 data is generated by our staff operating our internal corporate systems, and some is provided by third parties in the course of doing business with us.

Data about prospective employees is generated from documentation provided by candidates, including CVs, application forms, and emails.

Data about employees is captured from manually created records and details provided by the employee, including contact and address details, financial details for payroll and taxation, details of next of kin in case of emergencies and ongoing staff development. We also perform standard employment checks (including references, right to work and DBS) – we store these results in the employee record.

Data about people who contact us, and those with whom we do (or intend to do) business, is collected from emails, written documentation, and notes taken during calls and meetings. This data is stored in various contact management and customer relationship management software applications.

Type 2 data is provided by the data subjects themselves, in accordance with the particular web site or application feature being used.

Type 3 data is uploaded into our systems by our customers during the normal operation of services we provide under contract.

What we do with information

We collect, store, use and manage data for a variety of purposes, as follows:

We use type 1 data to make decisions about our staff, including choosing which candidates we offer employment to, and for managing our ongoing relationships with employees. We sometimes share personal information with external agencies in order to perform employment checks, including right-to-work checks and following up on reference and DBS checks. We use employee data on an ongoing basis for employee development and training. We protect our business records (type 1 data) using role-based access controls, secured through password-protected user accounts. Personal data is accessible on a need-to-know basis only. The lawful basis we use for type 1 data is the legitimate interests of our business as defined by GDPR.

We use type 2 data to provide services to users.  This includes capturing various levels of personal data, depending on the service being accessed:

Users may opt to remain completely anonymous for access to a restricted set of materials and services.

Users may participate in some online activities (including completing questionnaires) by providing some personal information that doesn’t directly identify them as individuals such as age, gender, ethnicity and current state of health, which we use to rate and score questionnaires. We may publish statistical and quantitative information from questionnaires in various reports, charts and dashboards which we may offer commercially.

Users may optionally choose to create an account on our systems providing more personal information including name and contact details. Any activity carried out by a user while logged in to a Digipharm account will be associated with their account as a history of activity, and to show progression over time.  The lawful basis we use for this processing is consent; identified users can see what we hold, request updates/corrections as may be appropriate, and also request removal of their data.

Type 2 data that is not associated with a user account cannot be tied to a particular user, and is processed using the lawful basis of legitimate business interest.

We process type 3 data under contract to our customers. We do not own this data, but process it on behalf of the data controller (customer), under contract as data processors. Although type 3 data is usually person-specific, it does not provide enough information for us to identify which individual the data belongs to.  As such, we treat the data as anonymous.  As data processor, our processing becomes part of the process owned and operated by the data controller (our customer).  The lawful basis we use to collect and process this data is contract.

We protect data we collect commercially (type 2 and type 3 data) using encryption, and process it on secured, fault-tolerant, redundant systems. We further protect type 3 data by only sharing specific data elements with relevant contract participants, ensuring that data for different contracts and for different customers is kept segregated.

Who has access to your information?

Digipharm uses its own staff, sometimes supported by contractors, to process information held on individuals. We will sometimes share type 1 data with external agencies for things like pre-employment checks, but we will only do so with the consent of the data subject.

We will not sell or rent your personal information to third parties. We will not share your personal information with third parties for marketing purposes, and we will not use your personal information for our own marketing purposes without your consent.

Access to records may also be undertaken under the provisions of the GDPR, the Data Protection Act 2018, and under the Access to Health Records Act 1990 (in the case of the records of deceased individuals).

What are your rights in relation to the personal data we process?

Access – you can request copies of any personal information we hold about you, and you can access it directly from the “My Account” section of our website.

Rectification – you can ask us to correct any information you consider to be incorrect.  We will keep time-stamped records of any changes you ask us to make.

Deletion – you can ask us to delete your personal information.  We may refuse to delete information if there are legitimate and lawful reasons to do so.

Portability – you can ask us to transfer your personal data to different services or to you.

Right to object or restrict processing – for any data that we can specifically identify as data relating to or belonging to you, you have the right to object to how it is being used and how it is going to be used in the future.

Right to prevent automatic decisions – you have the right to challenge a decision that affects you that has been made automatically without human intervention, for example an online form with an instant decision.

How long will we keep your information for?

We keep and dispose of all records in line with our record retention schedule. We will comply with Data Protection legislation.

What security precautions are in place to protect against the loss, misuse or alteration of your information?

We are strongly committed to data security and will take reasonable and appropriate steps to protect your personal information from unauthorised access, loss, misuse, alteration or corruption. We have put in place physical, electronic, and managerial procedures to safeguard the information you provide to us. However, we cannot guarantee the security of any information you transmit to us. We recommend that you take every precaution to protect your personal information.

Keeping your data up to date

We want to ensure any information we hold is accurate. You can help us by promptly informing us of any changes to the information we hold about you.