NHS Online: 111 privacy policy

NHS Online: 111 is a service provided for the NHS by Babylon. At Babylon our mission is to put an accessible and affordable health service in the hands of every person on earth. We are passionate about high-quality and convenient healthcare. We are also passionate about privacy. We strive to comply with the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA), and to be market leaders when it comes to healthcare and privacy.  

This policy explains how we use your personal data. We want to help you understand how we work with your data, so that you can make informed choices and be in control of your information. We invite you to spend a few moments understanding this policy. We may update this policy from time to time and we will notify you when we do so.

This policy explains how we use your personal data for our healthcare services and products. It also governs the use of your data through our App, or any of our websites (and any reference to our App in this policy shall also include a reference to our websites).

This policy covers:

  • Who we are;
  • What personal data we hold and how we get it;
  • What we use your personal data for;
  • Sharing your personal data;
  • Retention;
  • Data security and transfers; and
  • Your rights.

If you have any further questions about how we process your information, please don't hesitate to get in touch by contacting our Data Protection Officer:

    Address:           Data Protection Officer, Babylon Health, 60 Sloane Avenue, London, SW3 3DD

    Email:               DPO@Babylonhealth.com

    Who we are

     Our healthcare services are delivered by two companies within our group, which are both registered in England and Wales: Babylon Healthcare Services Limited (number 09229684) provides medical treatment, and Babylon Partners Limited (08493276) provides the technology that supports our services. The registered office and principal place of business for both companies is 60 Sloane Avenue, London, SW3 3DD.

    Your relationship is with Babylon Healthcare Services Limited. When this policy talks about ‘Babylon’, ‘us’ or ‘we’, it means Babylon Healthcare Services Limited. We remove personal identifiers, such as your name, address and contact details from your medical information, and provide some or all of this data to Babylon Partners Limited, which develops and maintains our software and artificial intelligence system.

    What personal data we hold and how we get it

    We use the following categories of personal data:

    Personal details

    When you register with us, you complete forms and provide us with basic information about yourself, such as your name, date of birth, physical address and email address.

    Health and medical information

    The main type of information we hold about you is health and medical information: information about your health, symptoms, treatments, medications and procedures. This includes details of your interactions with our digital services. We get this information directly from you, when you register with us and when you use our healthcare services. Any correspondence we receive from you is uploaded electronically to your Babylon medical record.

    Technical information and analytics

    When you use our App, we may automatically collect the following information where this is permitted by your device settings:

    • technical information, including the address used to connect your mobile phone or other device to the Internet, your login information, system and operating system type and version, browser or app version, time zone setting, operating system and platform, and your location (based on IP address); and
    • information about your visit, including products and services you viewed or used, App response times, interaction information (such as button presses) and any phone number used to call our customer service number.

    We work with partners who provide us with analytics. This includes helping us understand how users interact with our services, and measuring performance of our services. Cookies and similar technologies may be used to collect this information, such as your interactions with our services. 

    What we use your personal data for

     The purposes for which we use your personal data and the legal grounds on which we do so are as follows:

    • We obtain and use your personal details in order to establish and deliver our contract with you.
    • We obtain and use your medical information because this is necessary for medical purposes, including medical diagnosis and the provision of healthcare or treatment. This includes the information collected through our digital services. It may also include sharing information with other healthcare professionals as necessary for the provision of care to you, such as to NHS healthcare providers.
    • Where you have provided your explicit consent, we will use your medical information (always having removed personal identifiers, such as your name, address and contact details) to improve our healthcare products and services, and our artificial intelligence system, so that we can deliver better healthcare to you and other Babylon users. This medical information (de-identified in the way described above) may include your Babylon medical record and your interactions with our artificial intelligence services, such as our symptom checker. This does not involve making any decisions about you – it is only about improving our products, services and software so that we can deliver a better experience to you and other Babylon users, and help achieve our aim of making healthcare affordable and accessible to everyone. Strict confidentiality and data security provisions apply at all times.
    • We may obtain and use data about your precise location where you give your consent (through providing us access to your location), for example, to help direct you to the nearest pharmacy, or determine your eligibility to receive this service as commissioned by the NHS. We may also derive your approximate location from your IP address.
    • Based on our legitimate interest in managing and planning our business, we may analyse data about your use of our products and services to, for example, troubleshoot bugs within the App, forecast demand of service and to understand other trends in use, including which features users use the most and find most helpful, and what features users require from us. This does not involve making any decisions about you – it is only about improving our App so that we can deliver better services to you. Strict confidentiality and data security provisions will apply at all times.
    • Where necessary, we may need to share personal details for the purposes of fraud prevention and detection.
    • We also store your medical information, such as notes from consultations, and your interactions with our digital services, for safety, regulatory, and compliance purposes. For example, we may need to review your information and, where necessary, make disclosures in compliance with reasonable requests by regulatory bodies including the General Medical Council, MHRA, and Care Quality Commission, or as otherwise required by law or regulation.
    • Where necessary for safety, regulatory and/or compliance purposes, we may audit consultations and your other interactions with our services. Strict confidentiality and data security provisions will apply at all times to any such audit and access.

    Sharing your personal data with others

    • We may share your personal data with members of our corporate group and our partners (such as the GP at Hand partnership, where you access our NHS GP at Hand service). This is to help us deliver our services to you.
    • We may share your personal data with companies we have hired to provide services on our behalf, including those who act as data processors on our behalf, acting strictly under contract in accordance with Article 28 GDPR. Those data processors are bound by strict confidentiality and data security provisions, and they can only use your data in the ways specified by us.
    • We may share with our commercial partners aggregated data that does not personally identify you, but which shows general trends, for example, the number of users of our service. 
    • We will, where necessary for your treatment or care, share your information with your other health and social care providers. For example, your NHS GP (if you use our private service) and other NHS bodies, specialist referral services, therapists, pharmacists, hospitals, accident and emergency services, pathology service providers, diagnosis centres chosen by you for the purpose of imaging requests, and other health and care bodies. This may include sharing information with such services for safeguarding purposes in accordance with our legal obligations.
    • We may preserve or disclose information about you to comply with a law, regulation, legal process, or governmental request; to assert legal rights or defend against legal claims; or to prevent, detect, or investigate illegal activity, fraud, abuse, violations of our terms, or threats to the security of our services or the physical safety of any person.

    Except as described above, we will never share your personal information with any other party without your consent.

    Retention periods

    We retain your medical records in accordance with national best practice guidance – in particular, advice provided by the Department of Health (2006) Records management: NHS code of practice, and summary guidance issued by the British Medical Association. The below is a summary of our retention policy, but we may retain records for other periods as required by law or regulation. 

    Type of record | Retention period
    GPs | GP Records retained for 10 years after death or after the patient has permanently left the country unless the patient remains in the European Union. In the case of a child, if the illness or death could have potential relevance to adult conditions or have genetic implications for the family of the deceased, the advice of clinicians should be sought as to whether to retain the records for a longer period. Electronic patient records (EPRs) must not be destroyed, or deleted, for the foreseeable future.
    Maternity records | 25 years after the birth of the last child
    Records relating to persons receiving treatment for a mental disorder within the meaning of mental health legislation | 20 years after the date of the last contact; or 10 years after the patient's death if sooner

    Data storage, security and transfers

    We do not store your personal health data on your mobile device. We store all your personal health data – including your primary care information, medication information and diagnostic information – on secure servers.

    Where you have chosen a password that enables you to access certain parts of our App, you are responsible for keeping this password confidential. We ask you not to share the password with anyone.

    We encrypt data transmitted to and from the App. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

    Your data may be processed or stored via destinations outside the European Economic Area, but always in accordance with data protection law and subject to strict safeguards. For example, to send communication emails to our users, we use the software platforms of third parties who have servers outside the UK or EEA.

    Your rights

    As indicated above, whenever we rely on your consent to process your personal data, you have the right to withdraw your consent at any time by accessing the privacy settings in the App.

    You also have specific rights under the GDPR and DPA to:

    • Wherever we process data based on your consent, withdraw that consent at any time. You can do this via the privacy section of our App;
    • Understand and request a copy of information we hold about you. You can make a request by email;
    • Ask us to rectify or erase information we hold about you, subject to limitations relating to our obligation to store medical records for prescribed periods of time;
    • Ask us to restrict our processing of your personal data or object to our processing; and
    • Ask for your data to be provided on a portable basis.

You may also contact the Information Commissioner's Office (the data protection regulator in the UK): Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, telephone: 0303 123 1113 (local rate).


    Contact us

    For any questions or concerns, you can contact us by sending an email to DPO@babylonhealth.com