PRIVACY POLICY Using Rapid Health for online services

Hersham Surgery

 

When you send a Rapid Health online request to us, you can do this from our

website or from the NHS App.

Looking after your information

We need to make sure you’re a registered patient at the practice and want

to make sure you know about any request we receive for you.

NHS login 

If you access Rapid Health using your NHS login details, the identity

verification services are managed by NHS England.

NHS England is the controller for any personal information you provided to

NHS England to get an NHS login account and verify your identity and uses

that personal information solely for that single purpose. For this personal

information, our role is a “data processor” only and we must act under the

instructions provided by NHS England (as the “data controller”) when

verifying your identity.

For more information on NHS login, see the NHS login privacy notice and NHS

login terms and conditions.

NHS App 

You can access Rapid Health on the NHS App using your NHS login details.

If you sign in using NHS login, we will ask your permission to share your NHS

login information with our service. This allows us to fill in some personal

details for you, such as your name, date of birth and contact details.

We will not use your NHS login information for any other purposes. You can

only share your NHS login information if you have proved your identity to

NHS login.

You can choose not to share your NHS login information with Rapid Health

but you will need to enter your information yourself whilst using the

service.

Other information you provide to Rapid Health

GP practices are the data controller and Rapid Health is a data processor for

information sent by patients to the practice using Rapid Health.

As data controller, the practice is responsible for keeping your information

safe and explaining how it uses your information. There is a How your

information is used box on the Rapid Health page where you give your name

for a request, and further detail below.

If you don’t have an email address on your record

We allow patients without an email address on their record to send

requests using Rapid Health but for your safety and security, these requests

can’t be offered appointment self-booking, as we need to check the patient

identity first.

Why we need an email address

We always email you to say we got your request. Something is wrong if

you don’t get a reply, so check your spam/junk folder if you don’t see one.

Send another request or call the practice if you don’t get a reply within 15

minutes of sending your request.

We need to reply to you when we get a request. This reply says we received

your request, what to expect and what to do if you are not well.

If you have an email address on your record, we can offer you self-booking,

using the email address you put on your request (if a self-booking

appointment is available).

Using a different email address

If you use a different email address for a request from the one on your patient

record at your GP practice, we’ll send replies to the email address you used

for the request, but will also send a security email to the email address on

your record.

Security emails say only that we got a request for you (or that an

appointment was booked/changed/cancelled for you) and if this wasn’t you, to

contact the practice.

If a different email address is used for a request for a child from what is on

their record, a security email is sent to the email address on their record.

Shared email addresses and devices

If you want to keep your requests private from someone you share an email

address with, it’s best to change your email address on your record. [You can

send us an Update personal details request. Our reply will just say we

received a request from you – it will not say that you asked to change your

details.]

Our email replies

We send our reply and any appointment links to the email address you put on

the request.

Our standard emails never repeat what you said in a request [but if someone

at your GP practice replies personally to your request, their reply may reflect

information in your request]. This reply will go to the email address you gave

on your request.

The reply we send to the email address on a child’s record (if there is one and

it is different from an email address you use for a child request) just says we

got a request for them and if this is a mistake to let us know – it does not say

what kind of request.

Asking medical questions

If you want medical advice from the practice, we ask questions to check

how soon you need this or if we need to suggest A&E to you. We ask this

for your safety.

Why do you ask for Sex at Birth?

We ask this for your safety, so you can be asked the right medical questions.

Booking appointments online with us

There may be times when we send you a link to self-book an appointment

with us, or you might book an appointment such as for a vaccination. Or you

may want an appointment to discuss a medical concern.

Why do I need to provide information for these appointments?

When we send you a link to book into an appointment, we have

‘pre-qualified’ you for that appointment, so we only ask for some personal

details before you book it.

Where you come to the website to book a type of appointment such as a

vaccination or cervical smear test, we ask questions to check the appointment

is right and safe for you.

If you want an appointment because you have a medical need, we ask

questions to help us understand how soon to see you, or if we need to

suggest A&E for your safety.

Keeping your personal data safe

How is my information stored?

Rapid Health stores the data on Amazon Web Services (AWS) servers in

England. All data sent is encrypted when in transit (when it is sent) and at rest

(when it is stored).

Patient data is managed as described in the NHS Records Management Code

of Practice and stored on the practice system.

Rapid Health keeps a copy of requests for 400 days, for technical support

purposes. They are deleted after the 400 days.

Can Rapid Health access the information?

Rapid Health must be able to access the information to meet its legal

responsibilities as a data processor, for example to help the data controller

(the practice) in providing subject access and allowing data subjects to

exercise all their other rights under GDPR, and to provide technical support.

Only highly qualified technical staff with permission can access the data when

the data controller asks for this, or if there is a technical problem. Strong

controls are in place and a full audit trail kept.

Is Rapid Health NHS approved?

Yes. Rapid Health has passed all stages of assurance to interact with the

practice patient record system, EMIS.

What security credentials does Rapid Health have?

Rapid Health has completed NHS Data Security and Protection Toolkit

assurance (under NHS ODS code 8KG49), and Cyber Essentials certification.

Rapid Health has successfully completed NHS Digital Technology Access

Criteria assurance (under NHS ODS code 8KG49).

Rapid Health is fully compliant with DCB0129, which is for manufacturers of

health IT software, and has a UKCA Class 1 medical device registered with the

MHRA.

Rapid Health systems are independently penetration tested by an accredited

CREST/CHECK supplier to CREST/CHECK standards at least once a year.

 

Is Rapid Health GDPR compliant?

YES

Date Published: 9th April, 2026
Date Last Updated: 9th April, 2026