Privacy Policy
Applicable only if you accessed services directly provided by eMed on or before 17th March 2025. As of today, eMed does not offer private medical services directly.
We want you to understand what data we collect and how we use it.
When you use Babylon, you give us access to your data. We want to be transparent about what we collect, and how we use it to make our range of digital healthcare services work better.
The main types of data we collect are:
Who you are
When you register with one of our services, either privately or through GP at hand, we’ll receive the basic information you provide us with about yourself; like your name, date of birth, physical address and email address. For our GP at hand NHS service, we will also receive your medical records from your previous NHS GP.
Your medical information
You can see your medical information in our “clinical records” section. No medical information is stored on your phone, instead we use secure servers to hold all information about your symptoms, treatments, appointments and sessions, medications and procedures.
How you interact with us
When you use our services - for example our AI services - we process and store medical information you provide (such as the symptoms you enter into our symptom checker). We record the audio element of your appointments with us for quality and training purposes..
Data and the Babylon services
With your consent, we use data to build a better Babylon for all users - to make our services faster, smarter and more useful to you - so we can deliver better healthcare. When we use data to improve our products, we always remove personal identifiers (such as your name, contact details and address) to ensure that your privacy is protected.
Data improves the performance of our artificial intelligence, which in turn will provide you and our users with a better service.
Data provides your doctor with more information to help them give you with the best care possible, and assists with treatment and our healthcare operations.
Data helps forecast the service demand and schedule available doctors, so we can make sure you can get an appointment within the shortest possible time frame.
Who we share your data with:
Service providers
We use a number of service providers who act as data processors on our behalf. They are bound by strict confidentiality and data security provisions, and can only use your data in the ways specified by us.
Medical services providers
Where necessary, we’ll share your information with other medical services providers - for example NHS bodies, your doctor, hospitals and emergency services.
Insurance companies
If your Babylon access is funded by an insurance provider, we need to let them know details about your appointment with us and the outcome. This will only be done with your explicit consent.
Data control
Putting you in charge of your data
We put you in change of your data through our privacy control centre which can be accessed via our app.
Control your privacy settings
We are developing the Babylon app to give you quick access to your privacy preferences from one location. You’ll be able to manage your personal information and opt out of Babylon learning from your data at any time.
Discover what we know about you
You can access most of your data via our app (for example, medical notes and consultation recordings are readily accessible to you).
Security
eMed’s UK Information Security policy sets out eMed’s UK commitments and arrangements to ensure the security of internal, customer, patient and supplier information.
We take data security extremely seriously.
When you give us your data, you trust us to keep it secure. Any personal or sensitive information we hold about you is protected by strong encryption and held in our secure environment, protected with multiple layers of security controls.
Storing your data
We store all of your personal health data on secure servers. Health data includes your medical information (such as symptoms and treatment). Your data may be processed or stored via destinations outside the European Economic Area but always in accordance with data protection laws and subject to strict safeguards.
Protecting your data
We encrypt all data transmitted to and from the app, and use strict procedures and security features to try to prevent unauthorised access. Payments are processed via a third party payment provider that is fully compliant with Payment Card Industry (PCI) data security standards.
Securing your data
We regularly test our servers to make sure our security controls are the best, and we work with industry-leading hosting partners to ensure our infrastructure is protected. Within the app, strong authentication and access controls are in place to protect clinical records and robust audit processes are in place to ensure data is accessed securely and appropriately.
To keep your data protected, please:
- Make sure you have a strong password
- Change your password frequently
- Keep your password safe and only use it for your eMed account.
Please take the time to read our Information Security Policy
eMed’s UK Information Security policy sets out eMed’s UK commitments and arrangements to ensure the security of internal, customer, patient and supplier information.
This policy is an enabling mechanism for information sharing, for digital electronic operations and for reducing information related risks to acceptable levels. This policy applies to all eMed UK entities, including Babylon Healthcare Services Limited. Setting and complying with the security requirements, that form eMed’s UK Information Security Management System (ISMS), is essential to eMed’s UK commitment to safeguard our patients' well-being and privacy, our regulatory compliance position, the resilience of our services and accordingly, our reputation.
Information and information security requirements are consistently aligned with eMed’s UK goals. Information security objectives are set annually by eMed’s UK CISO & Security Management Team, and adopted by executive management, in consultation with eMed's Global Clinical Services Integrated Governance Committee to ensure that we are able to determine the effectiveness of the information security measures we have in place.
Information Security is controlled through the preservation of:
- Confidentiality - ensuring that information is only accessible to those authorised to access it and therefore to prevent both deliberate and accidental unauthorised access to eMed’s UK information.
- Integrity - safeguarding the accuracy and completeness of information and processing methods, and therefore requires preventing deliberate or accidental, partial or complete, destruction or unauthorised modification, of either physical assets or electronic data.
- Availability - information and associated assets should be accessible to authorised users when required.
In support of this Policy, eMed’s UK leadership are committed to:
- Manage and reduce information risk in an informed manner, with a program in place for regular risk review.
- Ensure compliance to all applicable legal and regulatory requirements, including Information Security Management System requirements. eMed UK must comply with all relevant data related legislation in those jurisdictions within which it operates.
- Provide adequate information security resources to ensure efficient and effective security management, compliance and control performance.
- Ensure all staff are made aware of their security responsibilities, with mandatory security onboarding and annual refresher training.
- Ensure that appropriate architecture principles, business continuity processes, disaster recovery plans and data backups are in place to ensure infrastructure and product resilience and contingency.
- Provide appropriate resources and measures to ensure rapid and effective management and response to incidents that threaten the security or continued availability of assets, particularly critical systems and information.
- Continual improvement of eMed’s UK information security management system, through cross functional security governance, internal and external audit.
Information security risk management is achieved through the use of a number of controls including policies, processes, procedures, software, and hardware functions. These controls are continually monitored, reviewed and improved to ensure that specific security and business objectives are met. These controls are operated in conjunction with other business management processes and incorporate industry best practices, taking into consideration the applicable statutory and contractual requirements. eMed UK continuously works to effectively operate and continually improve the security controls in order to:
- Take account of changes to business requirements and priorities.
- Consider new threats and vulnerabilities.
- Confirm that controls remain highly effective and appropriate.
Information security is everyone’s responsibility. All employees are empowered to identify any potential security weaknesses and incidents and report through the appropriate management channels.
Safety
We ensure clinical safety of Babylon products and services by meeting and exceeding industry and legal standards.
We carefully manage clinical risk for all Babylon Health products and services to ensure clinical safety.
Our product
We apply the clinical risk management process to all stages of the product lifecycle, from concept to deployment and eventually decommissioning, this ensures the clinical safety of our products and services.
The triage aspect of our AI service is registered as a class 1 device with the Medicines and Healthcare products Regulatory Authority (MHRA), the body responsible for regulating medical devices and pharmaceutical products in the UK.
Our doctors
Babylon only employs GMC registered doctors. All our doctors are trained and required to follow good practice in handling patient information. It is mandatory for all staff providing or supporting the Babylon clinical service to have regular training in Information Governance.
Medical records
- MEDICAL RECORD RETENTION -
We retain medical records in accordance with national best practice guidelines.
Our business revolves around delivering a better health service to every person on earth but, in order to do this, we need to be able to access medical information.
We retain your medical records in accordance with national best practice guidance. This includes advice provided by the Department of Health Records management (2006), NHS code of practice, and summary guidance issued by the British Medical Association.
Type of record
Maternity record retention period
25 years after the birth of the last child
GP records retention period
GP Records are kept for 10 years after death, or after the patient has permanently left the country unless the patient remains in the European Union. In the case of a child, if the illness or death could have potential relevance to adult conditions, or have genetic implications for the family of the deceased, the advice of clinicians should be sought as to whether to retain the records for a longer period.
Electronic patient records (EPRs) must not be destroyed, or deleted, for the foreseeable future.
Records relating to persons receiving treatment for a mental disorder within the meaning of mental health legislation retention period
20 years after the date of the last contact; or 10 years after the patient's death if sooner
Last Modified: March 2025