Privacy Policy
At RIVIAM, we take the privacy and security of your information very seriously. We believe it’s important you fully understand how your data is managed when you use this portal.
When we refer to 'RIVIAM' we are referring to RIVIAM Digital Care which provides this application and whose registered office is Cooper House, Lower Charlton Estate, Shepton Mallet, Somerset, England, BA4 5QE.
When we refer to ‘portal’ we are referring to the Patient Portal provided to you for the purpose of booking, cancelling, re-booking an appointment, and accessing outcome letters with your healthcare provider (the functionality for receiving outcome letters via the portal will be enabled in V1.1 of the portal in 2025).
Data protection framework
RIVIAM Digital Care is based within the United Kingdom and, as such, is registered with the Information Commissioner’s Office (ICO) with registration number Z8885675. We have aligned our Privacy Policy with the EU General Data Protection Regulation (GDPR) which came into effect on 25 May 2018, under the supervision of the ICO within the UK.
This privacy policy
This privacy policy sets out the way in which we process and use your personal data collected from you whilst using the portal. It also sets out how we use your personal data whilst accessing the service when using NHS login details.
Personal data means information related to an individual who can be identified directly or indirectly from that data. Examples of personal data include but are not limited to your name, email address, phone number or postcode. You can read the ICO’s definition of personal data for more detail.
This privacy policy is always available to view on the portal whether you wish to register or book/manage an appointment as an unregistered user.
The relationship between RIVIAM Digital Care, the healthcare provider and NHS England
For this portal provided by RIVIAM to your healthcare provider, RIVIAM is the data processor, and your healthcare provider is the data controller.
The data controller has given us instructions (captured in a contract) regarding how to process your information, so you receive the best care. The data controller is responsible for the appropriate lawful basis to process your data. If you have any questions about how your healthcare provider captures and uses your personal data, please visit their website to read their privacy policy.
NHS login provides you with a simple, secure, and re-usable way to access multiple digital health and care services. The NHS login service has been designed to keep your personal information secure. It meets the highest standards required by data protection regulation such as the Data Protection Act 2018, the standards set by the National Data Guardian and by the Government Digital Services.
Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS login’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.
Who do we collect information from?
We collect the minimum set of data needed to provide you with the best service when using the portal.
Users of the portal need to be over the age of 16.
What personal data do we collect and process?
You give us the personal data about yourself when you choose to use the portal as an unregistered user so we can verify you are a patient of the healthcare provider:
- First name
- Surname
- Date of birth
- Postcode.
We collect personal data about you from your healthcare provider to enable you to book the right appointment for your needs. This data can include:
- First name
- Surname
- Gender
- Date of birth
- Phone number
- NHS number
- Postcode and address
- Consent to contact you
- Previous appointment details (including the clinicians seen for each previous appointment)
- Waiting list information (including if your referral is urgent or routine)
- Referral information (including the clinician who made the referral, the referral ID, the service and body part required).
Personal data processed via the NHS login
Once you have logged in and authenticated yourself using NHS login, so that RIVIAM can enable you to manage your appointments and match these with your referrals, we request the following data from the NHS login service:
- NHS number
- First name
- Surname
- Date of birth
- Identity proofing level
- Email address (and whether it has been verified)
- Phone number (and whether it has been verified)
- GP registration details.
You give us the following information to pass back to your healthcare provider when you choose and book an appointment using the portal as a registered or unregistered user, and when you view and download an outcome letter or document (the functionality for receiving outcome letters via the portal will be enabled in V1.1 of the portal in 2025):
- Appointment booking, cancellation, re-booking
- Document view and download.
Cookies
Only strictly necessary cookies are used for the portal to function optimally and provide you with the best service. The cookies do not collect personal data.
Links to other websites
The portal may contain links to other websites, e.g. the healthcare provider's website. This policy does not cover the protection and privacy of your data should you provide any whilst visiting these sites. Please view the privacy policy of other websites you visit.
How does RIVIAM use your personal data?
As the data processor, we use your personal data only for the following purposes:
- Authenticate you as a user to ensure you should be making a booking with the healthcare provider
- Provide you with the correct appointment options to choose your appointment
- Send you communications from your healthcare provider via SMS or email
- Enable you and your healthcare providers to book, cancel and re-book appointments
- Enable you to see previous appointments, the number of these and the clinician you saw
- Provide you with outcome letters following your appointments (the functionality for receiving outcome letters via the portal will be enabled in V1.1 of the portal in 2025).
How do we protect your personal data?
We are committed to ensuring that your information is always secure. RIVIAM has robust security safeguards in place mandated by the NHS to protect the confidentiality, integrity and availability of your personal information.
Your data is stored in secure data centres run by Amazon Web Services in England. All personal information on RIVIAM is always encrypted. Data is backed up daily and we have a business continuity plan in place in the event of service disruptions.
Who do we share your personal data with?
We will never pass on your information to other suppliers unless you specifically consent to us doing so or we are specifically required to by law.
Your personal data is shared only with the data controller, the healthcare provider, for the purpose of providing you with their service and enabling you to book and manage appointments.
We use the following sub-processors who process limited data to provide their service:
- Amazon Web Services London region, provides secure cloud hosting services
- BT, provides SMS messages enabling you to receive messages regarding appointments and documents to view
- Mail providers, provide you with emails enabling you to receive messages regarding appointments and documents to view.
Do we transfer your personal data outside the UK/EEA?
Your personal data is stored in secure data centres run by Amazon Web Services in England, UK.
How long do we keep your personal data?
As the data processor, your personal data will be kept whilst the data controller, the healthcare provider, is a customer of RIVIAM.
Once the contract ends, unless instructed otherwise by the data controller, we will retain data in line with the NHS Records Management Code of Practice. We will keep the data for no longer than is necessary to fulfil our contractual and legal obligations, unless you have made a specific request to have your information deleted.
What are my rights?
As prescribed within data protection regulations, you have several rights connected to the use of your personal data. For more information about your rights please see the ICO’s website.
As we are the data processor, please contact the data controller, the healthcare provider, if you would like to exercise any of these rights.
You can submit a subject access request to RIVIAM via our Helpdesk by emailing support@riviam.zendesk.com. We will pass this on to the data controller, the healthcare provider.
How do I opt out of the portal?
- If you would like to opt out of using the portal, please contact your healthcare provider
- If you would like to update your communication preferences or remove a contact method from use, please contact your healthcare provider
- If you would like to stop any information being shared from the data controller, the healthcare provider, to RIVIAM, the data processor, you will need to contact your healthcare provider who will need to make this update happen.
Contacting us or making a complaint
In the first instance an enquiry about information stored within RIVIAM should be directed to the data controller, the healthcare provider. If you have a problem identifying the data controller, then please contact RIVIAM via our Helpdesk by emailing support@riviam.zendesk.com.
If RIVIAM does not address your request or fails to provide you with a valid reason why it is unable to do so, you have the right to contact the Information Commissioner’s Office to make a complaint. They can be contacted via their website (www.ico.org.uk) or by telephone 0303 123 1113.
Changes to this privacy policy
We may change this privacy policy, and, if we do, we will add any changes on this page. If you continue to access the portal after those changes have come into effect, you will have agreed to the revised policy.
Last updated May 2025.