
Last updated: 27/05/2025 Version: 1.2

This Executive Summary introduces our global, multi-jurisdictional commitment to lawful, transparent, and ethical data processing — with particular focus on sensitive categories such as biometric identifiers, health records, and identity documents.

CliniciansCheck operates under a ‘gold standard’ framework, compliant with — and often exceeding — the highest legal benchmarks worldwide. These include:

  • United Kingdom: UK GDPR (2021) and Data Protection Act 2018

  • European Union: EU GDPR (Regulation EU 2016/679)

  • United States: Health Insurance Portability and Accountability Act (HIPAA); California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA); Illinois Biometric Information Privacy Act (BIPA)

  • Australia: Privacy Act 1988 and Health Records Act (Victoria)

  • Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)

  • India: Digital Personal Data Protection Act, 2023

  • Global: OECD Privacy Guidelines and ISO/IEC 27701:2019 framework for privacy information management

This policy applies to all users, collaborators, and partners engaging with the CliniciansCheck platform and services, including:

  • Patients and healthcare consumers

  • Registered clinicians and health professionals

  • Platform administrators and data processors

  • Advertisers, researchers, and insurance partners

  • API users, developers, and integrated systems

All data subjects interacting with CliniciansCheck must provide informed, explicit, and revocable consent before any processing of special category or biometric data occurs. Consent mechanisms, logging, jurisdictional restrictions, and audit controls are embedded by design.

This policy represents our ethical and legal commitment to:

  • Privacy by design and default

  • Accountability and data minimization

  • Consent as a living, user-controlled process

  • Regulatory readiness for audits and legal scrutiny in any jurisdiction

By engaging with our services, users acknowledge and agree to be bound by this policy, which is enforced globally and reviewed regularly to meet emerging legal obligations and ethical standards.

1. Informed Consent Principles

Consent Management & Biometric Data Policy

CliniciansCheck enforces a comprehensive consent management model that aligns with GDPR Article 4(11), UK ICO guidelines, HIPAA authorisation requirements, and global consent frameworks. Consent is not a one-time checkbox — it is a living, user-controlled right.

We follow the strictest interpretation of “informed consent,” which must be:

  • Informed – Delivered in clear, plain language understandable by the average user (reading age 12–14), with layered access to legal or clinical detail if needed.

  • Freely Given – No pre-ticked boxes, coercion, or bundling of unrelated services.

  • Specific – Linked to defined purposes; blanket consent is never permitted.

  • Granular – Users can choose what types of data to share (e.g. image upload yes, voice sample no).

  • Unambiguous – Requires a clear affirmative action (e.g. ticking a box, signing, verbal confirmation).

  • Reversible – Consent can be withdrawn at any time, without consequence, via user dashboard or written notice.

CliniciansCheck Protocols

Consent is required before account activation, platform use, or any data transfer.

All consent events are timestamped, version-controlled, and stored in encrypted form.

Users can view, audit, or export their consent history at any time.

Minors or legally incapacitated individuals must have consent provided by a legally authorised guardian, as required by local law.

This consent framework is integrated across web, mobile, API, and any embedded third-party system, and enforced at every data entry or interaction point.

2. Sensitive & Special Category Data Handling

Explicit consent is required before processing:

  • Health data (e.g. diagnoses, prescriptions, assessments)

  • Identity documents (passports, licences, clinician registration numbers)

  • Biometric data (face scans, fingerprints, voice, retina, gait, keystroke dynamics)

  • Genetic data

  • Religion, ethnicity, and sexual orientation

Each instance of consent is logged in encrypted form. Data storage and processing meet all regional legal thresholds and undergo regular audit.

3. Biometric Data Usage & Restrictions

CliniciansCheck does not currently deploy biometric authentication or analysis as standard. If such features are introduced (e.g. identity verification via facial recognition, voice biometrics, or behavioural patterns), they will be governed by:

  • Opt-in only participation

  • Independent consent prompt (not bundled)

  • Encrypted storage separate from other identifiers

  • Deletion on request or after expiration

  • No profiling or automated clinical decisions using biometric data

All biometric operations are conducted with lawful purpose, transparency, and minimum necessary usage.

4. Jurisdiction-Specific Biometric Compliance

We respect enhanced restrictions and notify users accordingly. We geo-restrict biometric features based on IP and user address to ensure legal compliance.

Key Laws Observed:

  • USA – Illinois BIPA & California CPRA

  • UK/EU – GDPR Article 9: Special Categories of Data

  • Australia – Privacy Act: Sensitive Information provisions

  • India – DPDP Act 2023

  • Canada – PIPEDA (biometric identifiers)

  • South Africa – POPIA (biometric and health data protections)

Use of biometric data is disabled in jurisdictions where local laws prohibit it.

5. Audit Trails, Logging & Access Transparency

Every interaction related to consent or biometric data is logged with:

  • Timestamp

  • User identity

  • Purpose of access

  • Device and location details

Users can access their full consent history via dashboard. Any CliniciansCheck staff access to biometric or health data is strictly role-based and logged in an immutable audit trail.

6. Revocation, Expiry & Deletion

Users can revoke consent at any time via:

  • Their user dashboard

  • Written request to our Data Protection Officer

Upon withdrawal:

  • Data processing will cease immediately

  • Associated features will be disabled

  • Data will be erased (unless retention is legally required)

Biometric data is deleted automatically after 12 months if unused or when the user deactivates their account.

7. Third-Party Processors & Vendors

CliniciansCheck ensures all processors of biometric or sensitive data:

  • Sign a binding Data Processing Agreement (DPA)

  • Meet or exceed our encryption, storage, and access standards

  • Are verified for compliance under GDPR, HIPAA, and other local regulations

We prohibit all secondary use, re-identification, resale, or indirect profiling using any biometric or health data. Sub-processors are contractually bound to our Privacy & Data Transfer Policy.

8. Policy Review & Change Notification

This policy is reviewed:

  • At least annually

  • Immediately upon any legal or technical change

Any update that alters the way biometric or special category data is used will be:

  • Notified to all users

  • Logged in the policy changelog

  • Subject to renewed user consent

9. Governance & Enforcement

This policy is enforced by:

  • CliniciansCheck Board Governance Charter

  • Our Legal, Risk, and Compliance Teams

  • Our Data Protection Officers (DPOs) globally

Breaches or violations:

  • Trigger regulatory notification obligations (e.g., to the ICO, European DPA, or HHS)

  • May result in contract termination or legal action

  • Are subject to our Dispute Resolution & Accountability Framework

CliniciansCheck stands for ethical leadership, patient protection, and world-class digital trust.

This policy is not just a legal shield—it is a moral contract with every user we serve. Our platform reflects best-in-class global compliance, designed for public-sector collaboration, investor assurance, and end-user safety.