pH7 Compliance: Legal and Regulatory Information (UK)

1. General Medical Compliance

Portugal - INFARMED & ERS Regulations:

• Doctor Standards:

  All doctors using the pH7 platform comply with Portuguese regulations, specifically those outlined by INFARMED. Doctors must use the "special prescription model" required by Law no. 33/2018, which includes essential details like doctor and patient identification, cannabis substance details, quantity, dosage, and method of administration. Only doctors who comply with these regulations are allowed to operate on the platform.

• Verification and Clinical Guidelines:

  Prescriptions must follow INFARMED's list of approved therapeutic indications, as mandated by Decree-Law no. 8/2019. The platform ensures that all consultations are compliant with these guidelines, and doctors are responsible for adhering to the prescription model in all cases.

General Pharmaceutical Council (GPhC):

• Pharmacy Compliance:

  All cannabis-based products are dispensed through registered pharmacies in accordance with Decree-Law no. 176/2006. The platform ensures that pharmacies comply with all relevant regulations, including the verification of the purchaser's identity and the provision of necessary usage instructions. The dispensing process adheres strictly to the requirements set out by Portuguese law.

2. Data Protection and Privacy

General Data Protection Regulation (GDPR):

• Lawful Basis for Processing:

  The platform processes patient data based on explicit consent and legal necessity, as required under GDPR. Data is encrypted and anonymized, with clear T&Cs outlining data usage. Personal data is shared only between the patient and healthcare provider.

• Data Subject Rights and Security:

  Patients can access, correct, and erase their data as per GDPR regulations. The platform uses advanced encryption methods to protect data and ensures that these measures are regularly reviewed.

• Data Minimisation and Retention:

  Only necessary data is collected, with strict retention policies in place to ensure compliance with GDPR. Data is stored only as long as needed for service provision.

3. Telemedicine and Remote Prescribing Regulations

Remote Consultation Standards:

• Verification and Documentation:

  The platform ensures that all remote consultations adhere to the requirements of Decree-Law no. 176/2006. Patient identity verification and a comprehensive medical history are mandatory before any consultation or prescription issuance.

Prescription Guidelines:

• Controlled Substances:

  All prescriptions for medical cannabis comply with Decree-Law no. 8/2019, requiring a special prescription model and verification of the purchaser's identity. The platform supports both electronic and physical prescription handling, in line with national laws.

4. Financial and Payment Processing

Financial Conduct Authority (FCA):

• Payment Processing Compliance:

  The platform ensures that all payment transactions between patients, doctors, and pharmacies comply with Portuguese financial regulations. Anti-Money Laundering (AML) measures and Know Your Customer (KYC) checks are implemented to ensure the legality and security of financial transactions.

5. Cybersecurity Standards

Technical and Organisational Measures:

• Data Encryption and Access Controls:

  Data is encrypted both at rest and in transit, as required by GDPR and national regulations. Access is restricted to authorised personnel only, with detailed audit logs maintained to monitor for unauthorised activities.

Compliance Standards:

• Cyber Essentials and ISO/IEC 27001:

  The platform follows best practices in cybersecurity, including adherence to the Cyber Essentials guidelines and consideration for ISO/IEC 27001 certification for information security management.

Encryption and Profile Data Security:

• End-to-End Encryption:

  Communications between patients and doctors are end-to-end encrypted, ensuring privacy. Medical and lifestyle data on the user profile is encrypted and inaccessible to admin users, complying with GDPR.