Privacy notice: BMJ Best Practice tools

When you use BMJ Best Practice, BMJ Publishing Group Limited (“BMJ” or “we”) collect certain information about you. We will only use your personal data as outlined in this privacy notice.

You’ll normally get this notice when you first register for BMJ Best Practice (including on the website and app). You can also access it at any other time through the app ‘settings tab’ or at the footer of the website.

What should I expect?

When we collect or otherwise use your personal data, we have to have a ‘legal basis’ under data protection law, and to explain which one applies to particular use of data. We collect the minimum amount of data required for the app to function. As all the data is necessary, we cannot provide the option to opt out of its collection. We collect the following data when you use BMJ Best Practice: 

What data we collect:

How we use it:

Log-in credentials Collected when you register for BMJ Best Practice and used to enable you to access the platform. Our legal basis is that this is necessary for us to fulfil our contractual obligations.
Email address Collected when you register for BMJ Best Practice and used to create a unique identifier for you. Our legal basis is that it’s necessary for us to fulfil our contract with you or your organisation: we need this information to enable us to verify you as an eligible user.

We will use your email address to send you messages about changes to the service.  

If you opt in to receive marketing from BMJ, then we may also send you direct marketing communications about our products and services. You can withdraw your consent to receive direct marketing at any time by updating your account settings or contacting us.

IP address Where your organisation has arranged for your access to BMJ Best Practice, we collect your IP address to check that it falls within the range of authorised IP addresses that your organisation uses. Our legal basis is that we have a legitimate interest in making sure that only people entitled to use our products and services are able to.
Usage analytics We collect information about how you use BMJ Best Practice. Our legal basis is that we have a legitimate interest in wanting to understand how our products and services are being used, and what we might be able to do to develop and improve them for the benefit of our users.

Personal data is encrypted both in transit and at rest to help ensure security. BMJ’s internal processes patch and regularly update security features. BMJ Best Practice does not make automated decisions about you with a legal or similarly significant effect.

If BMJ makes changes to this privacy policy, we will send a notification.

Which organisations are involved?

BMJ is the sole ‘data controller’ for the personal data we collect from you. Where your access has been arranged by an organisation (such as a hospital - as a benefit of your employment), that organisation will be a separate data controller. They will tell you if, how, and why they will use your data. We do not have any control over how other organisations will use your data. 

Do you share my personal data?

We provide your data to the following third parties in order for our products and services to work properly, to keep your data safe, and to deliver good user experiences:

  • third party service providers such as our app platform provider who assist us in delivering the app to you; and,
  • our data storage providers. Our usage data is tracked and stored in Google Analytics, Firebase and Scholarly IQ for website and app usage.

Is my data going to be processed overseas?

Yes. BMJ uses information storage based in the Republic of Ireland. The RoI has very similar data protection laws to the UK, and BMJ has strict contractual agreements to ensure that any personal data is handled properly and securely.

How long will my data be held?

We hold your data for ten years from the date you last accessed BMJ Best Practice. If you use the same email address to use other BMJ products or services, your login and usage data will be held for ten years after the last time you accessed any of those products or services. Personal data is securely erased at the end of the retention period.

What are my rights?

You have rights over your data. You can contact us if you would like to:

  • have a copy of your personal data;
  • correct factually inaccurate information about you;
  • erase information about you;
  • restrict how your data is used; or
  • object to our use of your data (including marketing).

We will respond to requests within one calendar month. You can find advice about your rights on the website for the Information Commissioner’s Office (the regulator for data protection in the UK). 

If you would like privacy information about any other BMJ products or services you can view our main privacy policy here, or search for the specific product at

If you have any questions, concerns, complaints, or you believe a child may be accessing the app, we’d like it if you contacted us at BMJ in the first instance, marked for the attention of Tim Morgan, Data Protection Compliance Manager. You also have the right to complain to the Information Commissioner’s Office if you’d like to.

EU representative

In accordance with the requirements of the GDPR (Article 27), BMJ also has a data protection representative in the EU: Rechtsanwaltsgesellschaft m.b.H.

Geschäftsführer: RA Klaus Foitzick

Kurfürstendamm 56

10707 Berlin

HRB 185355 Amtsgericht München


Tel: +49 (0) 30 / 770191070