Privacy and data protection policy

As a UK-based organisation, MedLed must comply with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR), the retained version of the EU General Data Protection Regulation 2016. The company holds personal information about employees, clients and other third-party partners and suppliers, and has a duty of care to ensure its protection.

The Data Protection Act (DPA) requires that all personal data:

  • Is processed fairly, lawfully and in a transparent manner;
  • Is collected and processed only for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes;
  • Is adequate, relevant and limited to what is necessary for those purposes;
  • Is accurate, kept up to date and not kept in an identifiable form for longer than necessary for the purposes for which it is processed;
  • Is processed in accordance with the data rights of individuals;
  • Is held securely, including protection by appropriate technical and organisational measures, against unauthorised or unlawful processing and against accidental loss, destruction or damage.

The DPA also gives individuals the right, upon request and where applicable, to access, delete or correct personal information held by the business, or to receive it in an easily transferable format.

MedLed is committed to complying with these requirements.

All employees, whether permanently employed or working with MedLed on a contract basis, are bound by the terms of the following policy and have undergone relevant training.

MedLed must be transparent with all individuals about what data is collected, stored and processed about them. Whilst the DPA covers the rights of UK data subjects and the EU GDPR those of EU data subjects, we apply these principles to all data subjects regardless of location.

MedLed is registered with the UK Information Commissioner’s Office with registration number: ZA892723

The nominated Data Protection lead for the organisation is: Ella Barrington, Operations Director.

Data protection policy

This policy applies to all personal and sensitive data within the organisation.

Defined data types

MedLed acknowledges the following definitions of data types covered by this policy and subsequent privacy notice.

Personal data is defined as data which relates to a living individual who can be identified:

  • from those data, or
  • from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
  • and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

Sensitive personal data (referred to in the UK GDPR as special category data, which additionally covers genetic data, biometric data used for identification and sexual orientation, with criminal offence data subject to separate safeguards) is defined as personal data consisting of information as to:

  • the racial or ethnic origin of the data subject,
  • their political opinions,
  • their religious beliefs or other beliefs of a similar nature,
  • whether they are a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
  • their physical or mental health or condition,
  • their sexual life,
  • the commission or alleged commission by them of any offence, or
  • any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.

Lawful basis for processing

GDPR requires MedLed to establish one of the following lawful bases before processing personal data:

  • Consent: We hold recent, clear, explicit and defined consent for the individual’s data to be processed for a specific purpose.
  • Contract: The processing is necessary to fulfil a contract with the individual, or to take steps at their request before entering into one.
  • Legal obligation: We have a legal obligation (other than a contractual one) to process the data.
  • Vital interests: Processing the data is necessary to protect someone’s life, for example in a medical emergency.
  • Public task: The processing is necessary to carry out a public function or a task in the public interest, and that function has a clear basis in law.
  • Legitimate interests: The processing is necessary for our legitimate interests, and those interests are not overridden by the individual’s rights and interests.

Before processing any data, we must be clear that the processing is necessary and one of the above applies. 

A copy of the company information asset register – including records of the lawful basis and retention period for each asset – and the relevant legitimate interest assessments and data protection impact assessments (DPIAs) are available on request.

Subject access requests

In the event of an individual (the data subject) exercising their rights to access, rectification, erasure, restriction, objection or data portability, MedLed will aim to respond without undue delay and within one month of receiving the request. The individual will be asked to provide relevant identification so that their identity can be verified before the request is actioned.

Disclosure

In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances, MedLed will disclose the requested data subject to checks that the request is legitimate.

Data transfer, retention and disposal

Data should only be transferred outside the UK or the European Economic Area (EEA) under the guidance of the Data Protection Lead. Data must only be retained for the retention period recorded in the company information asset register, after which it must be securely destroyed. If data is found to be inaccurate it must be corrected or disposed of as soon as possible.

Data breaches

In the event of a personal data breach that is likely to result in a risk to individuals’ rights and freedoms, MedLed must report it to the UK Information Commissioner’s Office within 72 hours of becoming aware of it, with details of:

  • The nature of the personal data breach, including, where possible:
      • the categories and approximate number of individuals concerned; and
      • the categories and approximate number of personal data records concerned;
  • The name and contact details of the Data Protection Lead;
  • A description of the likely consequences of the personal data breach;
  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, the measures taken to mitigate any possible adverse effects.

Monitoring and improvement

This policy is reviewed by the Data Protection Lead annually, or whenever our working business practices change. It is supported by other business practices such as IT, security and regular training of our team. MedLed carries out regular due diligence on all partner organisations regarding data protection, all of which must be DPA compliant.

Privacy notice

MedLed may hold personal data about:

  • Employees
  • Prospective clients
  • Clients
  • Training participants
  • Suppliers
  • Newsletter subscribers

We will only disclose this data if:

  • It is required by law
  • It is required to provide you with services and goods
  • You have given us prior consent

MedLed does not buy or sell personal data for any purpose.

To verify, update or amend personal data, or contact us with a data protection query, please email dataprotection@med-led.co.uk at any time.

You also have the right to lodge a complaint about our processing with the UK’s Information Commissioner’s Office:

  • Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
  • Helpline number: 0303 123 1113

This policy will be reviewed annually. Date of last review: 13th February 2021

Your rights

As an individual whose personal data is processed by MedLed you have these rights:

  • The right to be informed
  • The right to access the data we hold about you
  • The right to object to direct marketing 
  • The right to object to processing carried out on the basis of legitimate interests. Where MedLed relies on legitimate interests to process, store or use your data, we only do so after carrying out a full Legitimate Interest Assessment
  • The right to erasure (in some circumstances)
  • The right to data portability
  • The right to have your data rectified if it is inaccurate
  • The right to have your data restricted or blocked from processing
  • The right not to be subject to decisions based solely on automated processing, including profiling

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you. 

Website analytics

MedLed uses a third-party service, Google Analytics, to understand how users interact with our website in order to understand better who is visiting, why they are visiting, and how we can better help them by improving our website.

Google Analytics stores information about:

  • the pages you visit on med-led.co.uk
  • how long you spend on each med-led.co.uk page
  • how you got to the site
  • what you click on while you’re visiting the site

We do not use the information we receive from Google Analytics to identify individuals. You can opt out of all Google Analytics tracking if you would prefer, for example by installing Google’s opt-out browser add-on.

Emailing us

We use Transport Layer Security (TLS) where possible to encrypt and protect email in transit. TLS supersedes the older Secure Sockets Layer (SSL) protocol, which is deprecated and should not be relied on. Email traffic is also monitored for viruses and other malicious software.

Data we may hold

Employees

As an employee, we may hold the following information about you:

  • Your name and contact information such as phone number and email address
  • Your salary payment information including taxation information (such as National Insurance number, pension contributions, etc.), your address and postcode
  • Details of the nature of your employment, including your employment contract
  • Emergency contact details, such as next of kin
  • Qualifications and references that support your application for the position
  • Interview notes and employment review records
  • Training certificates 
  • Driving licences
  • Attendance records including absence notes
  • Accident records
  • Communications with you

We use this data to meet our contractual obligations to provide you with agreed employment and to make the relevant payments to you in return. We also use it for lawful purposes, such as taxation. It also allows us to carry out other duties as a responsible employer, such as providing relevant training and a safe working environment for you. We will retain all financial records for six years following the end of the financial year to which they relate; this may include your data. We will retain other information about you for the duration of our relationship with you, plus 24 months.

Prospective employees

As a prospective employee, we may hold the following information about you:

  • Your name and contact information such as phone number and email address
  • Qualifications and references that support your application for the position
  • Interview notes
  • Communications with you

All of the information you provide during the recruitment process will only be used for the purpose of progressing your application or to fulfil legal or regulatory requirements where necessary. MedLed will not share any of the information you provide during the recruitment process with any third parties for marketing purposes. The information you provide will be held securely by us, whether in electronic or physical format. We will use the contact details you provide to contact you to progress your application, and the other information you provide to assess your suitability for the role you have applied for. If you are successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus one year following the end of your employment.

Prospective clients

As a prospective client, we may hold the following information about you:

  • Your name and basic contact information such as phone number and email address
  • What you do
  • What we may be able to do for you
  • Communications with you

If you contact us via email, phone or the contact page on our website, this data allows us to follow up with you. We consider this to be a legitimate interest: we believe that you would reasonably expect this processing, and that it will have a minimal impact on your privacy. A copy of our Legitimate Interest Assessment is available on request.

If, 24 months after your enquiry, you have not become an active client, we will remove this data from our systems.

Clients

As a client, we may hold the following information about you:

  • Your name and contact information such as phone number and email address
  • Your billing and payment information including your address and postcode
  • What you do
  • What we are working on for you
  • Communications with you

We use this data to meet our contractual obligations to you in providing an agreed service and to seek payment from you via invoice. We also use it for lawful purposes, such as taxation. We will retain all financial records for six years following the end of the financial year to which they relate; this may include your data. We will retain other information about you for the duration of our relationship with you, plus 12 months.

We may also send you relevant news about our services in a number of ways including by email, but only if we have a legitimate interest to do so. We believe that you would reasonably expect this processing, and it will have a minimal impact on your privacy. A copy of our Legitimate Interest Assessment is available on request.

Training participants

As a training participant, we may hold the following information about you:

  • Your name and contact information such as phone number and email address
  • What you do and, if applicable, the organisation you work for
  • The training you undertook
  • Communications with you

We use this data to meet our contractual obligations to you in providing an agreed service. We will retain information about you for the duration of our relationship with you, plus 24 months.

We may also send you relevant news about our services in a number of ways, including by email, but only where we have a legitimate interest to do so or you have given prior consent. We believe that you would reasonably expect this processing, and that it will have a minimal impact on your privacy. A copy of our Legitimate Interest Assessment is available on request.

Suppliers

As a supplier, we may hold the following information about you:

  • Your name and contact information such as phone number and email address
  • Your billing and payment information including your address and postcode
  • What you do
  • What you are providing for us
  • Communications with you

We use this data as part of our contractual agreement with you, to help you provide an agreed service and to make payments to you against invoice. We also use it for lawful purposes, such as taxation. We will retain all financial records for six years following the end of the financial year to which they relate; this may include your data. We will retain other information about you for the duration of our relationship with you, plus 24 months.

We may also send you relevant news about our services in a number of ways including by email, but only if we have a legitimate interest to do so. We believe that you would reasonably expect this processing, and it will have a minimal impact on your privacy. A copy of our Legitimate Interest Assessment is available on request.

Newsletter subscribers

As a newsletter subscriber, but where you are not a client or a supplier already, we may hold the following information about you:

  • Your name and email address
  • What you would like to hear from us about
  • A record of your consent to receive our newsletter

We will use this information to send you news about MedLed and its services. Newsletters and marketing communications will be sent from our own domain.

We will ask you annually to check and update this information. If we do not hear from you at that point, your details will be removed. You can unsubscribe at any time using the link included in every email newsletter, or by using the contact details above.

Sharing our content

When using our website or newsletter, you may wish to share information through social networks by ‘liking’ or ‘sharing’ our content. When doing this, your personal information may be visible to the providers of those social networks and/or their other users. Please make sure you have checked the privacy settings on your social network accounts, and are comfortable with how your information is used and shared on them.

Data processors

We may occasionally instruct third-party data processors who provide services to us and on our behalf. Where this processing occurs, we will have Data Processing Agreements in place. These agreements require that the processors:

  • Will hold your personal data securely
  • Will only hold your data for the period we instruct
  • Cannot process your personal data in any way other than what we have instructed them to
  • Will not share your personal information with any other organisations or sub-processors
  • Are required to report to us any data breaches that may have occurred which may affect your data
  • Must participate and cooperate with any invocation of your data rights (e.g. the right to access)

Data we may transfer

We use third-party tools in our business. These tools may transfer your information outside the UK and the European Economic Area. If you have any concerns about your data being transferred internationally by these third parties, please contact us and we will be happy to discuss them.

Changes

We reserve the right to change this policy and privacy notice in line with legal changes and clarifications, or business changes.

If, in future, we decide to sell or transfer all or part of our business, any personal data relevant to that part of the business will be transferred with it. The new owner or controlling party will be permitted to use that data only for the purposes for which we originally collected it, and it will be held under the terms of this policy.