Privacy policy
As a UK-based organisation MedLed must comply with the Data Protection Act (2018), which encompasses the General Data Protection Regulation (GDPR) 2016. The company holds personal information about employees, clients and other third-party partners and suppliers, and has a duty of care to ensure its protection.
The Data Protection Act (DPA) requires that all data:
Is processed fairly, lawfully and in a transparent manner;
Is collected and processed only for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes;
Is adequate, relevant and limited to what is necessary for those purposes;
Is accurate, up to date and not kept in an identifiable form for longer than necessary for the purposes for which it is processed;
Is processed in accordance with the data rights of individuals;
Is securely held, including protection by technical and organisational measures, against unauthorised or unlawful processing and against accidental loss, destruction or damage.
The DPA also gives individuals the right to access, delete, correct or receive in an easily transferable format, where applicable, personal information held by the business upon request.
MedLed is committed to complying with these requirements.
All employees, whether permanently employed or working with MedLed on a contract basis, are bound by the terms of the following policy and have undergone relevant training.
MedLed must be transparent with all individuals about what data is collected, stored and processed about them. Whilst the DPA covers the rights of UK subjects, and GDPR of EU subjects, we apply these principles to all data subjects regardless of location.
MedLed is registered with the UK Information Commissioner’s Office with registration number: ZA892723
The nominated Data Protection lead for the organisation is: Ben Tipney, Managing Director.
Data protection policy
This policy applies to all personal and sensitive data within the organisation.
Defined data types
MedLed acknowledges the following definitions of data types covered by this policy and subsequent privacy notice.
Personal data is defined as data which relate to a living individual who can be identified:
from those data, or
from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
Sensitive personal data is defined as personal data consisting of information as to:
the racial or ethnic origin of the data subject,
their political opinions,
their religious beliefs or other beliefs of a similar nature,
whether they are a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992),
their physical or mental health or condition,
their sexual life,
the commission or alleged commission by them of any offence, or
any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.
Lawful basis for processing
GDPR requires MedLed to establish one of the following lawful bases for processing data:
Consent: We hold recent, clear, explicit, and defined consent for the individual’s data to be processed for a specific purpose.
Contract: The processing is necessary to fulfil or prepare a contract for the individual.
Legal obligation: We have a legal obligation to process the data (excluding a contract).
Vital interests: Processing the data is necessary to protect a person’s life or in a medical situation.
Public function: The processing is necessary to carry out a public function or a task in the public interest, or the function has a clear basis in law.
Legitimate interest: The processing is necessary for our legitimate interests, and those interests are not outweighed by the individual’s rights.
Before processing any data, we must be clear that the processing is necessary and one of the above applies.
A copy of the company information asset register – including records of the lawful basis and retention periods – and relevant legitimate interest assessments is available on request, alongside data privacy impact assessments.
Subject access requests
In the event of an individual (or subject) exercising their rights to access, rectification, erasure, restriction, objection or to port their data, MedLed will aim to provide the relevant data without delay, and within 30 days. They will be asked to provide relevant identification to start this process.
Disclosure
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances, MedLed will disclose the requested data subject to checks that the request is legitimate.
Data transfer, retention and disposal
Data should only be transferred outside of the UK or European Economic Area (EEA) under the guidance of the Data Protection Lead. Data must only be retained for the retention period recorded in the company information asset register. It must then be securely destroyed. If data is found to be inaccurate it must be updated or disposed of as soon as possible.
Data breaches
In the event of a data breach, MedLed must report to the UK Information Commissioner’s Office within 72 hours of the event with details of:
The nature of the personal data breach including, where possible:
The categories and approximate number of individuals concerned; and
Categories and approximate number of personal data records concerned;
The name and contact details of the Data Protection Lead.
A description of the likely consequences of the personal data breach;
A description of the measures taken or proposed to be taken to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.
Monitoring and improvement
This policy is reviewed by the Data Protection Lead on an annual basis, or whenever our working business practices change. It is supported by other business practices such as IT, security and regular training of our team. MedLed carries out regular due diligence on all partner organisations around data protection, all of which must be DPA-compliant.
Privacy notice
MedLed may hold personal data about:
Employees
Prospective clients
Clients
Training participants
Suppliers
Newsletter subscribers
We will only disclose this data if:
It is required by law
It is required to provide you with services and goods
You have given us prior consent
MedLed does not buy or sell personal data for any purpose.
To verify, update or amend personal data, or contact us with a data protection query, please email dataprotection@med-led.co.uk at any time.
You also have the right to lodge a complaint about our processing with the UK’s Information Commissioner’s Office:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF Helpline number: 0303 123 1113
This policy will be reviewed annually. Date of last review: 21st November 2021
Your rights
As an individual whose personal data is processed by MedLed you have these rights:
The right to be informed
The right to access the data we hold about you
The right to object to direct marketing
The right to object to processing carried out on the basis of legitimate interests. Where MedLed relies on legitimate interests to process, store or use your data, we only do so after carrying out a full Legitimate Interest Assessment.
The right to erasure (in some circumstances)
The right to data portability
The right to have your data rectified if it is inaccurate
The right to have your data restricted or blocked from processing
The right to refuse automated decision-making or profiling
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Emailing us
We use Transport Layer Security (TLS) where possible to encrypt and protect email traffic. Where this is not possible we use Secure Sockets Layer (SSL) protection, alongside monitoring for viruses or malicious software.
Data we may hold
Employees
As an employee, we may hold the following information about you:
Your name and contact information such as phone number and email address
Your salary payment information including taxation information (such as National Insurance number, pension contribution, etc.), your address and postcode
Details of the nature of your employment, including your employment contract
Emergency contact details, such as next of kin
Qualifications and references that support your application for the position
Interview notes and employment review records
Training certificates
Driving licences
Attendance records including absence notes
Accident records
Communications with you
We use this data to meet our contractual requirements to provide you with agreed employment and to make relevant payments to you in return. We also use this for lawful purposes, such as taxation. It also allows us to carry out other duties as a responsible employer such as providing relevant training and providing safe working environments for you. We will retain all financial records for 6 years, following the end of the current financial year. This may include your data. We will retain other information about you for the duration of our relationship with you, plus 24 months.
Prospective employees
As a prospective employee, we may hold the following information about you:
Your name and contact information such as phone number and email address
Qualifications and references that support your application for the position
Interview notes
Communications with you
All of the information you provide during the recruitment process will only be used for the purpose of progressing your application or to fulfil legal or regulatory requirements if necessary. MedLed will not share any of the information you provide during the recruitment process with any third parties for marketing purposes. The information you provide will be held securely by us whether the information is in electronic or physical format. We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for. If you are successful, the information you provide during the application process will be retained by us as part of your employee file for the duration of your employment plus 1 year following the end of your employment.
Prospective clients
As a prospective client, we may hold the following information about you:
Your name and basic contact information such as phone number and email address
What you do
What we may be able to do for you
Communications with you
If you contact us via email, phone or the contact us page on our website, this data allows us to follow up with you. We consider this to be a legitimate interest. We believe that you would reasonably expect this processing, and it will have a minimal impact on your privacy. A copy of our Legitimate Interest Assessment is available on request. If, 24 months after your enquiry, you are not an active client, we will remove this data from our systems.
Clients
As a client, we may hold the following information about you:
Your name and contact information such as phone number and email address
Your billing and payment information including your address and postcode
What you do
What we are working on for you
Communications with you
We use this data to meet our contractual requirements to you in providing an agreed service and to seek payment from you via invoice. We also use this for lawful purposes, such as taxation. We will retain all financial records for 6 years, following the end of the current financial year. This may include your data. We will retain other information about you for the duration of our relationship with you, plus 12 months.
We may also send you relevant news about our services in a number of ways including by email, but only if we have a legitimate interest to do so. We believe that you would reasonably expect this processing, and it will have a minimal impact on your privacy. A copy of our Legitimate Interest Assessment is available on request.
Training participants
As a training participant, we may hold the following information about you:
Your name and contact information such as phone number and email address
What you do and, if applicable, the organisation you work for
The training you undertook
Communications with you
We use this data to meet our contractual requirements to you in providing an agreed service. We will retain other information about you for the duration of our relationship with you, plus 24 months.
We may also send you relevant news about our services in a number of ways including by email, but only if we have a legitimate interest to do so or you have given prior consent. We believe that you would reasonably expect this processing, and it will have a minimal impact on your privacy. A copy of our Legitimate Interest Assessment is available on request.
Suppliers
As a supplier, we may hold the following information about you:
Your name and contact information such as phone number and email address
Your billing and payment information including your address and postcode
What you do
What you are providing for us
Communications with you
We use this data as part of our contractual agreement to help you provide an agreed service and make payments to you via invoice. We also use this for lawful purposes, such as taxation. We will retain all financial records for 6 years, following the end of the current financial year. This may include your data. We will retain other information about you for the duration of our relationship with you, plus 24 months.
We may also send you relevant news about our services in a number of ways including by email, but only if we have a legitimate interest to do so. We believe that you would reasonably expect this processing, and it will have a minimal impact on your privacy. A copy of our Legitimate Interest Assessment is available on request.
Newsletter subscribers
As a newsletter subscriber, but where you are not a client or a supplier already, we may hold the following information about you:
Your name and email address
What you would like to hear from us about
A record of your consent to receive our newsletter
We will use this information to send you news about MedLed and its services.
Newsletters and marketing communications may be sent from our own domain, which provides an informative newsletter to business contacts.
We will ask you annually to check and update this information. If we do not hear from you then, your details will be removed. You can unsubscribe using the link included in all email newsletters or via the contact details above.
Sharing our content
When using our website or newsletter, you may wish to share information through social networks by ‘liking’ or ‘sharing’ our content. When doing this, your personal information may be visible to the providers of those social networks and/or their other users. Please make sure you have checked the privacy settings on your social network accounts, and are comfortable with how your information is used and shared on them.
Data processors
We may occasionally instruct third-party data processors who provide services to us, and on our behalf. Where this processing occurs we will have Data Processing Agreements in place. By having these agreements in place it means they:
Will hold your personal data securely
Will only hold your data for the period we instruct
Cannot process your personal data in any way other than what we have instructed them to
Will not share your personal information with any other organisations or sub-processors
Are required to report to us any data breaches that may have occurred which may affect your data
Must cooperate with any exercise of your data rights (e.g. the right to access)
Data we may transfer
We use third-party tools in our business. These tools may transfer your information out of the UK and the European Economic Area. If you have any concerns about your data being transferred internationally by these third parties, please contact us. We’ll be happy to discuss.
Changes
We reserve the right to change this policy and privacy notice in line with legal changes and clarifications, or business changes.
If, in future, we decide to sell or transfer all or part of our business, any personal data relevant specifically to that business element will also be transferred. The new owner or controlling party will be permitted to use that data only for the purposes for which we originally collected it. It will be held under the terms of this policy.