Aviation Medicals Limited provides medical services to individuals and organisations. This privacy notice provides information about the personal information we process about you as a data controller, in compliance with the General Data Protection Regulation (GDPR).
As an essential part of our business, we collect and manage client and non-client data. In doing so, we observe the UK data protection legislation, and are committed to protecting clients’ and non-clients’ privacy and rights. Specifically, we act as a “Data Controller” in respect of the information gathered and processed by us.
So that you are reliably informed about how we operate, we have developed this privacy notice, which describes the way in which we collect, manage, process, store and share information about you as a result of you being a client. The privacy notice also provides you with information about how you can have control over the use of your data.
What information do we keep about you?
1. We process the personal data of individuals who are obtaining medical services.
2. The personal data may include:
• Names, contact details and dates of birth;
• Financial information and bank details (usually associated with invoicing or our duties to comply with financial governance, e.g. accounting under Companies House);
• Health information – this will be treated as confidential outside the scope of GDPR e.g. Access to Medical Reports Act 1988.
• Information about race, ethnic origin and sex;
3. In many cases, an individual has consented to the transfer of their personal data to us. This is common practice with regard to medical reports to employers. Where an individual has consented, he or she may easily withdraw it in accordance with Access to Medical Reports Act 1988.
Other personal data
4. We also process personal data pursuant to our legitimate interests in running our business such as:
• Invoices and receipts;
• Accounts, VAT and tax returns;
• Insurance policies and related documents;
How long do we keep your information for – The Retention Period?
5. Personal data with regard to your medical records are retained, where necessary, for six years in compliance with our professional indemnity obligations. Where this is not necessary, it is destroyed on the conclusion of the case. We only hold on to your personal information for as long as we actually need it for the purposes we acquired it for in the first place.
6. Administrative data is retained for up to six years as necessary, in the unlikely event there are queries from HMRC and the VAT commissioner. Where it is not necessary to retain the data for six years, it is destroyed as soon as possible.
Whom do we share personal data with?
7. We share personal data internally strictly on a need to know basis.
8. Special category data and personnel files held electronically are held on a security system with restricted access. Hard copy special category and other personal data is stored securely with restricted access in an alarm protected building.
9. We do not share personal data with anyone external to the organisation, other than:
• In legal requests.
• In statutory medical cases, with regulators already compliant with GDPR e.g. CAA, HSE, OGUK, UKDMC.
• In medical cases, with other healthcare professionals; but only those directly relating to your care e.g. specialist or your GP, and only with your express consent.
• With employers only with your express written consent under Access to Medical Reports Act 1988.
• With HMRC and the VAT Commissioner, as they require.
• With others pursuant to a court order.
How will we use your personal information?
10. Generally, your personal information will be used in connection with the management of your medical records. The legal basis for this is to fulfil our professional obligation to you under the GMC regulation.
11. To process and respond to complaints under our legal obligation to do so.
12. We are committed to protecting your rights to privacy. They include:
• Right to be informed about what we do with your personal data. This privacy notice fulfils our obligation to tell you about the ways in which we use your information;
• Right to access and have a copy of all the personal information we process about you.
You have the right to ask us for a copy of any personal data that we hold about you in the form of a “Subject Access Request”. You can obtain this information at no cost and we will send you a copy of the information within 30 days of your request.
• Right to rectification of any inaccurate data we process, and to add to the information we hold about you if it is incomplete;
• Right to be forgotten and your personal data destroyed. This is subject to legal requirements. In many instances, although we may have destroyed your data, the appropriate regulator may still hold personal data on you.
• Right to restrict the processing of your personal data on the grounds that it is inaccurate, unlawful or that you want us to retain your data e.g. due to a legal claim. We will need time to validate this and you should contact us directly to discuss it.
• Right to object to the processing we carry out based on our legitimate interest. You have the right to withdraw your consent where consent is the lawful basis for processing your personal data, or object to continued use of your personal data that has a deemed legitimate purpose.
Information Commissioner’s Office
13. If you have any concerns about the way your personal information has been processed, please contact Name above. Alternatively, you may contact the Information Commissioner’s Office on 0303 123 111