Privacy notice

This privacy notice describes how MDDUS collects, manages, protects and makes use of your personal data

At The Medical and Dental Defence Union of Scotland, we are committed to protecting and respecting your privacy.

Please read this privacy notice, together with any other privacy notice that we may provide to you, as it contains important information about how we collect, manage, use and protect your personal data. This privacy notice may also be used in conjunction with other privacy notices that we may provide you with in certain situations.

We may change this privacy notice from time to time. Please check this policy frequently to ensure you are aware of the most recent version and the date that it was last updated.

This policy was last updated in April 2018.

If you have any questions regarding this policy or about our privacy practices, please contact us on the below details:

  • E-mail: customerservices@mddus.com - mark your query for the attention of the Data Protection Officer
  • Post: The Medical and Dental Defence Union of Scotland, Mackintosh House, 120 Blythswood Street, Glasgow, G2 4EA. Mark your query for the attention of the Data Protection Officer
  • Telephone: 0333 043 4444.

Who are we?

When we say ‘MDDUS’, ‘we’ or ‘us’ in this policy, we are referring to The Medical and Dental Defence Union of Scotland, a company incorporated in Scotland (Company Number: SC005093) with its registered office at Mackintosh House, 120 Blythswood Street, Glasgow, G2 4EA.

This also includes our group companies including MDDUS Property Limited, a company incorporated in Scotland (Company Number: SC426947) and MDDUS Education Limited, a company incorporated in Scotland (Company Number: SC120857), both with their registered office at Mackintosh House, 120 Blythswood Street, Glasgow, G2 4EA together with any other entities that we may add to our group in the future.

MDDUS is a "data controller" of the personal data that we hold about you. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this privacy notice.

What information do we collect?

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you. What information we collect will depend on your interactions with us.

However, we have grouped together the types of information that we may collect from you as follows:

  • Identity data including name, gender, date of birth, marital status, occupation, GMC, GDC or other professional registration number, details of dependants and family members (if you are a patient)
  • Contact data including home address, business address, email address, phone numbers
  • Financial data including bank account details, your anticipated income, information relating to any financial audit that we may conduct
  • Transaction data including details about payments to and from you
  • Professional data including indemnity provider history, claims history, clinical practice history, whether you are a partner in a practice or salaried, your qualifications, your GMC, GDC or other professional registration status
  • Membership data including membership history, renewal information, event attendance, your username and password, preferences, feedback and survey responses
  • Communications data including your preferences in receiving communications from us
  • Technical data including the internet protocol (IP) address used to connect your computer to the internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform
  • Usage data including the full uniform resource locators (URL) clickstream to, through and from our site (including date and time), page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call us.

Special categories of personal data

We may also collect, store and use information about:

  • your criminal history, collected as part of a membership application, or if you contact us for assistance with criminal matters after you are in membership
  • your health, including any medical conditions or disabilities, if you are a patient submitting a case against an MDDUS member or if you are a member seeking to defer your membership.

How do we collect your information?

Information you give us

 You may give us such information directly by applying to become a member, becoming a member, completing forms, corresponding or speaking with us by phone, email, letter, at an event or otherwise, submitting a query, providing us with feedback about a product, visiting our website, requesting that we provide you with services / communications, when you submit a claim against a member or when we appoint you as a service provider.

Information we collect about you

  • When you call us or we call you through our call recording system
  • When you visit our website and receive e-mails from us we may automatically collect technical information about your equipment, browsing actions and patterns. We collect this by using cookies.

Information provided by cookies

Cookies are used to improve your experience while visiting our website. Where applicable this website uses a cookie control system allowing you on your first visit to the website to allow or disallow the use of cookies on your computer/device. This complies with legislation requirements for websites to obtain explicit consent from you before leaving behind or reading files such as cookies on your computer/device.

Cookies are small files saved to the user's hard drive that track, save and store information about the user's interactions and usage of the website. This allows our website, through its server, to provide users with a tailored experience.

If you wish to prevent the use and saving of cookies from this website on to your computer's hard drive you should take necessary steps within web browser's security settings to block all cookies from our website.

Our website uses tracking software to monitor its visitors to better understand how you use it. This software is provided by Google Analytics which uses cookies to track visitor usage. The software will save a cookie to the user's hard drive in order to track and monitor engagement and usage of the website, but will not store, save or collect personal information. You can read Google's privacy policy here for further information.

Other cookies may be stored on your hard drive by external vendors when our website uses referral programs, sponsored links or adverts. Such cookies are used for conversion and referral tracking and typically expire after 30 days, though some may take longer.

If you would like further information about cookies and how they are used, you can visit www.allaboutcookies.org

When we email you, such emails may contain tracking facilities. Activity is tracked and stored in a database for future analysis and evaluation. Such tracked activity may include but is not restricted to: the opening of emails, forwarding of emails, the clicking of links within the email content, times, dates and frequency of activity.

Information we receive about you from other sources.

  • If you are a member, we may receive information about you in the event that a claim is made about you.
  • If you are a patient, we may receive information about you relating to your claim from your solicitor or other third parties involved in the claim such as a coroner or GMC.  We may also receive information about you from an MDDUS member where legal advice is being sought and where this relates to a case that you have raised.  
  • We may receive information about you from your employer if they are applying for a corporate membership.
  • We may receive information about you if you use any of the other websites we operate or the other services that we provide. In this case we will have informed you when we collected that data that it may be shared internally and combined with data collected on this site.
  • We also work with third parties (including, for example, business partners, sub-contractors in technical, payment and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies) and may receive information about you from them.
  • We may receive information if you have provided permission to other organisations to share it with us. Before providing permission to such third party organisations to share your personal data, you should check their privacy notices carefully.
  • We may take information from publically available sources (where possible) to keep your information up to date, for example, from the Post Office’s National Change of Address Database or the GMC database.
  • We may occasionally purchase the contact details of people who might be interested in hearing from us. Before purchasing such information, we will check with the vendor that your information was originally collected in a compliant manner.
  • We may receive information about you if you apply for a vacancy at MDDUS.

How we might use your information

We use information held about you in the following ways:

  • To manage and administer our relationship with you
  • To carry out our obligations arising from any contracts entered into between you and us
  • To conduct any claim
  • To respond to your requests
  • To provide you with information about our activities and services
  • To improve our level of service
  • To notify you about changes to our service and notify you of new products and services
  • To seek your views on our products and services
  • To consider your application for employment
  • For administrative and quality assurance purposes
  • To ensure that content from our website is presented in the most effective manner for you and for your computer
  • For the purposes of the establishment, exercise or defence of legal claims
  • To administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes
  • To provide and improve our site to ensure that content is presented in the most effective manner for you and for your computer
  • To allow you to participate in interactive features of our service, when you choose to do so as part of our efforts to keep our site safe and secure
  • Information we receive from other sources. We may combine this information with information you give to us and information we collect about you. We may us this information and the combined information for the purposes set out above (depending on the types of information we receive).

Communications with you

We may text or email you to provide you with information about our activities and services supplied by us. You can unsubscribe at any time through an automated system. This process is detailed at the footer of each email or text. If an automated unsubscription system is unavailable clear instructions on how to unsubscribe will be detailed instead.

We may occasionally call you to provide you with information about our activities or provide you with information about services supplied by us. You may unsubscribe to calls by instructing the person calling you or by contacting us at any time on the details set out in the ‘Contact Us’ section of this notice.

We may also communicate with your through postal marketing when it is in our legitimate interests to do this and when these interests do not override your rights. Those legitimate interests include providing you with information on our services and other activities and those of other carefully selected organisations. You have the right to contact us at any time and opt out of receiving postal communications.

Profiling

We may use profiling and screening methods to produce relevant communications and provide you with a better experience.

To do this we may use additional external sources of data to increase and enhance the information we hold about you. This may include obtaining details of changes of address and other contact details.

If you do not wish for your information to be used in this manner, or have any queries about how we use your information, you can contact us on the details provided in the ‘Contact us’ section of this notice.

What is our legal basis for using your information?

There are a number of lawful reasons for us to process your personal data.

One of these is called ‘legitimate interest’ and means that we can process your personal data if (i) we have a genuine and legitimate reason; and (ii) are not harming any of your rights and interests.

We provide healthcare professionals across the UK with access to indemnity, assistance and support.

We will use your personal data in order to help us provide those services and to give you the most appropriate information, products and services and to provide you with the best experience when dealing with us.

Whenever we process your personal data for our legitimate interests, we will consider and balance any potential impact on you and your rights under data protection law.

Other legal bases that we will rely on include the following:

  • If you take out a membership with us, we may process your personal data in order to fulfil our contract with you.
  • If we are providing you with email communications, we will do so with your consent, unless you are a member of MDDUS, in which case we may rely on our legitimate interests to contact you further. You can ask us not to send such email communications with you at any time by using the details below in the ‘Contact Us’ section.
  • Where we are required to comply with our legal obligations, or to establish and defend our legal rights, or to prevent and detect crimes such as fraud.

Where we use special categories of personal data, for example, information about your health or genetic information, we may ask for your consent to such use. However, sometimes, there may be reasons that enable us to use this information without consent, for example, in the establishment, exercise or defence of legal claims.

How long will we hold your information for?

We will hold your personal data on our systems for as long as is necessary to fulfil the purposes that we collected it for.

By law, we are required to retain certain information for a prescribed period of time. In circumstances where there are no such legal requirements, to determine the appropriate retention period, we will consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we are processing your personal data and whether we can achieve those purposes through other means.

Therefore, some information may be kept for more or less time depending on how long we reasonably feel it is required for.

We review our retention periods for personal data on a regular basis.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.

If you ask us to delete your information in accordance with your rights set out below, we will retain basic information on a suppression list to record your request and to avoid sending you unwanted materials in the future.

Who we might share your information with

We will NOT sell your personal data to any third parties.

We may share your personal information with any member of our group where we have a legal basis for doing so.

We may share your information with selected third parties including:

  • When we use other companies to provide services on our behalf, e.g. answering questions about services, sending mail and emails, and when using auditors or other professional advisors
  • Business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you
  • Analytics and search engine providers that assist us in the improvement and optimisation of our site
  • IT service providers
  • If we run an event in partnership with other named organisations your details may need to be shared. We will be very clear what will happen to your data when you register
  • If we merge with another organisation or form a new entity, your personal data may be transferred to that new entity.

We may disclose your personal information to third parties to:

  • Comply with any court order or other legal obligation or when data is requested by our regulators or by government agencies or law enforcement agencies
  • Enforce or apply our terms of use and any other agreements
  • In the establishment, exercise or defence of any legal claims
  • Protect the rights, property, or safety of us, our employees or others. This may include exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

International transfers of personal data

The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”) for the purposes described in this policy. It may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the processing of your payment details and the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing.

If we do this, your personal information will continue to be subject to one or more appropriate safeguards set out in the law, for example we may use model contracts in a form approved by regulators. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy policy.

If you fail to provide personal data

Where we need to collect personal data by law or under the terms of a contract we have with you, we may not be able to perform the contract we have with you or permit you to participate in the programme. If this is the case, we will notify you at the time.

Your rights

You have a number of rights. If you would like to exercise any of these rights, please contact us using the details set out below in the ‘contact us’ section. If you exercise any of these rights we may ask for proof of identity and sufficient information about your interactions with us so that we can locate your personal information. If we agree that we are obliged to provide personal information to you (or someone else on your behalf), we will provide it to you or them free of charge except in exceptional circumstances.

If you wish to raise a complaint in relation to our processing of your personal data, you can contact our Data Protection Officer at the contact details provided at the end of this privacy notice. You also have the right to lodge a complaint with the data protection regulator, the Information Commissioner’s Office, if you have concerns about how we use your personal information. Click here to contact the Information Commissioner’s Office.

Your rights include:

  • Right of access to your personal information. This means you have the right to transparency over how we use your data and to make a subject access request;
  • Right to request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
  • Right to request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to stop processing personal information where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground;
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it;
  • a right to object to (i) processing based on our legitimate interests; (ii) processing of your information for direct marketing purposes; and (iii) automated decision making and profiling;
  • a right to request the transfer of your personal information to another party; and • a right to claim compensation for material or non-material damage caused if we breach the data protection rules.

If you would like to find out more about your rights, you can visit the Information Commissioner’s Office website.

How you can access and update your information

We strive to maintain accurate, complete, and relevant personal information for the purposes identified in this privacy statement. If any of the personal information we hold about you is inaccurate or out of date, you may ask us to correct it. It is important that the personal information we hold about you is accurate and current.

Security precautions in place to protect against the loss, misuse or alteration of your information

We have implemented reasonable measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration and disclosure. Details of these measures can be obtained on request.

Third parties will only process your personal information on our instructions and where they have agreed to treat the information confidentially and to keep it secure.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Our security measures are regularly reviewed.

Contact us

If you have any questions regarding this policy or about our privacy practices, wish to exercise any of your rights or wish to make a complaint, please contact us as follows:

  • E-mail: customerservices@mddus.com - mark your query for the attention of the Data Protection Officer
  • Post: MDDUS, Mackintosh House, 120 Blythswood Street, Glasgow, G2 4EA - mark your query for the attention of the Data Protection Officer
  • Telephone: 0333 043 4444.