The MDDUS Group is committed to protecting and respecting your privacy.
Please read this privacy notice, together with any other privacy notice that we may provide to you, as it contains important information about how we collect, manage, use and protect your personal data.
We may change this privacy notice from time to time. Please check this notice frequently to ensure you are aware of the most recent version and the date that it was last updated.
This notice was last updated on 23 November 2023.
If you have any questions regarding this privacy notice or about our privacy practices, please contact our Data Protection Officer, Assad Khokhar, on the below details:
- E-mail: dpo@mddus.com
- Post: MDDUS, 206 St Vincent Street, Glasgow, G2 5SG
Download a pdf version of our group privacy notice here
Download a pdf version of our telephone privacy statement here
-
Who are we?
The MDDUS Group is made up of several different legal entities, including: The Medical and Dental Defence Union of Scotland (SC005093); MDDUS Education Limited (SC120857); MDDUS Property Limited (SC426947); and MDDUS Solutions, the operating name of MDDUS Services Limited (SC615691). These are all companies incorporated in Scotland with their registered office at 206 St Vincent Street, Glasgow, G2 5SG. MDDUS Services Limited is authorised by the Financial Conduct Authority to distribute medical indemnity insurance in the United Kingdom. The MDDUS Group also includes MDDUS Insurance Limited (30330), a company registered in Guernsey, with a registered office at PO Box 33, Dorey Court, Admiral Park, St Peter Port, Guernsey GY1 4AT, and any other entities that we may add to our Group from time to time.
Each of the companies within the MDDUS Group may provide different aspects of the full range of products and services that are available to MDDUS members or customers (collectively ‘members’).
Accordingly, each of the companies within the MDDUS Group is a ‘data controller’ of the personal data held in connection with the relevant product or service that it provides and is responsible for deciding how the personal data held about you is used in connection with the product or service that it provides.
When we say ‘we’, 'our' or ‘us’ in this privacy notice, we are referring to the relevant MDDUS Group company that is responsible for processing your data in connection with the product or service provided by that MDDUS Group company.
We are required under data protection legislation to notify you about the information contained in this privacy notice. Close -
What personal data do we collect?
Personal data means any data relating to a living individual from which that person can be identified. It does not include data where the identity has been permanently removed and cannot be reinstated (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you. The type of data we collect will depend on the nature and reasons for your interactions with us. We have grouped together the types of data that we may collect from you as a (potential) member of the Group when you look at our websites, deal with us or if you engage with us in respect of our products and services:- Identity data including name, gender, date of birth, occupation, General Medical Council (GMC), General Dental Council (GDC) or other professional registration number
- Contact data including home address, business address, email address and phone numbers
- Financial data including bank account details, your anticipated and annual income and information relating to any financial audit that we may conduct
- Transaction data including details about payments to and from you in relation to the payment of subscriptions
- Professional data including indemnity provider history, claims history (for more information see below), clinical practice history, whether you are a partner in a practice or salaried, your qualifications and your GMC, GDC or other professional registration status
- Membership data including membership history, renewal information, event attendance, your username and password, preferences, feedback and survey responses
- Pricing and risk data that we may collect from third parties about you
- Communications data including your preferences in receiving communications from us
- Technical data including the internet protocol (IP) address used to connect your computer to the internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform
- Usage data including the full uniform resource locators (URL) clickstream to, through and from our site (including date and time), page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page and any phone number used to call us (and recordings of that phone call).
If you are a (potential) claimant, we may collect the following data:
- Contact data (as above)
- Details of dependants and family members
- Technical data (as above – excluding login information)
- Usage data (as above).
If you are a (potential) employee of the Group, we may collect the following data:
- Contact data (as above)
- Details from previous employers, CVs, application forms, interview notes and the results of recruitment testing
- Details of dependants and family members
- Transaction data including details about payments to and from you in relation to remuneration, etc.
- Technical data (as above – excluding login information)
- Usage data (as above)
- More information is provided in our Privacy Notice for Employees.
Special categories of personal data
We may also collect, store, use and transfer the following types of data about (potential) members:
- Your claims history, which may include information about your health or trade union membership
- Information collected as part of your membership application, which may include your criminal record history, information regarding your health, including any medical conditions or disabilities. We may also collect this if you contact us for assistance after you are in membership.
If you are a (potential) claimant making a claim, then we may also collect data about your health, including any medical conditions or disabilities. This may include third-party individuals within a claim, whether they are identified or in anonymised form.
Close
If you are a (potential) employee of the Group, then we may also collect data about your health, including any medical conditions or disabilities. In addition, please see our Privacy Notice for Employees.
Other companies in the MDDUS Group may process the above data if you engage with them for the provision of other products or services, including insurance. -
How do we collect your personal data?
Personal data you give us
You may give us such data directly by:
- applying and being accepted for our products and services (including membership of the Group)
- completing forms
- corresponding or speaking with us by phone, email, letter, at an event or otherwise
- submitting a query to us
- providing us with feedback about a product or service
- visiting our websites
- requesting that we provide you with products / services / communications.
In addition, you may provide such data directly when you submit a claim against companies of the Group or when we appoint you as a service provider to the MDDUS Group.
Personal data we collect about you
- When you call us or we call you through our call recording system
- When you visit our websites and receive e-mails from us we may automatically collect technical data about your equipment, browsing actions and patterns. We collect this by using cookies.
Personal data provided by cookies
Cookies are used to improve your experience while visiting our websites. Where applicable, we use a cookie control system that enables you, on your first visit, to allow or disallow the use of cookies on your computer/device. This complies with requirements for websites to obtain explicit consent from you before leaving behind or reading files such as cookies on your computer/device.
Cookies are small files saved to the user's hard drive that track, save and store information about the user's interactions and usage of the website. This allows our websites, through the server, to provide users with a tailored experience.
If you wish to prevent the use and saving of cookies from our websites on to your computer's hard drive, you should take the necessary steps within the web browser's security settings.
Our websites use tracking software to monitor visitors to better understand how you use them. This software is provided by Google Analytics. The software will save a cookie to the user's hard drive in order to track and monitor engagement and usage of our websites, but will not store, save or collect personal information. You can read Google's privacy policy here for further information.
We also use Hotjar to gather customer feedback and to analyse how visitors interact with website pages and their content. The information gathered is used to help improve the website usability. No personal information is captured within the Hotjar cookies. You can read Hotjar's privacy policy here for further information.
Other cookies may be stored on your hard drive by external vendors when our websites use referral programs, sponsored links or adverts. Such cookies are used for conversion and referral tracking and typically expire after 30 days, though some may take longer.
If you would like further information about cookies and how they are used, you can visit www.allaboutcookies.org.
When we email you, such emails may contain tracking facilities. Activity is tracked and stored in a database for future analysis and evaluation. Such tracked activity may include, but is not restricted to: the opening of emails, the forwarding of emails, the clicking of links within the email content, times, dates and frequency of activity.Personal data we receive about you from other sources
- If you are a member, we may receive data about you in the event that a claim is made against you
- If you are a (potential) claimant, we may receive data about you relating to your claim from your solicitor or other third parties involved in the claim, such as the GMC
- We may also receive data about you from your colleagues or employer where legal advice is being sought and where this relates to a case that you have raised
- We may receive data about you from your employer if they are applying for a corporate membership
- We may receive data about you from previous providers of our products and services
- We may receive data about you if you use any of the other websites we operate, or the other products or services provided by another company in the MDDUS Group
- We may receive data from claims companies, insurers and reinsurers we work with to provide our products and services to you
- We may receive data from relevant third parties we work with, including: business partners; sub-contractors in technical, payment and delivery services; advertising networks; analytics providers; search information providers; credit reference agencies; and fraud prevention agencies
- We may receive data if you have provided permission to other organisations to share it with us. Before providing permission to such third party organisations to share your data, you should check their privacy notices carefully
- We may take data from publicly available sources (where possible) to keep your information up to date, for example, from the Post Office’s National Change of Address Database or the GMC database
- We may occasionally purchase the contact details of people who might be interested in hearing from us. Before purchasing such data, we will check with the vendor that the data was originally collected in a manner that is compliant with data protection laws.
We may combine the data we receive from other sources, the data you give to us and / or the data we collect about you. We may use this data and the combined data for the purposes set out below (depending on the types of data we receive).
Close -
How we might use your personal data
We can only use the data that we collect or hold about you if we have a lawful ground for doing so. We have set out below how we use your data and our lawful grounds for doing so. A minimal set of data is processed in each case, and processed or retained in anonymised or pseudonymised form where that is possible.
How and why we use your personal data Our lawful grounds for doing this To respond to enquiries you make about our products and services, to carry out necessary checks, collect necessary information and assess applications for our products and services (including the risk of doing so) and, where we chose to offer a product or service, to put in place an appropriate contract with you
We do these things for the purpose of entering into and carrying out a contract with you.Where not done for the purpose of carrying out our contract with you, we do this in our legitimate interests of providing you with a product and service, improving these products and services and improving customer service, including providing you with information and services via our websites (this is always subject to your rights as set out below).To price our products and services for you To manage and administer our relationship with you, including sharing your data with other companies in the MDDUS Group when needed to administer your membership To carry out our obligations arising from any contracts entered into between you and us To provide you with our products and services To conduct any claim that may be made about you To collect payments from you or to enforce and pursue any outstanding payments To communicate with you about your product and services, and hold records about our dealings and communications with you To continually assess our products and services and their continued suitability for you To share information with others as set out below How and why we use you personal data Our lawful grounds for doing this To respond to your requests or general enquiries you may make We do this in our legitimate interests of providing you with a product and service, improving these products and services and improving customer service, including providing you with information and services via our website (this is always subject to your rights as set out below).To improve our level and standards of services and the customer experience To notify you about changes to our products and services generally For administrative and quality assurance purposes To ensure our website is kept up to date and is presented in the most effective manner for you and for your browser device and to allow you to participate in interactive features of our service, when you choose to do so as part of our efforts to keep our site safe and secure To administer our website and internal business operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes To manage and continually improve our business operations To seek your views on our services and products How and why we use you personal data Our lawful grounds for doing this To carry out identity checks and anti-fraud checks We are under a legal obligation to carry out these checks. To maintain records for regulatory, audit, accounting and tax purposes To communicate with you regarding our activities, products and services and to let you know about our other products and services We do this in our legitimate interests of providing products and services (this is always subject to your rights as set out below).
We may also do this where you have provided us with your consent to do so.
To consider applications of employment We do this for the purpose of entering into and carrying out a contract with (potential) employees.Where not done for the purpose of carrying out our contract with you, we do this in our legitimate interests of providing you with a product and service, improving these products and services and improving customer service.
Close -
How we might use your special categories of personal data
We will only use your special categories of personal data:
- to provide contracts for products or services, or
- for the establishment, exercise or defence of legal claims, or
- whenever courts are acting in their judicial capacity, or
- to record risk or potential risk for ‘reasons of substantial public interest',
which includes safeguarding (risk of harm to yourself or others) and past offending, or - where you have given you consent to its use.
In addition, please see our Privacy Notice for Employees.
From 6 April 2020, we migrated personal data (and potentially special categories of personal data) relating to the Existing Liabilities Scheme for General Practice to NHS Resolution (the operating name of NHS Litigation Authority). This migration by way of a scheme of arrangement under the Companies Act 2006 was agreed by the membership on 11 February and sanctioned by the court on 5 March 2020.
From 30 June 2020, we migrated personal data (and potentially special categories of personal data) relating to the Existing Liabilities Scheme for General Practice in Wales to NHS Wales Shared Services Partnership Legal and Risk Services. This migration is in accordance with The National Health Service (Existing Liabilities Scheme for General Practice) (Wales) Regulations 2020, which came into force on 6 April 2020.
We will retain a copy of the migrated data in accordance with our retention period.
Marketing communications with you
Where you have taken out a product or service with us:
- We may text or email you to provide you with information about our activities, products and services. You can unsubscribe at any time through an automated system. This process is detailed at the footer of each email or text. If an automated un-subscription system is unavailable, clear instructions on how to unsubscribe will be detailed instead
- We may occasionally call you to provide you with information about our activities, products and services. You may unsubscribe to calls by instructing the person calling you or by contacting us at any time on the details set out in the ‘Contact Us’ section of this privacy notice
- You can also contact our Data Protection Officer if you want to stop receiving marketing communications by us.
If you have not taken out a product with us, we will only text or email you with information where: (i) you have given your consent; or (ii) it is in our legitimate interests to contact you, for example because you have started an application for receiving an indicative quote by us or where such communication is allowed by law without consent. You can withdraw consent at any time by contacting our Data Protection Officer.
We may also communicate with you through postal marketing when it is in our legitimate interests to do this and when these interests do not override your rights. Those legitimate interests include providing you with information on our activities, products and services and those of other carefully selected organisations. You have the right to contact our Data Protection Officer at any time to opt out of receiving postal communications.Profiling and automated decision making
We may use profiling and screening methods to produce relevant communications and provide you with a better experience.
To do this, we may use additional external sources of data to increase and enhance the data we hold about you. This may include obtaining details of changes of address and other contact details.
If you do not want your data to be used in this manner, or have any queries about how we use your data, you can contact us on the details provided in the ‘Contact us’ section of this notice.We do not use automated decision making or artificial intelligence systems to accept or reject eligible applications for membership, employment or a potential claim: A suitably qualified member of staff or team will make that decision. For pricing of our products and services however, we do use industry standard models and systems that are based on large anonymised datasets, when developing our pricings structures.
Close -
How long will we hold your personal data?
We will hold your data on our systems for as long as is necessary to fulfil the purposes for which it was collected.
By law, we are required to retain certain information for a prescribed period of time. In circumstances where there are no such legal requirements, to determine the appropriate retention period, we will consider the amount, nature and sensitivity of the data, the potential risk of harm from unauthorised use or disclosure of your data, the purposes for which we are processing your data and whether we can achieve those purposes through other means.
Therefore, some information may be kept for more or less time, depending on for how long we reasonably feel it is required. For example claim records are retained for 10 years after a case is closed; PAYE records for three years; rejected job applicant records for six months after being notified.
We review our retention periods for data on a regular basis.
In some circumstances, we may anonymise your data (so that it can no longer be associated with you) for research or statistical purposes. In which case, we may use this data indefinitely without further notice to you. If you ask us to delete your data in accordance with your rights set out below, we will retain basic data on a suppression list to record your request and to avoid sending you unwanted materials in the future. Close -
Who we might share your personal data with
We will NOT sell your data to any third parties.
We may share your data with any company in the MDDUS Group where we have a legal basis for doing so (for example, where we have a legitimate interest in sharing the data with another MDDUS Group company in order for them to contact you about the renewal of your membership, to tell you about products and services that they can provide to you, or where you have consented to us providing your data to another MDDUS Group company). If your data is shared with another company in the MDDUS Group, they may combine this with data they already hold about you, where this is permitted by law.
We may share your data with selected third parties, including:
- When we use other companies to provide services on our behalf, e.g. answering questions about products and services, lawyers, underwriters and reinsurers, actuaries, sending mail and emails, and when using auditors or other professional advisers
- Business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you
- Analytics and search engine providers that assist us in the improvement and optimisation of our site
- IT service providers
- If we run an event in partnership with other named organisations, your data may need to be shared. We will be very clear what will happen to your data when you register
- If we merge with another organisation or form a new entity, your data may be transferred to that new entity.
We may disclose your data to third parties:
- to comply with any court order or other legal obligation or when data is requested by our regulators or by government agencies or law enforcement agencies
- to enforce or apply our terms of use and any other agreements
- in the establishment, exercise or defence of any legal claims
- to protect the rights, property or safety of us, our employees or others. This may include exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
International transfers of personal data
The data that we collect from you may be transferred to, and stored at, a destination outside the UK for the purposes described in this privacy notice. It may also be processed by staff operating outside the UK who work for us or for one of our suppliers. Such staff may be engaged in, among other things, the processing of your financial and transaction data and the provision of support services.
If we do this, your data will continue to be protected and comply with data protection law. There will either be an adequacy decision in respect of those countries and the UK (countries deemed to provide an adequate level of protection for your personal information); or the transfer is covered by appropriate safeguards (legal safeguards detailed in UK General Data Protection Regulation [UK GDPR] to ensure people’s rights and freedoms about their personal data are protected). We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy notice.If you fail to provide personal data
Where we need to collect data by law or under the terms of a contract we have with you, and you fail to provide your data, we may not be able to perform the contract we have with you or permit you to participate in the programme. If this is the case, we will notify you at the time.
Your rights
You have a number of rights. If you would like to exercise any of these rights, please contact us using the details set out below in the ‘contact us’ section. If you exercise any of these rights, we may ask for proof of identity and sufficient information about your interactions with us so that we can locate your data. If we agree that we are obliged to provide data to you (or someone else on your behalf), we will provide it to you or them free of charge, except in exceptional circumstances.
If you wish to raise a complaint in relation to our processing of your data, you can contact our Data Protection Officer at the contact details provided at the end of this privacy notice. You also have the right to lodge a complaint with the data protection regulator, the Information Commissioner’s Office, if you have concerns about how we use your data. Click here to contact the Information Commissioner’s Office.
Your rights include:
- to request access to information about data that we may hold and/or process about you, including: whether or not we are holding and/or processing your data; the extent of the data we are holding; and the purposes and extent of the processing
- to have any inaccurate data we hold about you rectified and/or updated. If any of the data that you have provided changes, or if you become aware of any inaccuracies in the data, please let us know in writing, giving us enough information to deal with the change or correction
- in certain circumstances, to request that we delete all data we hold about you (the ‘right of erasure’). Please note that this right of erasure is not available in all circumstances, for example, where we need to retain the data for legal compliance purposes. If this is the case, we will let you know
- in certain circumstances, to request that we restrict the processing of your data, for example, where the data is inaccurate or where you have objected to the processing (see below)
- in certain circumstances, to request a copy of the data we hold about you and to have it provided in a structured format suitable for you to be able to transfer it to a different data controller (the ‘right to data portability’). Please note that the right to data portability is only available in some circumstances, for example, where the processing is carried out by automated means. If you request the right to data portability and it is not available to you, we will let you know
- in certain circumstances, to object to the processing of your data. If so, we shall stop processing your data, unless we can demonstrate sufficient and compelling legitimate grounds for continuing the processing which override your own interests. If, as a result of your circumstances, you do not have the right to object to such processing, then we will let you know
- in certain circumstances, not to be subject to a decision based solely on automated processing, for example, where a computer algorithm (rather than a person) makes decisions which affect your contractual rights. Please note that this right is not available in all circumstances. If you request this right and it is not available to you, we will let you know
- to object to marketing (see above).
If you would like to find out more about your rights, you can visit the Information Commissioner’s Office website.
Close -
How you can access and update your information
We strive to maintain accurate, complete, and relevant data for the purposes identified in this privacy statement. If any of the data we hold about you is inaccurate or out of date, you may ask us to correct it. Members can do so by logging-on here or by contacting our Data Protection Officer. Any updates relating to an insurance policy (via MDDUS Insurance Limited) must be made through the Single Point of Contact for your scheme. It is important that the data we hold about you is accurate and current.
Security precautions in place to protect against the loss, misuse or alteration of your personal data
We have implemented reasonable measures designed to secure your data from accidental loss and from unauthorised access, use, alteration and disclosure. Details of these measures can be obtained on request.
Third parties will only process your data on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Our security measures are regularly reviewed.
Contact us
If you have any questions regarding this privacy notice or about our privacy practices, wish to exercise any of your rights or wish to make a complaint, please contact our Data Protection Officer, Assad Khokhar, on these details:
- E-mail: dpo@mddus.com
- Post: MDDUS, 206 St Vincent Street, Glasgow, G2 5SG