GDPR Policy

General information
ML Doctors operate as an Information Controller as defined under GDPR. We collect data via instructions from IPs, from various health authorities and related bodies, and directly from the public in the form of consent forms. We store and use this data to instruct medical experts and provide treatment programmes for clients as appropriate. We use a secure cloud-based system for managing appointments, records and reports, and hold a GDPR-compliant contract with the IT providers of that platform, as they are data processors.

The ICO (Information Commissioner's Office) has published a guide on how organisations should approach the implementation of the General Data Protection Regulation. Below are the requirements of GDPR published by the ICO and how ML Doctors have approached each of them.

1. Awareness: You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
ML Doctors have published guidance documents for staff and ensured that all staff and relevant third parties have attended a "GDPR" awareness course held internally.
2. Information you hold: You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
A data flow mapping exercise has taken place for all types of personal data we process or control. In addition, we have Information Security Policies in line with our ISO27001 accreditation to ensure that the data we hold is secure.
3. Communicating privacy information: You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
ML have implemented their Information Security and Privacy Policies in line with ISO27001; these can be viewed on our public website, and internal staff have been trained on the changes.
4. Individuals' rights: You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
A defined process for handling individuals' rights requests and for transferring or deleting personal information is now in place.
5. Subject access requests: You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
All staff have been trained on Data Subject Access Requests, and a documented process for dealing with them has been published.
6. Lawful basis for processing personal data: You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
ML Doctors have verified the lawfulness of our processing and have a documented privacy policy in place, which can be viewed on our website.
7. Consent: You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don't meet the GDPR standard.
Consent is gathered where needed from data subjects and stored within our systems. We also have an appointed Caldicott Guardian who is responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing.
8. Children: You should start thinking now about whether you need to put systems in place to verify individuals' ages and to obtain parental or guardian consent for any data processing activity.
Children's information and consent is gathered from a parent or guardian. We also have an appointed Caldicott Guardian who is responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing.
9. Data breaches: You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Processes are in place to deal with any actual or attempted breach of personal data. Each incident is individually logged, including outcomes and lessons learned, in line with ISO27001. Any such breaches are reviewed in monthly management meetings.
10. Data Protection by Design and Data Protection Impact Assessments: You should familiarise yourself now with the ICO's code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party and work out how and when to implement them in your organisation.
Data Protection Impact Assessments are undertaken by ML Doctors as part of monthly ISO27001 and risk analysis meetings. These meetings are minuted and outcomes are published to relevant interested parties. A repeatable, methodical, risk-based approach is used to identify and treat risks to personal data.
11. Data Protection Officers: You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
ML has not appointed a Data Protection Officer.

12. International: If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.
ML do not transfer data or work outside of the EU. All our data and processing facilities are located within the EEA.

For any additional information, please contact our Data Protection Officer (DPO).

Questions regarding this GDPR Statement or the information practices of the Company's Websites and Services should be directed to:

ML Doctors Privacy, by post to:

ML Doctors Limited

ML House, 9 North Street, Manchester, M8 8RE,

Or by email to:

Dan Raddings dan@mldoctors.com
