Privacy notice.

Last Updated: 21st Feb 2022.

At Medicus we take data privacy very seriously and we are committed to protecting and respecting the rights of all individuals. We are dedicated to ensuring the confidentiality and privacy of information entrusted to us and aspire to be transparent when we collect and use personal data.

This privacy notice covers the following:
Our Contact Details 
How Medicus collects personal information
Medicus’s purposes and lawful bases of personal data processing
How we store your information
Sharing Information
Your rights
Rights related requests
Access using NHS Login
How to complain
Changes to this Privacy Notice

Our contact details
Medicus’s registered address is: 71-75 Shelton Street, London, WC2H 9JQ

Medicus is registered with the Information Commissioner’s Office, with registration number ZA625889.

How Medicus collects personal information
At Medicus we may obtain personal data directly from individuals in a number of ways including:

When you fill in a form on our website
When you give us your business card
When you become a client
When you submit a job application
When you use our support and service portals
When you email or call us
When you visit our offices or attend events, conferences and meetings
When you subscribe to our newsletters and user groups
When you participate in a white paper research project

Medicus may also obtain personal information indirectly from a variety of sources including:
Third parties, such as joint marketing partners and data brokers that share business contact information with us
Recruitment services will provide us with CVs
Existing clients may share their employees' contact details with us
Publicly available sources such as LinkedIn, Companies House or freely available news articles
Companies providing security background checks
CCTV located at Medicus offices

We will always ensure you know we are processing your personal information except where it is disproportionately difficult to do so.

Purposes and lawful bases of data processing
Medicus processes personal data for the following reasons:

To fill job vacancies
If you submit a job application either directly or through a recruiter, we will use your information in connection with the specific job that you have applied for and, in the event you are unsuccessful in your application, we will keep your information on file in case additional vacancies come up for which you may be suitable. We store the information of unsuccessful candidates for 6 months. If you give us your consent to hold it for longer, we will keep this for a maximum of 2 years.

Sometimes we use publicly available sources of data such as LinkedIn in order to source candidates' information.

The legal basis for processing your data for recruitment is our Legitimate Interest in operating our business. 

Prior to the interview process, we will ask whether you need modified access because of disabilities. Our legal basis for processing this information is legal obligation.

To provide customer support and access to self-service portals and to provide service delivery
When you become a partner / customer of ours, we collect your data from our portal login pages. We do this in order to provide online and telephone support services to help deliver contracted services to you via web portals, email or over the telephone. We use this information to process online requests, solve problems, answer questions and respond to communications from individuals and organisations.

If you have access to parts of our websites or use our online services, you remain responsible for keeping your user ID and password confidential.

Our legal basis for processing these data is our Legitimate Interest in providing our services.

For purposes of financial management
We gather and retain business contact details for financial management purposes. Personal information such as names and contact information will be needed to ensure purchase orders, requisitions, invoices and debts are handled appropriately. 

Our legal basis for processing financial information is the performance of a contract. Retention period for this type of information is up to 7 years in line with legal and tax regulations.

To send you marketing materials by email
We use your contact to send you marketing and product information. You can opt out of marketing messages at any time.

We will remove your details from our marketing list if there is no activity (such as opening an email) for a 3 year period.

We only send marketing information to corporate subscribers (business emails).
Our legal basis for this processing is our Legitimate Interest in promoting our business.

To tell you about our products and services
If you complete an enquiry form on our website or give us your details in person, for example at a conference, we will contact you by email or phone so that we can discuss the products or services in which you have indicated an interest.

As a Medicus customer you may wish to join our special interest and user group forums. These are groups of people that share a common interest in Medicus products and services. In such cases Medicus will store personal contact information such as name & email address to facilitate the organisation of group events and meetings. Medicus may share this personal information amongst other group members to aid in discussions, knowledge sharing and distribute information relating to new products that the group may be interested in. Our lawful basis for processing is our legitimate interest in selling our products and services.

To invite you to conferences or exhibitions
We use your data to invite you to conferences and events. Sometimes Medicus uses this information to provide assistance with travel and/or hotel arrangements at the request of the individual. Our lawful basis for processing data for these purposes is legitimate interest.

To host meetings with you at Medicus offices, conferences or exhibitions
We need to process your data in order to manage access and physical security at our offices. At some Medicus sites visitors may be required to provide photo proof of ID, but this information will not be stored. Our lawful basis is legitimate interest to ensure the security of our business premises and authorised attendance at our events.

Additionally, during the COVID-19 pandemic, we will record the dates and times you visit a Medicus facility. We will also collect a contact number from you (or the nominated lead, if you are part of a group) in the event that this may be needed to support the contact tracing scheme. This data is only retained for a period of 21 days.

Our lawful basis for processing data for this purpose is legitimate interest.

We may also ask for dietary restrictions or access requirements that reveal religious beliefs or physical health conditions. Our legal basis for processing these data is your consent, which you can withdraw at any time.

Once your access has been arranged, we do not retain this information.

To manage the security of our facilities
Some of our offices have CCTV systems that monitor the perimeter of the buildings. These collect location and time based images of you and, sometimes, of your vehicle in order to protect our buildings and assets from damage, vandalism or other crime.

Our lawful basis for processing this data is legitimate interest to ensure the security of our business premises and help prevent and detect crime.

Our policy is to automatically overwrite CCTV footage within 60 days.

To allow members of the public to participate in White Paper research projects
If you agree to take part in either an Engagement Solutions research project or a research project on behalf of one of our customers, your data may be used to produce an industry white paper, thought leadership report, or set of research findings which may be published either by us or our customer and as such be in the public domain.

Our legal basis for this processing is our Legitimate Interest in promoting our business.

To comply with auditing requirements
In order to maintain our certifications and to comply with our legal obligations, Medicus is required to assist and cooperate with external third-party auditors. We may need to share your information as part of these audits.

Our legal basis for this processing is legitimate interest.

To train and develop our staff
We record calls that are made to our customer service centre to assist in our review of call quality standards. We use this information to help train and develop our staff.

Call recordings are retained for a period of 90 days before they are automatically deleted.

Our lawful basis for processing data for these purposes is legitimate interest.

How we store your information
Medicus is dedicated to keeping your data safe.

We are certified under ISO 27001 as having put technical and organisational policies and procedures in place to protect personal data from loss, misuse, alteration or destruction. We ensure that access to your personal data is limited only to those who need to access it and those individuals are required to maintain the confidentiality of such information. Where necessary, we apply encryption and anonymisation techniques in efforts to further protect personal data.

Sharing information
We will never sell your data to third parties. We may, however, share your data with companies with whom we have a direct business arrangement in order to jointly market Medicus related products.

We also use third party data processors who provide marketing, marketing automation and lead-generation services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation and they will hold it securely and retain it for the period we instruct. The legal basis for sharing these data is our legitimate interest in cost effectively marketing our business.

Your rights
Your right of access
You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process.

Your right to rectification
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

Your right to erasure
You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances.

Your right to object to processing

You have the right to object to processing if we are using legitimate interests as our lawful basis for processing.

Your right to data portability

This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or as part of a contract, or in talks about entering into a contract and the processing is automated.

Your right to withdraw consent

You can withdraw your consent that you have previously given to one or more specified purposes to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. It may mean we are not able to provide certain products or services to you and we will advise you if this is the case.

Rights related requests
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information or to exercise any of your other rights. This helps us to ensure that personal data is not disclosed to any person who has no right to receive it.

No fee is required to make a request unless your request is clearly unfounded or excessive. Depending on the circumstances, we may be unable to comply with your request based on other lawful grounds.

Use of PDS FHIR API
If you are receiving care from a health or care organisation, that organisation may share your NHS number with other organisations providing your care. This is so that the health and care organisations are using the same number to identify you whilst providing your care. By using the same number the health and care organisations can work together more closely to improve your care and support.

Your NHS number is accessed through an NHS England service called the Personal Demographic Service (PDS). A health or care organisation sends basic information such as your name, address and date of birth to the PDS in order to find your NHS number. Once retrieved from the PDS, the NHS number is stored in our case management system. These data are retained in line with our record retention policies and in accordance with the Data Protection Act 1998, Government record retention regulations and best practice.

We will share information only to provide health and care professionals directly involved in your care access to the most up-to-date information about you. Access to information is strictly controlled, based on the role of the professional, and where the user has a direct care relationship with you.

The use of joined up information across health and social care brings many benefits. One specific example where this will be the case is the discharge of patients into social care. Delays in discharge (commonly known as bed blocking) can occur because details of social care involvement are not readily available to the staff on the hospital ward. The hospital does not know who to contact to discuss the ongoing care of a patient. The linking of social care and health information via the NHS number will help hospital staff quickly identify if social care support is already in place and who the most appropriate contact is. Ongoing care can be planned earlier in the process, because hospital staff will know who to talk to.

You have the right to object to the processing of your NHS number in this way. This will not stop you from receiving care, but will result in the benefits outlined above not being realised. To help you decide, we will discuss with you how this may affect our ability to provide you with care, and any other options that you have. If you wish to opt out from the use of your NHS number in this way, you can contact the healthcare organisation responsible for your care.

Access using NHS Login

Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS Digital. NHS Digital is the controller for any personal information you provided to NHS Digital to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS Digital (as the “controller”) when verifying your identity. To see NHS Digital’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.

Use of NHS Care Identity Authentication (CIA)
Please note that if you access our service using your NHS Care Identity credentials, the identity access and management services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get a national digital identity and authenticate your claim to that identity, and uses that personal information solely for that single purpose. For any personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS England’s Privacy Notice and Terms and Conditions, view the NHS Care Identity Service 2 page. This restriction does not apply to the personal information you provide to us separately which is managed in accordance with our Privacy Policy.

GP Connect
The 'End user organisation privacy notice statement' is available on the GP Connect privacy notice page.

How to complain
If you disagree with how we are processing your data, please contact our DPO at dpo@medicus.health or address your letter to the DPO at the Medicus address listed in the ‘Contact Details’ section.

You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline number: 0303 123 1113

Changes to this privacy notice
Medicus will occasionally update this privacy notice to reflect changes in legislation, our practices and services. When we post changes to this privacy notice, we will revise the “last updated” date at the top of this privacy notice. If we make any material changes in the way we collect, use, and share personal data, we will notify you by prominently posting notice of the changes on the website. We recommend that you check this page from time to time to inform yourself of any changes in this privacy notice.
