Data Processor Privacy Notice
SMITH MEDICOLEGAL LIMITED PRIVACY NOTICE
DATA PROCESSOR - (Instructing Parties including their Clients)
This notice relates to how Smith Medicolegal Ltd (‘Smith Medicolegal’) processes personal data as a data processor, which includes our Customers (instructing party) and their Clients, both referred to as ‘you’ or ‘your’ in this notice.
Clients should refer to their instructing parties’ (Solicitors / Insurers / Official Injury Claims Portal) privacy notices for more clarity on how they deal with your data as the data controller.
Where ‘Smith Medicolegal’ is processing personal data as a controller please see our data controller privacy notice which includes how we use personal data collected when using our website.
This Privacy Notice will change from time to time and, if it does, the up-to-date version will be available on our website and becomes effective immediately. The privacy notice was last updated on 20 April 2024.
- Introduction
Welcome to the Smith Medicolegal Limited (‘Smith Medicolegal’) Privacy Notice. ‘Smith Medicolegal’ is an independent medical reporting and administration provider.
‘Smith Medicolegal’ takes data protection seriously and is committed to respecting and protecting your personal data.
Personal data means:
- any information ‘relating’ to an identified or identifiable person (‘data subject’);
- an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
For the purposes of this Privacy Notice, “Data Protection Legislation” means all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the EU Regulation 2016/679 as it forms part of the law of England and Wales by virtue of section 3 of the European Union (Withdrawal) Act 2018, the Data Protection Act 2018 or any successor legislation.
This Privacy Notice explains how we will collect, store and use any personal data you provide in the course of the services we provide to you.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the opportunity to deal with your concerns before you approach the ICO, so please contact us in the first instance. Please note that, as we are acting on behalf of the Instructing Party in our role as a data processor, any communications to the ICO would need to be dealt with by them. We would of course fully co-operate in any investigation.
If you have any questions you can contact our Data Protection Officer at:
E-mail – enquiry@smithmedicolegal.com
Post – 18 Luker Avenue, Henley on Thames, Oxon, RG9 2EU
Registration Number: 14853446 ICO Registration Number: ZB544789
- The data we may collect about you
We will collect, or be provided with, and process information about you, your personnel and clients through various means, including:
In the course of carrying out work for you (or your business), in which case we will process any of your client personal data provided to us as a Data Processor as defined in the Data Protection Legislation:
- Via our Portals;
- By email or other electronic correspondence;
- By telephone;
- Postal correspondence;
- Otherwise through providing our services or operating our business.
The personal data you give to us will include:
- Your name and title;
- Contact information, including telephone number, postal address and email address;
- Information relating to your location;
- Photographic identification;
- With respect to clients, their personal data (contact details/ accident date) including special categories of personal data (medical records when requested, medical reports and information around rehabilitation);
- Any other personal data we collect (such as the customer and client reference numbers which will be assigned to you) in the context of providing our services or in the course of operating our business;
- If you register for access to the Secure Client Area (Portal) we will collect company details, name, email and telephone number, user name and password.
If you contact us by phone, your conversation will be recorded.
The personal data described above may relate to any of the following categories of person:
- You the customer and your clients;
- How we use your information
We may use your information for the following purposes:
- To complete our contractual obligations to you;
- To respond to any query that you may submit to us;
- To manage our relationship with you (and/or your business), including by maintaining databases of customers and other third parties for administration, accounting and relationship management purposes;
- Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests;
- Where we need to comply with a legal or regulatory obligation (for example any relevant anti-money laundering law or regulation).
- Legal grounds for processing your information
We will rely on the following legal bases under Data Protection Legislation for processing your personal data:
- Performance of, or entry into, a contract such as arranging appointments with medical experts, collecting medical records, when requested, providing medical reports and organising rehabilitation treatments;
- Compliance with a legal obligation to which we are subject;
- We have a legitimate interest in doing so as a services provider;
- Where processing of ‘special category data’ is necessary in the context of the establishment, exercise or defence of legal claims;
- In certain circumstances, where we have express consent to do so. Where we collect consent, we will explain that it may be withdrawn at any time in accordance with the information we provide at that time.
We will process your client’s personal data as a Data Processor in accordance with the terms of the contractual arrangements in place between us.
- Sharing your information
We will share your details with third parties instructed by us in accordance with your instructions to enable us to fulfil our contractual obligations to you and/or your clients in the course of business. These include:
- Our carefully selected service providers who provide IT and system administration services to enable us to communicate effectively with you, provide services to you, and to give you access and use of the Secure Client Area (Portals);
- Where you specifically request this or it is necessary to provide our services to you, for example disclosure to expert medical providers;
- Where we consider other companies’ products and services in our group of companies may interest you;
- If we are under a duty to disclose or share your personal data in order to comply with any legal obligation.
We will not sell your information.
- What we do to protect your personal data
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we have put in place procedures to deal with any suspected personal data breach and, in the event of a breach, will notify you and any applicable regulator of a breach where we are legally required to do so.
- Storage and retention of your personal data
We retain your personal data in line with our internal retention policies and guidelines. These have been developed to ensure our compliance with regulatory obligations and professional practice. The time periods vary depending on the particular circumstances.
We will not store your information for longer than is reasonably necessary or required by law, and/or as needed for the duration of our contractual relationship.
- Sending your information outside of the UK
Your information will be predominantly processed in the UK. If your information is transferred outside the UK or the EEA you can expect a similar degree of protection in respect of your information as provided by processing in the UK.
- Your information rights
Data Protection Legislation gives your clients the right to access information held about them.
With respect to your clients we will, as you are the Data Controller, notify you if we directly receive a request relating to their rights and await your instructions on how to proceed.
If we are asked to process the information requests, we may ask your client to confirm their identity so that we can validate their request. Your clients may make a request by email or by writing to the DPO using the contact details provided above.
Your Clients have the right to:
- Request access to your personal data and check that we are lawfully processing it.
- Request correction of the personal data that we hold about you if you consider that it is inaccurate.
- Request the transfer of your personal data to you or to a third party.
- Request erasure of your personal data. This includes where you have been successful in exercising your right to object to processing (see below). However, we may not be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Request restriction of processing of your personal data. This may be the case if you want us to establish the data’s accuracy or where our use of the personal data is unlawful but you do not want us to erase it.
- Object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts your fundamental rights and freedoms.
Where you exercise your rights to request erasure, or request a restriction in the processing of your personal data or to object to processing of your personal data, we may still need to keep basic contact information about you if you are already or will shortly be an active customer as we will require this for contractual purposes.
We will not charge a fee unless we feel the request for your personal information is clearly unfounded or excessive (repeated requests), in which case we will either charge a reasonable fee or refuse to deal with the request.