
Privacy policy

Our privacy policy

MDUConnect is available through our network of insurance brokers. This privacy policy explains how we collect, use and store any personal information provided to us.

 

MDU companies

In our privacy policy, when we refer to 'the MDU', 'we', 'us' or 'our', we mean the Medical Defence Union Limited (company number 00021708), of which the Dental Defence Union is the specialist dental division; MDU Services Limited (company number 03957086), including the trading name MDU Insurance Solutions; and MDU Reinsurance Limited (registered in Guernsey, company number 42829). All of these are data controllers in relation to the personal data we hold. Our full privacy policy is at themdu.com/privacy.

If you have any questions about this policy, contact us at dataprotectionofficer@themdu.com or 020 7202 1500.

 

Linked websites

Please note that any websites that may be linked to our websites are subject to their own privacy policy.

Protecting patient information

Companies providing clinical services will continue to be considered data controllers under Data Protection Legislation and are therefore required to inform patients about how they will use the data they hold about them. MDU members should therefore inform their employees and patients – in leaflets, privacy notices and complaints procedures etc. – that, should a patient make a complaint or claim, they may need to provide information about the patient, and treatment they have received, to insurers, indemnifiers, brokers or legal advisers.

 

Sending information to our risk advisory team

When seeking medico-legal/dento-legal advice from the MDU, please do not send us any information about patients that is not directly relevant to your enquiry and necessary for us to advise or assist you/your client. If you do need to send information about patients, you should remove any details that could identify the patient(s) concerned (other than their initials and date of birth, which we need to check for conflicts or duplicates) unless we have specifically requested original unedited documents. Providing our risk advisory team with documents that contain unnecessary personal data about patient(s) may delay our ability to respond quickly, as we may need to remove identifying details from incoming correspondence before passing it on to an adviser.

 

Sending information to our claims or legal teams

Generally, documents sent to our claims handling team should be sent securely in their original form with no information removed.

 

How we use, store and protect personal data

We understand how important it is that we store data securely and that we tell you how we will use data in a transparent and clear way. 

 

What information do we collect?

To provide quotes, administer products and MDU membership, and/or to deal with any claims or complaints, we need to collect and process personal data. This includes:

  • Information provided to us in an application for membership or proposal form.
  • Information to help us carry out our obligations under any insurance contract in place.
  • Information provided to us in relation to an insurance claim.
  • Information to enable us to assess and respond to a complaint relating to our products and services.
  • Analysing data for compliance with sanctions and fraud checks.

 

In certain circumstances, we may need to collect sensitive information about health or previous claims. We will only use this information to:

  • Administer or carry out our obligations under any contract in place.
  • Assess and adjust any insurance claim.
  • Assess and respond to a complaint relating to our products or services.

 

If you use our website, we will also record your IP address and information about which web pages you're accessing and when. This is important for us to be able to improve our website and enhance your online experience. See themdu.com/about-cookies for more information.

When a member calls the MDU/DDU and speaks to one of our medico-legal/dento-legal advisers, we may record that call. This helps us with training and lets us monitor the service we provide.

 

Authorised contacts

We collect personal data, such as contact information, from authorised contacts if an MDU member gives permission for us to discuss their membership details with an authorised contact.

 

Sharing personal data

We sometimes need to share data with third parties who help us provide our services.

We also make sure that any third parties who have access to personal data have systems and processes in place to keep it confidential and only use it in ways that would be reasonably expected.

These third parties include:

  • insurers and reinsurance companies who support our financial stability and underwrite our indemnity
  • third parties that help us in the day-to-day running of our business - such as our mailing house, internal and external audit services, IT payment providers and banks, who allow us to receive and process funds
  • technologies (including data storage), and administrative services
  • our legal and professional advisers, including our external auditors
  • other medical or dental defence organisations, NHS bodies or insurers involved in the handling of a claim, or when a letter of good standing is requested
  • law enforcement and justice organisations, such as criminal and civil courts, coroner services and police forces
  • third parties that help us develop and deliver member benefits and services by finding out your opinions on existing and proposed benefits and services
  • when using our website or mobile app, your data is shared with our IT security companies to protect against security threats.

 

Transferring data outside the EEA

Personal data may be transferred to or stored outside the UK or the European Economic Area (EEA).  For example, to allow us access to global reinsurance markets, we may share limited personal data with non-UK/EEA insurers or reinsurers, or where remote access may be needed from outside the EEA to provide technical support.

We also use cloud providers to host some of our data, and where possible, we request that the personal data is stored within the UK or the EEA.

In all instances, we will continue to make sure personal data is collected, used and stored to the same standards and for the same purposes we highlight in this privacy policy, with the equivalent level of protection as provided by UK/EU law.

Prior to any personal data transfer, we conduct assessments, apply required controls such as encryption and secure access, and put in place data protection agreements. A full list of countries where data is transferred can be found in our full privacy policy at themdu.com/privacy.

 

Storing personal data

We take security seriously and ensure we only use systems which are proven to be resilient to handle personal data with confidentiality and integrity. We use encryption and authentication tools to keep data safe and secure.

You can also be sure that personal data is protected behind secured networks and only accessible by authorised people who are viewing or updating information according to agreed policies and procedures.

 

How long do we hold data?

We hold personal information for as long as is necessary to fulfil the purposes we've outlined in this privacy policy, and to comply with our own legal obligations (whichever is longer). The length of time we hold certain data is comprehensively covered in our Retention Schedule and we have set out examples of retention periods within our full privacy policy at themdu.com/privacy.

 

Our legal basis for processing data

The MDU collects and processes personal information on the following legal bases:

  • We need it to perform a contract, or when taking steps to enter into a contract.
  • We need it to comply with a legal obligation specific to our organisation.
  • We need it for our legitimate business purposes (such as those below) while taking into account the rights and freedoms of the data subject.

 

There are also legal obligations around processing special categories of personal data and criminal records, as defined in the UK GDPR and the Data Protection Act 2018. We process this type of data on the basis that:

  • we need to manage legal claims when investigating or defending a claim, or during judicial and regulatory proceedings
  • we need to provide confidential and professional counselling to our members, to support the public interest
  • we need to provide services which assist our members in managing health systems and services
  • as a not-for-profit organisation, we need to process our members' data in the interest of the membership as a whole
  • we may ask for explicit consent to process data - for example, when instructing a solicitor on behalf of a member.

 

What are the MDU's legitimate interests?

'Legitimate interests' means the interests of the MDU in how we conduct and manage the benefits of membership on behalf of our members. For example:

  • we provide services to our members that involve processing patient data
  • we share limited member data with our reinsurers, to provide financial stability for our organisation
  • we keep an email archive, in case a query is raised about information we have sent to a member
  • we use data for research and analysis, including reviewing trends in complaints and claims and setting subscription costs
  • we seek advice from our professional advisers, including insurers and legal advisers, when we exercise our rights to defend ourselves from claims.

 

If you would like to find out more about our legitimate interests for processing data, please contact the data protection officer.

 

What rights do members have?

Members have a number of rights relating to the processing of their personal data, subject to some exceptions defined by law.

The data protection officer can be contacted by email, phone or post (using the contact details below) if your client would like to request any of the following:

  • to be told how personal information will be used, as set out in this privacy policy
  • to ask what information we hold and to request a copy of that information, subject to any exemptions
  • to raise a valid objection to personal data being processed
  • to have personally identifiable data deleted in certain situations
  • to ask for records to be updated, if they believe they are inaccurate
  • for processing of personal data to be restricted, which can be done in certain situations
  • to transfer personal data from one service provider to another.

 

The member’s name, email address and postal address must be provided in the request. We may also ask for proof of identity.

We will confirm that we have received the request within five working days, and we will usually provide a response within one calendar month.

You can also lodge a complaint at any time about our processing of personal data. If you have any questions, comments or concerns about any aspect of this policy, you can contact the data protection officer at:

Email: dataprotectionofficer@themdu.com 

Telephone: 020 7202 1500

Write to: One Canada Square, London, United Kingdom, E14 5GS.

We hope we'll be able to resolve any concerns you may have, so please contact us in the first instance.

However, if we cannot resolve your issue to your satisfaction, you have the right to raise a complaint to the UK's supervisory authority for data protection, the Information Commissioner's Office (ICO) at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Alternatively, you can email the ICO at casework@ico.org.uk or call 0303 123 1113.

If you are within the EU but not a UK resident, you can raise any issues or concerns either with the ICO or with the supervisory authority in the jurisdiction where you are located. If you need any help with finding out who to contact and how, please let us know.

Please note that we have appointed IT Governance Europe Limited to act as our EU representative. If you would like to exercise your rights under the EU General Data Protection Regulation (EU GDPR), or have any questions about your rights or general privacy matters, please email our representative at eurep@itgovernance.eu, making sure to include our company name in any correspondence you send.

 

Changes to this statement

We may update this privacy policy, and the MDU’s main privacy notice, from time to time, and any important changes about how your data is processed will be published here. We may also send you an email to let you know of any important changes.

This policy was last updated in June 2024.