Data Security Statement
I take privacy very seriously and have updated all my processes so as to ensure that I am fully meeting the data protection standards introduced by the General Data Protection Regulation (GDPR) on 25 May 2018.
I am registered as a data processor with the Information Commissioner’s Office (ICO).
I endorse fully and adhere to the six principles of data protection, as set out in Article 5 of the GDPR.
1 - Data must be processed lawfully, fairly and in a transparent manner in relation to individuals.
2 - Data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3 - Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
4 - Data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
5 - Data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
6 - Data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
The categories of information that I collect and hold may include: personal information (such as name and date of birth), personal health details (such as medical history, treatments and medication), appointed legal representatives, and names of next of kin. I do not collect personal characteristics (such as ethnicity, language, nationality or country of birth), addresses or telephone numbers, or other next-of-kin, personal or family contact information.
Lawful basis of collecting data: I collect and use all information under lawful bases established by the GDPR. In terms of legitimate interests, the processing involves using data in ways instructing solicitors would reasonably expect and which have a minimal privacy impact, whilst allowing me to provide the service that has been requested. Data captured and held by me is limited to what is strictly necessary for the agreed purposes for which it is being processed. I do not process instructing solicitors’ data for any purposes other than those for which it was originally intended and agreed. I only process instructing solicitors’ personal data on the written instructions of the instructing solicitor.
I share information with no one other than the instructing solicitor, or on the instructions of the instructing solicitor.
Data collection requirements: As a condition of being granted access to any information I hold, I comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements, and retention and use of the data. I consider all data to be highly sensitive and personal, and the security reflects that. I do not keep data for any longer than necessary and do not allow its use for any purpose other than that for which it has been collected – the provision of medicolegal services. Data is then securely destroyed.
Data security: data is stored on 2 PCs and is fully encrypted with BitLocker or VeraCrypt using the AES cipher. No data is kept unencrypted. The personal computers are protected by up-to-date antivirus and anti-malware technology.
Data is backed up via the provider Tresorit. This involves end-to-end encryption (data is encrypted at source before transfer), the highest level of security, and storage in Microsoft Azure data centres in Switzerland and Ireland. The security satisfies all industry standards and is ISO 27001 certified. Even though the data is encrypted, it can also be remotely deleted in the event of a security breach. Sensitive material is sent either via an end-to-end encrypted email service, Proton Mail, password protected for the recipient and with a time-limited lifetime, or via ordinary email but encrypted at source. All email and data services require dual (two-factor) verification. The data is securely maintained and under highly restricted access.
No data will be transferred to or stored at a location outside the EEA or controlled by a US-registered company.
Data access: Dr M W M Upton is the only person with access to the medical and sensitive information on the personal computer, the online backup systems and electronic mail.
Mrs C S Upton manages the accounts and bookings; her access is limited to the addresses of solicitors, the names of claimants, and the addresses of claimants where letters are written to them.
No one else has access to the information, nor is information shared or sent other than to the instructing solicitors, except with their express permission. Access is therefore completely limited and restricted solely to these two people.
Data breaches: I have processes and controls in place (technical and organisational) to detect, report and investigate data breaches, via personal awareness and alerts from the PCs, the email service and the cloud systems. Instructing solicitors will be immediately informed of data breaches.
I have a record of all data processing, based on a list of the reports and letters produced.
Storage duration: Paper notes and DVDs are received at a staffed reception desk which is secured when unmanned. Paper records/DVDs are subsequently stored in a locked office. Paper records/DVDs are retained for a maximum of 3 months after seeing a claimant or after production of a report or supplemental report. They are then securely destroyed.
Electronic information is kept on a personal computer for up to 7 years before deletion.
Third party: Some data will be transcribed by a specific UK-based third-party transcription service, Accuro, who have their own GDPR policy. They use 256-bit SSL encryption and are ISO 27001 certified. Their data protection policy can be provided on request. Detailed information about their data security and GDPR compliance is continually evaluated. A few reports are transcribed by an NHS secretary using encrypted PCs.
Business Continuity: It is the responsibility of the instructing solicitor to ensure that all the supplied information is both accurate and maintained as current. Any changes must be notified as soon as possible.
Rights: Under the GDPR, there is a right to request access to information that is relevant and compliant with the law. There is a right to object to the processing of personal data, and to have inaccurate personal data rectified, blocked, erased or destroyed. My processes are available for audit and inspection on reasonable request to demonstrate compliance. If you have a concern about the way that I collect or use data, I request that you raise your concern with me in the first instance. This does not affect your right to complain to the Information Commissioner’s Office (ICO) (ico.org.uk).
Direct marketing - I hereby confirm that I do not undertake any form of direct marketing, and thus any information that is held by me is never used by me, or indeed ever supplied to a third party, in respect of any form of marketing, direct or otherwise.
Dr M W M Upton