Medicare Systems Data Privacy Policy

Medicare Systems GDPR Data Protection Policy

Introduction
Medicare Systems Ltd (“Medicare Systems”) is dedicated to conducting its business operations in accordance with all valid data protection laws and regulations and with the highest standards of ethical conduct. This policy sets forth the expected behaviours of Medicare Systems in relation to the collection, use, retention, transfer, disclosure and destruction of any personal data belonging to a Medicare Systems contact (i.e. the data subject).

Personal Data is any information (including opinions and intentions) which relates to an identified or identifiable natural person. Personal data is subject to certain legal safeguards and other regulations, which impose restrictions on how organisations may process personal data. An organisation that handles personal data and makes decisions about its use is known as a data controller.

Medicare Systems, as a data controller, will be responsible for ensuring compliance with the data protection requirements outlined in this policy. Medicare Systems management is fully committed to ensuring continued and effective implementation of this policy.

Background
This policy applies to all Medicare Systems entities where an individual’s personal data is processed:
In the context of the business activities of Medicare Systems Ltd.

This policy applies to all processing of personal data in electronic form (including electronic mail and documents) or where it is held in manual files that are structured in a way that allows ready access to information.

Policy
Medicare Systems will ensure that all Medicare Systems Employees responsible for the processing of personal data are aware of and comply with the contents of this policy.

Data Protection Principles
Medicare Systems has adopted the following principles to govern its collection, use, retention, transfer, disclosure and destruction of personal data:

Principle 1: Lawfulness, Fairness and Transparency
Personal Data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject. This means that Medicare Systems will inform the Data Subject what processing will occur within its terms and conditions (transparency), the processing must match the description given to the Data Subject (fairness), and it must be for one of the purposes specified in the applicable Data Protection regulation (lawfulness).

Principle 2: Purpose Limitation
Personal Data will be collected for specified, explicit and legitimate purposes. Medicare Systems will specify to the data subject exactly what the Personal Data collected will be used for.

Principle 3: Data Minimisation
Personal Data will be adequate and limited to what is necessary in relation to the purposes for which they are managed. Medicare Systems will not store personal data beyond what is required.

Principle 4: Accuracy
Personal Data shall be accurate and kept up to date. Medicare Systems has key processes for identifying and addressing out-of-date personal data.

Principle 5: Integrity & Confidentiality
Personal Data is processed in a manner that ensures appropriate security of the personal data. Medicare Systems will use appropriate measures to ensure the integrity and confidentiality of personal data is maintained at all times.

Data Collection
Data Subject Consent
Medicare Systems will obtain personal data only by lawful and fair means and, where appropriate, with the knowledge and consent of the individual concerned.
This will include provisions for:
Determining what disclosures should be made in order to obtain valid consent.
Ensuring the request for consent is presented in a manner which is clearly distinguishable from any other matters.
Ensuring the consent is freely given.
Documenting the date, method and content of the disclosures made.
Providing a simple method for a data subject to withdraw their consent at any time.

Data Use
Data Processing
Medicare Systems will use the personal data of its contacts for the following broad purposes:
The general running and business of Medicare Systems, to provide services to Medicare Systems customers and the ongoing administration and management of customer services.
The use of a contact’s information should always be considered from their perspective and whether the use will be within their expectations or if they are likely to object.
Medicare Systems will process personal data in accordance with all applicable laws and applicable contractual obligations.

Medicare Systems will not process personal data unless at least one of the following requirements is met:
The Data Subject has given consent to the processing of their personal data for one or more specific purposes stated within Medicare Systems' terms and conditions.
Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Processing is necessary for the purposes of the legitimate interests pursued by the data controller.

E-LOGGING information
Medicare Systems is the data controller for the E-LOGGING web platform. All personal data, usernames, and passwords used by recipients are stored in a secure database server within the UK that is compliant with all data protection legislation. All information is anonymized and non-identifiable to each data recipient.
All new and existing customers of E-LOGGING will have to give their consent for Medicare Systems to store their personal data.

Data Quality
Medicare Systems will adopt all necessary measures to ensure that the Personal Data it collects and processes is complete and accurate in the first instance, and is updated to reflect the current situation of the data subject.
Personal data will not be transferred to any third parties unless consent has been given by the data subject.

Medicare Systems has adopted the following measures to ensure data quality:
Correcting Personal Data known to be incorrect, inaccurate, incomplete, ambiguous, misleading or outdated, even if the Data Subject does not request rectification.
The removal of Personal Data if in violation of any of the data protection principles or if the personal data is no longer required.
Restriction, rather than deletion of personal data, insofar as:
A law prohibits erasure.
Erasure would impair legitimate interests of the data subject.
The data subject disputes that their personal data is correct and it cannot be clearly ascertained whether their information is correct or incorrect.

Digital Marketing

It should be noted that where digital marketing is carried out in a ‘business to business’ context, there is no legal requirement to obtain an indication of consent to carry out digital marketing to individuals provided that they are given the opportunity to opt-out.

Data Subject Requests
Medicare Systems has an established structure enabling the exercise of data subject rights relating to:
Information access.
Objection to processing.
Data erasure.

If an individual makes a request relating to any of the rights listed above, Medicare Systems will consider each request in accordance with data protection regulations.

Data information request

In line with GDPR, the data subject is entitled to request information on the personal data that Medicare Systems holds. Should the data subject wish to do so, please email Medicare Systems with the subject “Information Request for (your name)” to info@medicaresystems.co.uk and information will be provided within 30 days, in line with the General Data Protection Regulation.

Right to be forgotten

The data subject has the right to request us to remove some or all personal information Medicare Systems holds on that individual. Should the data subject wish to exercise this right, an email should be sent to info@medicaresystems.co.uk with the information that should be removed.

Retention period
Medicare Systems will hold personal information for the period necessary to provide the products and services it has been contracted to provide, and to fulfil the purposes outlined in our terms and conditions, unless a longer retention period is required or permitted by law.

Data breaches
While we make every effort to secure and protect all personal information shared with us, should we experience a data breach of sensitive customer data, we will report the fact to the ICO and yourself within 72 hours of identification, within GDPR guidelines.

Policy Maintenance
All enquiries about this policy, including requests for exceptions or changes, should be emailed to info@medicaresystems.co.uk.
Publication: this policy shall be available to all Medicare Systems Employees and current customers and clients.
Effective Date: this policy is effective as of 20th May 2018.