MLACP GDPR Data Protection Policy

Privacy Policy

The Medicolegal Association of Chartered Physiotherapists (MLACP) is a professional network for Chartered Physiotherapists and others who have a special interest in Medicolegal work.  We provide a directory of members, a variety of information resources and a number of courses throughout the year, to help improve the knowledge and skills of physiotherapists who undertake medicolegal work.

The MLACP takes its data protection obligations seriously and is committed to the highest professional standards.  We only collect data that is relevant and necessary for us to deliver the best possible service.

This Policy is to help the MLACP deal with data protection matters.

The MLACP handles personal data about current, former, and on occasion prospective members, as well as other individuals that we communicate with.  We also receive some information from solicitors who wish to instruct an expert witness.

We recognise the need to treat all personal data in an appropriate and lawful manner, in accordance with the EU General Data Protection Regulation 2016/679 (GDPR).

Correct and lawful treatment of this data will maintain confidence in the MLACP and protect the rights of any individuals associated with the MLACP.  This Policy sets out our data protection responsibilities and highlights the obligations of the MLACP.

The MLACP will be responsible for ensuring compliance with this Policy.  Any questions about this Policy or data protection concerns should be referred to the MLACP Data Protection Officer (DPO).  The DPO is currently Will Winterbotham and can be contacted on

Collection of personal information

We will collect the basic contact information of members, comprising their name, telephone numbers, email and postal address.  We will also collect their area(s) of clinical expertise for the members directory, under a maximum of three headings.   We process and store this data because it is in our legitimate interest as a professional network to do so.

We will ensure that the personal data we hold is accurate and kept up to date. We will check the accuracy of any personal data at the point of collection and at the start of each year via membership renewal.  We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.

We will take appropriate security measures against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.

Payment of membership is completed securely through PayPal and no payment details are kept.

How we use this information

The information we collect is used to ensure that we provide members with the best and most appropriate service.  We use members’ contact information on the MLACP members directory, which is available for anyone to access.  We anticipate that the majority of people using this directory will be other physiotherapists or solicitors looking to instruct an expert witness.

We will also use members’ contact details to inform them of news, events, forthcoming courses and any relevant information which we deem appropriate.  We consider that by signing up to membership of the MLACP, members consent to their information being used in this way and we will not seek further consent.  We will not use members’ personal details for anything that does not relate to the work of the MLACP.

Storage, processing and retention of your information

Members’ personal data is held on a secure database.

Personal details (name, address, telephone number and email address), and area(s) of clinical expertise are accessible to anybody using the online members directory, which is free and readily accessible to all members of the public.

Payment details are not held.

Retention period

We will keep members’ data for two years after the end of their MLACP membership, unless required otherwise by law and / or regulatory requirements.

How and when we share personal information

We share personal data on a strictly ‘need to know’ basis.

We will contact members via email.

All emails regarding patients are confidential; person identifiable data will be redacted prior to sending and initials will be used.

The subject line of emails will not contain any patient identifiable data.

Members’ rights

The MLACP is committed to protecting our members’ right to privacy.  These rights include:

  • Right to be informed about what we do with their personal data
  • Right to have a copy of all the personal information we process about them
  • Right to rectification of any inaccurate data we process
  • Right to be forgotten and personal data destroyed
  • Right to restrict the processing of their personal data
  • Right to object to the processing we carry out based on our legitimate interest.

Information Commissioner’s Office

If members have any concerns about the way their personal information has been processed, please contact the DPO above.  If they are still unhappy following a review by us, they can then complain to the Information Commissioner’s Office (ICO).  Telephone: 0303 123 1113 (local rate) or 01625 545 7451.

Data Breach Policy

If there is a personal data breach, the MLACP will report this immediately, truthfully and in full.

The DPO is responsible for handling data breaches and will evaluate what the breach is, how it occurred and the associated risk to data subjects.

If there is a risk to data subjects, the breach will be reported to the Information Commissioner’s Office within 72 hours.  If the report is late, an explanation must be given as to why.

Where the risk to data subjects is high, the breach must be reported to them individually if at all possible.

The DPO will inform the ICO how the breach occurred, what steps are being taken to reduce the risk, and how a similar breach is to be avoided in future.  The initial report will contain a summary of the position.  The DPO may wish to seek authority to obtain legal advice before submitting the initial and any subsequent reports.

A thorough investigation and corrective action will be undertaken so as to reduce the risks to data subjects arising out of any breach, and to make sure that something similar does not happen again in future.

Where a breach of a computer system is suspected, the DPO may engage IT support to better understand the nature of the breach.

The theft of data, whether as a result of shortcomings in the physical security arrangements on the premises, or the hacking and penetration of computer systems, or theft by a member of staff, will be reported immediately to the police.

The breach, investigation and corrective actions must be documented and filed on the MLACP data protection risk register.

All personal data breaches, however minor, and whether reportable or not will be recorded in the data protection risk register, held by the DPO.

Changes to this policy

We reserve the right to change this policy at any time.

Security Policy

This security policy is designed to ensure that the MLACP complies with the security requirements of the General Data Protection Regulation, and the rights to privacy of data subjects are protected.

In compliance with Article 32 the MLACP has implemented appropriate physical, organisational and technical measures to ensure a level of security appropriate to the risk.

Security measures

Hard copy material containing personal data is stored securely and locked in filing cabinets in the office at night.

Electronic data is encrypted with restricted access.

No emails to members will contain personal information that is not freely available on the MLACP members directory.  Email addresses will not be shared between members and the bcc function will be used for group emails.

Shredding of confidential information is carried out securely on site or outsourced pursuant to a GDPR compliant contract.

When receiving telephone enquiries, we will only disclose personal data if we have checked the caller’s identity to make sure they are entitled to it.

Mobile equipment such as laptops will be encrypted and locked away when not in use.

Computers and other electronic equipment will be disposed of in a safe manner.

Anti-virus and anti-spyware tools will be installed on computers and a full scan performed weekly.

All computers will be password protected.

Changes to this policy

We reserve the right to change this policy at any time.