How we use, store and protect your personal data

The Medical Defence Union was the world's first medical defence organisation. We're proud to have been guiding, supporting and defending our members since 1885.

We understand how important it is that we store your data securely and that we tell you how we will use your data in a transparent and clear way.

Whether that's providing a subscription quote, sending you our publications, defending a claim on your behalf or providing you with legal support, our aim is to make sure the personal details you provide are secure and processed as explained in this privacy policy.

If you have any questions about this policy, contact us at dataprotectionofficer@themdu.com or +44 207 202 1500.

How the MDU handles your data


This privacy policy sets out how we collect, use and store any personal information we may have about you. It applies to any personal data we collect, as well as data provided to us by third parties and our members.

When sharing personal data with the MDU/DDU, you can be sure that:

  1. it's collected and held securely, so you know your information is safe

  2. we will use your data to make sure your experience with us is personalised, supportive and efficient

  3. you can review and update the information we hold about you at any time

  4. you're in control of your data and, while we need to send you some types of communications, such as surveys, our annual report or claims and advisory information, you decide what other information you'd like to receive from us. 

About us

About the MDU companies

In our privacy policy, when we refer to 'the MDU', 'we', 'us' or 'our', we mean the Medical Defence Union Limited (company number 00021708) (of which the Dental Defence Union is the specialist dental division), MDU Services Limited (company number 03957086) and MDU Reinsurance Limited (registered in Guernsey, company number 42829), all of which are data controllers in relation to the personal data we hold about you.

The personal data we collect

The basics

There are different types of data about you that we may collect, store and process depending on your relationship with us.

This can include:

  • personal information about you - such as your name, contact details, date of birth and bank details
  • special categories of data, which require more protection - such as health information or criminal offence data.

If you use our website or the MDU/DDU mobile app, we will also record your IP address and information about which web pages you're accessing and when. This is important for us to be able to improve our website and enhance your online experience. See our cookies statement for more information.

When you call the MDU/DDU and speak to one of our advisers or our membership team, we will record your call. This helps us with training and lets us monitor the service we provide.

We may record your phone calls as part of our customer research to support our understanding of your needs.

Depending on your relationship with the MDU/DDU, we may also need additional information to find out more about you and how we can help. See below.

Quotes/applications for membership, or current or former members

Depending on whether you are interested in membership or applying for/renewing your MDU/DDU membership, phoning us for advice or receiving assistance with a claim or advisory matter, the personal information we collect from you will vary but can include:

  • your qualifications, work details and previous professional indemnity history
  • your working practice and relevant financial income
  • payment information, such as bank details
  • your criminal record (if any) and details of any ongoing court proceedings or complaints
  • your health data, if this is relevant to your query or claim. 

We also collect personal data about you from certain third parties, for example:

  • regulatory bodies, such as the General Medical Council (GMC) or professional bodies when, as part of our conditions, we need data to be able to verify your registration
  • other medical or dental defence organisations or insurers, who we contact during your membership application or in the course of a case
  • your employer, with your knowledge - for example, if you're joining the MDU or DDU as part of a deanery scheme or a corporate organisation
  • brokers, insurers and reinsurers we work with to provide products and services to you
  • other contacts you have nominated and authorised for us to speak to about your membership - such as your practice manager
  • claimants or potential claimants, or their representatives
  • publicly available sources - including the GMC and GDC's lists of registered medical professionals, government organisations such as the NHS or CQC, and approved healthcare data providers
  • providers of services that allow us to verify your details, such as your bank account information or address.

Patients involved in a complaint or claim against an MDU/DDU member

If you make a complaint about an MDU or DDU member or raise formal concerns with a body such as the GMC, GDC or the police, we may also take the following actions to provide advice or assistance to our member:

  • request the relevant parts of your medical or dental records
  • seek an account of events from our member
  • seek an expert opinion on the care provided from another clinician.

If you make a claim against an MDU or DDU member, we will need to ask you for:

  • your medical or dental records
  • your work history, financial records, and any details of expenses or purchases, if you are claiming for losses
  • in some instances, your bank account information and national insurance number.

We may also collect information from third parties, including:

  • members, former members, other healthcare professionals or representatives acting on their behalf
  • representatives acting on your behalf
  • providers of services that allow us to verify the details that you provide to us, such as bank account information.

Training course and event attendees

If you take part in an MDU or DDU training course or other event, we will collect and process personal data about you. This includes personal data that you provide to us voluntarily, such as your payment information when booking a course, video and/or photographs.

Authorised contacts

If a member has given permission for us to discuss their membership details with you on their behalf, we will collect your contact details.

Executors of a member's estate

If you are the executor of a deceased member's estate, we will need to collect information to help us update our membership records and provide assistance with claims brought against the estate.

Co-defendants or other medical professionals involved in an MDU/DDU member's claim

If a claim has been made against an MDU/DDU member and you are a co-defendant or involved in the case, we will collect information about your clinical involvement in the case.

We may also collect information from third parties, including:

  • members, former members, other healthcare professionals or representatives acting on their behalf
  • representatives acting on your behalf
  • claimants or potential claimants, or their representatives.

Suppliers of services to the MDU/DDU, including experts and contractors

We collect and process personal data about our suppliers, including experts and individuals associated with our suppliers, so that we can support our members with the business services you provide.

We collect:

  • names and addresses
  • bank information
  • names, qualifications and details of individuals working on the contract.

How we use your personal data

General uses of your data

Without your personal data, we wouldn't be able to provide many of the daily services and benefits our members receive as part of their membership. Your data is also important in helping us regularly review, analyse and improve what we do.

Below are some examples of how we use your personal data to provide our services, depending on your relationship with us.

  • Interacting with you via the MDU and DDU websites, webchat (live chat) and social media - for example, when you post, comment or share our Facebook and Twitter posts, or anything on the MDU/DDU website or YouTube channel.
  • Understanding how you use our website, so that we can learn about your experience, record information about choices you've made and allow us to tailor your website experience, fix any issues and improve our digital presence.
  • Staff training and service improvement, for example when we record calls for quality monitoring or monitoring letters and emails. We do this to make sure that all callers are given the right information, our records are kept up to date, and we can handle any complaints which impact your indemnity.
  • Using data for business analysis and reporting on key information, such as our membership demographic and how we're performing.
  • Using data for research and statistical analysis to identify trends in the services we provide.
  • Making sure our marketing and sales communications are tailored to specific groups, through data profiling.
  • Using data to help with statutory reporting and audit, for example in compiling our annual report.
  • Analysing data for compliance with sanctions and fraud checks.
  • Performing tasks that are essential to our daily business activities - such as keeping an archive of all emails sent and received, to help resolve any queries or disputes.
  • Physical and IT security monitoring, so that we know your personal data is well protected.
  • Providing financial protection for the MDU companies and allowing ongoing handling of claims through reinsurance.
  • Assessing subscriptions and pricing by analysing, or profiling, categories of members, their work history and notifications such as case details.

Quotes/applications for membership, or current or former members

Your personal data allows us to:

  • verify your identity, qualifications and work circumstances - this tells us whether you're eligible for membership, and allows us to process your membership payment
  • understand the risk associated with the work you need us to indemnify, and assess current and future subscription rates - we use data profiling to support this process
  • provide you with membership benefits and services, including medico and dento-legal advice, clinical risk management, legal instruction and claims handling
  • contact you by telephone, post, email or SMS to let you know about events, services and membership benefits, such as training courses and discounts available to MDU/DDU members, or to find out your opinion on proposed services or benefits – unless you let us know that you would prefer not to receive this type of communication
  • send you surveys to gain your opinion on the level of services provided by the MDU/DDU and help us develop relevant new services
  • process training course bookings, attendance registers and feedback so that we can provide CPD certificates after you've finished one of our courses.

Patients involved in a complaint or claim against an MDU/DDU member

If you make a claim or complaint against an MDU/DDU member, or if an MDU/DDU member requests advice or assistance from us, we may need personal information about you so we can provide guidance and advice, clinical risk management, legal instructions and claims handling, and other membership services to our member.

We use patient information when helping a member with an investigation or legal case, so we can provide support based on their particular circumstances. It also helps us to determine if a patient is associated with any other members or claims, so our advisers and legal teams can avoid any potential conflicts and make sure any new information is matched up with existing information we hold.

Training courses and event attendees

Your personal data lets us arrange your attendance at an MDU/DDU event or training course, manage your booking, provide CPD certificates and respond to CPD audits, where relevant.

Authorised contacts

If an MDU/DDU member has given permission for us to discuss membership matters with you, we will need to collect your personal data, such as your contact information, to help with:

  • applying for, renewing or continuing their membership of the MDU or DDU
  • providing access to membership benefits and services, including advisory services, clinical risk management, legal instruction and claims handling.

Executors of a member's estate

If you are the executor of a deceased member's estate, we will need to collect information so we can provide assistance with claims brought against the estate. This includes your contact information, to help us with ongoing administration of the member's records and the handling of their claim.

Co-defendants or other medical professionals involved in an MDU/DDU member's claim

We will capture information about co-defendants and other involved parties when a member has a claim made against them, to allow us to investigate or defend the claim. 

Suppliers of services to the MDU/DDU, including experts and contractors

In delivering your services to our members, your personal data allows us to manage our relationship with you as a supplier, measure quality and provide payment.

How we share your personal data

Sharing information with third parties

We sometimes need to share your data with third parties who help us provide our services.

We will never share your personal data with other companies or organisations for their own marketing or promotional purposes. We also make sure that any third parties who have access to your personal data have systems and processes in place to keep it confidential and only use it in ways that you would reasonably expect.

These third parties include:

  • insurers and reinsurance companies who support our financial stability and underwrite our indemnity
  • third parties that help us in the day-to-day running of our business - such as our mailing house, internal and external audit services, IT technologies (including data storage), and administrative services
  • expert witnesses, solicitors and/or barristers appointed by the MDU/DDU, or claimants' solicitors involved in the handling of a clinical negligence claim
  • regulatory or professional bodies, such as the GMC, GDC and BMA - with your knowledge, if we are assisting you with your advisory case
  • payment providers and banks, who allow us to receive and process funds
  • Premium Credit Ltd, for credit referencing and fraud and financial checks, when providing a loan for members who wish to pay their subscription by credit agreement
  • our legal and professional advisers, including our external auditors
  • other medical or dental defence organisations, NHS bodies or insurers involved in the handling of a claim, or when a letter of good standing is requested
  • law enforcement and justice organisations, such as criminal and civil courts, coroner services and police forces
  • training providers and venues that help us deliver courses and events which you might attend
  • your employer - such as your practice, Deanery or the NHS - or employer's elected administrator
  • other contacts you have nominated and authorised for us to speak to about your membership and any related matters
  • third parties that help us develop and deliver member benefits and services by finding out your opinions on existing and proposed benefits and services
  • when using our website or mobile app, your data is shared with our IT security companies to protect against security threats.

In the event of a change in the structure of our business, or if we sell, merge or transfer our business or parts of our business, we may share your personal data with the prospective buyer, owner or indemnifier.

If you are involved in a claim against one of our members - for example as a patient who has raised the claim or a co-defendant - we may need to share your personal data with:

  • members, former members, other healthcare professionals or representatives acting on their behalf
  • medical or dental defence organisations, brokers, insurers and Lloyd's of London
  • representatives acting on your behalf
  • courts
  • expert witnesses
  • solicitors and/or barristers appointed by the MDU/DDU
  • the Compensation Recovery Unit.

What happens when your data is transferred outside the UK and EEA?

Your personal data may be transferred to or stored outside the UK or the European Economic Area (EEA).

For example, to allow us access to global reinsurance markets, we may share limited personal data with non-UK/EEA insurers or reinsurers, or where remote access may be needed from outside the EEA to provide technical support.

We also use cloud providers to host some of our data, and where possible, we request that the personal data is stored within the UK or the EEA.

In all instances, we will continue to make sure your personal data is collected, used and stored to the same standards and for the same purposes we highlight in this privacy policy, with the equivalent level of protection as provided by UK/EU law.

Prior to any personal data transfer, we conduct assessments, apply required controls such as encryption and secure access, and put in place data protection agreements. A full list of countries where your data is transferred can be found here.

Storing your personal data

Keeping your data secure

We take security seriously and ensure we only use systems which are proven to be resilient to handle your personal data with confidentiality and integrity. We use encryption and authentication tools to keep your data safe and secure.

You can also be sure that your personal data is protected behind secured networks and only accessible by authorised people who are viewing or updating your information according to agreed policy and procedures.

How long do we hold your data?

We hold your personal information for as long as is necessary to fulfil the purposes we've outlined in this privacy policy, and to comply with our own legal obligations (whichever is longer). The length of time we hold certain data is comprehensively covered in our Retention Schedule and we have set out examples of retention periods below.

Quotes/queries

If you're requesting a quote by phone or through our website, we hold your personal data for 40 months. This lets us monitor the quality of advice and the service provided to you.

If you have applied but not joined, or are not accepted into the MDU, we keep your personal data for 40 years from your application. This is because you can still request our assistance with matters arising from the period of your application process, and incidents can come to light many years after the event.

Members

Similarly, for current and former members, we keep personal data for 40 years after the end of your membership. Again, incidents can be reported many years after the event, and you can still request our assistance in accordance with the memorandum and articles of the MDU.

Case files

If you make a claim against an MDU member, we will retain information about that case until the claim has concluded, or until any relevant limitation periods have expired. Once the case is closed, we normally hold this information for 10 years, but this might be longer in certain situations, such as if the case involves a minor or where there is a brain injury.

If you'd like to find out more about our retention schedule for data, please contact our data protection officer using the details below.

How the law allows us to process your information

Our legal basis for processing data

The MDU/DDU collects and processes your personal information on the following legal bases, and for the purposes we've outlined in the 'How we use your personal data' section above.

  • We need it to perform a contract, or when taking steps to enter into a contract with you - such as when you are considering joining the MDU/DDU, or when we provide advice and support to our members.
  • We need it to comply with a legal obligation specific to our organisation.
  • We need it for our legitimate business purposes (such as those below) while taking into account your rights and freedoms in relation to data.
  • You have given consent for us to use your data for our business purposes, for example when we send you marketing communications. You can withdraw your consent at any time at themdu.com/mymembership or theddu.com/mymembership, or by contacting the data protection officer.

There are also legal obligations around processing special categories of personal data and criminal records, as defined in the UK GDPR and the Data Protection Act 2018. We process this type of data on the basis that:

  • we need to manage legal claims when investigating or defending a claim, or during judicial and regulatory proceedings
  • we need to provide confidential and professional counselling to our members, to support the public interest
  • we need to provide services which assist our members in managing health systems and services
  • as a not-for-profit organisation, we need to process our members' data in the interest of the membership as a whole
  • we may ask for explicit consent from you to process your data - for example, when instructing a solicitor on your behalf. If you do not consent, we may not be able to provide you with the full benefits of membership.

What are the MDU/DDU's legitimate interests?

'Legitimate interests' means the interests of the MDU/DDU in how we conduct and manage the benefits of membership on behalf of our members. For example:

  • we provide services to our members that involve processing patient data
  • we share limited member data with our reinsurers, to provide financial stability for our organisation
  • we keep an email archive, in case a query is raised about information we have sent to you
  • we use your data for research and analysis, including reviewing trends in complaints and claims and setting subscription costs
  • we communicate with you through direct marketing about benefits of membership, our products and services unless you let us know that you would prefer not to receive this type of communication
  • we seek advice from our professional advisers, including insurers and legal advisers, when we exercise our rights to defend ourselves from claims.

If you would like to find out more about our legitimate interests for processing data, please contact the data protection officer.

What rights do you have?

You have a number of rights relating to the processing of your personal data, subject to some exceptions defined by law.

You can contact the data protection officer by email, phone or post (using the contact details below) if you'd like to request any of the following:

  • to be told how your personal information will be used, as set out in this privacy policy
  • to ask what information we hold about you and request a copy of that information, subject to any exemptions
  • to raise a valid objection to your personal data being processed
  • to have your personally identifiable data deleted in certain situations
  • to ask for your records to be updated, if you believe they are inaccurate
  • for processing of your personal data to be restricted, which you can do in certain situations
  • to transfer your personal data from one service provider to another - we will provide you with specific information if you're considering switching to another indemnifier.

Please include your name, email address and postal address in your request. We may also ask for proof of your identity.

We will confirm that we have received your request within five working days, and we will usually provide a response within one calendar month.

You can also lodge a complaint at any time about our processing of your personal data. If you have any questions, comments or concerns about any aspect of this policy, you can contact the data protection officer at:

We hope we'll be able to resolve any concerns you may have, so please contact us in the first instance.

However, if we cannot resolve your issue to your satisfaction, you have the right to raise a complaint to the UK's supervisory authority for data protection, the Information Commissioner's Office (ICO) at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Alternatively, you can email the ICO at casework@ico.org.uk or call 0303 123 1113.

If you are within the EU but not a UK resident, you can raise any issues or concerns either with the ICO or with the supervisory authority in the jurisdiction where you are located. If you need any help with finding out who to contact and how, please let us know.

Please note that we have appointed IT Governance Europe Limited to act as our EU representative. If you would like to exercise your rights under the EU General Data Protection Regulation (EU GDPR), or have any questions about your rights or general privacy matters, please email our representative at eurep@itgovernance.eu, making sure to include our company name in any correspondence you send.

Making contact

When do we contact you?

There are three main reasons for us to contact you during your membership, by email, post, telephone or messaging services.

1. Statutory communications

So that we can comply with our legal obligations, we send you statutory communications including:

  • a link to the Annual Report & Accounts, including notice of the annual general meeting
  • a link to the online proxy form
  • notice of any other general meeting.

2. Service communications

To tell you about your membership - including information about your renewal or any important changes to your membership - claim or advisory matters, or need-to-know medico-legal and regulatory updates.

3. Marketing communications

You can tell us if you would like to receive information about products and services we think you might be interested in. For example, your membership will allow you to take advantage of our training courses and resources, as well as accessing preferential rates on relevant business support services. You can also choose to receive notifications through our app.

If you would rather not receive marketing communications from us, you can let us know at any time by using the unsubscribe function in our emails, emailing membership@themdu.com or membership@theddu.com, or updating your communication preferences via our website.

You can also write to the membership team at One Canada Square, London E14 5GS or call +44 207 202 1500.

Changes to our privacy policy

We may update this privacy policy from time to time, and any important changes about how your data is processed will be published here. We may also send you an email to let you know of any important changes.

This policy was last updated in June 2023.

Keeping us updated

Keep your information up to date by letting us know if any of your details, such as your home address or place of work, change.

Contact our membership department or log in to My Membership and help us make sure the information we hold is current and correct.

Get in touch

If you have any questions, comments or concerns about any aspect of this policy, you can contact the Data Protection Officer at: