Effective date: 01/08/2023
D4You Medicals Ltd, trading as D4You Clinic and D4You Driver Medicals, is committed to protecting the privacy, confidentiality and security of personal information and medical information.
This privacy policy explains how we collect, use, store and share personal information when providing medical assessment, driver medical, occupational health and related clinical services.
D4You Medicals Ltd is the data controller for personal information collected during our medical assessments. This means we are responsible for deciding how personal information is used and for ensuring it is handled in accordance with UK data protection law.
This policy applies to individuals who use our services directly, individuals referred to us by employers or organisations, and individuals who contact us through our website, booking system, email, telephone or other communication channels.
D4You Medicals Ltd
Trading names: D4You Clinic and D4You Driver Medicals
Registered/business address: 78 Churchgate, Stockport, Manchester, United Kingdom, SK1 1YJ
Email for privacy and data protection requests: admin@d4youclinic.co.uk
ICO registration reference: ZB895302
D4You Medicals Ltd is registered with the Information Commissioner’s Office and is Cyber Essentials certified.
We may collect and process the following types of personal information, depending on the service being provided:
Personal identification information, such as name, date of birth, address, telephone number, email address and photographic identification where required.
Booking information, including your name, email address, phone number, appointment type, appointment date and time, and any information provided when making or managing a booking.
Administrative information, such as employer or referring organisation, job role, service requested, payment status, consent forms and correspondence.
Medical and health information, such as medical history, current symptoms, diagnoses, medications, allergies, operations, hospital attendance, GP or specialist involvement, examination findings and relevant test results.
Assessment information, such as blood pressure, vision results, urine results, audiometry, spirometry, mobility, functional capacity, fitness-to-work findings, driver medical findings and other clinical information relevant to the assessment being carried out.
Employment or role-related information, such as job role, duties, workplace risks, shift pattern, driving requirements, safety-critical duties, exposure risks and employer referral information.
Certificate and report information, such as fitness outcomes, restrictions, recommendations, medical certificates, occupational health reports and correspondence with the individual or referring organisation.
Payment information, such as payment confirmation and transaction-related information. We do not usually store full card details ourselves, as payments are processed through third-party payment providers.
Website and communication information, such as enquiries submitted through our website, emails, telephone calls, online booking forms and other communications with us.
We collect and use personal information for the following purposes:
To arrange and manage appointments.
To confirm identity where required.
To carry out medical assessments, driver medicals, occupational health assessments and fitness-to-work assessments.
To assess medical fitness for driving, employment, safety-critical work, workplace duties, regulated activities, certificates or specific forms.
To complete medical certificates, reports, forms or fitness outcomes.
To communicate with individuals about appointments, results, further information required, certificates, reports, invoices or administrative matters.
To communicate with employers, referrers or organisations where the individual has been referred for an occupational health or workplace-related assessment.
To maintain clinical and administrative records.
To respond to complaints, queries, legal claims, regulatory enquiries or insurance matters.
To meet legal, regulatory, professional, clinical governance and record-keeping obligations.
To protect patient safety, public safety, workplace safety and the integrity of medical decision-making.
To improve and manage our services, systems, processes and business operations.
Under UK data protection law, we must have a lawful basis for using personal information.
Depending on the circumstances, we may rely on one or more of the following lawful bases:
Consent, where you have given clear permission for us to use your information for a specific purpose.
Contract, where processing is necessary to provide a service you have requested or to take steps before providing that service.
Legal obligation, where we need to process information to comply with the law.
Legitimate interests, where processing is necessary for our legitimate business, clinical, administrative or occupational health purposes, provided your rights and interests do not override those interests.
Vital interests, where processing is necessary to protect someone’s life or safety.
For medical and health information, which is special category data, we also rely on an additional condition under UK data protection law. This may include processing for the provision of health care or occupational health services, medical diagnosis, assessment of working capacity, management of health care services, or where explicit consent has been provided.
Where an employer, organisation or third party refers you for an occupational health or medical assessment, we will explain the purpose of the assessment and what information may be shared.
We do not share full clinical notes with employers. We usually only share the outcome of the assessment, such as fit, unfit, fit with restrictions, or whether further information is required, unless the individual has consented to wider disclosure or disclosure is required by law.
Where an occupational health report is prepared, we will only include information that is relevant to the purpose of the referral, the role, the workplace risk, or the question being asked. We aim to keep reports proportionate and focused on functional ability, fitness, restrictions, recommendations and workplace adjustments where relevant.
In some cases, we may ask for your consent before releasing a report or certificate to an employer, referrer or organisation.
We only share personal information where there is a valid reason to do so. Depending on the service, we may share information with:
You, as the individual receiving the service.
Your employer, prospective employer, referrer or organisation, where this is relevant to the assessment and appropriate consent or lawful basis applies.
Your GP, specialist, consultant or other healthcare professional, where needed and with appropriate consent or lawful basis.
Regulators, public authorities, courts, legal bodies or law enforcement agencies, where required by law.
Our professional advisers, insurers or legal representatives, where necessary for complaints, claims, legal advice or insurance purposes.
Third-party service providers who support our systems and services, such as secure booking systems, clinical record systems, email providers, website providers, payment processors, IT providers and administrative software providers.
We require service providers to handle personal information securely and only for the purpose of providing services to us.
We use secure third-party systems and service providers to help us manage appointments, clinical records, communications, payments, website enquiries and business administration.
This may include the following categories of providers:
Appointment booking systems.
Clinical record systems.
Secure email and communication providers.
Website hosting and website enquiry providers.
Payment processors.
IT, cyber security and administrative software providers.
Professional advisers, such as legal, insurance, accountancy or data protection advisers where required.
We use SimplyBook.me to manage appointment bookings. SimplyBook.me may collect and process booking information such as your name, email address, phone number and appointment details so that we can arrange and manage your appointment.
Where third-party providers process personal information on our behalf, we take reasonable steps to ensure that appropriate data protection and security measures are in place. These providers are only permitted to process information for the purpose of providing services to us.
Where payment providers are used, payment details are processed by the payment provider. We do not usually store full card details ourselves.
We take confidentiality and information security seriously. We use reasonable administrative, technical and organisational measures to protect personal information against unauthorised access, loss, misuse, alteration or disclosure.
These measures may include:
Secure digital systems for clinical and administrative records.
Password-protected access to systems.
Restricted access to personal and medical information on a need-to-know basis.
Use of secure devices and appropriate technical protections.
Cyber security controls and Cyber Essentials certification.
Staff and clinician awareness of confidentiality and data protection responsibilities.
Secure disposal or deletion of information when no longer required.
No system can be guaranteed to be completely secure, but we take reasonable steps to reduce the risk of unauthorised access or misuse.
Medical information is treated as confidential.
We only access and use information where necessary for the purpose of providing services, making clinical decisions, completing certificates or reports, managing the clinic, meeting legal or regulatory duties, or dealing with complaints, claims or professional matters.
We do not sell personal or medical information.
We retain occupational health and medical assessment records for as long as reasonably necessary for clinical, legal, regulatory, insurance and business purposes.
The exact retention period may vary depending on the type of assessment, the nature of the record, professional obligations, legal requirements, insurance requirements and the reason the information was collected.
When information is no longer required, we will securely delete, dispose of or anonymise it where appropriate.
Under UK data protection law, you have rights in relation to your personal information. These may include:
The right to be informed about how your information is used.
The right to access your personal information.
The right to request correction of inaccurate or incomplete information.
The right to request deletion of your information in certain circumstances.
The right to request restriction of processing in certain circumstances.
The right to object to processing in certain circumstances.
The right to data portability in certain circumstances.
The right to withdraw consent where we are relying on consent as the lawful basis for processing.
Some rights are not absolute and may depend on the circumstances. For example, we may need to retain certain medical, legal, regulatory or business records even if a deletion request is made.
To make a request, please contact us using the details below.
If you would like to access the personal information we hold about you, or if you believe information we hold is inaccurate or incomplete, please contact:
D4You Medicals Ltd
Email: admin@d4youclinic.co.uk
We may need to verify your identity before responding to a request.
If you have concerns about how we handle your personal information, please contact us first so that we can try to resolve the issue.
Email: admin@d4youclinic.co.uk
You also have the right to raise a concern with the Information Commissioner’s Office, which is the UK regulator for data protection.
We may update this privacy policy from time to time to reflect changes in our services, systems, legal obligations or data protection practices.
The latest version will be made available on our website or provided on request.
For questions, concerns or requests relating to privacy, confidentiality or personal information, please contact:
D4You Medicals Ltd
Trading as D4You Clinic and D4You Driver Medicals
78 Churchgate
Stockport
Manchester
United Kingdom
SK1 1YJ
Email: admin@d4youclinic.co.uk
ICO registration reference: ZB895302
As of 10/6/26, D4You Clinic is a trading name of D4You Medicals Limited. Company number: 10443930. Registered address: 78 Churchgate, Stockport, Manchester, United Kingdom, SK1 1YJ
We are Cyber Essentials certified and registered with the Information Commissioner's Office.
We are located near Heathrow Terminal 5, with ample parking and excellent public transport links to our clinic.
Clinic Location: 450 Bath Road, Uxbridge, UB7 0EB