Privacy Policy

 


This privacy notice explains how Londonwide Local Medical Committees Limited (ICO registration number Z1239475) and its subsidiary company Londonwide Enterprise Ltd (ICO registration number Z1965945) process your data and for what reasons. The notice is layered; you can click on the section below that relates to you for more detail on how we use your data:

Constituents
 

Constituents are all practising GPs represented by the following Local Medical Committees (LMCs): Barnet, Bexley, Brent, Bromley, Camden, City & Hackney, Ealing, Hammersmith & Hounslow, Enfield, Greenwich, Haringey, Harrow, Hillingdon, Islington, Kensington, Chelsea & Westminster, Lambeth, Lewisham, Merton, Newham, Redbridge, Southwark, Sutton, Tower Hamlets, Waltham Forest, and Wandsworth.

A GP is represented by the LMC if they are registered on the National Performers List, working in the LMC area, and paying a statutory/administrative levy. Constituents also include sessional GPs and, as the levy is paid per practice, the practice staff employed by the practice.

 

Purpose: We process constituents’ personal data in order to provide the services and work outlined in the agreement between your LMC and Londonwide LMCs, which includes the following purposes:

  • Administer lists of Representative GPs (as required under the LMC constitution) and practices and their practice staff.
  • To administer the LMC elections.
  • To consider and specifically deal with matters arising under section 97 of the NHS Act.
  • To negotiate with or between and to CCGs and other bodies
  • To encourage and assist in the development of services, activities and amenities to constituents.
  • Provide advice, support and training.
  • Seek and represent your views.
  • Keep you informed about LMC activities, provide key information and guidance across London, locally and nationally through our monthly newsletters and e-alerts.
  • Keep you informed on news relating to the Londonwide LMCs’ buying Group.
  • Send out invites for attending events run by Londonwide LMCs Ltd and/or Londonwide Enterprise Ltd.
 
 

Lawful basis for the processing:

The majority of our processing is carried out under General Data Protection Regulation (GDPR) Article 6 (1) (e) ‘Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority invested in the controller’.

Or under GDPR Article 6.1 (f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’

 

Personal data:

Name

Contact postal address.

Contact email address.

Contact telephone number.

Practice name(s) where you do most work.

Date of birth.

General Medical Council (GMC) number (for GPs).

Gender.

LMC area you do most work in.

 

Who provides the personal data:

Data subject: Constituents directly.

Practice Managers and other practice staff on behalf of the practice.

We receive a minimum data set from NHS England with the details of GPs joining or leaving the performers list, which includes name, contact address, contact email address (if provided), GMC number, Date of birth (if provided) and practice where they are working.

 
 

Who we share your personal data with:

  • Electoral Reform Services (ERS): We provide names, contact postal and email address details of GPs to the Electoral Reform Services, who perform the role of independent scrutineer for the LMC elections and act as a Data Processor in this situation.
    We also provide the names and contact postal and email addresses to Electoral Reform Services on request from the General Practitioners Committee (GPC) for administering their regional elections.
  • NHS England: We provide, on request, the names of practices and the names of principal GPs for those practices to NHS England to confirm levy mandates and payments.
  • Exact Target/Salesforce Marketing Cloud: We use Exact Target/Salesforce Marketing Cloud, acting as a data processor, to deliver our monthly e-newsletter and other emails. We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve all of our e-communications.
  • ComRes: We provide names, contact email address and the practice name (only where a GP or Practice Manager works at more than one practice) to ComRes, acting as a data processor, in order for them to send out our twice-yearly workforce survey.
  • Your LMC: We provide details of the names of GPs and the practices they work at for the LMCs as a list of the GPs they represent.
 
 

Personal data transfers outside of the EEA

None. 
 

How long we retain your personal data

When you retire as a GP, or are no longer registered on the NPL (national performers list), or you no longer work as a GP in an LMC area covered by Londonwide LMCs, unless you request to remain as a retired member on our database, we will lapse your record on the database, keeping only minimum information including name, GMC number and work history, eg relationships to practices. For practice staff, their record will be lapsed when they no longer work in the areas covered by Londonwide LMCs.

 

How we store your data

Your personal data is stored in our membership database provided to us by APT Solutions Ltd, who act as a data processor.

Committee Members
 

Committee members are GPs elected or co-opted by other GPs in their LMC area, onto a Local Medical Committee (LMC). Practice Managers and Practice Nurses are invited representatives on the LMCs.

 

Purpose

In addition to the purposes outlined under Constituents, we process committee members’ personal data for the purpose of administering the committee, including the election process and payment of honoraria.

 

Lawful basis for the processing:

General Data Protection Regulation (GDPR) Article 6 (1) (e) ‘Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority invested in the controller’.

GDPR Article 6 (1) (b) ‘Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.

GDPR Article 6 (1) (c) ‘Processing is necessary for compliance with a legal obligation to which the controller is subject’.

Any special category data relating to access requirements and/or dietary preferences is processed under GDPR Article 9 (2) (b) ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject’.

Any special category data, eg BMA number, is processed under GDPR Article 9 (2) (d) ‘processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects’.

 
 

Personal data:

In addition to the personal data described under constituents, we process:

  • National insurance number, date of birth and financial details (including bank account and sort code) for processing and payment of honoraria payroll.
  • BMA number (for those LMC members who attend the annual LMC conference as a conference representative).
  • Dietary preferences/access requirements.
 

Who provides the personal data:

Directly from the data subject: Committee members and invited representatives.

 

Who we share your personal data with:

We provide name, contact details, national insurance number, date of birth and financial details to SD Worx, who act as a data processor for us, in order to process and pay honoraria.

We provide the names of Officers (LMC Chairs and LMC Vice-Chairs) to the General Practitioners Committee (GPC) for the entry under your LMC for the GPC year book.

We provide details of the names of committee members to all constituents when we declare results of the LMC elections and the names of committee members are displayed on Londonwide LMCs’ website www.lmc.org.uk

We provide details to HMRC for tax purposes.

 

Personal data transfers outside of the EEA

None. 
 

How long we retain your personal data

When a committee member finishes their term of office or resigns from the committee, their personal information is retained on the payroll system until the completion of the next quarterly honoraria payment and in order to issue a P45.

We need to keep the details of financial transactions for six years after the end of the financial year in which they were processed, in the event of a tax, payroll or accounting enquiry.

 

How we store your data

Your personal data, including your BMA number (if applicable), is stored in our membership database provided to us by APT Solutions Ltd, who act as a data processor. In addition, your name, contact details, national insurance number, date of birth and financial details are stored in the SD Worx payroll database.

Event Attendees
 

Event attendees may be constituents but can also be non-constituents. They are anyone who attends an event run by Londonwide LMCs Ltd or Londonwide Enterprise Ltd.

 

Purpose

We process the personal data in order to run and manage the event the event attendee is attending. We may take photos or video footage of some events; this will be made clear to all delegates prior to the day and at the start of the day.

 

Lawful basis for the processing:

General Data Protection Regulation (GDPR) Article 6 (1) (b) ‘Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.

Or under GDPR Article 6.1 (f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’

Any special category data relating to access requirements and/or dietary preferences is processed under GDPR Article 9 (2) (b) ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject’.

 
 

Personal data:

Name

Contact postal address

Contact email address

Contact telephone number

Practice name(s)

Dietary preferences

Access requirements

Photos/Video footage taken at an event.

 

Who provides the personal data:

Directly from the data subject: event attendee or from the person booking the event on their behalf, eg a Practice Manager for a GP.

 

Who we share your personal data with:

We may share your name with the speakers or sponsors of an event and, if this is the case, you will be informed. We may share names with our landlord, the British Medical Association, if the event is held at our office. We may also share access requirements with the landlord if an individual PEP is required.

 
 

Personal data transfers outside of the EEA

None. 

 

How long we retain your personal data

We need to keep the details of financial transactions for six years after the end of the financial year in which they were processed, in the event of an accounting enquiry.

 

How we store your data

Your personal data is stored in our membership database provided to us by APT Solutions Ltd, who act as a data processor.

We don’t store any payment card details; these are processed through the Stripe Payment Platform. https://stripe.com/gb/privacy

Some of our free events are processed using Eventbrite (see the Eventbrite privacy policy).

Event Exhibitors, Event Sponsors, Event Speakers and Blended Learning Programme Trainers and Mentors
 

Event exhibitors, sponsors and speakers are normally non-constituents but may also be constituents. They are anyone who exhibits, sponsors or speaks at an event run by Londonwide LMCs Ltd or Londonwide Enterprise Ltd. This section also covers the Programme Trainers and Mentors on the Blended Learning Programmes.

 

Purpose

We process the personal data in order to run and manage the event and/or run the training programme. We may take photos or video footage of some events; this will be made clear to all delegates prior to the day and at the start of the day.

 

Lawful basis for the processing:

General Data Protection Regulation (GDPR) Article 6 (1) (b) ‘Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.

Or under GDPR Article 6.1 (f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’

Any special category data relating to access requirements and/or dietary preferences is processed under GDPR Article 9 (2) (b) ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject’.

 

Personal data:

Name

Contact postal address

Contact email address

Contact telephone number

Dietary preferences

Access requirements

Photos/Video footage at an event/training day

CVs for trainers and mentors.

 

Who provides the personal data:

Directly from the data subject: event exhibitor contact, sponsor contact, speaker contact, trainer or mentor.

 

Who we share your personal data with:

We may share your name with the speakers or sponsors of an event and if this is the case, you will be informed. 

 

Personal data transfers outside of the EEA

None. 
 

How long we retain your personal data

We need to keep the details of financial transactions for six years after the end of the financial year in which they were processed, in the event of an accounting enquiry.

 

How we store your data

Your personal data is stored in our membership database provided to us by APT Solutions Ltd, who act as a data processor.

Blended learning programme students
 

Practice Managers, Practice Nurses or Health Care Assistants attending one of our blended learning training programmes. They may be a constituent or a non-constituent.

 

Purpose

We process the personal data in order to provide the blended learning training programmes.

We may take photos or video footage of some training days; this will be made clear to all delegates prior to the day and at the start of the day.

 

Lawful basis for the processing:

General Data Protection Regulation (GDPR) Article 6 (1) (b) ‘Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.

Or under GDPR Article 6.1 (f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’

Any special category data relating to access requirements and/or dietary preferences is processed under GDPR Article 9 (2) (b) ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject’.

 
 

Personal data:

Name

Contact postal address

Contact email address

Contact telephone number

Date of Birth (required for accreditation)

Gender, ethnicity, sexual orientation, religion (collected on a separate form and held as non-identifiable statistics)

Dietary preferences

Access requirements

Photos/video footage taken at a training day

Work submitted.

 

Who provides the personal data:

Directly from the student or from the person commissioning a group booking.

 

 

Who we share your personal data with:

Universities providing accreditation for the courses: University of Middlesex. Trainers and mentors providing support on the course.

 

Personal data transfers outside of the EEA

None. 

 

 

How long we retain your personal data

We need to keep the details of financial transactions for six years after the end of the financial year in which they were processed, in the event of an accounting enquiry.

 

How we store your data

Your personal data is stored in a training database provided by Kent House Ltd.

We don’t store any payment card details; these are processed through the Stripe Payment Platform. https://stripe.com/gb/privacy

Employees/Workers
  All staff who have a contract of employment or a service agreement with Londonwide LMCs Ltd/Londonwide Enterprise Ltd
 

Purpose

We process the personal data in order to fulfil obligations of an employment contract, provide a safe working environment, and meet legal obligations.

 

Lawful basis for the processing:

General Data Protection Regulation (GDPR) Article 6 (1) (b) ‘Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.

GDPR Article 6 (1) (c) ‘Processing is necessary for compliance with a legal obligation to which the controller is subject’.

Or under GDPR Article 6.1 (f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’

Any special category data is normally processed under GDPR Article 9 (2) (b) ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject’.

 
 

Personal data:

Name

Contact details

Date of Birth

Gender

National insurance number/Passport/ID number

Work Permit/Visa details (for non-EU nationals)

Emergency contact details

Dietary requirements

Access requirements.

 

Who provides the personal data:

Employee/Worker

 

Who we share your personal data with:

Landlord (British Medical Association) for access purposes

HM Revenue & Customs, regulators (such as the ICO) and other authorities if required under law.

Pension providers for management of auto enrolment compliance.

Data processors who assist in the operation of our organisation, including SD Worx for payroll and leave, and pension providers.

 

Personal data transfers outside of the EEA

None. 
 

How long we retain your personal data

We need to keep the details of financial transactions for six years after the end of the financial year in which they were processed, in the event of an accounting enquiry.

 

How we store your data

In paper and electronic HR files, the payroll and leave system hosted by SD Worx, who act as a data processor, and pension providers’ systems.

Job applicants
  Any individual who applies for a position at Londonwide LMCs Ltd/Londonwide Enterprise Ltd
 

Purpose

We process the personal data in order to fulfil obligations of making pre-contract checks, providing a safe working environment, and meeting legal obligations.

 

Lawful basis for the processing:

General Data Protection Regulation (GDPR) Article 6 (1) (b) ‘Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.

GDPR Article 6 (1) (c) ‘Processing is necessary for compliance with a legal obligation to which the controller is subject.’

Or under GDPR Article 6.1 (f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’

Any special category data is normally processed under GDPR Article 9 (2) (b) ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject’.

 
 

Personal data:

Name

Contact details

Right to work (is checked at interview but is not stored for applicants)

Ethnicity, gender, age, access requirements (captured on a separate form and are held in a non-identifiable form for equality monitoring)

Declaration of unspent convictions under the Rehabilitation of Offenders Act 1974 (the declaration forms are kept separately from the application forms or CVs).

 

Who provides the personal data:

Job applicant

Agency

 

Who we share your personal data with:

Interview panel

Names will be shared with the Landlord for access purposes to the office.

 

Personal data transfers outside of the EEA

None. 
 

How long we retain your personal data

We keep identifiable details for a period of 6 months after the interviews are concluded.

 

How we store your data

In paper and electronic HR files.

Suppliers & Contractors
  All suppliers and contractors who provide services to Londonwide LMCs Ltd/Londonwide Enterprise Ltd.
 

Purpose

We process the personal data in order to manage the contract and the services.

 

Lawful basis for the processing:

General Data Protection Regulation (GDPR) Article 6.1 (f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’

Personal data:

Name

Contact details

 

Who provides the personal data:

Data Subject directly or from the supplier company they work for.

 

Who we share your personal data with:

Landlord (British Medical Association) for access purposes

 

Personal data transfers outside of the EEA

None. 
 

How long we retain your personal data

Personal identifiable data will be held for as long as the contract is in place.

We need to keep the details of financial transactions for six years after the end of the financial year in which they were processed, in the event of an accounting enquiry.

 

How we store your data

In paper and electronic files.

Press
  All press contacts
 

Purpose

We process the personal data in order to manage press contacts.

 

Lawful basis for the processing:

General Data Protection Regulation (GDPR) Article 6.1 (f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’

 
Personal data:

Name

Contact details

Company they work for

 

Who provides the personal data:

Data Subject directly or from the company they work for.

 

Who we share your personal data with:

Landlord (British Medical Association) for access purposes

 

Personal data transfers outside of the EEA

None. 
 

How long we retain your personal data

Personal identifiable data will be held for as long as the contract is in place.

How we store your data

In paper and electronic files.

Visitors to our office
  All visitors to our office. 
 

Purpose

We process the personal data for security and safety reasons.

If your visit is planned, we’ll send your name and visit information to the security team of our landlord, the British Medical Association (BMA), before your visit, so that we can print a personalised badge for your arrival. If you arrive without an appointment, you will be given a generic visitor badge. You must wear a pass throughout your visit.

 

Lawful basis for the processing:

General Data Protection Regulation (GDPR) Article 6.1 (f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’

 

Personal data:

Name

Contact details

Company they work for.

Closed-circuit television (CCTV) used in the communal areas of the British Medical Association building is not operated by us, so we are not the controller. It is under the control of the building landlord, BMA.

 

Who provides the personal data:

Data Subject directly or from the company they work for/representing.

 

Who we share your personal data with:

Name and company they represent are shared with our landlord, the BMA, for access purposes.

 

Personal data transfers outside of the EEA

None. 
 

How long we retain your personal data

Personalised badges will be destroyed when you leave the premises.

 

How we store your data

In electronic files.

Visitors to our website and how we use Cookies
Since May 2012 European Union (EU) legislation has meant that we have to gain users’ consent to store cookies from our website on their computer or device.

First time visitors to the website are asked whether they consent to us placing cookies on their computer. This meets the current requirement of the EU legislation and it gives the user the choice to opt out of using cookies if they so wish. You can block cookies by activating a setting on your browser allowing you to refuse cookies. You can also delete cookies through your browser settings. If you turn off cookies, you can continue to use the website and browse its pages, but certain services will not work as effectively.

We use cookies specifically for Google Analytics which helps us to monitor use of the site and improve it in the future. No personal data about users is retrieved or stored.

Google Analytics
What is it?

A way of tracking activity on this website so that we can see how many visitors we have, which pages are being looked at, how the visitor found our page and the categories of people who are looking at the site.

How does Google know all of this?
Google Analytics works like this:

You land on a web page which has GA code on it. The code creates one or more text files on your computer (called a “cookie”). The cookies contain a “client ID” which is used to uniquely identify your browser and track each site you visit that has GA enabled. If you already have GA cookies, they will be updated with the latest information about your visit to the site. Google also collects information about you from its DoubleClick tracking and profiling service, from ad-supported apps on your Android or iOS device, from your YouTube and Gmail activity and from your Google account. This data is put together and used to make inferences about your age, gender, interests, hobbies, shopping habits and living circumstances. Statistics based on this information are available to us, as the website owner. For example, we can see whether our site is accessed more by men or by women, whether we have repeat visitors and whether our visitors are sports fans or movie buffs. We cannot see your individual information – only Google has access to this.

How do I prevent being tracked by Google Analytics?
If you are uncomfortable with this tracking, you can take the following actions:
  • Use a tracking-blocker
  • Install the Google Analytics opt-out extension
  • Clear cookies after every browsing session.

Sharing your information
We will not share your information with any third parties for the purposes of direct marketing. We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct. In the individual sections, we have detailed any specific instances of sharing with data processors.

In some circumstances we are legally obliged to share information, for example under a court order. Where sharing is required we will satisfy ourselves that we have a lawful basis on which to share the information and document our decision making.

Your Rights
 

The right to be informed – which is what this privacy notice is for

 

The right to access the data we hold about you. This is commonly known as a ‘subject access request’

 
 

The right to object to processing carried out in the public interest – please contact us on info@lmc.org.uk

 

The right to object to direct marketing – either use the unsubscribe button in an email or contact us on info@lmc.org.uk

 

The right to erasure (right to be forgotten) (in some circumstances)

 

The right to data portability (in some circumstances)

 
 

The right to have your data rectified if it is inaccurate

 
 

The right to have your data restricted or blocked from processing

To exercise any of these rights, please contact us on governance@lmc.org.uk 

You also have the right to lodge a complaint with the supervisory authority, which is the UK Information Commissioner, who you can contact via their helpline or as directed on their website www.ico.org.uk.

How to contact us and exercise your rights
Londonwide LMCs is not required to have a Data Protection Officer. The Data Protection Lead is the Director of Resources. If you have a data protection query, please contact us via governance@lmc.org.uk.

We also have a subscription service with a data protection company, Protecture (https://protecture.org.uk), who provide data protection advice and assurance for us.

Any future changes to this policy will be published on the website (www.lmc.org.uk) and communicated to constituents. New versions of the privacy policy will be indicated by the version number and updated date.