1. Purpose
This policy explains how The Medics Lodge (“we”, “our”, “us”) collects, uses, stores, and protects personal information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
We are committed to handling all personal data lawfully, fairly, transparently, and securely.
2. Scope
This policy applies to:
- All personal data processed by our organisation (including staff, learners, and suppliers).
- All formats — electronic, paper, verbal or photographic.
- Anyone working on behalf of The Medics Lodge, including employees, freelance trainers, and administrative staff.
3. Key Data Protection Principles
We adhere to the following principles under Article 5 of the UK GDPR. Personal data shall be:
- Processed lawfully, fairly and transparently.
- Collected for specified, explicit and legitimate purposes.
- Adequate, relevant and limited to what is necessary.
- Accurate and kept up to date.
- Stored only as long as necessary.
- Processed securely using appropriate technical and organisational measures.
4. Lawful Basis for Processing
We process personal data under one or more of the following lawful bases:
- Contract: To deliver booked training and issue certificates.
- Legal obligation: To meet regulatory or awarding body requirements.
- Consent: Where individuals have opted in to receive marketing or updates.
- Legitimate interests: To manage operations, ensure quality, and communicate effectively with clients and learners.
5. What Data We Collect
Depending on the course or service, we may collect the following information:
- Name, address, email and phone number.
- Date of birth and identification details (where required for certification).
- Employment details and professional role.
- Payment and invoicing details.
- Attendance and assessment records.
- Any specific learning or access requirements.
We do not collect unnecessary personal information and never store sensitive data without clear purpose and consent.
6. How We Use Personal Data
Personal data is used for purposes including:
- Managing bookings, payments, and course administration.
- Delivering training and assessment.
- Issuing certificates and maintaining training records.
- Communicating course details and updates.
- Meeting our legal and regulatory obligations.
We will never sell or share your personal data with third parties for marketing purposes.
7. Data Storage and Retention
- Personal data is stored securely and only accessible to authorised personnel.
- Electronic data is stored on password-protected systems; paper records are held in locked storage.
- Personal data is retained only for as long as necessary, typically until the course has concluded and certification has been issued, unless required for auditing or legal reasons.
- After this period, all data is securely destroyed or anonymised.
8. Data Sharing
We may share necessary data only with:
- Awarding or accrediting bodies (for verification and certification).
- Regulatory authorities if legally required.
- Venues or partners for logistical purposes (e.g. delegate lists).
All partners handling personal data on our behalf must comply with this policy and data protection law.
9. Individual Rights
Under the UK GDPR, individuals have the right to:
- Be informed about how their data is used.
- Access their personal data.
- Rectify inaccurate or incomplete data.
- Request erasure (“right to be forgotten”).
- Restrict or object to processing.
- Data portability (transfer of data to another provider).
Requests to exercise these rights should be submitted in writing to our Data Protection Lead (see Section 12).
10. Data Breaches
We take all breaches of data security seriously.
In the event of a suspected or actual data breach:
- It will be investigated immediately by the Data Protection Lead.
- Affected individuals and the Information Commissioner’s Office (ICO) will be notified within 72 hours where required.
- Steps will be taken to prevent recurrence.
11. Training and Responsibilities
All staff and trainers must:
- Handle data responsibly and in accordance with this policy.
- Report any data concerns or breaches promptly.
We provide appropriate training to ensure everyone understands their obligations under data protection law.
12. Data Protection Lead and Contact
For all data protection queries or requests, please contact:
Data Protection Lead: Georgia Leadbeater
Email: comms@medicslodge.com
We will respond to all requests within one month of receipt.
13. Review
This policy is reviewed annually or sooner if there are significant changes to data protection legislation or our processing activities.