Privacy Policy

Constituents are all practising GPs represented by the following Local Medical Committees (LMCs): Barnet, Bexley, Brent, Bromley, Camden, City & Hackney, Ealing, Hammersmith & Hounslow, Enfield, Greenwich, Haringey, Harrow, Hillingdon, Islington, Kensington, Chelsea & Westminster, Lambeth, Lewisham, Merton, Newham, Redbridge, Southwark, Sutton, Tower Hamlets, Waltham Forest, and Wandsworth.

A GP is represented by the LMC, if they are registered on the National Performers List, working in the LMC area, and paying a statutory/administrative levy. Constituents also include sessional GPs and as the levy is paid per practice, constituents also include the practice staff employed by the practice.

Purpose: We process constituents’ personal data in order to provide the services and work outlined in the agreement between your LMC and Londonwide LMCs, which includes the following purposes:

• Administer lists of Representative GPs (as required under the LMC constitution) and practices and their practice staff.
• To administer the LMC elections.
• To consider and specifically deal with matters arising under section 97 of the NHS Act.
• To negotiate with or between and to CCGs and other bodies
• To encourage and assist in the development of services, activities and amenities to constituents.
• Provide advice, support and training.
• Seek and represent your views.
• Keep you informed about LMC activities, provide key information and guidance across London, locally and nationally through our monthly newsletters and e-alerts.
• Keep you informed on news relating to the Londonwide LMCs’ buying Group.
• Send out invites for attending events run by Londonwide LMCs Ltd and/or Londonwide Enterprise Ltd.

Lawful basis for the processing:

The majority of our processing is carried out under General Data Protection Regulation (GDPR) Article 6 (1) (e) ‘Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority invested in the controller’.

Or under GDPR Article 6.1 (f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’

Personal data:

Name

Contact postal address.

Contact email address.

Contact telephone number.

Practice name(s) where you do most work.

Date of birth.

General Medical Council (GMC) number (for GPs).

Gender.

LMC area you do most work in.

Who provides the personal data:

Data subject: Constituents directly.

Practice Managers and other practice staff on behalf of the practice.

We receive a minimum data set from NHS England with the details of GPs joining or leaving the performers list, which includes name, contact address, contact email address (if provided), GMC number, Date of birth (if provided) and practice where they are working.

Who we share your personal data with:

• Electoral Reform Services (ERS): We provide names, contact postal and email address details of GPs to the Electoral Reform Services, who perform the role of independent scrutineer for the LMC elections and act as a Data Processor in this situation.
  We also provide the names and contact postal and email addresses with Electoral Reform Services on request from the General Practitioners Committee (GPC) for administering their regional elections.

• NHS England: We provide, on request, the names of practices and the names of principal GPs for those practices to NHS England to confirm levy mandates and payments.

• Exact Target/Salesforce Marketing Cloud: We use Exact Target/Salesforce Marketing Cloud, acting as a data processor, to deliver our monthly e-newsletter and other emails. We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve all of our e-communications.

• ComRes: We provide names, contact email address and the practice name (only where a GP or Practice Manager works at more than one practice) to ComRes, acting as a data processor, in order for them to send out our twice-yearly workforce survey.

• Your LMC: We provide details of the names of GPs and the practices they work at for the LMCs as a list of the GPs they represent.

Personal data transfers outside of the EEA

How long we retain your personal data

When you retire as a GP, or are no longer registered on the NPL (national performers list), or you no longer work as a GP in an LMC area covered by Londonwide LMCs , unless you request to remain as a retired member on our database, we will lapse your record on the database keeping only minimum information including name, GMC number and work history, eg relationships to practices. For practice staff, their record will be lapsed when they no longer work in the areas covered by Londonwide LMCs.

How we store your data

Your personal data is stored in our membership database provided to us by APT Solutions Ltd, who act as a data processor.

Committee members are GPs elected or co-opted by other GPs in their LMC area, onto a Local Medical Committee (LMC). Practice Managers and Practice Nurses are invited representatives on the LMCs.

Purpose

In addition to the purposes outlined under Constituents, we process committee members’ personal data for the purpose of administering the committee, including the election process and payment of honoraria.

Lawful basis for the processing:

General Data Protection Regulation (GDPR) Article 6 (1) (e) ‘Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority invested in the controller’.

GDPR Article 6 (1) (b) ‘Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.

GDPR Article 6 (1) (c) ‘Processing is necessary for compliance with a legal obligation to which the controller is subject’.

Any special category data relating to access requirements and/or dietary preferences is processed under GDPR Article 9 (2) (b) ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject’.

Any special category data, eg BMA number is processed under GDPR Article 9 (2) (d) ‘processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects’.

Personal data:

In addition to the personal data described under constituents, we process:

• National insurance number, date of birth and financial details (including bank account and sort code) for processing and payment of honoraria payroll.
• BMA number (for those LMC members who attend the annual LMC conference as a conference representative).
• Dietary preferences/access requirements.

Who provides the personal data:

Directly from the data subject: Committee members and invited representatives.

Who we share your personal data with:

We provide name, contact details, national insurance number, date of birth and financial details to SD Worx, who act as a data processor for us, in order to process and pay honoraria.

We provide the names of Officers (LMC Chairs and LMC Vice-Chairs) to the General Practitioners Committee (GPC) for the entry under your LMC for the GPC year book.

We provide details of the names of committee members to all constituents when we declare results of the LMC elections and the names of committee members are displayed on Londonwide LMCs’ website www.lmc.org.uk. 

We provide details to HMRC for tax purposes.

Personal data transfers outside of the EEA

How long we retain your personal data

When a committee member finishes their term of office or resigns from the committee, their personal information is retained on the payroll system until the completion of the next quarterly honoraria payment and in order to issue a P45.

We need to keep the details of financial transactions for six years after the end of the financial year in which they were processed, in the event of the tax, payroll or accounting enquiry.

How we store your data

Your personal data, including your BMA number (if applicable) is stored in our membership database provided to us by APT Solutions Ltd, who act as a data processor. In addition, your name, contact details, national insurance number, date of birth and financial details are stored in the SD Worx payroll database.

Event attendees may be constituents but can also be non-constituents. They are anyone who attends an event run by Londonwide LMCs Ltd or Londonwide Enterprise Ltd.

Purpose

We process the personal data in order to run and manage the event the event attendee is attending. We may take photos or video footage of some events this will be made clear to all delegates prior to the day and at the start of the day.

Lawful basis for the processing:

General Data Protection Regulation (GDPR) Article 6 (1) (b) ‘Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.

Or under GDPR Article 6.1 (f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’

Any special category data relating to access requirements and/or dietary preferences is processed under GDPR Article 9 (2) (b) ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject’.

Personal data:

Name

Contact postal address

Contact email address

Contact telephone number

Practice name(s)

Dietary preferences

Access requirements

Photos/Video footage taken at an event.

Who provides the personal data:

Directly from the data subject: event attendee or from the person booking the event on their behalf, eg a Practice Manager for a GP.

Who we share your personal data with:

We may share your name with the speakers or sponsors of an event and if this is the case, you will be informed.  We may share names with our landlord, the British Medical Association, if the event is held at our office. We may also share access requirements with the Landlord if an individual PEP is required.

Personal data transfers outside of the EEA

None. 

How long we retain your personal data

We need to keep the details of financial transactions for six years after the end of the financial year in which they were processed, in the event of an accounting enquiry.

How we store your data

Your personal data is stored in our membership database provided to us by APT Solutions Ltd, who act as a data processor.

We don’t store any payment card details, these are processed through the Stripe Payment Platform. https://stripe.com/gb/privacy

Some of our free events are processed using Event Brite. event brite-privacy-policy

Event exhibitors, sponsors and speakers are normally non-constituents but may also be constituents.  They are anyone who exhibits, sponsor or speaks at an event run by Londonwide LMCs Ltd or Londonwide Enterprise Ltd. This section also covers the Programme Trainers and Mentors on the Blended Learning Programmes. 

Purpose

We process the personal data in order to run and manage the event and/or run the training programme. We may take photos or video footage of some events this will be made clear to all delegates prior to the day and at the start of the day.

Lawful basis for the processing:

General Data Protection Regulation (GDPR) Article 6 (1) (b) ‘Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.

Or under GDPR Article 6.1 (f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’

Any special category data relating to access requirements and/or dietary preferences is processed under GDPR Article 9 (2) (b) ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject’.

Personal data:

Name

Contact postal address

Contact email address

Contact telephone number

Dietary preferences

Access requirements

Photos/Video footage at an event/training day

CVs for trainers and mentors.

Who provides the personal data:

Directly from the data subject: event exhibitor contact, sponsor contact, speaker contact, trainer or mentor.

Who we share your personal data with:

We may share your name with the speakers or sponsors of an event and if this is the case, you will be informed. 

Personal data transfers outside of the EEA

How long we retain your personal data

We need to keep the details of financial transactions for six years after the end of the financial year in which they were processed, in the event of an accounting enquiry.

How we store your data

Your personal data is stored in our membership database provided to us by APT Solutions Ltd, who act as a data processor.

Practice Managers, Practice Nurses or Health Care Assistants attending one of our blended learning training programmes. They may be a constituent or a non-constituent.

Purpose

We process the personal data in order to provide the blended learning training programmes.

We may take photos or video footage of some training days, this will be made clear to all delegates prior to the day and at the start of the day.

Lawful basis for the processing:

General Data Protection Regulation (GDPR) Article 6 (1) (b) ‘Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.

Or under GDPR Article 6.1 (f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’

Any special category data relating to access requirements and/or dietary preferences is processed under GDPR Article 9 (2) (b) ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject’.

Personal data:

Name

Contact postal address

Contact email address

Contact telephone number

Date of Birth (required for accreditation)

Gender, ethnicity, sexual orientation, religion (collected on a separate form and held as non-identifiable statistics)

Dietary preferences

Access requirements

Photos/video footage taken at a training day

Work submitted.

Who provides the personal data:

Directly from the student or from the person commissioning a group booking.

Who we share your personal data with:

Universities providing accreditation for the courses: University of Middlesex. Trainers and mentors providing support on the course.

Personal data transfers outside of the EEA

None. 

How long we retain your personal data

We need to keep the details of financial transactions for six years after the end of the financial year in which they were processed, in the event of an accounting enquiry.

How we store your data

Your personal data is stored in a training database provided by Kent House Ltd.

We don’t store any payment card details, these are processed through the Stripe Payment Platform. https://stripe.com/gb/privacy

Purpose

We process the personal data in order to fulfil obligations of an employment contract, provide a safe working environment, and meet legal obligations.

Lawful basis for the processing:

General Data Protection Regulation (GDPR) Article 6 (1) (b) ‘Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.

GDPR Article 6 (1) (c) ‘Processing is necessary for compliance with a legal obligation to which the controller is subject’.

Or under GDPR Article 6.1 (f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’

Any special category data is normally processed under GDPR Article 9 (2) (b) ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject’.

Personal data:

Name

Contact details

Date of Birth

Gender

National insurance number/Passport/ID number

Work Permit/Visa details (for non-EU nationals)

Emergency contact details

Dietary requirements

Access requirements.

Who provides the personal data:

Employee/Worker

Who we share your personal data with:

Landlord (British Medical Association) for access purposes

HM Revenue & Customs, regulators (such as the ICO) and other authorities if required under law.

Pension providers for management of auto enrolment compliance.

Data processors, who assist in the operation of our organisation, including, SD Worx for payroll and leave, Pension providers.

Personal data transfers outside of the EEA

How long we retain your personal data

We need to keep the details of financial transactions for six years after the end of the financial year in which they were processed, in the event of an accounting enquiry.

How we store your data

Purpose

We process the personal data in order to fulfil obligations of making pre-contract checks, providing a safe working environment, and meeting legal obligations.

Lawful basis for the processing:

General Data Protection Regulation (GDPR) Article 6 (1) (b) ‘Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.

GDPR Article 6 (1) (c) ‘Processing is necessary for compliance with a legal obligation to which the controller is subject.’

Or under GDPR Article 6.1 (f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’

Any special category data is normally processed under GDPR Article 9 (2) (b) ‘processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject’.

Personal data:

Name

Contact details

Right to work (is checked at interview but is not stored for applicants)

Ethnicity, gender, age, access requirements (captured on a separate form and are held in a non-identifiable form for equality monitoring)

Declaration of unspent convictions under the Rehabilitation of Offenders Act 1974 (the declaration forms are kept separately from the application forms or CVs).

Who provides the personal data:

Job applicant

Agency

Who we share your personal data with:

Interview panel

Names will be shared with the Landlord for access purposes to the office.

Personal data transfers outside of the EEA

How long we retain your personal data

We keep identifiable details for a period of 6 months after the interviews are concluded.

How we store your data

Purpose

We process the personal data in order to manage the contract and the services.

Lawful basis for the processing:

General Data Protection Regulation (GDPR) Article 6.1 (f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’

Name

Contact details

Who provides the personal data:

Data Subject directly or from the supplier company they work for.

Who we share your personal data with:

Landlord (British Medical Association) for access purposes

Personal data transfers outside of the EEA

How long we retain your personal data

Personal identifiable data will be held for as long as the contract is in place.

We need to keep the details of financial transactions for six years after the end of the financial year in which they were processed, in the event of an accounting enquiry.

How we store your data

Purpose

We process the personal data in order to manage press contacts.

Lawful basis for the processing:

General Data Protection Regulation (GDPR) Article 6.1 (f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’

Name

Contact details

Company they work for

Who provides the personal data:

Data Subject directly or from the company they work for.

Who we share your personal data with:

Landlord (British Medical Association) for access purposes

Personal data transfers outside of the EEA

How long we retain your personal data

Personal identifiable data will be held for as long as the contract is in place.

In paper and electronic files.

Purpose

We process the personal data for security and safety reasons.

If your visit is planned, we’ll send your name and visit information to our landlord, the British Medical Association’s (BMA), security, who are our landlord, before your visit – so that we can print a personalised badge for your arrival. If you arrive without an appointment, you will be given a generic visitor badge. You must wear a pass throughout your visit.

Lawful basis for the processing:

General Data Protection Regulation (GDPR) Article 6.1 (f) ‘processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.’

Personal data:

Name

Contact details

Company they work for.

Closed-circuit television (CCTV) used in the communal areas of the British Medical Association building is not operated by us, so we are not the controller. It is under the control of the building landlord, BMA.

Who provides the personal data:

Data Subject directly or from the company they work for/representing.

Who we share your personal data with:

Name and Company they represent are shared with our Landlord, the BMA for access purposes

Personal data transfers outside of the EEA

How long we retain your personal data

Personalised badges will be destroyed when you leave the premises.

How we store your data

The right to be informed – which is what this privacy notice is for

The right to access the data we hold about you This is commonly known as a ‘subject access request’

The right to object to processing carried out in the public interest, please contact us on info@lmc.org.uk

The right to object to direct marketing – either use the unsubscribe button in an email or contact us on info@lmc.org.uk

The right to erasure (right to be forgotten)(in some circumstances)

The right to data portability (in some circumstances)

The right to have your data rectified if it is inaccurate

The right to have your data restricted or blocked from processing