1. Introduction, Scope, and Commitment
Medical Diagnosis Victoria (“MDX-Victoria”) is a branch of Medical Diagnosis Ltd. This policy details how Medical Diagnosis Ltd. (“MD,” “we,” “us,” or “our”) collects, processes, uses, and protects personal data when a healthcare provider, referrer, or patient directly requests a pathology test service.
MD takes customer privacy and confidentiality seriously and implements measures to ensure patient information is secure and confidential.
This policy may be updated from time to time. MD encourages regular checking of this page and may notify customers of major changes via email or other communication routes based on communication preferences.
2. Contact Information and Roles
Branch / Clinic Location
Medical Diagnosis Victoria (MDX-Victoria)
170 Vauxhall Bridge Road
London SW1V 1EJ
Registered Company Office
Medical Diagnosis Ltd.
Central Business Centre, Unit 12
Great Central Way
London NW10 0UR
ICO Registration
Data Controller, Registration Number: CSN3168084
Data Protection Officer
George Xynopoulos
Victoria Contact
Telephone: 020 3146 9508
Telephone: 020 8830 0503
Email:
victoria@medical-diagnosis.co.uk
General Contact
info@medical-diagnosis.co.uk
3. Roles as Data Controller and Processor
MD’s data protection role is defined by the service request.
| Scenario | MD’s Primary Role | Entity Primarily Responsible |
|---|---|---|
| Patient orders test directly through MDX-Victoria or Medical Diagnosis Ltd. | Data Controller | Medical Diagnosis Ltd. |
| Healthcare professional or referrer requests a test. | Data Processor | The referrer, healthcare provider, or insurer. |
MD acts as a Data Controller in all scenarios for specific organisational functions, including archiving, legal action, mandatory public health reporting, website security, financial record-keeping, and general internal administration.
When acting as a Processor, MD adheres strictly to the referrer’s instructions, including which tests to perform and where results should be sent. As the referrer is the Data Controller, the referrer ultimately decides and/or agrees how personal data is used to provide the services and is responsible for explaining those uses to patients.
4. Personal Data Collected
MD collects and processes various types of personal data, which may include special category data due to the nature of pathology and healthcare services.
- Identity Data: name, date of birth, gender, sample identity number, and NHS number.
- Contact Data: address, email address, and telephone number.
- Clinical Details / Health Data: clinical details and history relevant to requested tests, which may include medical history.
- Laboratory Data: data created by MD when processing pathology samples, including test results.
- Referrer / Third-Party Data: requesting clinician, address, specialties, and contact information, where applicable.
- Transaction and Financial Data: billing information, order details, card details, insurer information, invoice details, and products purchased.
- Technical Data: IP address, browser information, operating system, preferences, website usage information, Google Analytics ID, device details, and country-level location.
- Special Categories: race, ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, health, genetic, and biometric data, where applicable.
- Aggregated Data: statistical or demographic data derived from personal data that does not directly reveal identity.
5. Sources of Personal Data
MD obtains personal data from the following sources:
- Direct Interactions: information provided by you through forms, website order forms, post, phone, email, social media, orders, or newsletter subscriptions.
- Automated Technologies: technical data collected automatically as you interact with the website, using cookies and similar technologies.
- Third Parties: technical data from analytics providers and financial or transaction data from payment providers.
- Data We Create: laboratory data created when MD processes pathology samples.
- Referrers: information provided by the requesting clinician or referrer, in addition to pathology samples, especially where MD acts as Data Processor.
Where MD is required to collect personal data by law or under the terms of a contract, and you fail to provide that data when requested, MD may not be able to perform the contract or provide the relevant service. In such cases, MD may be required to cancel the service and will notify you at the time.
6. Purposes and Lawful Bases for Processing
MD processes personal data for various purposes, supported by one or more lawful bases.
- Order and Service Processing: client registration, pathology testing, result delivery, and payment processing. Lawful bases include performance of a contract, provision of health or social care or treatment, and legitimate interests.
- Service Communications: notifying customers of changes, delays, material issues, or requesting feedback. Lawful bases include performance of a contract, legal obligation, and legitimate interests.
- Administration, Security, and Analytics: business administration and protection, system maintenance, troubleshooting, analysis, testing, reporting, data hosting, website improvement, product and service improvement, marketing efforts, and customer relations. Lawful bases include legal obligation and legitimate interests.
- Archiving and Clinical Record Retention: complying with Royal College of Pathologists’ guidance. Lawful bases include legitimate interests and provision of healthcare.
- Mandatory Public Health Reporting: reporting to public bodies such as UKHSA. Lawful bases include legal obligation and public interest in the area of public health.
- Legal Action: defending, establishing, exercising, or settling legal claims. Lawful bases include legal claims and legitimate interests.
- Marketing and Promotional Purposes: contacting you with information about products and services, based on consent only.
- Special Category Data: processed where explicit consent applies, where data has been manifestly made public, where necessary for preventive or occupational medicine, assessment of working capacity, medical diagnosis, healthcare provision, health or social care treatment, or management of health or social care systems.
7. Sharing Personal Data with Third Parties
MD may share personal data with the following categories of third parties under strict data protection arrangements:
- Referrers: the requesting clinician who ordered the test and/or is required to receive the results.
- Specialist Laboratories: third-party laboratories, strictly where necessary, to perform specialised or high-volume tests.
- Health Insurers: the patient’s health insurer, limited to instances where the insurer is responsible for paying for services rendered.
- IT and Finance Support Providers: MD’s IT and finance/payment providers, to the minimum extent necessary and under strict confidentiality conditions.
- Service Providers / Sub-Processors: IT support, data storage providers, LIMS providers, finance systems, document management systems, and payment providers.
- Legal Advisors and Insurers: for receiving legal advice and for insurance-related purposes.
- Mandatory Public Health Reporting: public bodies in the UK, such as UKHSA, where MD is legally required to report.
- Debt Collection: debt collection agencies, solely where invoices remain unpaid.
- Third-Party Products: trusted third parties such as Google Analytics, Google Ads, and Facebook for a relevant and optimised website experience.
MD never sells customer details to other organisations. In the event of a business sale or reorganisation, personal data may be transferred as part of the general business data.
8. International Data Transfers
MD primarily stores personal data in the United Kingdom when acting as Data Controller.
Personal data may be transferred outside the UK and European Economic Area only where necessary for service provision. Examples include where a referrer is based outside the UK or EEA, or where samples must be referred to specialist laboratories outside the UK or EEA.
Where such transfers are made, MD ensures appropriate safeguards are in place. These safeguards may include contractual clauses approved under data protection law or reliance on explicit consent where applicable.
9. Data Security and Retention
Data Security
MD is committed to taking reasonable steps to protect personal data through a robust combination of legal, administrative, and technical procedures.
- Legal Compliance: MD complies with UK GDPR and continuously monitors internal procedures to ensure ongoing adherence to relevant statutory requirements.
- Regular Review: MD regularly reviews confidentiality and security arrangements and implements measures to maintain and improve information security where possible.
- Data Minimisation: MD does not retain information for longer than is necessary for the purposes set out in this policy.
- Awareness and Confidentiality: MD ensures officers, employees, and sub-contractors are aware of information security rules and the importance of confidentiality.
- Duty to Comply: officers, employees, and sub-contractors have a duty to follow these rules and cooperate to ensure this policy is effective.
- Training and Supervision: MD implements measures to ensure proper training, supervision, and instruction for employees handling personal information.
- Sub-Contractor Agreements: MD requires sub-contractors to adhere to confidentiality agreements regarding information acquired from MD.
- Technical Accreditation: the Laboratory Information Management System provider is accredited to ISO/IEC 27001:2024.
Data Retention
MD retains personal data for as long as necessary to fulfil the purpose for which it was gathered and to comply with legal, financial, and regulatory requirements.
MD follows UK retention guidelines as a minimum standard and maintains pathology records in line with Royal College of Pathologists’ guidance on the retention and storage of pathological records and specimens. This supports continued patient care and provides a physical audit trail for medico-legal purposes. For full details regarding retention periods, please refer to the guidance available at www.rcpath.org.
10. Your Data Subject Rights
You have the following rights concerning your personal data:
- Right of Access / Data Subject Access Request: to receive a copy of personal data held about you. MD reserves the right to charge a reasonable fee if requests are excessive or repetitive.
- Right to Correction / Rectification: to have incomplete or inaccurate data corrected under certain circumstances.
- Right to Erasure / Deletion: to ask MD to delete or remove personal data where there is no good reason to continue processing it, where you have successfully objected, where processing was unlawful, or where removal is required by local law.
- Right to Object to Processing: to object to the processing of your personal data.
- Right to Restriction: to ask MD to suspend processing of your personal data under certain circumstances.
- Right to Data Portability: to request transfer of your personal data to you or a third party, where applicable.
- Right to Withdraw Consent: to withdraw consent at any time where MD relies on consent as the lawful basis for processing. Withdrawal may affect MD’s ability to provide certain services.
- Right to Complain: to lodge a complaint with the Information Commissioner’s Office. MD appreciates the opportunity to address concerns directly first.
11. Cookies and Third-Party Websites
MD uses cookies and similar technologies. You can manage cookies through your web browser settings, including refusing cookies or requesting alerts. Disabling cookies may cause some parts of the website to become inaccessible or not function properly.
Cookie Policy: www.mdx-victoria.co.uk/cookie-policy
MD’s website may include links to third-party websites, plug-ins, and applications. Clicking these links or enabling these connections may permit third parties to collect or share data about you. MD does not control these websites and is not responsible for their privacy statements. You are encouraged to review the privacy policy of every website you visit after leaving MD’s site.