How we use, store and protect your personal data

The DDU understands how important it is that we store your data securely and that we tell you how we will use your data in a transparent and clear way.

Whether that's providing a subscription quote, sending you Cautionary Tales or our dento-legal journal, defending a claim on your behalf or providing you with legal support, our aim is to make sure that the personal details you provide to us are secure and processed as explained in this privacy policy.

If you have any questions about this policy, contact us at dataprotectionofficer@theddu.com or +44207 202 1500.

How the DDU handles your data

This privacy policy sets out how we collect, use and store any personal information we may have about you. It applies to any personal data we collect, as well as data provided to us by third parties and our members.

When sharing personal data with the MDU/DDU, you can be sure that:

  1. It's collected and held securely, so you know your information is safe. 

  2. We will use your data to make sure your experience with us is personalised, supportive and efficient.

  3. You can review and update the information we hold about you at any time.

  4. You can change your preferences and have full control over which communications you receive from us.

About us

About the MDU companies

In our privacy policy, when we refer to 'the MDU', 'we', 'us' or 'our', we mean the Medical Defence Union Limited (company number 00021708), (of which the Dental Defence Union is the specialist dental division), MDU Services Limited (company number 03957086) and MDU Reinsurance Limited (registered in Guernsey, company number 42829), all of which are data controllers in relation to the personal data we hold about you.

The personal data we collect

The basics

There are different types of data about you that we may collect, store and process depending on your relationship with us.

This can include:

  • Personal information about you – such as your name, contact details, date of birth and bank details.
  • Special categories of data, which require more protection – such as health information. 

If you use our website, we will also record your IP address and information about which web pages you're accessing and when – this is important for us to be able to improve our website and enhance your online experience. See our cookies statement for more information.

When you call the MDU/DDU and speak to one of our advisers or our membership team, we will record your call – this helps us with training and lets us monitor the service we provide.

Depending on your relationship with the MDU/DDU, we may also need additional information to find out more about you and how we can help. See below.

Applicants for membership, or current or former members

Depending on whether you are applying for or renewing your MDU/DDU membership, phoning us for advice or receiving assistance with a claim or advisory matter, the personal information we collect from you will vary but can include:

  • Your qualifications, work details and previous professional indemnity history. 
  • Your working practice and relevant financial income.
  • Payment information, such as bank details. 
  • Your criminal record (if any) and details of any ongoing court proceedings or complaints.
  • Your health data, if this is relevant to your query or claim. 

We also collect personal data about you from certain third parties, for example:

  • Regulatory bodies, such as the General Medical Council (GMC) or professional bodies when, as part of our conditions, we need data to be able to verify your registration.
  • Other medical or dental defence organisations or insurers, who we contact during your membership application or in the course of a claim.
  • Your employer, with your knowledge – for example if you are joining the MDU or DDU as part of a Deanery scheme or a corporate organisation.
  • Other contacts you have nominated and authorised for us to speak to about your membership – such as your practice manager.
  • Claimants or potential claimants, or their representatives.
  • Publicly available sources – including the GMC and GDC's list of registered medical professionals, government organisations such as the NHS or CQC, and approved healthcare data providers.
  • Providers of services that allow us to verify your details, such as your bank account information or address.
Patients involved in a complaint or claim against an MDU/DDU member

If you make a complaint about an MDU or DDU member or raise formal concerns with a body such as the GMC, GDC or the police then, in order to provide advice or assistance to our member we may also:

  • request the relevant parts of your medical or dental records
  • seek an account of events from our member
  • seek an expert opinion on the care provided from another clinician.

If you make a claim against an MDU or DDU member, we will need to ask you for:

  • your medical or dental records
  • your work history, financial records, and any details of expenses or purchases, if you are claiming for losses
  • in some instances, your bank account information and national insurance number.

We may also collect information from third parties, including:

  • members, former members, other healthcare professionals or representatives acting on their behalf
  • representatives acting on your behalf
  • providers of services that allow us to verify the details that you provide to us, such as bank account information.
Training course and event attendees

If you attend an MDU or DDU training course or other event, we will collect and process personal data about you. This includes personal data that you provide to us voluntarily, such as your payment information when booking a course, video and/or photographs.

Authorised contacts

If a member has given permission for us to discuss their membership details with you on their behalf, we will collect your contact details.

Executors of a member's estate

If you are the executor of a deceased member's estate, we will need to collect information which will help us update our membership records and provide assistance with claims brought against the estate. These include the details and value of the estate.

Co-defendants or other medical professionals involved in an MDU/DDU member's claim

If a claim has been made against an MDU/DDU member and you are a co-defendant or involved in the case, we will collect information about your clinical involvement in the case.

We may also collect information from third parties, including:

  • Members, former members, other healthcare professionals or representatives acting on their behalf.
  • Representatives acting on your behalf.
  • Claimants or potential claimants, or their representatives.
Suppliers of services to the MDU/DDU, including experts and contractors

We collect and process personal data about our suppliers, including experts and individuals associated with our suppliers, so that we can support our members with the business services you provide.

We collect:

  • names and addresses
  • bank information
  • names, qualifications and details of individuals working on the contract.

How we use your personal data

General uses of your data

Without your personal data, we wouldn’t be able to provide many of the daily services and benefits our members receive as part of their membership. Your data is also important in helping us regularly review, analyse and improve what we do.

Below are some examples of how we use your personal data to provide our services, depending on your relationship with us.

  • Interacting with you via the MDU and DDU websites and social media – for example when you post, comment or share our Facebook and Twitter posts, or anything on the MDU/DDU website or YouTube channel.
  • Understanding how you use our website, so that we can learn about your experience, fix any issues and improve our digital presence.
  • Staff training and service improvement, for example when we record calls for quality monitoring. We do this to make sure that all callers are given the right information, our records are kept up to date, and we can handle any complaints which impact your indemnity.
  • Using data for business analysis and reporting on key information, such as our membership demographic and how we’re performing.
  • Using data for research and statistical analysis to identify trends in the services we provide.
  • Making sure our marketing and sales communications are tailored to specific groups, through data profiling.
  • Using data to help with statutory reporting and audit, for example in compiling our annual report.
  • Analysing data for compliance with HMT sanctions and fraud checks.
  • Performing tasks which are essential to our daily business activities – such as keeping an archive of all emails sent and received, to help resolve any queries or disputes.
  • Physical and IT security monitoring, so that we know your personal data is well protected.
  • Providing financial protection for the MDU companies and allowing ongoing handling of claims through reinsurance.
  • Assessing subscriptions and pricing by analysing, or profiling, categories of members, their work history and claims details.
Applicants for membership, or current or former members

Your personal data allows us to:

  • verify your identity, qualifications and work circumstances. This tells us whether you're eligible for membership, and allows us to process your membership payment.
  • understand the risk associated with the work you need us to indemnify, and assess current and future subscription rates. We use data profiling to support this process.
  • provide you with membership benefits and services, including medico and dento-legal advice, clinical risk management, legal instruction and claims handling.
  • contact you by telephone, post, email or SMS to let you know about events, services and membership benefits, such as training courses and discounts available to MDU/DDU members, or to find out your opinion on proposed services or benefits – unless you let us know that you would prefer not to receive this type of communication.
  • process training course bookings, attendance registers and feedback so that we can provide CPD certificates after you've finished one of our courses.
Patients involved in a complaint or claim against an MDU/DDU member

If you make a claim or complaint against an MDU/DDU member, or if an MDU/DDU member requests advice or assistance from us, we may need personal information about you so that we can provide guidance and advice, clinical risk management, legal instructions and claims handling, and other membership services to our member.

We use patient information when helping a member with an investigation or legal case, so that we can provide support based on their particular circumstances. It also helps us to determine if a patient is associated with any other members or claims, so that our advisers and legal teams can avoid any potential conflicts and make sure any new information is matched up with existing information we hold.

Training course and event attendees

Your personal data lets us arrange your attendance at an MDU/DDU event or training course, manage your booking, provide CPD certificates and respond to CPD audits, where relevant.

Authorised contacts

If an MDU/DDU member has given permission for us to discuss membership matters with you, we will need to collect your personal data, such as your contact information, to help with:

  • applying for, renewing or continuing their membership of the MDU or DDU
  • providing access to membership benefits and services, including advisory services, clinical risk management, legal instruction and claims handling.
Executors of a member's estate

If you are the executor of a deceased member's estate, we will need to collect information so that we can provide assistance with claims brought against the estate. This includes your contact information, to help us with ongoing administration of the member's records and the handling of their claim.

Co-defendants or other medical professionals involved in an MDU/DDU member's claim

We will capture information about co-defendants and other involved parties when a member has a claim made against them, to allow us to investigate or defend the claim. 

Suppliers of services to the MDU/DDU, including experts and contractors

In delivering your services to our members, your personal data allows us to manage our relationship with you as a supplier, measure quality and provide payment.

How we share your personal data

Sharing information with third parties

We sometimes need to share your data with third parties who help us provide our services.

We will never share your personal data with other companies or organisations for their own marketing or promotional purposes. We also make sure that any third parties who have access to your personal data have reviews and processes in place to keep it confidential and only use it in ways that you would reasonably expect.

These third parties include:

  • other companies within the MDU group of companies
  • reinsurance companies who support our financial stability and underwrite our indemnity
  • third parties that help us in the day-to-day running of our business – such as our mailing house, internal and external audit services, IT technologies (including data storage), and administrative services
  • expert witnesses, solicitors and/or barristers appointed by the MDU/DDU, or claimants' solicitors involved in the handling of a clinical negligence claim
  • regulatory or professional bodies, such as the GMC, GDC and BMA – with your knowledge, if we are assisting you with your advisory case
  • payment providers and banks, who allow us to receive and process funds
  • Premium Credit Ltd, for credit referencing and fraud and financial checks, when providing a loan for members who wish to pay their subscription by instalment
  • our legal and professional advisers, including our external auditors
  • other medical or dental defence organisations, NHS bodies or insurers involved in the handling of a claim, or when a letter of good standing is requested
  • law enforcement and justice organisations, such as criminal and civil courts, coroner services and police forces
  • training providers and venues that help us deliver courses and events which you might attend
  • your employer – such as your practice, Deanery or NHS trust – or employer's elected administrator
  • other contacts you have nominated and authorised for us to speak to about your membership and any related matters.

In the event of a change in the structure of our business, or if we sell, merge or transfer our business or parts of our business, we may share your personal data with the prospective buyer, owner or indemnifier.

If you are involved in a claim against one of our members – for example as a patient who has raised the claim or a co-defendant – we may need to share your personal data with: 

  • members, former members, other healthcare professionals or representatives acting on their behalf
  • medical or dental defence organisations and insurers
  • representatives acting on your behalf
  • Courts
  • expert witnesses
  • solicitors and/or barristers appointed by the MDU/DDU
  • the Compensation Recovery Unit.
What happens when your data is transferred outside the EEA?

Occasionally, your personal data may be transferred to and stored outside the European Economic Area (EEA). For example, to allow us access to global reinsurance markets, we may share limited personal data with non-EEA insurers or reinsurers.

In these instances, we will continue to make sure your personal data is collected, used and stored by the same standards and for the same purposes we highlight in this privacy policy.

We have a number of controls and safeguards in place to help us make sure your data is protected – including secure transfers of personal data and appropriate model contract and data protection clauses.

The main countries where limited personal data is handled outside the EEA include Guernsey for intra-group companies. A list of countries can be found here.

Storing your personal data

Keeping your data secure

We only use systems which are proven to be resilient and will handle your personal data with confidentiality and integrity. We use encryption and authentication tools to keep your data safe and secure.

You can also be sure that your personal data is protected behind secured networks and only accessible by authorised people who are viewing or updating your information according to agreed procedures.

How long do we hold your data?

We hold on to your personal information for as long as is necessary to fulfil the purposes we've outlined in this privacy policy, and to comply with our own legal obligations (whichever is longer).

If you'd like to find out more about our retention policy and schedule for data, please contact our Data Protection Officer.

How the law allows us to process your information

Our legal basis for processing data

The MDU/DDU collects and processes your personal information on the following legal bases, and for the purposes we've outlined in the 'How we use your personal data' section above.

  • We need it in order to perform a contract, or when taking steps to enter into a contract with you – such as when you are considering joining the MDU/DDU, or when we provide advice and support to our members.
  • We need it to comply with a legal obligation specific to our organisation.
  • We need it for our legitimate business purposes (such as those below) while taking into account your rights and freedoms in relation to data.
  • You have given consent for us to use your data for our business purposes, for example when we send you marketing communications. You can withdraw your consent at any time at themdu.com/mymembership or theddu.com/mymembership, or by contacting the Data Protection Officer.

There are also legal obligations around processing special categories of personal data and criminal records, as defined in the Data Protection Act 2018. We process this type of data on the basis that:

  • We need to manage legal claims when investigating or defending a claim, or during judicial proceedings.
  • We need to provide confidential and professional counselling to our members, to support the public interest.
  • We need to provide services which assist our members in managing health systems and services.
  • As a not-for-profit organisation, we need to process our members' data in the interest of the membership as a whole.
  • We may ask for explicit consent from you to process your data – for example, when instructing a solicitor on your behalf. If you do not consent, we may not be able to provide you with the full benefits of membership.
What are the MDU/DDU's legitimate interests?

'Legitimate interests' means the interests of the MDU/DDU in how we conduct and manage the benefits of membership on behalf of our members. For example:

  • We provide services to our members which involve processing patient data. 
  • We share limited member data with our reinsurers, to provide financial stability for our organisation. 
  • We keep an email archive, in case a query is raised about information we have sent to you.
  • We use your data for research and analysis, including reviewing trends in complaints and claims and setting subscription costs.
  • We communicate with you through direct marketing about benefits of membership, our products and services.
  • We seek advice from our professional advisers, including insurers and legal advisers, when we exercise our rights to defend ourselves from claims.

If you would like to find out more about our legitimate interests for processing data, please contact the Data Protection Officer.

What rights do you have?

The law gives you a number of rights in relation to your personal data, including in certain circumstances the right to object to your personal data being processed.

You can contact the Data Protection Officer by email, phone or post if you’d like to request any of the following:

  • To be told how your personal information will be used, as set out in this privacy policy.
  • To ask what information we hold about you and request a copy of that information, subject to any exemptions.
  • To raise a valid objection to your personal data being processed.
  • To have your personally identifiable data deleted in certain situations.
  • To ask for your records to be updated, if you believe they are inaccurate.
  • For processing of your personal data to be restricted, which you can do in certain situations.
  • To transfer your personal data from one service provider to another. We will provide you with specific information if you’re considering switching to another indemnifier.

Please include your name, email address and postal address in your request. We may also ask for proof of your identity.

We will confirm that we have received your request within five working days, and provide a response within 30 days.

You can also lodge a complaint at any time about our processing of your personal data with the Information Commissioner's Office.

Making contact

When do we contact you?

There are three main reasons for us to contact you during your membership, by email, post, telephone or, if you have opted in, SMS.

1. Statutory communications

So that we can comply with our legal obligations, we send you statutory communications including:

  • a link to the Annual Report & Accounts, including notice of the Annual General Meeting
  • a link to the online proxy form
  • notice of any other general meeting.

2. Service communications

To tell you about your membership – including information about your renewal or any important changes to your membership – claim or advisory matters, or need-to-know medico-legal and regulatory updates.

3. Marketing communications

You can tell us if you would like to receive information about products and services we think you might be interested in. For example, your membership will allow you to take advantage of our training courses and resources, as well as accessing preferential rates on relevant business support services.

If you would rather not receive marketing communications from us, you can let us know at any time by using the unsubscribe function in our emails, emailing membership@themdu.com or membership@theddu.com, or updating your communication preferences via our website. You can also write to the membership team at One Canada Square, London E14 5GS or call +44207 202 1500.

Changes to our privacy policy

We may update this privacy policy from time to time, and any important changes about how your data is processed will be posted here. We may also send you an email to let you know of any important changes.

This policy was last updated in May 2018.

Keeping us updated

Keep your information up to date by letting us know if any of your details, such as your home address or place of work, change.

Contact our membership department or login to My Membership and help us make sure the information we hold is current and correct.

Get in touch

If you have any questions, comments or concerns about any aspect of this policy, you can contact the Data Protection Officer at: