Internal Staff Notice

Privacy Notice

This page is maintained by the MCL Medics app owner to answer common internal privacy and data protection questions about the platform. It applies to the internal clinical management system used by up to 10 authorised staff.

Who this notice is for

This notice is for authorised MCL Medics employees and contractors who use the MCL Medics clinical management platform. It explains what personal data we process in the platform, why we process it, and how we keep it secure. It does not cover patient-facing public services, because this system is internal only.

What data we process

The platform processes personal data needed to deliver clinical care and run our medical operations. This includes patient identifiers (name, date of birth, NHS number where relevant), clinical records, observations, medication administration records, inventory batch and expiry data, controlled drug register entries, staff names and roles, and audit logs of who accessed or changed records. We only collect what is necessary for the specific purpose.

How we use the data

We use the data to support direct patient care, maintain accurate medical records, manage medication and equipment inventory, comply with clinical governance requirements, investigate incidents or audits, and meet our legal and regulatory obligations. We do not use the data for marketing, automated decision-making, or purposes unrelated to clinical operations.

Lawful basis for processing

For patient and staff data, we rely on lawful bases that include compliance with legal obligations, performance of a contract, and legitimate interests in running a safe clinical service. Health data is treated as special category data and is processed only where necessary for healthcare purposes, medical diagnosis, or public health interests, with appropriate safeguards in place.

Access and security controls

Access is restricted to named accounts with role-based permissions. Multi-factor authentication is required for clinical and administrative roles. The system logs every access and change for audit purposes. Data is stored in an encrypted database with Row Level Security, and file uploads are held in secure storage with access controls. Idle sessions are automatically timed out.

Retention and deletion

Clinical records are retained for 8 years after last interaction for adults, and until age 25 for paediatric records, in line with UK clinical records retention standards. Audit logs and access records are retained for the operational life of the system and any minimum period required by law or governance. When a retention period expires, records are reviewed for secure deletion.

Your rights and questions

Staff can ask for a copy of their own personal data, request corrections, or raise concerns about how data is handled. Requests should be sent to the contact below. We will respond without undue delay and within the timeframes required by applicable law.

Contact and queries

For questions about this privacy notice or data protection matters, contact the MCL Medics Information Governance lead. This page is maintained by the app owner to answer common internal privacy questions; it is not an independent legal certification or external audit report.

Shared responsibility

Platform-level security features such as encryption at rest, access controls, and audit logging are built into the application. Day-to-day responsibilities — for example assigning correct roles, keeping devices secure, reporting lost credentials, and only uploading necessary attachments — remain with the staff and administrators using the platform. This notice describes the current controls and practices, not a guarantee of legal compliance.

Last updated: 3 July 2026
