top of page

Morgannwg LMC privacy policy

MLMC Privacy Policy

​

Updated January 2026

Morgannwg Local Medical Committee (MLMC) is committed to protecting and respecting your privacy.  As part of our representative function we collect certain personal data. This privacy policy will outline the basis on which we hold and use any personal data provided to us in connection with our support and representation of General Practitioners.

​

This policy applies to:

  1. The General Practitioners that we support and represent  (‘Represented Practitioners’ and ‘Constituents’)

  2. Individuals whose personal data we receive in connection with our support and representation of Represented Practitioners (‘Non-Constituents).

Topics covered:

1.0        About 2

2.0        What information we collect and how we will use it 2

2.1         Our Duty. 2

2.2         If you are a Represented Practitioner / Constituent 2

2.3         If you are a Non-Constituent 4

3.0        Change of Purpose. 5

4.0        Sharing your information. 5

4.1         Service Providers. 5

5.0        Storing personal data. 5

5.1         Data Format 5

5.2         Data Retention. 6

6.0        Keeping your information secure. 6

7.0        Your rights. 6

7.1         Request correction or erasure. 6

8.0        Changes to this privacy policy. 7

 

1.0About

MLMC is the statutory representative body for GPs and their Practices operating across the Swansea Bay University Health Board area.  We exist solely to represent, advise and support GPs and their Practices. 

DATA CONTROLLER: Morgannwg LMC Ltd, a Company registered in England and Wales under Company,  number 7582825, whose registered office is at  6 Uplands Terrace, Uplands, Swansea SA2 0GU, is the data controller responsible for deciding how the personal data described below is held. By virtue of our size, the data we hold and the processing we undertake we do not believe we are required to have a Data Protection Officer.

2.0What information we collect and how we will use it

We will only use personal data where we have a valid lawful basis to do so.  We summarise below what information we collect, how we use it and what our legal basis is for using it.

2.1Our Duty

We have a duty to process personal data fairly, lawfully and in a manner that you would expect given the nature of our relationship with you. Where we have a legal basis to use your personal data without consent (as set out below), this policy fulfils that duty by giving you appropriate notice and explanation of the way in which your personal data will be used.

2.2If you are a Represented Practitioner / Constituent

  1. We collect and use personal data about you in order to:

    • Administer your membership (if applicable)

    • Provide you with advice, support and training

    • Seek and represent your views

    • Keep you informed about the LMCs activities and other information of interest

    • Provide pastoral care

    • Administer the LMC’s elections

    • Support you in relation to fitness to practice investigations and complaints

  2. We may collect and use the following personal data about you:

    • Name

    • Address and contact details

    • Job title, employment status and practice details

    • Date of birth

    • GMC registration number

    • Contacts with the LMC office (eg emails, details of telephone conversations)

    • Medical information (this is special category data and would only be necessary in relation to fitness to practice investigations)

    • Further information that you provide to us in correspondence and records of our contacts and correspondence with you.

 

  1. If you are an Elected Member we would collect and use the following additional data about you:

    • National Insurance Number

    • Bank/payment details

  2. We obtain the above personal data directly from you and/or your practice, from public domain sources and from third parties (such as other NHS bodies).

  3. Our lawful basis for processing the above personal data is that its processing is necessary in connection with the legitimate interests of the LMC as a body that advises, supports and represents practitioners and their practice staff.   We undertake some processing that is necessary for the performance of a task carried out in the public interest or in order for the LMC to carry out its legal obligations.  We will only use any information that you provide consistent with the principles of the Data Protection Act 2018 and General Data Protection Regulations.  This means that we will always ask for your consent when we collect information for the purposes of this policy. At no time will your personal information be shared with third parties unless you have given us permission do so.

  4. We retain personal data relating to your membership on the Medical Performers List and for one year thereafter unless there is a legitimate reason to retain some or all of it longer, such as in connection with a fitness to practice investigation or complaint.

  5. We generally retain:

    • Minutes of LMC meetings for a period of 10 years following the meetings.

    • Records of financial transactions for a period of 7 years following the transaction

    • Records of elections and member data for a period of 7 years 

2.2.1Supporting you in relation to fitness to practice investigations / Reference Panels

In addition to the categories of data and details of processing described above, we may hold and process medical information and testimonials about you and allegations against you in relation to fitness to practice investigations. We will retain records relating to investigations for a period of six months from the end of the appeal time frame.

Our lawful basis for processing the above personal data is that its processing is necessary in connection with the legitimate interest of the LMC as a body that advises, supports and represents practitioners.

2.2.2Supporting you in relation to complaints

The same categories of data and details of processing apply to supporting you in relation to complaints as apply to fitness to practice investigations (see above). However we retain records relating to complaints for a period of 7 years from the end of the conclusion of the complaints process (including the exhaustion of all possible legal proceedings).     

2.2.3Special category personal data

Where the personal data described above includes the special category personal data of Practitioners:

  1. we may hold and process such special category data in connection with our legitimate  activities that the special category personal data is not disclosed outside the LMC without your consent.

  2. we may hold and process such special category data to the extent necessary for the establishment, exercise or defense of legal claims or in order to comply with legal obligations.  

  3. in some cases, such as where the LMC is sent unsolicited information or in other unforeseen circumstances, there may be public interest grounds to hold and process special category personal data.

2.2.4Processing requiring consent

We will obtain consent for any data processing that requires consent, such as for marketing purposes or to disclose your personal data outside the LMC in cases where such disclosure does not fall within a lawful basis for processing and condition for processing special category personal data outlined above. Even where consent to sharing personal data is not required, we would ask you to inform us of any instances where you would prefer that any of your personal data is not shared.

2.3If you are a Non-Constituent

We request anonymised information which does not engage any rights under data protection and privacy laws, hence falls outside the scope of this policy.

2.3.1Personal Data

We may receive information relating to an identified or identifiable Non-Constituent in  relation to our advising, support and representation of Represented Practitioners or their staff. This information may be provided to us by the individual data subject, by the Represented Practitioner or by a third party. Such personal data is handled in confidence and is used only for the purpose of advising, supporting and representing Represented Practitioners or their staff. Non-Constituent personal data is retained for as long as necessary to support the relevant Represented Practitioner and no longer than six years. 

Our lawful basis for using such Non-Constituent personal data is that its processing is either necessary in connection with the legitimate interests of the LMC as a body that advises, supports and represents GPs and their staff or necessary for the performance of a task carried out in the public interest.  

2.3.2Special Category personal data

We will usually only receive special category personal data of Non-Constituents (eg data concerning health) in connection with fitness to practice investigations and complaints.  In such cases, we may hold and process such data to the extent necessary for the establishment, exercise or defense of legal claims. In some cases there may be public interest grounds for us to hold and process the special category personal data of Non-Constituents.

3.0Change of Purpose

We may only use your personal data for the purpose for which we collected it and any purposes that are compatible with that original purpose.  Please note that we may process personal data without the data subject’s knowledge or consent where this is required or permitted by law.

4.0Sharing your information

We may share your personal data with your consent or under the lawful basis and special   category conditions outlined above. We may also share data with the third parties involved in the activities set out above, eg legal advisors, parties identified as being involved in issues with which we are assisting Represented practitioners, regulators and other bodies with oversight of fitness to practice and complaints. We may share anonymised information with third parties.  Such information does not engage any rights under data protection and privacy laws, hence falls outside the scope of this policy.

4.1Service Providers

 We require all outside service providers to take appropriate and stringent security measures to        protect your personal data in line with our policies.   We do not allow our third-party service        providers to use that personal data for their own purposes and we only permit them to process     personal data for specified purposes in accordance with our instructions. We currently use the following service providers:

  • Sage (payroll)

  • Morgan Hemp (accountants)

5.0Storing personal data

The LMC is based and processes your personal data within the UK. Our third party service providers may have servers in countries outside of the UK /EEA and some personal data may be transferred outside of the EEA in connection with their provision of services.  Where data that we control is transferred, we take all steps reasonably necessary to ensure that your data receives an adequate level of protection and treated in a way consistent with EU and UK laws. 

5.1Data Format

Within the LMC office we hold your data electronically, password protected with Multi Factor Authentication on our internal computer systems.  In some instances, data can be accessed by mobile devices also with Multi Factor Authentication. Where paper records are retained, these are held securely in the               LMC office which is always locked when not occupied.

5.2Data Retention

We will only retain personal data for as long as is necessary in order to fulfil the purposes for which it was collected for, including for the purpose of satisfying any legal, accounting reporting obligations.  In particular, any personal data linked to a possible legal claim may be retained for a period of 7 years.

6.0Keeping your information secure

All information is stored on secure servers. We have put in place appropriate measures to protect the security of your information. The transmission of information via the internet is not completely secure. Although we take appropriate measures to protect your personal data, we cannot guarantee the security of the information transmitted over the internet or to our website. Any transmission is at the sender’s own risk.

7.0Your rights

Subject to certain conditions, you have the right under data protection laws to:

  1. request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. This right is subject to a number of exemptions which allow information to be withheld in certain circumstances. For example, subject access rights are excluded where compliance would involve disclosing: information relating: to another individual; data which consists of information which is subject to legal professional privilege; negotiations or confidential references;

  2. request correction or erasure of your personal data (unless we have the legal right to retain it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below);

  3. object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.

  4. request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it.

To exercise any of the above rights, please contact us via email. You will not usually have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances. As a security measure we may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights).

7.1Request correction or erasure

In the limited circumstances where we are relying on your consent as the legal basis to process your personal data for a particular purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent please contact us via email. Once we know that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

8.0Changes to this privacy policy

Please note, this policy will be regularly reviewed and updated in line with current GDPR                 guidance and Data Protection Regulations.  This policy was last updated in January 2026.

bottom of page