Legal

Privacy Policy.

How personal information and medical records are collected, used and protected within Upper Hand Medico-Legal's expert witness work.

Contact details

Name: Upper Limb and Hand Rehab Ltd T/A Upper Hand Medico-Legal
Company number: 15663192
Registered office: 128 City Road, London EC1V 2NX
ICO registration: ZB741744
Email: [email protected]

About this notice

Upper Limb and Hand Rehab Ltd, trading as Upper Hand Medico-Legal, is committed to protecting personal information handled within the expert witness practice.

This notice explains what information is collected, how it is used and protected, and the rights of the people the information relates to. It applies whether you have instructed the practice or your information has been disclosed for the purposes of an expert report.

Queries about this notice or about personal information held can be sent to [email protected].

Definitions

'We', 'our', 'us' and 'the practice' refer to Upper Hand Medico-Legal (Upper Limb and Hand Rehab Ltd).

'Instructing party' means the solicitor, insurer or other legal instructor commissioning expert evidence.

'Claimant' and 'Defendant' have their ordinary meaning under English and Northern Irish civil procedure.

'Subject' means the person whose hand or upper limb injury is the subject of an expert report (typically the Claimant). Where the practice is asked to opine on records alone, the subject is the person to whom those records relate.

'GDPR' means the UK General Data Protection Regulation.

'ICO' means the Information Commissioner's Office.

'Personal information' has the meaning given to 'personal data' and 'special category data' in the GDPR.

Who this notice applies to

This notice applies to:

  • Solicitors, insurers and other legal instructors enquiring about or commissioning expert witness work
  • The Claimants, Defendants or other subjects whose injuries are the subject of expert reports
  • Individuals enquiring directly (including litigants in person)
  • Anyone communicating with the practice in relation to current, past or potential instructions

Sources of personal information

Personal information reaches the practice from the following sources:

  • The instructing solicitor, insurer or other legal instructor, by way of letter of instruction, records, imaging and any existing expert evidence
  • The Claimant or Defendant directly during in-person examination, telephone or video consultation, or by written correspondence
  • Hospitals, GP practices, treating clinicians and providers of imaging and diagnostic testing, where records are disclosed for the purposes of the report
  • Medical records organisations acting on the instructing party's behalf
  • Other expert witnesses where joint discussions, joint statements or addendums are required
  • A parent, guardian or other authorised representative where the subject is a minor or otherwise lacks capacity

Categories of personal information processed

Standard personal information

This includes, but is not limited to: name, address, date of birth, contact details, occupation, employment history, education, and details of solicitor, insurer or other instructing party. Financial details relating to fees may be processed; no card details are stored.

Special category personal information

Information relating to physical and mental health, including medical history, examination findings, imaging, diagnostic testing, treatment records, correspondence between treating clinicians, and any existing expert evidence. This category is at the centre of medico-legal work and is handled accordingly.

How the information is used

Legal basis for standard personal information

Standard personal information is processed where:

  • It is in the practice's legitimate interests (administering instructions, corresponding with instructing parties, scheduling examinations, issuing invoices)
  • It is necessary for the establishment, exercise or defence of legal claims (Article 6(1)(f) UK GDPR, read with Article 9(2)(f) for special category data)
  • It is a legal obligation (compliance with court directions, regulatory record-keeping)

Legal basis for special category personal information

Medical records and other special category data are processed under Article 9(2)(f) of the UK GDPR — processing necessary for the establishment, exercise or defence of legal claims, or where courts are acting in their judicial capacity. Where applicable, Article 9(2)(h) (provision of health and social care) is also relied on.

Sharing personal information

Information may be shared with:

  • The instructing solicitor, insurer or other legal instructor
  • The Court or Tribunal hearing the matter
  • Opposing experts and their instructing parties during joint discussions and joint statements under CPR Practice Direction 35
  • Other experts involved in the same proceedings, where required by the instructing party
  • Persons or bodies the practice is required to share information with by law, regulator or court order
  • Any other person the data subject or instructing party has authorised the practice to share information with

The practice does not sell personal information, and does not share it for marketing purposes.

Securing personal information

Appropriate technical and organisational measures are in place:

  • Records, instructions and reports are held on encrypted systems
  • Two-factor authentication is used on key systems where available
  • Devices that hold personal information are encrypted to industry standard
  • Screens are locked when unattended and operating system updates are applied promptly
  • Third-party providers used by the practice are required to meet data protection obligations and to support secure restore
  • Postal disclosures of records are received, stored and returned or destroyed securely

Transfers outside the United Kingdom

Personal information is generally stored on systems within the United Kingdom or the European Economic Area. Where any system used by the practice is hosted outside these areas, suitable contractual or other safeguards (including the UK International Data Transfer Agreement and industry-standard encryption) are in place.

How long information is kept

Medico-legal records are retained for eight years from the date the report or addendum is issued. Records may be kept longer where required to deal with regulatory enquiries or legal claims arising from the practice's work.

Your rights

The right to be informed

You have the right to be informed about how personal information is collected and used. This notice is intended to meet that right.

The right of access

You have the right to confirmation that your information is being processed and to a copy of it (a Subject Access Request). Requests are responded to within one month, extended by up to two months where complex.

The right to rectification

You can ask for inaccurate personal information to be corrected. Clinical findings and the opinions expressed in an expert report remain valid as the contemporaneous record of what was found and opined; factual errors will be corrected where identified.

The right to erasure

You can ask for personal information to be erased. Requests are considered alongside the legal duty to retain medico-legal records for the limitation periods set out above. Where erasure is not possible, restriction of processing can be requested instead.

The right to restrict processing

You can ask that information held about you is restricted, so that it is stored but not actively processed.

The right to data portability

Because personal information is processed under legal obligations and the establishment of legal claims rather than consent or contract, the right to data portability is limited. Requests will be considered on their facts.

The right to object

You have the right to object to processing carried out on the basis of legitimate interests, and to processing for direct marketing (which the practice does not undertake).

Automated decision-making and profiling

The practice does not carry out automated decision-making or profiling.

Right to complain

If you have a concern about how personal information has been handled, please contact the practice first at [email protected]. You also have the right to complain to the Information Commissioner's Office:

Cookies and analytics

The site uses no third-party tracking cookies and no analytics that profile visitors. Where any first-party functional cookies are introduced (for example to remember session preferences), this notice will be updated to reflect them.

Changes to this notice

This notice may be updated from time to time. The current version is always the one published at /privacy-policy on this site.