Medqon Limited – GDPR & Data Protection Policy

Last updated: 03.10.2025

1. Purpose and Scope

This policy sets out how Medqon Limited (“Medqon”, “we”, “us”, “our”) ensures lawful, fair, and transparent processing of personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

It applies to all personal data processed through Medqon’s software platforms, including DictAIte™, Medico Reports, Medico Vault, and associated portals, mobile applications, and support systems.

This GDPR & Data Protection Policy applies to:

• Portal Users – authorised individuals accessing Medqon’s platforms, including Medico Writer (the medico-legal report-writing system) and Medico Vault (the case-management and CRM platform). Portal Users include medical experts, administrative staff, agency personnel, and referrers (such as solicitors or attorneys) who hold registered accounts within these systems.
• Claimants – individuals whose personal or health information is entered, uploaded, or processed by Portal Users through Medqon’s platforms for the purpose of preparing medico-legal reports or managing case files.
• Employees and Contractors – staff and third-party professionals engaged by Medqon who may process data as part of their contractual duties.

2. Data Roles and Responsibilities

Medqon performs different roles depending on the nature of the personal data being processed.

• Data Controller (Portal User and Employment Data)

Medqon acts as a Data Controller for personal data relating to:

• Portal Users using Medico Writer and Medico Vault; and
• Employees and contractors engaged by Medqon.

• Data Processor (Claimant or Patient Data)

For personal or health information entered or uploaded by Portal Users concerning claimants or patients, Medqon acts strictly as a Data Processor.

Medqon does not determine the purposes or means of such processing.

• Joint Controllers (Limited Circumstances)

In certain functions — such as anonymised analytics, audit logging, or AI-assisted quality assurance — Medqon may act as a Joint Controller with client organisations. In these cases, responsibilities and communication channels are clearly defined in a written joint controller agreement in accordance with Article 26 UK GDPR.

• Data Protection Officer (DPO)

The DPO oversees data protection compliance, internal audits, staff training, and incident response.

Contact: dpo@medqon.com

Address: Medqon Limited, Alison Business Centre, 39–40 Alison Crescent, Sheffield S2 1AS, United Kingdom.

• Employees, Contractors, and Sub-Processors

All authorised personnel are required to handle personal data in accordance with this policy and the UK GDPR.

Any third-party sub-processors engaged by Medqon must sign data processing agreements imposing equivalent data protection obligations.

Medqon maintains a Sub-Processor Register, available to clients upon request.

3. Lawful Basis for Processing

All processing activities carried out by Medqon Limited are based on one or more lawful grounds set out in Articles 6 and 9 of the UK GDPR and, where applicable, the Data Protection Act 2018:

• Contractual Necessity (Article 6(1)(b)) – to provide secure portal access, manage user accounts, deliver case-management and report-writing functionality, and fulfil contractual obligations to clients and authorised users.
• Legitimate Interests (Article 6(1)(f)) – to maintain system integrity and security, monitor usage for audit and compliance, prevent fraud or misuse, and enhance reliability and performance, provided such interests are not overridden by data subjects’ rights.
• Legal Obligation (Article 6(1)(c)) – to comply with statutory, regulatory, or professional requirements, including court directions, MedCo or NHS frameworks, tax and accounting duties, and mandatory data-retention periods.
• Consent (Article 6(1)(a)) – where users actively opt in to receive marketing, product updates, or other non-essential communications. Consent is recorded and may be withdrawn at any time without prejudice to prior lawful processing.
• Special Category Data (Article 9) – Medqon processes health-related information only under one or more of the following provisions:
  • Article 9(2)(f) – processing necessary for the establishment, exercise, or defence of legal claims; and
  • Article 9(2)(a) – explicit consent by the claimant or data subject, where applicable (for example, submission of medical records or supporting documents).

Where both Articles 6 and 9 apply, the processing purpose and lawful basis are documented within Medqon’s internal Record of Processing Activities (ROPA).

4. Principles of Data Protection

Medqon adheres to the seven key principles under Article 5 UK GDPR:

1. Lawfulness, fairness, and transparency
2. Purpose limitation – data collected only for defined, legitimate purposes.
3. Data minimisation – processing only what is strictly necessary.
4. Accuracy – maintaining data that is current and correct.
5. Storage limitation – retaining data only as long as required.
6. Integrity and confidentiality – ensuring security through appropriate controls.
7. Accountability – evidencing compliance through records, training, and audit trails.

5. Data Categories Processed

Portal Users: identifiers (name, email, contact details, login credentials), professional details, usage logs, and correspondence.

Claimants: personal and health information relevant to medico-legal reporting, including demographic data, injury details, and uploaded medical records.

Employees & Contractors: employment, payroll, and compliance data required for lawful operation.

6. Data Retention and Deletion

• Portal user data: retained for the life of the account + six years for audit, legal, or regulatory defence.
• Claimant data: held only under the data controller’s instruction, ordinarily up to six years post-claim closure.
• Employee data: retained in line with statutory record-keeping requirements.

When retention expires, data is securely deleted or anonymised using industry-approved standards.

7. Data Security and Confidentiality

Medqon implements technical and organisational measures consistent with Articles 32 and 25 UK GDPR, including:

• Encryption in transit and at rest.
• Multi-factor authentication and role-based access control.
• Network segmentation, firewalls, and intrusion detection.
• Regular vulnerability scans and third-party penetration testing.
• Strict device-management and password policies.
• Mandatory staff confidentiality agreements and annual GDPR training.

Access to personal data is limited to authorised individuals with a demonstrable business need.

8. Sub-Processors and Third Parties

Medqon engages certain authorised service providers (e.g. hosting, communication, and analytics vendors) who act as sub-processors under written agreements imposing equivalent data protection obligations.

All sub-processors are vetted for security, confidentiality, and jurisdictional compliance.
Details of these providers are maintained in Medqon’s Sub-Processor Register, available to clients upon request.

No personal data is transferred outside the UK or EEA without appropriate safeguards such as Standard Contractual Clauses or an adequacy decision.

9. Data Subject Rights

Individuals have the following rights under the UK GDPR:

• Access to personal data (“subject access request”).
• Rectification of inaccurate or incomplete data.
• Erasure (“right to be forgotten”), where legally applicable.
• Restriction or objection to processing.
• Data portability (machine-readable copy).
• Withdrawal of consent (for consent-based processing).
• Not to be subject to automated decision-making without human review.

Portal users may contact Medqon directly to exercise these rights.
Claimants should contact the medical expert or agency (their data controller); Medqon will assist that controller in fulfilling any request.

Requests will be acknowledged within one calendar month in accordance with Article 12 UK GDPR.

10. Data Breach Management

Medqon maintains a formal Incident Response Plan.
In the event of a personal data breach:

1. The breach is logged and investigated immediately.
2. Containment and mitigation steps are implemented.
3. The DPO assesses risk to data subjects.
4. If required, the ICO is notified within 72 hours.
5. Affected controllers and individuals are informed without undue delay where there is a high risk to rights or freedoms.

All incidents are reviewed for root-cause analysis and prevention.

11. Accountability and Governance

To evidence ongoing compliance, Medqon:

• Maintains a Record of Processing Activities (ROPA) under Article 30.
• Performs Data Protection Impact Assessments (DPIAs) for all high-risk or AI-related processing.
• Conducts regular internal audits and external security assessments.
• Reviews contracts with processors and sub-processors annually.
• Requires GDPR training for all staff and contractors.

Non-compliance with this policy may result in disciplinary action, termination of contract, or legal referral.

12. Cookies and Tracking Technologies

Our web platforms use cookies and similar technologies to:

• Maintain secure user sessions,
• Improve performance and analytics, and
• Enhance usability.

Essential cookies are required for portal operation.
Users may control or delete cookies through browser settings, though certain features may not function as intended.
For detailed information, see the Cookie Policy available on our website.

13. International Transfers

Medqon stores data primarily in the UK.

Where transfer outside these jurisdictions is necessary, it is conducted only:

• To countries recognised by the UK as providing adequate protection, or
• Under Standard Contractual Clauses approved by the ICO.

All such transfers are encrypted and logged.

14. Policy Review and Amendments

This policy is reviewed annually or sooner if required by legal, regulatory, or operational change.
Material updates are published on the Medqon website, and continued use of our services constitutes acceptance of the revised policy.

15. Complaints and Contact

For any privacy-related queries or to exercise your rights, please contact:

Data Protection Officer – Medqon Limited

Alison Business Centre, 39-40 Alison Crescent, Sheffield S2 1AS, United Kingdom
Email: dpo@medqon.com Telephone: (+44) 330 001 0805

If you are dissatisfied with our response, you may escalate to the Information Commissioner’s Office (ICO) at www.ico.org.uk or telephone 0303 123 1113.