
Reactive Medical – Data Protection Policy


(Eleven forty one is a trading name of Reactive Medical)
 

1. Policy Statement
 

Reactive Medical is committed to safeguarding the privacy, confidentiality, and rights of individuals in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy outlines how we collect, store, process, share, and dispose of personal and special category data, particularly in the context of clinical care, training, and operational activities.
 

2. Scope
 

This policy applies to all staff, contractors, volunteers, and third-party processors who have access to personal data collected or processed by Reactive Medical. It includes:
 

  • Patient clinical data (e.g. PRFs, EPRs, handover reports)
     

  • Learner and course participant information
     

  • Staff HR records and clinical CPD
     

  • Event documentation and contact details
     

  • Photographic or video material captured during services
     

3. Lawful Bases for Processing
 

Reactive Medical processes personal data under the following lawful bases:
 

  • Article 6(1)(b): performance of a contract (e.g. training agreements)
     

  • Article 6(1)(c): compliance with legal obligations (e.g. health and safety law)
     

  • Article 6(1)(e): performance of a task in the public interest (e.g. provision of emergency medical care)

  • Article 6(1)(a): consent (e.g. marketing communications)
     

For special category (health) data:
 

  • Article 9(2)(h): provision of health or social care
     

  • Article 9(2)(i): public interest in public health
     

4. Data Collection and Types
 

4.1 Clinical Records

  • Patient Report Forms (PRFs) and Electronic Patient Records (EPRs) are completed during medical cover or treatment episodes.
     

  • Forms include: patient identifiers, clinical assessments, treatment, medications administered, and handover details.
     

  • Data are recorded accurately and contemporaneously in accordance with JRCALC guidance.
     

4.2 Training & Administration
 

  • Course booking details, medical declarations, assessments, and certification records.
     

  • These may include names, contact details, dates of birth, emergency contacts, and medical history relevant to participation.
     

4.3 Operational Data
 

  • Risk assessments, event plans, contact logs, and safeguarding referrals where applicable.
     

  • Imagery for quality assurance, promotion, or training purposes.

     

5. Data Storage & Security
 

  • Paper PRFs are securely stored in locked cabinets at the Company’s registered premises.
     

  • Digital records are encrypted and hosted on secure UK-based servers.
     

  • Access is controlled via user authentication, role-based permissions, and device encryption.
     

  • Portable devices are protected with remote-wipe functionality.
     

6. Data Sharing & Handover
 

  • NHS and Emergency Services: PRFs or electronic records are shared with statutory services during handover via secure NHSmail or direct handoff.
     

  • Awarding Bodies: Learner details and assessment outcomes are shared under contractually governed data-processing agreements.
     

  • Safeguarding Authorities: Information is disclosed without consent where required to protect vulnerable individuals.
     

  • No data is transferred outside the UK without appropriate safeguards.
     

7. Retention & Disposal
 

Record Type - Retention Period - Disposal Method
 

Adult PRFs - 10 years from date of incident - Cross-cut shredding / digital wipe


Child PRFs - Until 25th birthday - As above


Training Records - 7 years - Secure disposal


Staff Records - 6 years after employment ends - Secure disposal


Clinical Governance - 15 years - Secure disposal
 

Records are reviewed periodically and securely disposed of when no longer required.
 

8. Rights of Data Subjects
 

Data subjects have the right to:
 

  • Access their personal data
     

  • Rectify inaccurate data
     

  • Request erasure (where lawful)
     

  • Restrict or object to processing
     

  • Data portability (where applicable)
     

Requests can be made by emailing info@reactivemedical.co.uk or writing to: Data Protection Officer, Reactive Medical, 2 Bruce Knight Close, Danescourt, Cardiff, CF5 2QR. We will respond within 30 calendar days.
 

9. Data Breaches
 

  • All suspected breaches must be reported immediately to the Data Protection Officer.
     

  • Breaches will be assessed and, if reportable, notified to the Information Commissioner’s Office (ICO) within 72 hours.
     

  • Where applicable, affected individuals will be informed without undue delay.
     

10. Staff Responsibilities
 

  • All staff must complete annual training in GDPR and confidentiality.
     

  • A breach of this policy may lead to disciplinary action.
     

  • Clinical staff must follow the confidentiality standards set out by their registering body (e.g. HCPC, NMC).
     

11. Governance & Review
 

  • The policy is reviewed annually by the Data Protection Officer and Clinical Governance Lead.
     

  • Internal audits are conducted quarterly to ensure compliance.
     

  • The latest version is available at www.reactivemedical.co.uk/privacy.
     

Policy Owner: Data Protection Officer, Reactive Medical
Last Reviewed: 9 June 2025
Next Review Due: 9 June 2026
