MedBrief Data Protection Policy
Last updated: 25 September 2025

Introduction
MedBrief’s mission is to support the fair and cost-effective resolution of medical or personal-injury-related claims and to promote and enhance access to justice and healthcare.
Consistent with our mission, and subject at all times to the provisions of this Data Protection Policy, we may process Personal Data, including Sensitive Data, in the course of our Data Processing Activities.
This Policy should be read in conjunction with our Privacy Policy, our Website Terms and Conditions, our Cookie Policy and, where applicable, our Services Agreement, which describe how we process and use personal information that we collect and/or receive from End-Users and Clients of our Services, including our Website.
Interpretation
In this Data Protection Policy, the following words and phrases should be given the respective meanings set out below:
“Applicable Data Protection Laws” means the applicable data protection laws for the Client Regions specified at https://medbrief.com/Applicable-Data-Protection-Laws;
“Client Region” means the territory or jurisdiction in which a Client is located;
“Data Processing Activities” means medical, legal and/or medico-legal data analysis, processing and reporting services, including but not limited to medico-legal data classification, indexing and reporting services;
“Data Protection Agreement” means the terms and conditions of any binding data protection agreement entered into between MedBrief and a Client, whether separately or as an addendum or supplement to the MedBrief Services Agreement;
“MedBrief Approved Processing Environment” means a data hosting or data processing systems environment listed at https://medbrief.com/regions/ that has been identified by MedBrief as conforming to the MedBrief Minimum Data Protection Standards published from time to time at https://medbrief.com/data-protection-standards/;
“MedBrief Minimum Data Protection Standards” means the minimum information security, data privacy and data protection standards and certifications for third party cloud hosting and other purposes listed by MedBrief at https://medbrief.com/data-protection-standards/ and that MedBrief has determined to provide appropriate technical, organisational and contractual safeguards to protect the confidentiality of Personal Data including Sensitive Data;
“MedBrief Services Agreement” means the terms and conditions of a binding MedBrief Services Agreement entered into between MedBrief and a Client published at https://medbrief.com/services/; and
“UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (United Kingdom General Data Protection Regulation).
Capitalised words and phrases not specifically defined in this Policy should be given the meanings assigned to them in Article 4 of UK GDPR unless the context clearly indicates otherwise.
References in this Policy to any other MedBrief policy or webpage shall be deemed to include any updates thereto that may be published or made available from time to time subject at all times to the provisions of any such policy, the MedBrief Website Terms and Conditions, the MedBrief Services Agreement and/or any applicable Data Protection Agreement that may have been entered into between MedBrief and a Client or End-User.
Commitment to compliance with Applicable Data Protection Laws
MedBrief:
- will not process Personal Data unless lawful grounds for that processing exist in terms of Applicable Data Protection Laws, including in terms of Article 6(1) of UK GDPR where applicable;
- will always take into account reasonable and appropriate technical, organisational and contractual safeguards to protect the confidentiality of Personal Data;
- will not process Sensitive Data unless lawful grounds for that processing exist, including in terms of both Article 6(1) and Article 9(2) of UK GDPR where applicable;
- will not, where Personal Data transfer is subject to the approval of a regulatory authority, transfer any Personal Data to any country that has not been declared by that relevant authority to provide an adequate level of data protection, including by the UK Secretary of State where applicable;
- will not utilise the services of any processor who does not guarantee in terms of a written agreement to implement appropriate technical and organisational measures to ensure that the processing will meet the requirements of Applicable Data Protection Laws including the requirements of Article 28(1) of UK GDPR where applicable;
- will not utilise the services of any processor to host or process Sensitive Data outside of the MedBrief Approved Processing Environment for the Client Region; and
- will always comply with the terms and conditions of any Data Processing Addendum entered into between MedBrief and a Client.
Specific purposes for which we may process Sensitive Data
Without derogating from the generality of the aforegoing, you acknowledge and agree that we may process Sensitive Data:
- where the processing is reasonably necessary for the performance of our contract with you;
- where the processing is reasonably necessary for the purposes of obtaining a medical diagnosis or procuring or producing a medico-legal report;
- where the processing is reasonably necessary for the establishment, exercise or defence of legal claims where either: (i) a data subject has authorised us, or has authorised their legal representatives to request us, to process their data for one or more specific purposes; or (ii) the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, including where a data subject has authorised us, or has authorised their legal representatives to request us, to process their data for the purposes of providing medico-legal claims support services, including as part of an early case assessment or early case screening exercise, before the data subject enters into a formal legal mandate agreement or an after-the-event insurance contract providing for legal representation or legal expenditure insurance to be procured in the course of the establishment, exercise or defence of legal claims;
- where processing is reasonably necessary for compliance with a legal obligation to which we are subject, such as if we are obliged to process or produce data in response to a court order or to comply with any regulation to which we are subject, or where we are obliged in terms of health and safety legislation to process information relating to injuries sustained at work, or where we are required to process information regarding claims to statutory benefits for health or capacity reasons;
- where the processing is reasonably necessary in order to protect the vital interests of the data subject or of another natural person or is reasonably necessary to mitigate imminent threat to life or serious threat to wellbeing including where we may process or distribute health records for healthcare providers in urgent or emergency circumstances;
- where the processing is reasonably necessary for the purposes of a legitimate interest and processing relates to Sensitive Data which has been made public, such as when we process information contained in public judgments or tribunal reports, including for the purposes of organisational learning, risk mitigation and improvement in our Services;
- where the processing is reasonably necessary for the purposes of a recognised legitimate interest and reasonably necessary for the assessment of the working capacity of another person, including where we are requested or required to carry out an assessment of the working capacity of such a person following illness or injury in order to determine whether insurance or liability compensation or other benefits may be due to that person;
- where the processing is reasonably necessary for the performance of a task of the controller carried out in the public interest or a task carried out in the exercise of official authority vested in the controller, including where we may process or distribute health records for public healthcare providers performing a public healthcare function;
- where the processing is reasonably necessary to comply with our archiving, records retention or insurance policies;
- where the processing is reasonably necessary for the purposes of a recognised legitimate interest and processing is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of domestic law which provides for suitable and specific measures to safeguard the rights and freedoms of data subjects, including where we may process health records for public healthcare providers performing a public healthcare function;
- where the processing is reasonably necessary for any other further purpose that we deem to be reasonably compatible with the purposes outlined herein and our interests to provide or perform our Data Processing Activities, subject at all times to the provisions of Applicable Data Protection Laws, including Article 6(4) of UK GDPR where applicable; and
- where the processing is reasonably necessary in terms of other relevant law that we may be subject to, such as the Health and Safety at Work Act 1974, the Social Security Contributions and Benefits Act 1992, the Employment Rights Act 1996 and the Equality Act 2010.
Find Out More
Should you have any questions in relation to our Data Protection Policy, please contact the MedBrief Trust Centre via our Contact page.
For more information about MedBrief’s data protection compliance program, please visit the MedBrief Trust Centre page.