Privacy Policy

How HCML processes your personal data

HCML: Your Personal Data

Please note: there are separate Privacy Policies for Personal Medical and Health insurance customers.

HCML and the data we process:

HCML Rehabilitation Solutions is an Injury Rehabilitation company. We have been instructed by an insurer, solicitor or employer to support you in your rehabilitation – often following an accident or illness. It is often the case that several different stakeholders will jointly agree to fund and support the services HCML provides to you following an accident or injury. We’ll refer to these parties jointly as Stakeholders below. We will receive personal data from the Stakeholders above such as, for example, your name, address and contact details, and details about one or more of: your injury, any insurance policy/claim and your employment. We will then add data you share with us directly, as well as data obtained from your treating practitioners and hospital/treatment facilities, and other Stakeholders as your case progresses. Some of this information consists of special categories which receive further protection under law – primarily data regarding your health. From time to time, we may ask you about, or you may choose to disclose to us, data in other special categories, for example your sex life or sexual orientation, or your religious or political beliefs. We’ll also record the audio of telephone and video calls we make to and from you.

Why we need it:

We need to store and use your personal data and health data for one or more of the following purposes:
  • assisting you with your recovery and rehabilitation following injury or illness
  • assisting Stakeholders in administering an Insurance policy or a claim
  • supporting your health at work
  • arranging medical treatments, diagnoses or other support for you
  • providing medical assessments or reports for insurance or employment purposes

All audio from telephone and video calls to and from HCML is recorded for these purposes, and is also used for internal training, quality and administration purposes.

If we do ask for, or you disclose to us, data regarding other special categories apart from your health, this data will only be stored and processed if it is relevant to one of these purposes – for example where your injury is affecting an aspect of your daily life, or a piece of information will assist us in coordinating your treatment. Regardless, we will ensure data we process is relevant and not excessive for these purposes, and we will not process data for any other purpose. As a rehabilitation supplier providing rehabilitation services to one or more of the Stakeholders discussed, it is in our legitimate interests to process this data. We are permitted to process and share your sensitive data under the condition that we are providing you with health services, and are not permitted to do so for any other reason. We are legally bound to keep your data confidential.

How we use and protect your data:

We have a data protection framework in place which provides technical and organisational measures to ensure the effective and secure processing, storage and transfer of your personal data.

We will always process your data in accordance with the General Data Protection Regulations or other Data Protection legislation that may be in force.

All our staff are trained in data protection measures and your rights under data protection law. All your personal data remains in the UK, and in any event will not be transferred out of the EEA. We don’t make automated decisions about you based on the data we store. In line with medical best practice we will retain your personal data – which forms an important health record – for an appropriate retention period. Our retention policy is based on guidance provided by the NHS. Most records are kept until the end of the 7th year after our last regular contact with you, however, there are exceptions. We have a detailed information security framework which is designed to protect your data in our computer systems. If you would like to discuss any specific queries around these measures, you can email us at

Sharing your data:

Your personal data – including data in special categories like health – will be shared between HCML and the Stakeholders involved in your case. Relevant information will also be shared with treatment or service providers required for your rehabilitation or treatment. This will only be done for the purposes described above.

Around the time we first contact you we will inform you of which stakeholder instructed HCML and shared your data with us. We will also inform you of companies and organisations we instruct to support your rehabilitation and recovery at the time we make any referral to them. We will not share your information with third parties for any reasons other than the purposes above, and we specifically will not use your information for marketing purposes. As it is in our legitimate interests to process and share your data for these purposes, we are not relying on your consent to process or share your data. However, we will still ask for your agreement before sharing any information with – or requesting any information from – third parties, as those third parties may not release the information we need to support you, without your agreement. In the event you do not provide your agreement for us to share and receive data with the Stakeholders, or you withdraw your agreement to do so later, it is unlikely we will be able to continue your rehabilitation.

Contacting HCML or the ICO about your data:

  • You have the right to object to HCML processing your data
  • If at any point you believe the information we process about you is incorrect, you have the right to have it corrected
  • You also have the right to see the information we process about you
  • You may also have the right to have your data deleted

In the first instance, you can exercise these rights by speaking to your case manager or one of the team working with you at HCML by phone, email or in writing. If you don’t want to do this, you can email instead.

If you wish to raise a complaint about how we have handled your personal data, you can contact our Data Protection Officer who will investigate the matter. If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law, you can complain to the Information Commissioner’s Office (ICO) – more details are available at https://ico.org.uk/concerns/. Our data protection officer is Anthony Eeles and you can contact him at or by writing to Data Protection, HCML, Melrose House, Dingwall Road, Croydon, CR0 2NE.
HCML and HCML Rehabilitation Solutions are trading names of Health & Case Management Ltd, registered at Melrose House, 42 Dingwall Road, Croydon CR0 2NE.