Data Protection Policy

Privacy Notice

We treat your personal information with great care and respect. We will never share your information outside of the DutyDoctor system without your consent. We will never sell it to third parties. We follow the General Data Protection Regulations (2018).

  • DutyDoctorLtd collects and stores your information whilst you are an active customer or member and for up to 5 years afterward. This information is held so that DutyDoctor Ltd can fulfill its service contracts of providing staff scheduling and shift fulfillment. Records will be securely deleted after this time.
  • Your information is not sold or shared with any third parties. We will use the information to maintain information about our members and customers and their interests.
  • Information about shifts is shared in some form between DutyDoctor Ltd and some of its processing subcontractors, such as MailChimp Ltd. Your data is subject to the same controls with all our subcontractors.
  • Anyone may opt out of any marketing communications.
  • You may view your records that we hold and have the records updated, edited or deleted by informing DutyDoctor Ltd. You may obtain a copy in electronic format if required. If you have any concerns or complaints please contact Neil Iosson, Director, DutyDoctor Ltd using the contact information [LINK] on the website.
  • You have a right, under the General Data Protection Regulations (2018) to make a formal complaint to the Information Commissioner’s Office if you are dissatisfied with the response.

Personal Information held by DutyDoctor



Contact details

Professional and personal details

Certificates and documents

Skills, qualifications

Shifts worked, leave taken, sickness absence


Legal Basis

DutyDoctor holds information about individuals for the purposes of providing employment via third-party employers. It is not possible to do this without storing personal information so it is not possible to opt out of data storage.


Subject Access Policy

Subjects making a request for access to their information will be provided with a copy of the information within 28 days of their request. There is no charge for providing this and it will be provided by a member of the committee.


Error Correction

Any error highlighted by an individual will be corrected. It is (usually) not possible to completely delete personal information, however, a deletion request will be respected as far as possible whilst preserving data integrity. (e.g. Doris has worked for a GP practice for 3 years. She requests deletion – this isn’t possible in full, because a record of the shifts she worked remains necessary for the GP practice as a record of fact.)


Data Breaches

In the event that a personal data breach occurs then DutyDoctor Ltd will assess the severity and ensure they comply with best practice with regard to informing affected subjects and reporting, where required to do so, to the Information Commissioner’s Office.


Data Protection Officer

A data protection officer is not required for DutyDoctor Ltd under the GDPR and the responsibility will rest with the company directors.


International Considerations

Data storage and processing will remain in the EU (or US under EU GDPR rules) at all times.



DutyDoctor software is registered with the Information Commissioners Office.