Data Privacy Notice
1. Introduction
Yorkshire Aeromedical is committed to protecting the privacy, confidentiality and security of personal data entrusted to us. Much of the information we process constitutes special category health data, and we take our legal and professional responsibilities seriously.
This notice explains how we collect, use, store, share and protect personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and relevant Civil Aviation Authority (CAA) requirements.
As Aviation Medical Examiners (AMEs), we also have statutory and regulatory duties relating to aviation safety, which may require disclosure of relevant medical information to the Civil Aviation Authority.
2. Data controller status
Yorkshire Aeromedical acts as an independent data controller in relation to personal data processed for the purpose of providing aeromedical examinations and associated administrative services.
The Civil Aviation Authority acts as a separate data controller for information processed within its own regulatory systems, including the Cellma medical certification system.
In addition, Yorkshire Aeromedical acts as a data processor on behalf of the Civil Aviation Authority when entering and managing information within the CAA's Cellma system and when carrying out aeromedical examinations and assessments as directed by CAA regulatory requirements.
3. Scope
This notice applies to all personal data processed by Yorkshire Aeromedical, whether held electronically or in paper form. It covers data relating to patients, prospective patients, and any other individuals whose information we process in the course of providing aeromedical services.
4. Personal data we collect
We collect only the information necessary to carry out aeromedical assessments, manage our practice, and meet legal and regulatory obligations. This may include:
- Personal identification details (such as name, date of birth, address and contact details)
- Aviation-related information (such as licence number and medical certification history)
- Medical and health information, including examination findings, investigation results and clinical correspondence
- Appointment records and communications
- Billing and invoicing information
Health data is classified as special category data under UK GDPR.
5. Lawful basis for processing
We process personal data under the following lawful bases:
- Performance of a contract – to provide aeromedical examination services
- Legal obligation – to comply with CAA and other regulatory requirements
- Provision of healthcare – Article 9(2)(h) UK GDPR (medical diagnosis and assessment)
- Public interest in aviation safety
We do not rely on consent as the primary lawful basis for processing medical data required for certification.
6. How we use personal data
Personal data is used for the following purposes:
- Conducting aeromedical examinations and assessments
- Determining medical fitness in accordance with CAA regulations
- Maintaining accurate clinical records
- Communicating regarding appointments and certification outcomes
- Submitting required information to the CAA
- Billing and administrative management
- Audit, quality assurance and professional accountability
7. Systems used to store and process information
We use secure electronic systems to manage and store personal data. These include:
- Google Workspace (formerly G Suite) – for secure email communication, document storage and administrative records
- Cliniko – a clinical practice management system used for appointment scheduling, clinical record-keeping and invoicing
- CAA Cellma system – the Civil Aviation Authority's secure electronic medical certification system
Where information is entered into Cellma, the Civil Aviation Authority acts as data controller for that information within its regulatory system.
Where copies of medical or administrative records are retained within our own systems, Yorkshire Aeromedical remains the independent data controller.
Third-party service providers acting on our behalf (such as Google Workspace and Cliniko) operate as data processors and are contractually required to maintain appropriate data protection and security standards.
8. Disclosure and sharing of information
We do not share personal data unnecessarily. Information may be shared:
- With the Civil Aviation Authority, including via Cellma, in accordance with regulatory requirements
- With other healthcare professionals where necessary for continuity of care
- Where required by law, court order or regulatory authority
As AMEs, we have a professional and regulatory duty to disclose relevant medical information to the CAA where required in the interests of aviation safety. In certain circumstances, this may occur without patient consent where permitted or required by law.
Any disclosure is limited to what is necessary, proportionate and relevant.
9. Electronic communication and email security
Patients may choose to send medical information, including consultant letters and investigation results, by email. While we take appropriate technical and organisational measures to secure our systems, standard email transmission over the internet may not be fully secure.
Patients who have concerns about sending sensitive medical information electronically are invited to contact us to discuss alternative arrangements for secure transmission.
We use secure professional email systems with password protection and two-factor authentication enabled where available. Access to email accounts is restricted and appropriate security controls are in place.
Incoming emails containing medical information may remain within our secure inbox for administrative purposes. Where appropriate, relevant documents are transferred to the patient's clinical record within our practice management system. Emails and attachments may be deleted from the inbox after six months where appropriate. In some cases, retention for a longer period may be necessary to meet legal, regulatory or record-keeping requirements.
Where possible, outbound communications containing sensitive regulatory medical information will be sent via the Civil Aviation Authority's Cellma platform or other secure systems designated for aeromedical certification. Where email communication is necessary, appropriate safeguards such as password-protected attachments may be used.
10. International data transfers
Some electronic service providers may process data outside the United Kingdom. Where this occurs, appropriate safeguards are in place in accordance with UK data protection legislation.
11. Data security
We implement appropriate technical, physical and organisational measures to protect personal data against unauthorised access, loss, misuse or disclosure. These include:
- Secure password-protected systems
- Two-factor authentication where available
- Encrypted electronic communication where appropriate
- Restricted access to records
- Secure storage of paper documentation
- Periodic review of security arrangements
12. Data retention
Personal data is retained only for as long as necessary to meet legal, regulatory and professional obligations.
Medical records are retained in accordance with CAA guidance and applicable healthcare record retention standards.
13. Personal data breaches
We take data protection and information security seriously. A personal data breach includes any loss, unauthorised access, disclosure or alteration of personal data.
If a breach occurs, we will:
- Promptly investigate the incident
- Assess the risk to affected individuals
- Take appropriate steps to contain and mitigate the impact
- Maintain a record of the breach in accordance with legal requirements
Where required under UK GDPR, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach.
Where a breach is likely to result in a high risk to an individual's rights and freedoms, we will inform the affected individual without undue delay.
Where relevant to regulatory medical information or aeromedical certification, we may also notify the Civil Aviation Authority in accordance with our professional and regulatory obligations.
14. Your rights
Under UK GDPR, individuals have the right to:
- Access their personal data
- Request correction of inaccurate or incomplete data
- Request restriction of processing in certain circumstances
- Object to certain types of processing
- Request erasure where legally applicable
- Lodge a complaint with the Information Commissioner's Office
Some rights may be limited where processing is required to meet legal or regulatory obligations relating to aviation safety.
Requests relating to data protection rights should be made in writing.
15. Complaints
If you have concerns about how your data is handled, please contact Yorkshire Aeromedical in the first instance.
You also have the right to complain to the Information Commissioner's Office.
16. Review of this notice
This Data Privacy Notice is effective from 2 January 2026 and will be reviewed annually, or sooner if required, to ensure continued compliance with applicable law and professional standards.