This policy should be read alongside and in addition to the following:
- Our End User Licence Agreement, which governs the use of our platform
2. About Us
We are the Institute of Clinical Science and Technology Limited (ICST), working on behalf of NHS Wales.
We are a company incorporated in England and Wales (company number 09300292)
Our registered office is 33-35 Cathedral Road, Cardiff, CF11 9HB.
3. What is personal data?
Your personal data is information which, by itself or with other information available to us, can be used to identify a person directly or indirectly.
Some personal data is categorised as ‘sensitive personal data’ and includes information about race, ethnic origin, political opinions, religious beliefs, mental or personal health, sexual life or orientation, criminal proceedings (either alleged or prosecuted) and membership of a trade union.
We do not consider personal information to include information that has been anonymised or aggregated so that it can no longer be used to identify a person, whether in combination with other information or otherwise.
The collection and use of your personal data is regulated under the UK Data Protection Act 1998 (the Act) and the 2018 General Data Protection Regulations (GDPR) and we process your data in accordance with these regulations as both a data controller and a data processor.
4. How do we collect your information?
We collect information from the following sources:
- Directly from you
- From your employer or other stakeholder if they have contracted us to provide you with our services
- From a third party who has obtained your information and passed it on in full compliance of data protection laws
More information on collecting your information:
- When you access our website to register an account, access the online content, complete any associated actions we may collect, store and use personal information. We may also ask you for information when you report an error or problem with the website, online courses or content.
- When you register for an account, we ask for your first name, surname and email address. As part of your profile, you may also provide information on your location and employment that will help us to personalise the service to suit you.
- We may collect information to communicate with you via email to communicate messages relating to your membership.
- We may collect data relating to your visits to the website that cannot identify you but records your use of our website, online courses and content including IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths.
- We may receive information about you from third parties who are legally entitled to disclose that information such as credit reference agencies.
- We may collect information that you post to our website for publication on the internet including your user name, your profile pictures and the content of your posts.
- If you disclose to us the personal information of another person, you must obtain that person’s consent to both the disclosure and the processing of that personal information
5. How long do we retain your data?
We will only retain your personal information for as long as is necessary to fulfil the purposes we collected it for.
To determine the appropriate retention period for the personal information we hold, we consider the amount, nature and sensitivity of the personal information, the risk of harm from unauthorised use or disclosure of your personal information, the reasons why we handle your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
We may retain your data for the following reasons:
- In order to establish, exercise or defend our legal rights
- If we believe the documents may be relevant to any ongoing or prospective complaint or legal proceedings
- The purpose of satisfying any legal or accounting requirements
If you require further information about our specific retention periods, please contact us.
6. Ways you can access and control your personal information
Under data protection laws you have legal rights concerning our usage of your personal information, including:
- You have the right to know what personal information we hold on you.
- You have the right to ask us to correct or complete inaccurate or out of date personal information
- You have the right to object to our processing all or part of your personal information.
- Where we are relying on your consent to process data, you have the right to withdraw your consent
- You have the right to object to decisions taken by automatic means without human intervention
- You have the right to request that some elements of your information, such as academic progress, be provided to other organisations.
- You have the right to complain if you are unhappy with our handling of your data.
Please be aware that if you ask us to cease processing all or part of your data, this will impact on your ability to access some of our services. Further, we can only comply if there is no legitimate reason for ICST to continue to process your personal data.
We will honour any statutory right you might have to access, modify or erase your personal information. We encourage you to make such a request using our Subject Access Request form which is available on our website.
If you wish to make a complaint, you should first contact our Data Protection Officer via firstname.lastname@example.org They can invoke our formal complaints procedure if appropriate. You can also submit a complaint to the Information Commissioner’s Office; further details can be found at www.ico.org.uk.
7. How to update or correct your personal information
You can see, review and change most of your personal information by signing in to your account. Please update your personal information immediately if it changes or is inaccurate and notify us at email@example.com
8. How do we share your data?
We may share your personal information with your consent or if we are required to do so by law or in connection with any ongoing or prospective legal proceedings. We may also share your data to a prospective purchaser of our business or asset that we are contemplating selling.
Non account holders
- Where we have obtained your information from a third party or from you, for the sole purpose of marketing our services to you, we will only share your information internally for that explicit purpose.
- We will not share your information with third parties except as set out above.
- Where you have an account, we may disclose your personal information to any of our partner institutions, such as a professional society, university or other stakeholder, in order to fulfil our contract to provide our services to you.
Any research we or our partners, such as universities and other stakeholders, carry out will be conducted in accordance with our Research Ethics guidelines [Ethical Research Guidelines]
Your activities may be used for academic research purposes. This includes the comments you make where you may disclose certain personal information about yourself.
We will never associate your comments, information or other activity with any of your public user profile information (such as name or profile picture) in the datasets we share with the course provider, it may still be possible to identify you by (a) the content of your comments or (b) finding the actual comment on the Website and seeing the user associated with it.
We confirm that all our providers who conduct research will never associate your comment or your activity with your user account by method (b) above and will always treat any personal data in strict accordance with data protection laws and the research ethic guidelines.
If a course provider wants to quote a comment you have made in their research, they will identify you and your account only for the purpose of obtaining your permission.
10. International data transfers
Information that we collect may be stored and processed in and transferred between any of the countries in which we operate in order to enable us to use the information in accordance with this policy.
Information that we collect may be transferred to the following countries which do not have data protection laws equivalent to those in force in the European Economic Area: The United States of America, Russia, Japan, China and India.
Personal information that you publish on our website or submit for publication on our website may be available, via the internet, around the world. We cannot prevent the use or misuse of such information by others.
You expressly agree to the transfers of personal information internationally as described.
11. Security of personal information
We will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information.
We will store all the personal information you provide on our secure (password- and firewall-protected) servers.
All electronic financial transactions entered into through our website will be protected by encryption technology.
You acknowledge that the transmission of information over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.
You are responsible for keeping the password you use for accessing our website confidential; we will not ask you for your password (except when you log in to our website).
Our data warehouse and servers use the latest technologies and robust procedures to ensure data security and safety.
For more information about cookies and our Cookies Policy, please click here.
You will be notified through email of all changes as they occur including the contents of changes and the date(s) they will become effective.
14. Contacting us
You can contact us:
- By post, to our registered office: 33-35 Cathedral Road, Cardiff, Wales CF11 9HB
- By email, using the email address published on our website from time to time.
15. More ways we use your data
We will use your personal data in a variety of ways, depending on your relationship with us. Below you will see some general and specific ways we use your data and the lawful bases on which we are processing it.