Data Privacy Notice
To ensure we remain compliant with data protection law, and particularly with the 2018 General Data Protection Regulation (GDPR), we have updated our data protection policy and privacy notice as described here. We will shortly be contacting individuals whose data we hold to notify them of the changes, and to let them know how they can access and query the data we hold.
What is the purpose of this document?
The Society for Studies in Organizing Healthcare (registered charity: 1120797; c/o Mark Exworthy, Cahir, University of Birmingham) is committed to protecting the privacy and security of the personal information of applicants for its award schemes and individuals who provide references in relation to those applications (Data Subjects).
The section of this notice headed ‘How is personal information about Data Subjects collected?’ provides further information regarding how personal information about Data Subjects who are members and not current members is collected.
This privacy notice describes how we collect and use personal information about Data Subjects in order to contact members and those who have expressed an interest with information about the activities of the society, in accordance with the General Data Protection Regulation (GDPR). It applies to all Data Subjects (whether current or former).
SHOC is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about Data Subjects. We are required under data protection legislation to notify Data Subjects of the information contained in this privacy notice.
We may update this notice at any time.
It is important that Data Subjects read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about Data Subjects, so that they are aware of how and why we are using such information.
Data protection principles
We will comply with data protection law. This says that the personal information we hold about Data Subjects must be:
1. Used lawfully, fairly and in a transparent way.
2. Collected only for valid purposes that we have clearly explained to them and not used in any way that is incompatible with those purposes.
3. Relevant to the purposes we have told them about and limited only to those purposes.
4. Accurate and kept up to date.
5. Kept only as long as necessary for the purposes we have told them about.
6. Kept securely.
The kind of information we hold about Data Subjects
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, store, and use the following categories of personal information about Data Subjects:
• Personal contact details such as name, title, addresses, telephone numbers, employing organization and email addresses.
How is personal information about Data Subjects collected?
• We typically collect personal information about Data Subjects through the application forms for the bi-annual conference which include membership of the Society.
How we will use information about Data Subjects
We will only use personal information about Data Subjects when the law allows us to do so. Most commonly, we will use personal information about Data Subjects in the following circumstances:
1. To contact the Data Subject with information about the activities of the Society.
2. Where we need to comply with a legal obligation.
3. Any other circumstances where it is necessary for our legitimate interests (or those of a third party) and the interests and fundamental rights of the Data Subject do not override those interests.
4. Where we have obtained the Data Subject’s freely given, specific, informed and unambiguous consent by way of a statement or clear affirmative action.
We may also use personal information about Data Subjects in the following situations, which are likely to be rare:
1. Where we need to protect the Data Subject’s vital interests (or someone else’s vital interests).
2. Where it is needed in the public interest.
Situations in which we will use personal information about Data Subjects
We need all the categories of information in the list above (under the heading The kind of information we hold about Data Subjects) primarily to allow us to pursue our own legitimate interests or those of third parties, provided the interests and fundamental rights of the Data Subject do not override those interests[*]. In some cases we may use personal information about Data Subjects to enable us to comply with legal obligations[**]. The situations in which we will process personal information about Data Subjects are listed below. We have indicated by asterisks the purpose or purposes for which we are processing or will process personal information about Data Subjects.
Complying with our legal, accounting and reporting obligations to Companies House and the Charity Commission and other regulatory and statutory bodies to the jurisdiction of which we are subject.
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of personal information about Data Subjects.
Change of purpose
We will only use personal information about Data Subjects for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use personal information of Data Subjects for an unrelated purpose, we will tell them about the legal basis which allows us to do so.
Please note that we may process personal information about Data Subjects without their knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
We may transfer personal information about Data Subjects outside the EU. If we do, Data Subjects can expect a similar degree of protection in respect of their personal information.
Why might we share personal information about Data Subjects with third parties?
We may share personal information about Data Subjects with third parties where required by law, where it is necessary for us to pursue our own legitimate interests to consider or determine the results of applications for our award schemes, to communicate the results of the applications to the applicants or to administer payments to successful applicants (provided the interests and fundamental rights of the Data Subject do not override those interests) or where we have another legitimate interest in doing so.
We have put in place measures to protect the security of personal information about Data Subjects. Details of these measures are available upon request.
Third-party service providers will only process personal information about Data Subjects on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We have put in place appropriate security measures to prevent personal information about Data Subjects from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to personal information about Data Subjects to the Executive Committee and other third-party service providers who need to know. Third-party service providers will only process personal information about Data Subjects on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify the Data Subject, the ICO and any other applicable regulator of a suspected breach where we are legally required to do so.
How long will we use information for?
• We will only retain personal information about Data Subjects for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
• In some circumstances we may anonymise or pseudonymise personal information about Data Subjects so that it can no longer be associated with them, in which case we may use such information without further notice to them. Once a person has ceased to be a Data Subject (because, for example, they have not rejoined SHOC for 4 years) we will securely destroy any such data.
Rights of access, correction, erasure, and restriction
Data Subjects’ duty to inform us of changes
It is important that the personal information we hold about Data Subjects is accurate and current. We ask that Data Subjects keep us informed if their personal information changes.
Data Subjects’ rights in connection with personal information
Under certain circumstances, a Data Subject has the right to:
• Request access to her/his personal information (commonly known as a “data subject access request”). This enables her/him to receive a copy of the personal information we hold about her/him and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about her/him. This enables her/him to have any incomplete or inaccurate information we hold about her/him corrected.
• Request the erasure of her/his personal information. This enables her/him to ask us to delete or remove personal information where there is no good reason for us continuing to process it.
• Object to processing of her/his personal information where we are relying on a legitimate interest (or those of a third party) and there is something about her/his particular situation which makes her/him want to object to processing on this ground. A Data Subject also has the right to object where we are processing her/his personal information for direct marketing purposes.
• Request the restriction of processing of her/his personal information. This enables her/him to ask us to suspend the processing of personal information about her/him, for example if he/she wants us to establish its accuracy or the reason for processing it.
• Request the transfer of her/his personal information to another party.
• Withdraw her/his consent where we rely on the same for a specific processing activity.
If a Data Subject wants to review, verify, correct or request erasure of her/his personal information, object to the processing of her/his personal information, request that we transfer a copy of her/his personal information to another party or withdraw her/his consent to a specific processing activity, please contact our Data Protection Contact in writing (see below).
No fee usually required
Data Subjects will not have to pay a fee to access their personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if their request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
Changes to this privacy notice
We review this privacy notice annually at the AGM and reserve the right to update it at any time, and we will make a new privacy notice available to Data Subjects when we make any substantial updates. We may also tell Data Subjects in other ways from time to time about the processing of their personal information.
If you have any questions about this privacy notice, please contact the Chair of SHOC, Mark Exworthy: M.Exworthy@bham.ac.uk