1. Introduction
HOW2 is committed to safeguarding the privacy and security of the personal information we hold. This policy explains how we collect your personal information, what we do with it and your rights in respect of it. We have a separate policy which sets out similar information relating to the cookies that we use.
When we say 'we', 'our' or 'us' in this policy, we are referring to HOW2.
2. Who and where we are
HOW2 provides an online learning platform to primary care teams within the NHS focusing on developing and refreshing the IT skills required for practices to deliver a quality service to their patients.
The development, content creation and advisory teams are based in England, with the registered office in Cheshire.
This policy reflects the UK GDPR standard of protection of personal information and references the relevant Articles of the UK GDPR where appropriate.
2.1 Data Controller
We are the data controller of the personal information that we process, ie. the organisation which determines, alone or jointly with another party, how your personal information is processed and for what purposes. This means we are legally responsible for ensuring our systems, processes, suppliers and people comply with data protection laws in relation to the personal information we hold.
All of HOW2’s IT systems are located in the UK.
2.2 Contacting us
We want to offer you a means of contacting the right people in our organisation as swiftly and easily as possible. We therefore have in place a dedicated email address, which is managed by our GDPR Lead.
You may contact our GDPR Lead with any questions about this policy at DPO.healthcare@nhs.net.
You have rights in respect of the personal information we hold. More information about these rights is set out in Section 7 of this policy. You may exercise your rights by emailing DPO.healthcare@nhs.net.
3. Transfers, retention and protection of personal information
No personal information you provide will be passed on or sold to third parties for commercial purposes. We do not transfer personal data outside of the UK.
If we must confirm or share information with other organisations, this will be due to a legal requirement to do so. We are committed to ensuring your information is secure and only kept as long as necessary or required by law.
To prevent unauthorised access, disclosure, change, damage or loss of personal data that we collect, HOW2 has suitable IT and physical security and data protection safeguards in place.
4. What information we collect and how
The information we collect via the HOW2 website may include personal details you knowingly provide us when completing our online forms or contacting us directly. Your data may be used for the following purposes:
- Use of third-party service Google Analytics to collect standard internet log information and details of visitor behaviour patterns. This helps us to know how many visitors there are to the website and which website pages are visited. This information does not identify personal data. We do not, nor allow Google to, make any attempt to reverse anonymise aggregated data relating to website visitors.
- Data recorded by the website allows us to recognise you and your preferred settings to save you from re-entering information on return visits. This data is recorded locally on your computer using cookies. Most browsers can be programmed to reject or warn you before downloading cookies. Information regarding this may be found in your browser’s ‘help’ facility.
- Keeping you updated with the latest content and functionality using MailChimp. We use MailChimp to manage emails sent to users with information concerning HOW2. Users can unsubscribe from MailChimp communications at any time by clicking on the ‘unsubscribe’ link in any HOW2 MailChimp email.
5. How do we process your personal information?
We will only process your personal information where we have a legal basis to do so. The following section explains how we process your personal information and include further information about the legal basis or bases which we rely on in those circumstances.
In certain circumstances, we rely on the legal ground known as 'legitimate interests' to process your personal information. This is where the processing of your personal information is necessary to pursue our legitimate interests in a way which is reasonably expected as part of running our business, but which is not detrimental to you and would have minimal impact on your privacy. We undertake an assessment of any potential impact on your privacy before we process your personal information for our legitimate interests.
Insofar as we wish to use your personal information for purposes other than those mentioned above, we will check whether these additional purposes are compatible with the original purposes within the meaning of Article 6(4) of the UK GDPR. Depending on the circumstances, we will inform you about the change of purpose and obtain your consent for the further processing of your personal information.
If you would like more details about the specific legal basis we are relying on to process your personal information where more than one legal basis has been set out below, please email us as at DPO.healthcare@nhs.net.
5.1 Service users, contacts and visitors
If you use our website:
5.1.1 Data controller
In relation to our website and online services HOW2 ordinarily acts as data controller.
5.1.2 Legal bases for processing
- You have provided us with your consent to use your personal information, eg. in the course of subscribing to our newsletters, completing a survey of ours, signing-up to an event or creating an online account via our website (Article 6(1)(a) UK GDPR).
- It is necessary to pursue our legitimate interests for the purposes set out in the 'Use' section (Article 6(1)(f) UK GDPR).
We do not process special category personal data, therefore an Article 9 is not required.
5.1.3 Types of personal data
- Identification information, eg. title, name, the company you work for, and your job title or position.
- Contact information, eg. your, email address, phone number, and marketing preferences.
- Technical information, eg. IP address, details of visits made to our website such as the volume of traffic, statistics concerning which articles or content you have viewed, online registration details and login credentials.
5.1.4 Collection
- Directly from you, eg. when you register for log in details to our website. We use third party software to help us manage our email communications. When we send you such communications, we gather information through unique links contained within them which enables us to track who opens particular articles or emails so that we can assess their relevance and improve how we interact with you. In doing so, we use cookies to store or access data on your device; however, browsers can be programmed to reject, or warn visitors before downloading cookies (information regarding this may be found in your browsers ‘help’ facility).
- Via our website, eg. connection data sent to our webserver by your browser when you connect to our website.
- Via web-based services such as our tech-based client solutions and sector-specific blogs, e.g. some analytical information may be collected through electronic platforms made available to you in connection with services that we provide to you.
- Other publicly available sources, subject always to our obligations under applicable law.
5.1.5. Use
- To complete any request you may make in relation to your marketing preferences, or other preferences relating to our communications with you.
- To provide and improve our services and products, eg. by monitoring and recording information relating to web-based services such as how and when systems are accessed and how data is uploaded, to analyse performance, subject always to our obligations under applicable law.
- To promote our services and to contact you with communications about legal updates, breaking news, newsletters and events.
- For the application, audit and enforcement of our policies.
- Subject always to our obligations under applicable law, to improve your experience of our website.
- To facilitate our internal business operations, eg. internal record keeping.
- Subject always to our obligations under applicable law to monitor and analyse our interactions with you to improve our relationship with you and help us to grow and develop our business.
- For information and physical security and the prevention and detection of criminal and dishonest activity, including to ensure the security of our website and premises, and protect our information systems against data breaches, viruses and similar threats, eg. by monitoring patterns of activity, and scanning communications for appropriate content, attachments and viruses.
6. For how long do we keep your information?
Your personal information is retained by us in accordance with applicable law and regulation. Our data retention periods vary depending on the location, nature and context of the personal information that we have in our care, and are calculated taking into account the following factors:
- guidance from official bodies such as relevant data protection supervisory authorities and professional regulatory bodies;
- how long we need to keep the data to fulfil the original purpose for which it was collected;
- the nature and sensitivity of personal data; and
- legal obligations to which we are subject.
This means that, in general, we delete personal information when: the purpose for its processing has been fulfilled, you inform us that you have left the organisation or your organisation ceases to operate; and there are no other legal obligations to retain the personal information nor legal bases for further processing.
More information about your rights in respect of the personal information we hold, including how to contact us to exercise these or with questions around our retention practices in respect of your personal information, is set out in section 7 of this Policy.
7. Your rights
The following rights are provided for under the UK data protection regimes:
- to be informed about the collection and use of your personal information;
- to ask whether we process your personal information and request a copy of it if so;
- to object to decisions that we may make based solely on the automated processing of your personal information;
- in certain circumstances, to object to processing of your personal information where we do so for the purposes of our legitimate interests;
- to request that any inaccurate or incomplete personal information of yours in our care is rectified or completed;
- in certain circumstances, to restrict our processing of your personal information;
- in certain circumstances, to receive your personal information or have your personal information transmitted to another organisation in a structured, commonly used and machine readable format;
- in certain circumstances, to request that we delete your personal information; and
- to object to our processing of your personal information for direct marketing purposes.
Not all of these rights are absolute, which means that they may only apply in certain situations and may be subject to legal exceptions and exemptions. To exercise your rights, please email us at DPO.healthcare@nhs.net.
8. How to make a complaint
Our Data Protection Officer oversees our compliance with data protection laws and this policy and provides guidance and advice to HOW2 and its staff, and the reporting of any failures to comply with legislative requirements, including data protection.
Please direct any complaint relating to how we have processed your personal information to DPO.healthcare@nhs.net. We hope we can resolve any query or concern you raise about our processing of your personal information.
You the right to lodge a complaint with a data protection supervisory authority. You can contact the Information Commissioner’s Office at https://ico.org.uk/make-a-complaint/. Or in writing to:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113
9. Links to other websites
This privacy policy only covers this website. Any other websites which may be linked to it are subject to their own policy, which may differ from ours.
.png)
