This is the privacy notice of PrescQIPP C.I.C, Company registration number: 9814012
Our registered office is Murray Harcourt Partners LLP, 6 Queen St, Leeds, LS1 2TW
This notice describes how we collect, store, transfer and use personal data. It tells you about your privacy rights and how the law protects you.
In the context of the law and this notice, ‘personal data’ is information that clearly identifies you as an individual or which could be used to identify you if combined with other information. Acting in any way on personal data is referred to as ‘processing’.
This notice applies to personal data collected through our websites and through social media and marketing platforms, including Twitter, LinkedIn and Mailchimp.
Except as set out below, we do not share, or sell, or disclose to a third party, any information collected through our websites.
Within this document you will find a description of our data processing activities, including:
- What information we collect and how we collect it
- How the information is stored
- How the information is used
- With whom this information may be shared
- Our legal basis for processing the information
- Your rights
- Storage of data on external systems
- Our responsibilities in case of a data breach
1. General data
By using our websites services, we process:
Your username and password and other information used to access our websites and our services. Information you contribute to our community, including reviews. Your replies to polls and surveys and any technical information about the hardware and the software you use to access our websites and use our services, including your Internet Protocol (IP) address, your browser type and version and your device’s operating system.
The usage information associated with this collection of data, includes the frequency you use our services, the pages of our website that you visit, the downloads that you might request, and any data associated with PrescQIPP C.I.C services.
PrescQIPP C.I.C always asks you through email or sign up pages on the website, to opt in to mailing lists for the different services we provide. We also keep a record of when and how we obtained consent from you. Additionally, we keep a record of exactly what you were told at the time.
1.1 Our use of aggregated data
We may aggregate anonymous information such as statistical or demographic data for any purpose. Anonymous information is that which does not identify you as an individual. Aggregated information may be derived from your personal data but is not considered as such in law because it does not reveal your identity.
For example, we may aggregate usage information to assess whether a feature of our website is useful.
However, if we combine or connect aggregated information with your personal data so that it can identify you in any way, we treat the combined information as personal data, and it will be used in accordance with this privacy notice.
2. Data processing activities
2.1 Subscriber data
In order to provide our service to subscribers, we need to collect some basic data regarding individuals within the organisations that subscribe to our services.
2.1.1 What information do we collect and how do we collect it?
We collect basic contact information for individuals within subscribing organisations. This includes name, email address, clinical commissioning area, employer, job role and telephone number.
2.1.2 How the information is used
The information is used to contact individuals within subscribing organisations to; provide our service, notify them of updates and discuss service (or contract) provision.
2.1.3 With whom is this information shared
We do not share this information with any third parties without prior consent.
2.1.4 Our legal basis for processing this information
We process information from individuals in accordance with UK GDPR and Data Protection Act 2018. The UK GDPR is the UK's implementation of the General Data Protection Regulation (GDPR).
2.2 Website user data
Many of our website resources are reserved for those with a website account. As part of this process, we need to collect a small amount of personal data.
2.2.1 What information do we collect and how do we collect it?
When individuals register to use our website, we collect data through our website forms. This data includes; name, email address, user passwords, clinical commissioning area, employer, job title, work postal code and whether the website terms and conditions have been agreed to.
We do not use pre-ticked boxes or any other type of default consent for sign up options to receive our newsletter, information about virtual professional groups and any other marketing materials.
We ask individuals to sign up to each of the different mailing lists we have and do not assume the consent applies to all lists.
We are keen to send email updates regarding our work and resources. Updates are sent to those working for subscriber organisations, potential partner organisations and miscellaneous individuals (everyone that doesn't fit into the first two categories).
We encourage our subscribers, stakeholders, attendees and website users to provide feedback wherever possible. This may relate to their experience on our website, at our events or as a result of any other engagement with us.
2.2.2 How the information is used
We may use this information to contact users of our website in order to resolve support queries and provide service updates. We also use the information to send relevant information out to the subscribers of our different mailing lists.
2.2.3 With whom is this information shared
We do not share this data with any third parties. However, subscribers (subscriber leads or their nominated deputies) may contact us to request lists of website users who work for their organisation. We will provide this information upon request. We also send a list of website users to each subscriber lead annually to ensure that the lists are up to data and that user access is still relevant for the individuals. When a new individual signs up to our website, the subscriber lead (or nominated deputy) is sent an e-mail asking them to confirm that this user is legitimate and works in the area.
2.2.4 Our legal basis for processing this information
This information is required to provide an effective website service and to fulfil our agreements with subscribers (who may need details of those registered for our website within their organisation). More information is covered in Section 7. Compliance with law.
2.3 Website payments
Some of our resources can be purchased directly online, for example access to e-learning courses and other training materials and membership to PrescQIPP Practice Plus. In order to process these orders, we need to collect several pieces of information.
2.3.1 What information do we collect and how do we collect it?
We collect data when individuals register for an e-commerce account and when they place an order. This data includes; name, email address, billing address, shipping address, products/services ordered, payment information and whether the individual has agreed to our terms and conditions.
2.3.2 How the information is used
We may use this information to process website orders, provide necessary documentation (e.g. invoices) and to contact customers in relation to their orders.
2.3.3 With whom is this information shared
We do not share this data with any third parties. However, our Payment Card Industry (PCI) Data Security Standard compliant payments processor will receive information related to payments.
2.3.4 Our legal basis for processing this information
PrescQIPP use a third-party payment processor that is PCI compliant. This information is required to process and support online orders. PrescQIPP C.I.C do not hold any credit/debit card information directly and have no access to such data.
2.4 Event registrations
Throughout the year we host a number of in-person and virtual events. In the majority of cases, those wishing to attend will be required to complete a registration form.
2.4.1 What information do we collect and how do we collect it?
When individuals complete an event registration form we collect; name, email address, organisation and clinical commissioning area.
2.4.2 How the information is used
We will use this information to contact individuals with updates and information regarding the event they have registered for. We may also contact individuals to ask for feedback and to suggest other events of interest.
2.4.3 With whom is this information shared
This information is not shared with any third party without consent. From time to time, this information may be shared with an event organiser. In such cases this will be clearly indicated.
2.4.4 Our legal basis for processing this information
We require this information to effectively run the events that individuals register for, to fulfil our agreement of providing the event. We also believe that individuals may have a legitimate interest in providing feedback or learning of other related events.
2.5 Engagement with individuals and organisations
Part of our work involves engagement with a large number of individuals and organisations. This typically begins with an individual completing a form (either online or offline) to begin a process of engagement with us. It is not feasible to encapsulate every engagement within this document. However, our engagements typically fall into one of the following groups:
Stakeholder consultation: Registering to be included in our stakeholder consultation process or providing feedback about a PrescQIPP resource
Individuals and groups wishing to provide comments about our work: Patient and carer groups, Pharmaceutical companies, Voluntary sector and NHS organisations
Those individuals involved in the production of our work: Parties involved in our Primary Care Rebates work, general queries from either subscribers or non-subscribers relating to our service or resources
2.5.1 What information do we collect and how do we collect it?
As with all of our data processing activities, we only collect the information that is required to fulfil the associated task. This typically involves contact information, a description of a query, or a contribution (comments) of some kind. Our primary means of data gathering is through online forms & surveys, though we do also support offline forms and direct email.
2.5.2 How the information is used
How we use this information will depend upon the context in which it is provided. For example, we will use the information provided on our ‘Stakeholder registration’ form to inform stakeholders of relevant updates and to involve them in the stakeholder consultation process. We will only use the information for the purpose under which it was provided and this will be clearly shown at the point of submission.
2.5.3 With whom is this information shared
This information is not shared with any third parties without individuals having prior knowledge or giving prior consent.
If we expect your information will be shared as part of the engagement process, we will clearly communicate this at the point of submission. If it becomes required to share your information after the point of submission, we will seek your approval prior to sharing your information. For example, we are required to publish a list of our stakeholder points of contact on our website. This is clearly indicated when the stakeholder form is submitted.
2.5.4 Our legal basis for processing this information
We require this information in order to respond to engagement requests from individuals or organisations. By submitting this information, individuals are consenting to their information being used exclusively for the purpose it was provided for.
2.6 Community resources and awards
We are passionate about sharing within our community and encourage our subscribers and website users to share useful information with their peers. Our website provides a mechanism which allows individuals to submit their case studies, innovations and nominations for awards.
2.6.1 What information do we collect and how do we collect it?
We will collect the name, email address, organisation and details regarding the case study/innovation/award nomination.
2.6.2 How the information is used
We use the information provided to publish and promote innovations within our community. The information may also be used to contact individuals that have made submissions to discuss the submission in further detail.
2.6.3 With whom is this information shared
Anything that is submitted within this context will be made publicly available on our website.
2.6.4 Our legal basis for processing this information
By submitting their work, individuals are consenting to it being published on our website and being contacted to discuss their work further.
3. Your rights
We are firm believers in the rights identified by the Data Protection Act and subsequent GDPR legislation. As an individual that we hold information pertaining to, you have the right to:
- Access: Please email email@example.com and a member of staff will be happy to provide you with a portable copy of the data we hold on you
- Be forgotten: If you would like us to destroy the data we hold on you please email firstname.lastname@example.org. Please note that in some cases this may prevent us from providing our service or resources to you
- Update your data: Whilst we make reasonable efforts to keep your information up-to date, sometimes information becomes dated or obsolete. If you believe that we hold out of date information about you then please email email@example.com to update your information. If required we can provide or delete all data held on our ecommerce, e-learning and website platforms.
- Opt out of profiling and automated decision making: No profiling or automated decision making is performed based on personal identifiers, characteristics or traits. Our profiling only extends to the type of individual you are, for example whether you work for a subscribing organisation
4. Our systems
- We store all data collected from subscribers, users, event registrations, feedback forms, newsletter data and engagement with our users in encrypted databases or secure storage systems.
- We use a range of systems to help us deliver our services. These include but are not limited to; content management systems, e-learning platforms, email management systems, survey software, online forms software, accounting and customer relationship management (CRM) systems.
- In some cases, these systems are not owned or operated by us and are provided by a third-party provider. In such cases we believe that each provider adheres to a strict code of conduct, is GDPR compliant and that reasonable precautions have been taken to secure your information. For security reasons we cannot identify our systems publicly.
Some systems are provided by US based companies operating under the ‘Safe Harbour’ agreement, which is currently covered by GDPR legislation.
- To find out more please contact firstname.lastname@example.org
5. In case of a data breach
If a data breach is either discovered or suspected, we pledge that:
- We will do everything in our power to confirm the breach by working with our internal team and external suppliers where appropriate
- We will take all reasonable measures to minimise the damage caused by the breach
- We will report the breach to those affected (and the ICO if required) within 72 hours
- We will adapt our policies and ways of working to minimise the damage of recurrence
Cookies are small text files that are placed on your computer's hard drive by your web browser when you visit a website that uses them. They allow information gathered on one web page to be stored until it is needed for use at a later date.
They are commonly used to provide you with a personalised experience while you browse a website, for example, allowing your preferences to be remembered.
They can also provide core functionality such as security, network management, and accessibility; record how you interact with our websites and services so that the owner can understand how to improve the experience of other visitors; and serve you advertisements that are relevant to your browsing history.
Some cookies may last for a defined period of time, such as one visit (known as a session), one day or until you close your browser. Others last indefinitely until you delete them.
Your web browser should allow you to delete any cookie you choose. It should also allow you to prevent or limit their use.
The law requires you to give explicit consent for use of any cookies that are not strictly necessary for the operation of a website.
- To track how you use our websites and services.
- To keep you signed into our website.
- To gather analytics to help us deliver an enhanced service to our users.
- To gather analytics to help us understand what resources are used.
7. Compliance with the law