1. Introduction
At PrescQIPP we recognise the importance of privacy. We want you to feel confident in engaging with us and in using our resources. We have developed this privacy policy to clearly explain how we collect and process personal data, not only on our website – but as an organisation on the whole.
Within this document you will find a description of our data processing activities, including:
- What information we collect and how we collect it
- How the information is stored
- How the information is used
- With whom this information may be shared
- Our legal basis for processing the information
- Your rights
- Storage of data on external systems
- The use of cookies
- Our responsibilities in case of a data breach
2. Data processing activities
2.1 Subscriber data
In order to provide our service to subscribers, we need to collect some basic data regarding individuals within the organisations that subscribe to our services.
2.1.1 What information do we collect and how do we collect it?
We collect basic contact information for individuals within subscribing organisations. This includes name, email address, clinical commissioning area, employer, job role and telephone number.
2.1.2 How the information is stored
This information will be stored within our systems (see section 4).
2.1.3 How the information is used
The information is used to contact individuals within subscribing organisations in order to provide our service, notify them of updates and discuss service (or contract) provision.
2.1.4 With whom is this information shared
We do not share this information with any third parties without prior consent. From time to time a member of staff within a subscribing organisation may request information relating to other team members from the same organisation. For example a manager may request details of other team members that are using our service (and how they are utilising our service). We will provide this information upon request.
2.1.5 Our legal basis for processing this information
We process this information in order to provide our service to subscribers as agreed in the contract. Without this information we cannot effectively provide our service to subscribers.
2.2 Website user data
Many of our website resources are reserved for those with a website account. As part of this process we need to collect a small amount of personal data.
2.2.1 What information do we collect and how do we collect it?
When users register to use our website we collect data through our website forms. This data includes name, email address, clinical commissioning area, employer, job title, work postal code and whether the website terms and conditions have been agreed to.
2.2.2 How the information is stored
This information will be stored within our systems (see section 4).
2.2.3 How the information is used
We may use this information to contact users of our website in order to resolve support queries and provide service updates.
2.2.4 With whom is this information shared
We do not share this data with any third parties. However subscribers may contact us to request lists of website users who work for their organisation. We will provide this information upon request.
2.2.5 Our legal basis for processing this information
This information is required to provide an effective website service and to fulfil our agreements with subscribers (who may need details of those registered for our website within their organisation).
2.3 Website payments
Some of our resources can be purchased directly online, for example access to e-learning courses and other training materials. In order to process these orders we need to collect several pieces of information.
2.3.1 What information do we collect and how do we collect it?
We collect data when users register for an e-commerce account and when they place an order. This data includes name, email address, billing address, shipping address, products/services ordered, payment information and whether the user has agreed to our terms and conditions.
2.3.2 How the information is stored
This information will be stored within our systems (see section 4). Please note that payment details are passed directly to our PCI compliant payments processor and are never received by us. They are not received or stored on any of our systems (with the exception of our PCI compliant payments processor).
2.3.3 How the information is used
We may use this information to process website orders, provide necessary documentation (e.g. invoices) and to contact customers in relation to their orders.
2.3.4 With whom is this information shared
We do not share this data with any third parties. However our PCI compliant payments processor will receive information related to payments.
2.3.5 Our legal basis for processing this information
This information is required to process and support online orders.
2.4 Event registrations
Throughout the year we host a number of both in-person and virtual events. In the vast majority of cases those wishing to attend will be required to complete a registration form.
2.4.1 What information do we collect and how do we collect it?
When individuals complete an event registration form we collect name, email address, organisation and clinical commissioning area.
2.4.2 How the information is stored
This information will be stored within our systems (see section 4).
2.4.3 How the information is used
We will use this information to contact individuals with updates and information regarding the event they have registered for. We may also contact individuals to ask for feedback and to suggest other events of interest.
2.4.4 With whom is this information shared
This information is not shared with any third party without consent. From time to time, this information may be shared with an event organiser. In such cases this will be clearly indicated.
2.4.5 Our legal basis for processing this information
We require this information to effectively run the events that individuals register for, to fulfil our agreement of providing the event. We also believe that individuals may have a legitimate interest in providing feedback or learning of other related events.
2.5 Engagement with individuals and organisations
Part of our work involves engagement with a large number of individuals and organisations. This typically begins with an individual completing a form (either online or offline) to begin a process of engagement with us. It is not feasible to encapsulate every engagement within this document. However, our engagements typically fall into one of the following groups:
- Stakeholder consultation: Registering to be included in our stakeholder consultation process or providing feedback about a PrescQIPP resource
- Individuals and groups wishing to provide comments about our work: Patient and carer groups, Pharmaceutical companies, Voluntary sector and NHS organisations
- Those individuals involved in the production of our work: Parties involved in our Primary Care Rebates work, general queries from either subscribers or non-subscribers relating to our service or resources
2.5.1 What information do we collect and how do we collect it?
As with all of our data processing activities, we only collect the information that is required to fulfil the associated task. This typically involves contact information, a description of a query, or a contribution (comments) of some kind. Our primary means of data gathering is through online forms, though we do also support offline forms and direct email.
2.5.2 How the information is stored
This information will be stored within our systems (see section 4).
2.5.3 How the information is used
How we use this information will depend upon the context in which it is provided. For example we will use the information provided on our ‘Stakeholder registration’ form to inform stakeholders of relevant updates and to involve them in the stakeholder consultation process. We will only use the information for the purpose under which it was provided and this will be clearly shown at the point of submission.
2.5.4 With whom is this information shared
This information is not shared with any third parties without individuals having prior knowledge or giving prior consent.
If we expect your information will be shared as part of the engagement process, we will clearly communicate this at the point of submission. If it becomes required to share your information after the point of submission, we will seek your approval prior to sharing your information. For example we are required to publish a list of our stakeholder points of contact on our website. This is clearly indicated when the stakeholder form is submitted.
2.5.5 Our legal basis for processing this information
We require this information in order to respond to engagement requests from individuals or organisations. By submitting this information, individuals are consenting to their information being used exclusively for the purpose it was provided for.
2.6 Feedback forms
We encourage our subscribers, stakeholders, attendees and website users to provide feedback wherever possible. This may relate to their experience on our website, at our events or as a result of any other engagement with us.
2.6.1 What information do we collect and how do we collect it?
When individuals complete a feedback form we collect name, email address, organisation, clinical commissioning area, the service/resource in question and their comments.
2.6.2 How the information is stored
This information will be stored within our systems (see section 4).
2.6.3 How the information is used
We use this information to improve our services. From time to time we may contact individuals to clarify their feedback or to discuss their feedback in more detail.
2.6.4 With whom is this information shared
This information is not shared with any third party without consent.
2.6.5 Our legal basis for processing this information
By submitting feedback, individuals are consenting that their information is used to shape our future services. We believe that the individual may have a legitimate interest in discussing their feedback with us in more detail.
2.7 Community resources and awards
We are passionate about sharing within our community and encourage our subscribers and website users to share useful information with their peers. Our website provides a mechanism which allows individuals to submit their case studies, innovations and nominations for awards.
2.7.1 What information do we collect and how do we collect it?
We will collect the name, email address, organisation and details regarding the case study/innovation/award nomination.
2.7.2 How the information is stored
This information will be stored within our systems (see section 4).
2.7.3 How the information is used
We use the information provided to publish and promote innovations within our community. The information may also be used to contact individuals that have made submissions to discuss the submission in further detail.
2.7.4 With whom is this information shared
Anything that is submitted within this context may be made publicly available on our website.
2.7.5 Our legal basis for processing this information
By submitting their work, individuals are consenting to it being published on our website and being contacted to discuss their work further.
2.8 Our newsletter
We are keen to send email updates regarding our work and resources. Updates are sent to those working for subscriber organisations, potential partner organisations and miscellaneous individuals (everyone that doesn’t fit into the first two categories).
2.8.1 What information do we collect and how do we collect it?
We will collect the name, email address, organisation and clinical commissioning area for our newsletter subscribers.
2.8.2 How the information is stored
This information will be stored within our CRM and email broadcast software. It will be encrypted at rest.
2.8.3 How the information is used
We use the information to send relevant updates via email regarding our work and resources.
2.8.4 With whom is this information shared
Information is not shared with any third parties without prior consent.
2.8.5 Our legal basis for processing this information
We send our email updates to three groups of individuals:
- Subscribers, employees, contractors and those with a direct affiliation (e.g. board members) to PrescQIPP. For subscribers we have an agreement to provide relevant updates and email is often our vehicle to do this. Contractors and those with a direct affiliation have a legitimate interest in receiving our updates
- Individuals within complementary and potential partner organisations. We have collaborated and continue to collaborate with a number of complementary organisations, who we believe have a legitimate interest in receiving our updates. We have advised that anyone within this group can opt-out at any time
- Other individuals have been asked to provide explicit consent to receive our updates
Any individual (regardless of their group, above) can opt-out of receiving updates at any time.
2.9 Staff and contractors (or freelancers)
Our company includes a number of staff and external individuals who provide services to us. We collect information on individuals in order to fulfil contracts and agreements.
2.9.1 What information do we collect and how do we collect it?
We will collect the name, address, email address, telephone number, payment details, National Insurance details (where appropriate), conflicts of interest and performance notes relating to these individuals.
2.9.2 How the information is stored
This information will be stored within our systems (see section 4).
2.9.3 How the information is used
We use the information to fulfil contracts and agreements with our staff and contractors.
2.9.4 With whom is this information shared
This information may be shared with parties who are contracted to support us in our record keeping and accounting (for example financial advisers and accountants). In such cases we have a strict data privacy policy in place with these providers.
2.9.5 Our legal basis for processing this information
This information is required to fulfil working agreements with these individuals.
3. Your rights
We are firm believers in the rights identified by the Data Protection Act and subsequent GDPR legislation. As an individual that we hold information pertaining to, you have the right to:
- Access: Please email privacy@prescqipp.info and a member of staff will be happy to provide you with a portable copy of the data we hold on you
- Be forgotten: If you would like us to destroy the data we hold on you please email privacy@prescqipp.info. Please note that in some cases this may prevent us from providing our service or resources to you
- Update your data: Whilst we make reasonable efforts to keep your information up to date, sometimes information becomes dated or obsolete. If you believe that we hold out of date information about you then please email privacy@prescqipp.info to update your information
- Opt out of profiling and automated decision making: No profiling or automated decision making is performed based on personal identifiers, characteristics or traits. Our profiling only extends to the type of individual you are, for example whether you work for a subscribing organisation
4. Our systems
We use a range of systems to help us deliver our service. These include, but are not limited to, email, calendar, storage, email broadcast software, survey software, online forms software, payment, accounting and CRM systems.
In some cases these systems are not owned or operated by us and are provided by a third party provider. In such cases we believe that each provider adheres to a strict code of conduct, is GDPR compliant and that reasonable precautions have been taken to secure your information. For security reasons we cannot identify our systems publicly.
Some systems are provided by US based companies operating under the ‘Safe Harbour’ agreement, which is currently covered by GDPR legislation.
To find out more please contact privacy@prescqipp.info
5. In case of a data breach
If a data breach is either discovered or suspected, we pledge that:
- We will do everything in our power to confirm the breach by working with our internal team and external suppliers where appropriate
- We will take all reasonable measures to minimise the damage caused by the breach
- We will report the breach to those affected (and the ICO if required) within 72 hours
- We will adapt our policies and ways of working to minimise the damage of recurrence
6. Cookies
We use two types of cookies on our website:
- Essential cookies are used to power the website, for example to provide user logon, security and resource access. By using the website you are agreeing to the use of these cookies
- Analytics cookies (Google Analytics) are used to provide insights into how our website is used. Data is collected anonymously but you must grant us consent in order for us to use these cookies