Health Data Research Gateway Privacy Policy
This privacy policy provides information on how Health Data Research UK (“HDR UK” “we”, “us” or “our”) collects and processes your personal data. It also describes your data protection rights, including a right to object to some of the processing which HDR UK carries out. More information about your rights, and how to exercise them, is set out in the “What rights do I have?” section.
Data Controller
HDR UK is a limited company registered in England and Wales under company number 10887014. Its registered office is at 215 Euston Road, London, England, NW1 2BE.
HDR UK is the controller and responsible for your personal data.
We have a data protection manager who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights as set out in this privacy policy, please contact: DataProtection@hdruk.ac.uk
Data we collect about you
Personal data means any information about an individual from which that person can be identified. We may collect, use, store and transfer different kinds of personal data:
- Identity data including first name, last name, job title and similar identifier, bio, organisation, sector, ORCID (or other research digital identifier).
- Contact data such as your email address, address, telephone number, domain and social media address.
- Communications Data including your communication preferences.
- Technical data such as internet protocol (IP) address, browser type and version and operating system and platform. Please see our cookie notice for further details.
How is your personal data collected?
We use different methods to collect data from you including through:
Direct interactions. You may give us your personal data by filling in an enquiry form on our website, creating an account to access the Gateway, corresponding with us by phone, email, social media or otherwise, when you sign up to our newsletter or register for an event, training session or meeting.
Automated interactions. As you interact with our website we may collect technical data by using cookies or similar technologies. Please see our cookie notice for further details.
Third parties. When you register for our events or complete a survey via a third-party platform such as Eventbrite or SurveyMonkey, we will obtain your registration details from the platform operator.
How we use your personal data and the purpose for which we will use it
We will use your personal data for the following purposes:
To conduct our business and pursue our legitimate interests, in particular:
- To respond to any enquiry you make, we will use your identity data and contact data.
- To monitor use of our websites, and use your information to help us monitor, improve, and protect our products, content, services and websites, both online and offline.
- In connection with legal claims, compliance, regulatory and investigative purposes as necessary (including disclosure of such information in connection with legal process or litigation).
Where you give us your consent:
- To provide you with our information and updates about our work, new services, and developments that you may be interested in via our newsletter and other communications such as letters and event invitations, we will use your identity data and contact data.
- To improve our website, we will use your technical data.
- To contact you to seek feedback about your experience with the HDR UK Gateway.
For purposes which are required by law, in response to requests by government or law enforcement authorities conducting an investigation.
Withdrawing consent or otherwise objecting to direct marketing
Wherever we rely on your consent, you will always be able to withdraw that consent, although we may have other legal grounds for processing your data for other purposes, such as those set out above. In some cases, we are able to send you direct marketing without your consent, where we rely on our legitimate interests. You have an absolute right to opt-out of direct marketing, or profiling we carry out for direct marketing, at any time. You can do this by following the instructions in the communication where this is an electronic message, or by contacting us using the details set out above.
Disclosure of personal data
We may share your personal data with external third-party system providers who provide services including IT, online training, system administration and cloud-based software services. We may also share your contact information with external third-party organisations that arrange events or training on behalf of HDR UK.
We will not share your personal data with other third parties, unless you give your consent for us to do so, and we will not share your information with any other organisations for their own marketing, market research or commercial purposes.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We may share your personal information with regulators or other authorities if we have a legal obligation to do so.
If HDR UK is transferred or integrated with another business, your details will be disclosed to our advisers and the other party’s advisors.
International transfers
Some of our external third-party system providers are based in the United States or other countries outside the UK and EEA so their processing of your personal data will involve a transfer of data. Whenever we transfer your personal data out of the UK and EEA, we ensure a similar degree of protection is afforded to that personal data by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- Where we use certain service providers in countries which have not been deemed to provide an adequate level of protection, we will use specific contracts approved by the European Commission which give personal data the same protection it has in the UK and Europe. A copy of this can be provided for your review on request to the contact details below.
Data Retention
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for. Where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data so that we can respect your request in future.
The lifespan of the cookies we use is explained in our cookie policy.
Your legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data, including:
- Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. You can read more about this right here.
- Request correction of your personal data. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us. You can read more about this right here.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. You can read more about this right here.
- Object to processing of your personal data. This enables you to object to processing of your personal data if you feel it impacts on your fundamental rights and freedoms or if we are using it for direct marketing purposes. You can read more about this right here.
- Request restriction of processing your personal data. This enables you to ask us to suspend the processing of your personal data in a number of different scenarios, such as where you want us establish the accuracy of the data. You can read more about this right here.
- Request transfer of your personal data. This enables you to request the transfer of your personal data to a third party. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you. You can read more about this right here.
- Right to withdraw consent. This enables you to withdraw your consent that we are relying on to process your personal data. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.
If you wish to exercise any of these rights, please contact DataProtection@hdruk.ac.uk. You will not have to pay a fee to access your personal data (or to exercise any of the other rights).
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
These rights may be limited, for example if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required by law or have compelling legitimate interests to keep. If you have unresolved concerns, you have the right to complain to the Information Commissioner, the UK’s data protection authority.