This policy should be read alongside and in addition to the following:
- Our Terms and Conditions, which govern the use of our website
2. About us
We are the Institute of Clinical Science and Technology Limited (ICST), working on behalf of NHS Wales.
We are a company incorporated in England and Wales (company number 09300292).
Our registered office is 33-35 Cathedral Road, Cardiff, CF11 9HB.
3. What is personal data
Your personal data is information which, by itself or with other information available to us, can be used to identify a person directly or indirectly.
Some personal data is categorised as ‘sensitive personal data’ and includes information about race, ethnic origin, political opinions, religious beliefs, mental or personal health, sexual life or orientation, criminal proceedings (either alleged or prosecuted) and membership of a trade union.
We do not consider personal information to include information that has been anonymised or aggregated so that it can no longer be used to identify a person, whether in combination with other information or otherwise.
The collection and use of your personal data is regulated under the UK Data Protection Act 1998 (the Act) and the 2018 General Data Protection Regulations (GDPR) and we process your data in accordance with these regulations as both a data controller and a data processor.
4. How do we collect your information?
We collect information from the following sources:
- Directly from you
More information on collecting your information:
- We may collect data relating to your visits to the website that cannot identify you but records your use of our website, online courses and content including IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths.
- If you disclose to us the personal information of another person, you must obtain that person’s consent to both the disclosure and the processing of that personal information
5. How long do we retain your data?
We will only retain your personal information for as long as is necessary to fulfil the purposes we collected it for.
To determine the appropriate retention period for the personal information we hold, we consider the amount, nature and sensitivity of the personal information, the risk of harm from unauthorised use or disclosure of your personal information, the reasons why we handle your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
We may retain your data for the following reasons:
- In order to establish, exercise or defend our legal rights
- If we believe the documents may be relevant to any ongoing or prospective complaint or legal proceedings
- The purpose of satisfying any legal or accounting requirements
If you require further information about our specific retention periods, please contact us at firstname.lastname@example.org
6. Ways you can access and control your personal information
Under data protection laws you have legal rights concerning our usage of your personal information, including:
- You have the right to know what personal information we hold on you.
- You have the right to ask us to correct or complete inaccurate or out of date personal information
- You have the right to object to our processing all or part of your personal information.
- Where we are relying on your consent to process data, you have the right to withdraw your consent
- You have the right to object to decisions taken by automatic means without human intervention
- You have the right to request that some elements of your information, such as academic progress, be provided to other organisations.
- You have the right to complain if you are unhappy with our handling of your data.
Please be aware that if you ask us to cease processing all or part of your data, this will impact on your ability to access some of our services. Further, we can only comply if there is no legitimate reason for ICST to continue to process your personal data.
We will honour any statutory right you might have to access, modify or erase your personal information. We encourage you to make such a request using our Subject Access Request form which is available on our website.
If you wish to make a complaint, you should first contact our Data Protection Officer via email@example.com. They can invoke our formal complaints procedure if appropriate. You can also submit a complaint to the Information Commissioner’s Office; further details can be found at www.ico.org.uk.
7. How do we share your data?
We may share your personal information with your consent or if we are required to do so by law or in connection with any ongoing or prospective legal proceedings. We may also share your data with a prospective purchaser of our business or asset that we are contemplating selling.
Any research we or our partners, such as universities and other stakeholders, carry out will be conducted in accordance with our Research Ethics guidelines [Ethical Research Guidelines]
Your activities may be used for academic research purposes.
9. International data transfers
Information that we collect may be stored and processed in and transferred between any of the countries in which we operate in order to enable us to use the information in accordance with this policy.
Information that we collect may be transferred to the following countries which do not have data protection laws equivalent to those in force in the European Economic Area: The United States of America, Russia, Japan, China and India.
10. Security of personal information
We will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information.
We will store all the personal information you provide on our secure (password- and firewall-protected) servers.
You acknowledge that the transmission of information over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.
Our data warehouse and servers use the latest technologies and robust procedures to ensure data security and safety. As of June 2018, our servers will be compliant with ISO 9001 and ISO 27001, the highest security and quality assurance standards in the UK for data storage and transmission.
You will be notified through email of all changes as they occur including the contents of changes and the date(s) they will become effective.
13. Contacting us
You can contact us:
- by post, to our registered office 33-35 Cathedral Road, Cardiff, Wales CF11 9HB
- by email, using the email address published on our website from time to time.