1. Information about us
The data controller for all personal data governed by this privacy notice is:
The Nuffield Trust for Research and Policy Studies in Health Services
59 New Cavendish Street, London, W1G 7LP
Email: info@nuffieldtrust.org.uk
Telephone: 0207 631 8450
Registered charity number: 209169
Registered company number: 382452
Data Protection Officer: Mr Anthony Harbon
Email address: dataprotection@nuffieldtrust.org.uk
2. What is personal data?
Personal data is information that relates to an identified or identifiable individual. What identifies an individual could be as simple as a name or a number, but also includes identifiers such as an IP address or a cookie identifier, or other factors.
The personal data that we use is set out in Section 4, below.
3. Your rights
Under UK data protection legislation, you have a number of rights relating to any personal data that we hold which relate to you:
- The right to be informed about any personal data which we hold that relates to you and to obtain a copy of it
- The right to have any information that we hold about you which is inaccurate corrected
- The right to erasure of your personal data under certain circumstances
- The right to withdraw your consent that you have previously provided for us to process your data at any time
- The right to restrict processing of your data under certain circumstances
- The right to receive a copy of any personal data that we hold on you in a format that may be re-used by another party
For more information on our use of your personal data, or to exercise any of your rights, please contact us as described in Section 7.
If you have concerns about our use of your personal data, please contact us first. However, you also have a right to lodge a complaint with the Information Commissioner’s Office:
The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF
Telephone: 0303 123 1113
Web: http://www.ico.org.uk
4. What personal data we collect and how we use it
The ways in which we process individuals’ personal data are listed below:
4.1. Website visitors
Data collected
Your IP address (non-identifiable), details of your web browser and which version of it you used
Information on how you use our website
How we collect the data
In our web site log files, using cookies and Google Analytics. For information relating to our use of cookies please visit our cookies page
Purpose
To help us improve our web site
Lawful basis of processing
Legitimate Interest (Marketing)
Retention
50 months
4.2. Individuals contacting us via social media
Data collected
Name, email address, online ID
How we collect the data
Facebook, Twitter, LinkedIn
Purpose
To respond to your post
Lawful basis of processing
Legitimate Interest (Marketing)
Retention
3 months
4.3. Individuals who comment on blog posts
Data collected
Name, Email Address, Comments
How we collect the data
Facebook, Twitter, LinkedIn
Purpose
To respond to your post
Lawful basis of processing
Legitimate Interest (Marketing)
Retention
Registered users can delete posts
4.4. Newsletter subscribers
Data collected
Name, email address, organisation and subscriber status. Engagement metrics on if a subscriber has opened a newsletter or clicked any link in a newsletter.
How we collect the data
Online sign-up forms
Purpose
To disseminate the latest Nuffield Trust content
Lawful basis of processing
Informed consent, Legitimate Interest (Marketing).
Retention
Engagement metrics and other information is stored for up to 5 years. A person’s subscriber status and email address are retained indefinitely in order to ensure they are not sent emails they no longer wish to receive.
4.5. Individuals contacting us via email
Data collected
Name, Email Address,
How we collect the data
Inbound Email
Purpose
To respond to your email
Lawful basis of processing
Legitimate Interest (Marketing)
Retention
Maximum 3 years
4.6. Individuals who provide feedback via our website
Data collected
Name, Email Address, Comments
How we collect the data
Web site feedback forms
Purpose
To respond to your feedback
Lawful basis of processing
Legitimate Interest (Marketing)
Retention
2 years
4.7. Inbound telephone enquiries
Data collected
Name, Email, Telephone Number, Caller ID, Nature of your enquiry.
How we collect the data
Incoming phone calls
Purpose
To respond to your feedback
Lawful basis of processing
Legitimate Interest (Marketing)
Retention
12 months
4.8. Healthcare professionals
Data collected
Name, Email address
How we collect the data
Data Providers
Purpose
To provide subscribers with information relevant to their role
Lawful basis of processing
Legitimate Interest (Marketing)
Retention
Until a removal request is received
4.9. Employment candidates
Data collected
Name, Home Address, Contact telephone numbers, Email address, Education, Employment history, voluntary diversity data (protected characteristics) for monitoring purposes.
How we collect the data
Direct and via agencies
Purpose
To facilitate recruitment
Lawful basis of processing
Consent
Retention
12 months
4.10. Representatives, contributors, collaborators, senior associates and peers
Data collected
Name, Contact details
How we collect the data
Direct
Purpose
To either evaluate a particular health service, gain expert opinion in a particular policy area or understand service user experience and/or attitudes.
To identify contributors to our published reports.
Lawful basis of processing
Legitimate Interest (Conducting scientific research in the public interest) or consent.
Retention
Up to 5 years, depending on the nature of the relationship
4.11. Internally Hosted "Brown Bag" Events
Data collected
Name, Contact details, Video, Audio, Screen names
How we collect the data
Direct
Purpose
For review and/or reference, to gain expertise in a particular area of healthcare, policy or research methodology.
Lawful basis of processing
Legitimate Interest (Conducting scientific research in the public interest) or consent.
Retention
Up to 5 years, depending on the nature of the relationship.
4.12. Event attendees
Data collected
Name, Contact details
How we collect the data
Direct
Purpose
Marketing of our events
Lawful basis of processing
Consent
Retention
2 years
4.13. Suppliers of goods and services
Data collected
Name, Contact Information, Financial Information
How we collect the data
Direct
Purpose
Maintaining working relationship and contractual arrangements.
Lawful basis of processing
Contractual Necessity
Retention
3 Years after last engagement.
4.14. NHS patients
Data collected
NHS Digital provided de-identified data on Hospital Episode Statistics (HES)
4.14.1 Hospital Episode Statistics
This provides details of all admissions, outpatient appointments and A and E attendances at NHS hospitals in England
4.14.2 Community Services Data
The Community Services Data Set (CSDS) is a patient level, output based, secondary uses data set which will deliver robust, comprehensive, nationally consistent and comparable person-centred information for people who are in contact with NHS-funded Community Health Services
How we collect the data
Direct from patient as well as from NHS England.
Purpose
To enable us to undertake research work with the intention of improving UK healthcare
Lawful basis of processing
Legitimate interest – For scientific or statistical research purposes carried out in the wider public interest of improved patient outcomes within the NHS.
Retention
Dependent on the study. Retention periods are specified in the relevant NHS England data sharing agreement.
Data collected
Data from local NHS services: De-identified routinely collected data on contacts with health services, including reasons for attending and types of treatment. Health services covered will vary from study to study and could include primary care activity, A&E attendances, hospital admissions and use of other services.
How we collect the data
Data provided by NHS or other service providers.
Purpose
To enable us to undertake research work with the intention of improving UK healthcare
Lawful basis of processing
Legitimate interest – For scientific or statistical research purposes carried out in the wider public interest of improved patient outcomes within the NHS.
Retention
Dependent on the study. Retention periods are specified in the relevant data sharing agreement.
Data collected
Names and attitudes towards subject being surveyed.
How we collect the data
Collected as part of research activities (recorded interviews / transcripts )
Purpose
Individual patients may be discussed as part of a research review
Lawful basis of processing
Legitimate interest – For scientific or statistical research purposes carried out in the wider public interest of improved patient outcomes within the NHS.
Retention
Minimum of 2 years after study is completed. No longer than 5 depending on the requirements of the project.
A schedule of the projects undertaken where NHS Digital have provided data can be found here.
4.15. Research participants (general public)
Data collected
Names and attitudes towards subject being surveyed.
How we collect the data
Collected as part of research activities (recorded interviews / transcripts )
Purpose
Individual patients may be discussed as part of a research review
Lawful basis of processing
Legitimate interest – For scientific or statistical research purposes
Retention
Minimum of 2 years after study is completed. No longer than 5 depending on the requirements of the project.
A schedule of the projects undertaken where NHS England have provided data can be found here.
4.16. Prisoners
Data collected for our prisoner health research
NHS England provided de-identified data on Hospital Episode Statistics (HES)
This provides details of all admissions, outpatient appointments and A&E attendances at NHS hospitals in England.
Postcode
Prison postcodes provided by NHS England are used to identify NHS records to be included in the statistical analysis carried out as part of the study. These were crosschecked using postcodes provided by the Health and Justice Information Service team (see details of HJIS below) as well as Her Majesty’s Prison and Probation Service and Ministry of Justice public records of prison addresses (see below).
How we collect the data
HES data is provided NHS England under a data sharing agreement.
Purpose
To better understand the changing healthcare needs of prisoners, their use of hospital services and how the quality of care for prisoners compares to the non-prisoner population.
Lawful basis of processing
Legitimate interest – For scientific or statistical research purposes carried out in the wider public interest of improved patient outcomes within the NHS.
Retention
HES data selected for the study is retained for 2 years after the publication of our research reports (July 2024). The two year retention period post publication is to allow for the answering of questions relating to the study.
4.17. NHS Staff
Data Collected
De-identified data from the annual NHS Staff Survey.
4.17.1 NHS Staff survey
This dataset, owned by NHS England with the Picker Staff Survey Coordination Centre provides data on the views and characteristics of the NHS workforce.
How we collect the data
Data collection is implemented by NHS England and the Picker Institute Europe.
Purpose
To enable us to undertake research work with the intention of improving healthcare provision and staffing.
Lawful basis of processing
Legitimate interest – For scientific or statistical research purposes carried out in the wider public interest of improved workforce outcomes within the NHS.
Retention
Minimum of 2 years after study is completed. No longer than 5 depending on the requirements of the project.
4.17.2 NHS Nursing Workforce Data
This de-identified dataset is extracted from the Electronic Staff (ESR) and provides data on the characteristics of the NHS nursing workforce.
How we collect the data
The data is sourced from the Department of Health and Social Care (DHSC) under a Data Sharing Agreement (DSA).
Purpose
The research project uses electronic staff records to:
1. Provide a detailed description of the current nursing workforce in hospital and community services.
2. Identify national trends in joiner and leaver levels, including by staff characteristic.
3. Explore trust-level variation in joiner and leaver rates and the extent this can be explained by workforce and employer.
Lawful basis of processing
Legitimate interest – For scientific or statistical research purposes carried out in the wider public interest of improved workforce outcomes within the NHS.
Retention
Minimum of 2 years after study is completed. No longer than 5 depending on the requirements of the project.
5. Who we share your data with
It is not our practice to share personal data with third parties, subject to the following exceptions.
We may share your personal data as part of a joint research project. In this case, a formal assessment is undertaken to ensure that:
- The sharing of data is justified as being necessary and proportionate
- The sharing activity is governed by a data sharing agreement that includes adequate confidentiality and security clauses and in accordance with your rights, our obligations, and the third party’s obligations under the law.
If we transfer, or merge parts of our organisation’s assets, your personal data may be transferred to a third party. Any new owner of our organisation may continue to use your personal data in the same ways that we have used it, as specified in this Privacy Notice.
In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.
6. How and where we store your data
6.1. Research data
All research data is stored on our IT systems. It is only accessible by our research teams who are subject to stringent controls.
6.2. Marketing and administration data
We may store or transfer some or all of your personal data to be stored in countries that are not part of the European Economic Area. These are known as “third countries” and may not have data protection laws that are as strong as those in the UK and/or the EEA. In such cases we take additional steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the Data Protection Legislation. These steps include specific contracts that are approved by the European Commission for the transfer of personal data to third countries. These contracts require the same levels of personal data protection that would apply under UK Data Protection Legislation.
Please contact our DPO at dataprotection@nuffieldtrust.org.uk for further information about the particular data protection mechanism used by us when transferring your personal data to a third country.
7. How to exercise your rights
If you want to know what personal data we hold about you, you can ask us for details of that personal data and for a copy of it. This is known as a “Subject Access Request” (SAR).
All subject access requests should be made in writing via email or post and sent to the email or postal addresses shown in Section 8. Please complete our Subject Access Request Form or send the equivalent information to us in an email to help us to respond as quickly as possible.
There is not normally any charge for a subject access request unless your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests). In such cases a fee may be charged to cover our administrative costs in responding.
We will respond to your subject access request within 30 days. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.
If you wish to object to the processing of your data for a specific purpose or you wish to withdraw consent that you have previously provided to us, please write to the Data Protection Officer at the address given in Section 8, or send an email to dataprotection@nuffieldtrust.org. Please provide us with as much information as you can relating to your request, and include a daytime contact number in case we have any questions.
8. How to contact us
Questions, comments and requests regarding this privacy policy are welcomed. If you want to exercise your rights or request information about our privacy policy you can email us or write to us at the address below.
The Nuffield Trust for Research and Policy Studies in Health Services
59 New Cavendish Street
London, W1G 7LP
Email: dataprotection@nuffieldtrust.org.uk
Telephone: 0207 631 8450
9. Links to other websites
This privacy notice does not cover the links within this site linking to other websites. How other organisations or websites capture, store and use personal information or site visitor information is outside our control. We encourage you to read the privacy statements on the other websites you visit. See our terms and conditions for more information.
10. Changes to this privacy notice
We keep our privacy notice under regular review. Whenever a change occurs, an announcement will be made in the news section of www.nuffieldtrust.org.uk.
11. Resources
The Trust maintains a schedule of relevant data protection resources which can be accessed here.
-
Updated 15/04/2024