Privacy notice

The Nuffield Trust for Research and Policy Studies in Health Services is committed to protecting and respecting your privacy. This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. We will only collect and process your personal data in ways that are described here, and in ways that are consistent with your rights under the prevailing European regulation and UK data protection legislation.

Resource

Published: 15/05/2024

1. Information about us

The data controller for all personal data governed by this privacy notice is:

The Nuffield Trust for Research and Policy Studies in Health Services
59 New Cavendish Street, London, W1G 7LP

Email: info@nuffieldtrust.org.uk
Telephone: 0207 631 8450
Registered charity number: 209169
Registered company number: 382452
Data Protection Officer: Mr Anthony Harbon
Email address: dataprotection@nuffieldtrust.org.uk

2. What is personal data?

Personal data is information that relates to an identified or identifiable individual. What identifies an individual could be as simple as a name or a number, but also includes identifiers such as an IP address or a cookie identifier, or other factors.

The personal data that we use is set out in Section 4, below.

3. Your rights

Under UK data protection legislation, you have a number of rights relating to any personal data that we hold which relate to you:

  • The right to be informed about any personal data which we hold that relates to you and to obtain a copy of it
  • The right to have any information that we hold about you which is inaccurate corrected
  • The right to erasure of your personal data under certain circumstances
  • The right to withdraw your consent that you have previously provided for us to process your data at any time
  • The right to restrict processing of your data under certain circumstances
  • The right to receive a copy of any personal data that we hold on you in a format that may be re-used by another party

For more information on our use of your personal data, or to exercise any of your rights, please contact us as described in Section 7.

If you have concerns about our use of your personal data, please contact us first. However, you also have a right to lodge a complaint with the Information Commissioner’s Office:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire, SK9 5AF

Telephone: 0303 123 1113
Web: http://www.ico.org.uk

4. What personal data we collect and how we use it

The ways in which we process individuals’ personal data are listed below:

4.1. Website visitors

Data collected

Your IP address (non-identifiable), details of your web browser and which version of it you used

Information on how you use our website

How we collect the data

In our web site log files, using cookies and Google Analytics. For information relating to our use of cookies please visit our cookies page

Purpose

To help us improve our web site

Lawful basis of processing

Legitimate Interest (Marketing)

Retention

50 months

4.2. Individuals contacting us via social media

Data collected

Name, email address, online ID

How we collect the data

Facebook, Twitter, LinkedIn

Purpose

To respond to your post

Lawful basis of processing

Legitimate Interest (Marketing)

Retention

3 months

4.3. Individuals who comment on blog posts

Data collected

Name, Email Address, Comments

How we collect the data

Facebook, Twitter, LinkedIn

Purpose

To respond to your post

Lawful basis of processing

Legitimate Interest (Marketing)

Retention

Registered users can delete posts

4.4. Newsletter subscribers

Data collected

Name, email address, organisation and subscriber status. Engagement metrics on if a subscriber has opened a newsletter or clicked any link in a newsletter.

How we collect the data

Online sign-up forms

Purpose

To disseminate the latest Nuffield Trust content

Lawful basis of processing

Informed consent, Legitimate Interest (Marketing).

Retention

Engagement metrics and other information is stored for up to 5 years. A person’s subscriber status and email address are retained indefinitely in order to ensure they are not sent emails they no longer wish to receive.

4.5. Individuals contacting us via email

Data collected

Name, Email Address,

How we collect the data

Inbound Email

Purpose

To respond to your email

Lawful basis of processing

Legitimate Interest (Marketing)

Retention

Maximum 3 years

4.6. Individuals who provide feedback via our website

Data collected

Name, Email Address, Comments

How we collect the data

Web site feedback forms

Purpose

To respond to your feedback

Lawful basis of processing

Legitimate Interest (Marketing)

Retention

2 years

4.7. Inbound telephone enquiries

Data collected

Name, Email, Telephone Number, Caller ID, Nature of your enquiry.

How we collect the data

Incoming phone calls

Purpose

To respond to your feedback

Lawful basis of processing

Legitimate Interest (Marketing)

Retention

12 months

4.8. Healthcare professionals

Data collected

Name, Email address

How we collect the data

Data Providers

Purpose

To provide subscribers with information relevant to their role

Lawful basis of processing

Legitimate Interest (Marketing)

Retention

Until a removal request is received

4.9. Employment candidates

Data collected

Name, Home Address, Contact telephone numbers, Email address, Education, Employment history, voluntary diversity data (protected characteristics) for monitoring purposes.

How we collect the data

Direct and via agencies

Purpose

To facilitate recruitment

Lawful basis of processing

Consent

Retention

12 months

4.10. Representatives, contributors, collaborators, senior associates and peers

Data collected

Name, Contact details

How we collect the data

Direct

Purpose

To either evaluate a particular health service, gain expert opinion in a particular policy area or understand service user experience and/or attitudes.

To identify contributors to our published reports.

Lawful basis of processing

Legitimate Interest (Conducting scientific research in the public interest) or consent.

Retention

Up to 5 years, depending on the nature of the relationship

4.11. Internally Hosted "Brown Bag" Events 

Data collected 

Name, Contact details, Video, Audio, Screen names

How we collect the data

Direct 

Purpose 

For review and/or reference, to gain expertise in a particular area of healthcare, policy or research methodology.

Lawful basis of processing 

Legitimate Interest (Conducting scientific research in the public interest) or consent.

Retention 

Up to 5 years, depending on the nature of the relationship. 

4.12. Event attendees

Data collected

Name, Contact details

How we collect the data

Direct

Purpose

Marketing of our events

Lawful basis of processing

Consent

Retention

2 years

4.13. Suppliers of goods and services

Data collected

Name, Contact Information, Financial Information

How we collect the data

Direct

Purpose

Maintaining working relationship and contractual arrangements.

Lawful basis of processing

Contractual Necessity

Retention

3 Years after last engagement.

4.14. NHS patients

Data collected

NHS Digital provided de-identified data on Hospital Episode Statistics (HES)

4.14.1 Hospital Episode Statistics
This provides details of all admissions, outpatient appointments and A and E attendances at NHS hospitals in England

4.14.2 Community Services Data
The Community Services Data Set (CSDS) is a patient level, output based, secondary uses data set which will deliver robust, comprehensive, nationally consistent and comparable person-centred information for people who are in contact with NHS-funded Community Health Services

How we collect the data

Direct from patient as well as from NHS England. 

Purpose

To enable us to undertake research work with the intention of improving UK healthcare

Lawful basis of processing

Legitimate interest – For scientific or statistical research purposes carried out in the wider public interest of improved patient outcomes within the NHS.

Retention

Dependent on the study. Retention periods are specified in the relevant NHS England data sharing agreement.

 

   

 

Data collected

 

 

Data from local NHS services: De-identified routinely collected data on contacts with health services, including reasons for attending and types of treatment. Health services covered will vary from study to study and could include primary care activity, A&E attendances, hospital admissions and use of other services.

How we collect the data

Data provided by NHS or other service providers.

Purpose

To enable us to undertake research work with the intention of improving UK healthcare

Lawful basis of processing

Legitimate interest – For scientific or statistical research purposes carried out in the wider public interest of improved patient outcomes within the NHS.

Retention

Dependent on the study. Retention periods are specified in the relevant data sharing agreement.

 

    

 

Data collected

 

 

Names and attitudes towards subject being surveyed.

How we collect the data

Collected as part of research activities (recorded interviews / transcripts )

Purpose

Individual patients may be discussed as part of a research review

Lawful basis of processing

Legitimate interest – For scientific or statistical research purposes carried out in the wider public interest of improved patient outcomes within the NHS.

Retention

Minimum of 2 years after study is completed. No longer than 5 depending on the requirements of the project.

 

A schedule of the projects undertaken where NHS Digital have provided data can be found here.

 

4.15. Research participants (general public)

Data collected

Names and attitudes towards subject being surveyed.

How we collect the data

Collected as part of research activities (recorded interviews / transcripts )

Purpose

Individual patients may be discussed as part of a research review

Lawful basis of processing

Legitimate interest – For scientific or statistical research purposes

Retention

Minimum of 2 years after study is completed. No longer than 5 depending on the requirements of the project.

A schedule of the projects undertaken where NHS England have provided data can be found here.

4.16. Prisoners

Data collected for our prisoner health research

NHS England provided de-identified data on Hospital Episode Statistics (HES)
This provides details of all admissions, outpatient appointments and A&E attendances at NHS hospitals in England.

 

Postcode
Prison postcodes provided by NHS England are used to identify NHS records to be included in the statistical analysis carried out as part of the study. These were crosschecked using postcodes provided by the Health and Justice Information Service team (see details of HJIS below) as well as Her Majesty’s Prison and Probation Service and Ministry of Justice public records of prison addresses (see below).

 

 

How we collect the data

HES data is provided NHS England under a data sharing agreement.

Purpose

To better understand the changing healthcare needs of prisoners, their use of hospital services and how the quality of care for prisoners compares to the non-prisoner population.

Lawful basis of processing

Legitimate interest – For scientific or statistical research purposes carried out in the wider public interest of improved patient outcomes within the NHS.

Retention

HES data selected for the study is retained for 2 years after the publication of our research reports (July 2024). The two year retention period post publication is to allow for the answering of questions relating to the study.

4.17. NHS Staff 

Data Collected 

De-identified data from the annual NHS Staff Survey. 

4.17.1 NHS Staff survey

This dataset, owned by NHS  England with the Picker Staff Survey Coordination Centre provides data on the views and characteristics of the NHS workforce. 

How we collect the data

Data collection is implemented by NHS England and the Picker Institute Europe. 

Purpose 

To enable us to undertake research work with the intention of improving healthcare provision and staffing. 

Lawful basis of processing 

Legitimate interest – For scientific or statistical research purposes carried out in the wider public interest of improved workforce outcomes within the NHS. 

Retention 

Minimum of 2 years after study is completed. No longer than 5 depending on the requirements of the project. 

4.17.2 NHS Nursing Workforce Data 

This de-identified dataset is extracted from the Electronic Staff (ESR) and provides data on the characteristics of the NHS nursing workforce. 

How we collect the data 

The data is sourced from the Department of Health and Social Care (DHSC) under a Data Sharing Agreement (DSA). 

Purpose 

The research project uses electronic staff records to:

1. Provide a detailed description of the current nursing workforce in hospital and community services.

2. Identify national trends in joiner and leaver levels, including by staff characteristic.

3. Explore trust-level variation in joiner and leaver rates and the extent this can be explained by workforce and employer.

Lawful basis of processing 

Legitimate interest – For scientific or statistical research purposes carried out in the wider public interest of improved workforce outcomes within the NHS. 

Retention 

Minimum of 2 years after study is completed. No longer than 5 depending on the requirements of the project. 

5. Who we share your data with

It is not our practice to share personal data with third parties, subject to the following exceptions.

We may share your personal data as part of a joint research project. In this case, a formal assessment is undertaken to ensure that:

  • The sharing of data is justified as being necessary and proportionate
  • The sharing activity is governed by a data sharing agreement that includes adequate confidentiality and security clauses and in accordance with your rights, our obligations, and the third party’s obligations under the law. 

If we transfer, or merge parts of our organisation’s assets, your personal data may be transferred to a third party. Any new owner of our organisation may continue to use your personal data in the same ways that we have used it, as specified in this Privacy Notice.

In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.

6. How and where we store your data

6.1. Research data

All research data is stored on our IT systems. It is only accessible by our research teams who are subject to stringent controls.

6.2. Marketing and administration data

We may store or transfer some or all of your personal data to be stored in countries that are not part of the European Economic Area. These are known as “third countries” and may not have data protection laws that are as strong as those in the UK and/or the EEA. In such cases we take additional steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the Data Protection Legislation. These steps include specific contracts that are approved by the European Commission for the transfer of personal data to third countries. These contracts require the same levels of personal data protection that would apply under UK Data Protection Legislation. 

Please contact our DPO at dataprotection@nuffieldtrust.org.uk for further information about the particular data protection mechanism used by us when transferring your personal data to a third country.

7. How to exercise your rights

If you want to know what personal data we hold about you, you can ask us for details of that personal data and for a copy of it. This is known as a “Subject Access Request” (SAR).
All subject access requests should be made in writing via email or post and sent to the email or postal addresses shown in Section 8. Please complete our Subject Access Request Form or send the equivalent information to us in an email to help us to respond as quickly as possible.

There is not normally any charge for a subject access request unless your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests). In such cases a fee may be charged to cover our administrative costs in responding.

We will respond to your subject access request within 30 days. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.
If you wish to object to the processing of your data for a specific purpose or you wish to withdraw consent that you have previously provided to us, please write to the Data Protection Officer at the address given in Section 8, or send an email to dataprotection@nuffieldtrust.org. Please provide us with as much information as you can relating to your request, and include a daytime contact number in case we have any questions.

8. How to contact us

Questions, comments and requests regarding this privacy policy are welcomed. If you want to exercise your rights or request information about our privacy policy you can email us or write to us at the address below.

The Nuffield Trust for Research and Policy Studies in Health Services
59 New Cavendish Street
London, W1G 7LP
Email: dataprotection@nuffieldtrust.org.uk
Telephone: 0207 631 8450

9. Links to other websites

This privacy notice does not cover the links within this site linking to other websites. How other organisations or websites capture, store and use personal information or site visitor information is outside our control. We encourage you to read the privacy statements on the other websites you visit. See our terms and conditions for more information.

10. Changes to this privacy notice

We keep our privacy notice under regular review. Whenever a change occurs, an announcement will be made in the news section of www.nuffieldtrust.org.uk.

11. Resources

The Trust maintains a schedule of relevant data protection resources which can be accessed here.

Back to top
Updated 15/04/2024