Privacy policy and cookies

The Nuffield Trust for Research and Policy Studies in Health Services is committed to protecting and respecting your privacy. This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.


Published: 02/10/2018

An overview of this privacy notice, including legal references is available here.

This privacy notice tells you what to expect when the Nuffield Trust collects personal information.

Visitors to our websites

When someone visits our website we use third party services, Google AnalyticsGoogle Tag Manager and Hotjar, to collect internet log information, including IP addresses, to analyse how people use the site, for example, details of visitor behaviour patterns such as the number of visitors to the various parts of the site. This information is only processed in a way which does not directly identify anyone. We do not make, and do not allow Google or Hotjar to make, any attempt to find out the identities of those visiting our website and we will not associate any data gathered from this site with any identifying information from any source.

QualityWatch is a partnership project between the Nuffield Trust and the Health Foundation, and as such information submitted directly to or to a QualityWatch email address may be shared by both organisations.

If we do want to collect personal information through either of our websites, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it and who we will share it with (if applicable).

The Trust will only receive personal information when it has been provided explicitly by a website visitor, for example, when signing up to our newsletter, filling in a feedback form, sending the Trust an email or when posting on a public forum. However, because of how Internet protocols work, some information is automatically broadcast, captured and recorded - there is no way around this. For example, the Internet requires that a user's IP address is given in order to establish communication. An IP address may be the address of your router, your Internet Service Provider (ISP) or your company's proxy server.

Server log information may be used to investigate any actual or suspected abuse of this website. Specific IP address information will only be revealed as part of formal investigations.

Use of cookies by the Nuffield Trust

You can read more about how we use cookies on our Cookies page.

Website management and search engine

We use a third party provider, Soapbox, to manage and host our website. Soapbox do not receive any personal information unless you explicitly provide information to them.

The website captures requests made to the site for performance and debugging purposes, as well as being used to spot hacking attempts and issues in the system. This information includes username (if logged in) and the IP addresses of visitors to the website. This information is only retained for as long as necessary and as specified in the ‘overview’ section of this page.

Search queries and results are logged anonymously to help us improve our website and search functionality. No user-specific data is collected by either the Trust or any third party.

Soapbox uses webs servers that are based in the UK and all information will be stored on the web server that the user has visited. For more information, please see Soapbox’s privacy statement.

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential in line with our Acceptable Use Policy.

Comments sections

We use a third party service, Disqus to provide the comments section of our websites. Disqus requires visitors that want to post a comment to enter a name and email address. For more information, please see Disqus’s privacy statement.

Restrictions on what can be posted are provided in our ‘Comments Policy’ and in relevant 'Posting Guidelines'.

The Nuffield Trust reserves the right to remove any message from a Trust public forum and investigate cases of system abuse where the posting guidelines have been breached. In serious cases, this may mean passing information to the relevant authorities.

Remember that publicly posted information can be captured by third parties who are not associated with the Trust. Therefore site visitors post their details on public forums at their own risk and the Trust cannot guarantee the complete removal of information posted publically.

People who contact us via social media

We use a third party provider, Hootsuite to manage our social media interactions.

If you send us a private or direct message via social media the message will be stored by Hootsuite for three months. It will not be shared with any other organisations. For more information, please see Hootsuite’s privacy statement.

People who email us

Any email sent to us, including any attachments, may be monitored and used for the organisation’s legitimate interests of security and monitoring compliance with the organisation’s policy. Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our email system; any email sent to the Trust is therefore sent at your own risk. Once we have received your information, we will use strict procedures and security features to prevent unauthorised access.

Please be aware, we cannot accept file attachments that are larger than 10MB. If you're sending more than one email, please indicate this in the subject line.

When you email us; the message will only be used to answer your query. In any case email messages will only be stored by the Trust for as long as necessary for legal, tax or regulatory reasons or for legitimate and lawful business purposes and in line with our retention schedules.

Emails sent by our staff are intended for the named recipient(s) only and may contain privileged and confidential information. If you receive an email and are not the intended recipient you must not copy, distribute or take any action in reliance on it. If you receive an email in error please notify the sender immediately and permanently and securely delete the message from your system.

People who call us

When you call the Nuffield Trust we collect Calling Line Identification (CLI) information (Caller ID). We may use this information to investigate abuse. This information will be retained by the Trust for a period of 12 months. We do not pass this information on to any third parties and do not collect or retain any other data or record calls.

People who submit comments via a feedback form

We use a third party provider, Hotjar, to manage our feedback forms. Information submitted via a feedback form is logged for statistical purposes. Information may also be immediately processed and emailed to a relevant member of staff to review and/or action the feedback. For more information, please see HotJar’s privacy statement.

Where feedback contains personal information it will be treated with the strictest confidence and will not be passed on to any unauthorised parties without the express consent of the original sender. Feedback will be anonymised before being used for statistical purposes or being published.

Where you provide personal information to the Trust, it will only be used for the service you requested, for example when asking for information or giving feedback. Identifiable information will be retained for no longer than 2 years. We will not pass your details to any third party unless the law requires us to.

People who subscribe to our newsletter

The Trust offers various services to the public including regular updates and newsletters. We have to hold the details of anyone who opts to receive relevant information from us in order to provide it. However, we only use these details to provide the service the person has requested and for other closely related purposes, for example, we might use information about newsletter subscribers to carry out a survey to find out if they are happy with the level of service they received or to provide you with information about events which may be of interest to you. When people do subscribe to our services, they can cancel their subscription at any time and are given an easy way of doing this in each email we send. We use a third party provider, Campaign Monitor, to manage our newsletter subscriptions but we will not sell or pass on your details to any other third parties unless the law requires us to. We may, however, use trusted third parties under contract to carry out analysis and cleansing of data on our behalf.

If you wish to unsubscribe and/or do not want us to use your data in this way you can unsubscribe by clicking the link included in each email we send or by emailing us directly.

Campaign Monitor allows us to gather information around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our e-newsletter. For more information, please see Campaign Monitor’s privacy statement.

People on bought in marketing lists

We use a third party provider, Binley’s, to supply a list of corporate NHS contacts. This data is used to send professionally relevant information to the intended recipient in their current role. We use Campaign Monitor to facilitate disseminating relevant information but we will not sell or pass on your details to any other third parties unless the law requires us to.

All recipients can opt out from communications from the Nuffield Trust at any time and are given an easy way of doing this in each email we send. If you wish to unsubscribe and/or do not want us to use your data in this way you can unsubscribe by clicking the link included in each email we send or by emailing us directly.

Recipients wishing to update their preferences in relation to information shared by Binley’s should contact them directly. More information is available in Binley’s privacy statement.

Job applicants, current and former employees, interns, contractors and Trustees

When individuals apply to work at the Nuffield Trust, in whatever capacity, we will only use the information they supply to us to process their application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference, obtain a ‘disclosure’ from the Disclosure and Barring Service (DBS) (previously the Criminal Records Bureau (CRB)), or share information with educator and examining bodies and/or employment and recruitment agencies we will not do so without informing you beforehand unless the disclosure is required by law.

Personal information about all candidates will be held for 12 months after the recruitment exercise has been completed; it will then be destroyed or deleted. We retain anonymous statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.

Once a person has taken up employment or temporary work at the Nuffield Trust, we will create a file relating to their work for the Trust. The information contained in this file will be kept secure and will only be used for purposes directly relevant to that person’s work for the Trust. Once their employment or other contract with the Trust has ended, we will retain the file in accordance with the requirements of our retention schedule and then securely delete it.

Representatives, contributors, collaborators and peers

When organisations or individuals collaborate with us we will only use the information they supply, which may include names and contact details, for the purpose of the collaboration, for example administration of meetings, or in the case of report authors, for acknowledging the contribution, which may include, with the individual’s consent, publishing the individuals name in on-line reports.

People who attend our events

We use a third party service, Eventbrite, to manage our event registrations. Eventbrite requires visitors that want to register for an event to enter a name and email address. When individuals apply to or attend an event organised by the Trust we use this information to contact you about the event and other closely related events that may be of interest. For more information please see Eventbrite’s privacy statement.

Suppliers of goods and services

When companies provide goods or services we will only use the information they supply, which may include names and contact details for individuals, to maintain our working relationship and contractual arrangements. This may include monitoring of the service and levels of service provided to the Trust.  

Complainants and enquirers

When we receive a complaint from a person we create a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We may compile and publish statistics showing information on the number of complaints we receive, but not in a form which identifies anyone.

We will endeavour to keep the complainant’s identity strictly confidential. If a complainant doesn’t want information identifying him or her to be disclosed to staff involved in the complaint, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for two years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.

Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.

Research participants

Personal information is processed in order to undertake research including, but not limited to research relating to health and social care. For this reason the information processed may include name, contact details and family details (unless de-identified) as well as lifestyle and social circumstances and physical or mental health details as detailed below.

See a table of the national and/or regional datasets (including  users of NHS hospital services de-identified data) that we make use of here.

Other research participants

The Nuffield Trust conducts qualitative research – primarily interviews, focus groups and surveys – as part of policy research projects. The purpose is to either evaluate a particular health service, gain expert opinion in a particular policy area or understand service user experience and/or attitudes. The majority of the data we collect is from professionals, rather than service users and this includes data collected from key stakeholders (privacy details for which are provided in the ‘Representatives, contributors, collaborators and peers section’ of this statement).

We record formal interviews and focus groups on dictation devices and use a third party provider to write up transcripts. Recordings may include interviewees’ name, job title and organisation. It may also include patient information including name and their experience/attitudes – e.g. experience of using a particular health service or technological application, attitudes towards sharing data etc.

All participants in these interviews and focus groups are given a bespoke information sheet which sets out the purpose of the particular project, how their data will be collected, analysed and stored, and how long we will keep it for. Participant’s involvement is completely voluntary and all participants are informed prior to recordings taking place. If we would like to name participants in a published report, we ask for express consent. Service users are never named. Participants are also given contact details to ask for further information about the project or the data collection exercise, before it takes place.

Data is saved securely on Nuffield Trust servers, and will be held for the minimum retention period of 2 years following the end of the project. Any data held after this time is subject to a formal benefit and risk assessment.

We also use a third party service, Survey Monkey, to carry out user surveys. For more information please see Survey Monkey’s privacy statement.

How to make a complaint

The Nuffield Trust tries to meet the highest standards when collecting and using personal information. For this reason, we take any such complaints very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of the Trust’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this or any specific questions or objections in relation to the use of your information in the ways which have been described should be sent to the Trust at the address detailed in the ‘How to contact us’ section below.

We would also encourage you to contact us if you are unhappy with any aspect of the way in which we deal with a request for information we hold about you. In the first instance you should complain by contacting the Trust. If you are not content with the outcome of your complaint, you may apply directly to the Information Commissioner for a decision. The Information Commissioner can be contacted at:

The Information Commissioner’s Office
Wycliffe House
Water Lane
Cheshire, SK9 5AF
Telephone: 0303 123 1113

If you disagree with the Information Commissioner’s decision and feel we have failed to disclose information without good reason you may apply to a Court for disclosure.

Access to personal information

The Trust tries to be as open as it can be in terms of giving people access to their personal information.

You have the right to access information held about you. Your right of access can be exercised at any time by contacting the Trust at the address detailed in the ‘How to contact us’ section below. This would include information relating to employment and training or anything which is limited to you as a person whether as a research participant, employee or partner of any kind.

If we do hold information about you we will:

  • give you a description of it;
  • tell you why we are holding it;
  • tell you who it could be disclosed to; and
  • let you have a copy of the information in an intelligible and portable form. There are some exceptions to this and we may refuse access where by providing access, we would reveal information which relates to and identifies another person unless that person has given consent. We will normally be able to provide your records with any such information removed and we would inform you if this is the case.
  • we will not usually charge a fee and will aim to respond promptly and in any case within one month of receiving your request.

To make a request to the Trust for any personal information we may hold you need to put the request in writing and provide adequate information to verify your identity and enable your records to be located (for example full name, address, date of birth, etc.).

If you have any difficulty in completing a request for information we hold about you, please contact the Trust for assistance.

If we do hold information about you, you can ask us to correct any mistakes. If you become aware of information about you that is out of date, please notify us as soon as possible.

You also have the right to ask us not to process your personal data. You can exercise your right to prevent such processing at any time by contacting the Trust at the address detailed in the ‘How to contact us’ section below.

Please note that for the patient information we hold that is de-identified/pseudonymised certain rights are affected. Please see the ‘National and/or regional datasets including users of NHS hospital services (de-identified data)’ section of this page for more details.

Maintaining data security

Please see our Information Security page for details of how we keep your data secure.

Disclosure of personal information

Only authorised individuals working for or on-behalf of the Trust have access to information unless otherwise specified in this privacy notice. We will not disclose personal data to any other third parties without your permission unless:

  • there are exceptional circumstances, such as if the health and safety of others is at risk;
  • we are under a duty to disclose or share your data in order to comply with any legal obligation. This may include disclosures to the courts, police forces or local and central government;
  • in order protect the Trust’s legitimate interests to enforce or apply our terms and conditions and other agreements; or to protect the rights, property, or safety of the Trust, our contacts, or others. This may include disclosures to professional advisors, auditors and audit bodies, financial organisations and/or legal representatives;
  • the disclosure is to third parties working under contract to the Trust and acting as a data processor for the Trust. These companies are required to only process information in line with our instructions, for example Soapbox, Torchbox, HotJar and Campaign Monitor.

Please contact us if you would like further information on:

  • agreements we have with other organisations for sharing information;
  • factors we shall consider when deciding whether information should be disclosed and circumstances where we can pass on personal data without consent for example, to prevent and detect crime and to produce anonymised statistics;
  • our instructions to staff on how to collect, use and delete personal data; and
  • how we check that the information we hold is accurate and up to date.

This privacy notice does not cover the links within this site linking to other websites. How other organisations or websites capture, store and use personal information or site visitor information is outside our control. We encourage you to read the privacy statements on the other websites you visit. See our terms and conditions for more information.

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 02 May 2018. This statement is subject to change at any time. Whenever a change occurs, an announcement will be made in the news section of

How to contact us

Questions, comments and requests regarding this privacy policy are welcomed. If you want to request information about our privacy policy you can email us or write to us at the address below.

The Data Controller, responsible for keeping your information secure in relation to the above services is:

The Nuffield Trust for Research and Policy Studies in Health Services
59 New Cavendish Street
London, W1G 7LP

Telephone: 0207 631 8450


*the ICO’s privacy notice has been used and adapted under open governance license to draft this notice in an attempt to follow their lead as the regulator for Data Protection in the UK.