Privacy policy

 

May 2018

Protecting your data – how we comply with the General Data Protection Regulation (GDPR)

We take your privacy seriously, and any information we hold about you, whether held on our internal computer network or in written form, is secure and accessible only to authorised PHG Foundation staff. We ensure we have robust measures in place for processing all data in a secure and protected manner.

Purposes for which we process data

We process personal data to enable us to undertake the services we provide to you and to our other clients (individuals, companies and organisations). We use this information to keep you informed about our events, to provide newsletters and updates on what the Foundation is doing.

As an organisation, we also process personal data in relation to our staff (and associated family members), others who provide business services to us and those who visit our offices.

Parties with whom we may share data

We only share personal data with a third party where they are involved in supporting us in maintaining the services we provide you e.g. sending newsletters, invitations to participate in events, or to keep you informed about other activities in support of our mission to ‘Make science work for health’.

As an organisation, we only share data in relation to our employee or business contacts where it is necessary to carry out legitimate business processes such as making payments to suppliers, the payment of salaries and contributions to employee benefits.

What we do to meet the requirements of the GDPR

  • We review our key business functions regularly to check we are processing personal data securely and in accordance with the regulations.
  • We only share data with third parties when there is a clear business need to do so.
  • We work with those third parties to ensure that data is passed to them in a secure manner.
  • We provide staff training to make sure that our people process your personal data safely.
  • We communicate through our website and contracts to ensure people are aware of what we do with their data and how to contact us if they have any queries regarding this.
  • As a part of the University of Cambridge, which provides our IT systems and infrastructure, we are confident that robust measures are in place to protect the data we process. These include hardware safeguards, access controls, solutions for combating spam, malware and viruses, as well as monitoring software and the carrying out of regular tests to check the defences that are in place against a cyber-attack.

Where we use services provided by third parties, we satisfy ourselves that they understand the obligations on them to protect our data and process it in a lawful manner. In some instances, the use of these services will involve the movement of data to and from countries outside the UK and EEA.

How we use your personal information for event organisation

In broad terms, we use your information to manage the event(s) we arrange. The controller for your personal information is the Event Manager. The person responsible for data protection, and for monitoring compliance with relevant legislation in relation to the protection of personal information, is the Business and Operations Manager.

The legal basis for processing your personal information is that it is necessary in order for us to organise events that you will attend and provide resources to you. We will retain your information for the periods stated below unless or until you request us to do otherwise.

We collect and process your personal information for the following purposes:

A. Maintaining clear contact information for the event
We will hold your name, job title, organisation, email address and other relevant details you provide to us, and will use this information to maintain contact with you for the duration of the event organisation. We retain this information in our events records for one year (after the most recent event you have attended) and for six years in our financial records (due to statutory requirements). Where you have not attended an event organised by us, we will retain the details relating to your initial invitation for no more than a year.

B. Obtaining specific personal information for the organisation of the event
To manage the event, we may on occasion require you to provide us with additional personal information relating to the event, such as dietary requirements or specific medical requirements. This may include the provision of sensitive personal information. This information will only be shared with the venue/accommodation provider involved with the event. We will not retain this information for any longer than necessary for the provision of the specific event, which might therefore require you to provide it on successive occasions if attending future events.

We only share personal data with a third party where they are involved in supporting us in organising the event we are delivering, i.e. the venue or accommodation provider. Where we use services provided by third parties, we satisfy ourselves that they understand the obligations on them to protect our data and process it in a lawful manner. In some instances, the use of these services will involve the movement of data to and from countries outside the UK and EEA.

Our Administration Manager and Business and Operations Manager act as our first contacts for any enquiries you may have about how we look after your data, including any concerns you may have. You can contact either by email on [email protected]

You have the right: to ask us for access to, rectification or erasure of your information; to restrict processing (pending correction or deletion); to object to communications or direct marketing; and to ask for the transfer of your information electronically to a third party (data portability). Some of these rights are not automatic, and we reserve the right to discuss with you why we might not comply with a request from you to exercise them. You retain the right at all times to lodge a complaint about our management of your personal information with the Information Commissioner’s Office at https://ico.org.uk/concerns/