Privacy Notice

This Privacy Notice explains how the Health Foundation collects, stores, manages and protects your personal data. It outlines the types of data that we hold and how we use them. The Health Foundation takes its responsibilities around the correct collection, use and destruction of the personal data of its various audiences and stakeholders very seriously and is committed to openness and fairness in the handling of Personal Data. We aim to be clear when we collect information about you and not do anything you wouldn’t reasonably expect.

The Health Foundation is the Data Controller (as defined by the Data Protection Act 1998 and all applicable laws which replace or amend it, including the General Data Protection Regulation) who will collect and process your personal data.

Who we are

The Health Foundation is an independent charity committed to bringing about better health and health care for people in the UK.

We are a registered charity (charity number 286967), company number 1714937.

The Health Foundation’s registered address is 90 Long Acre, London, WC2E 9RA.

Our purpose

Our aim is a healthier population, supported by high quality health care that can be equitably accessed. We learn what works to make people’s lives healthier and improve the health care system. From giving grants to those working at the front line to carrying out research and policy analysis, we shine a light on how to make successful change happen.

For more information on the Health Foundation see our website: www.health.org.uk.

What information do we collect about you?

The Health Foundation collects and processes personal data to support all of the aims of the organisation.

In order to provide funding of awards and grants and to commission services in support of our work we may collect and process some or all of the following data about applicants, grant and award holders: 

  • Name, title, gender and date of birth
  • Nationality, Passport number, National Insurance number
  • Personal photo
  • Contact details including postal address, personal email, work email, phone number and links to social media accounts
  • Salary details
  • Occupation, career history, professional qualifications, CV
  • Race and ethnicity
  • Your bank details, where we pay you directly

If you are a member of one of our communities such as Q, a Fellow or Alumni we may collect and process some or all of the following data:

  • Name, title, gender and date of birth
  • Nationality
  • Personal photo and video of events
  • Contact details including postal address, personal email, work email, phone number and links to social media accounts
  • Your occupation, career history and professional activities
  • Records of communications sent to you by us and received from you by us
  • Website use including IP address and your comments and interactions with the community on the website
  • Race and ethnicity
  • Sexual orientation

For managing events, marketing and promoting the work of the Health Foundation we may collect and process the following data:

  • Name, title
  • Postal address
  • Contact details (work email, phone number and links to social media accounts)
  • Personal photo and video of events

Patient Information

As part of our work, we are granted access to patient information to enable us to conduct in-depth analysis in relation to specific projects. This information can include hospital records, GP records, and information on other health and social care services such as care homes and the 111 non-emergency phone number for medical help. We are only able to gain access to this type of data for specific projects and in all cases we are required to adhere to strict data handling procedures – for example, destroying the data when the project is completed.

All the information we hold on patients is pseudonymised, which means that patients are not directly identifiable from the data. Names, addresses and NHS numbers are, in every case, removed from the data we hold before we obtain it. We only hold the information relevant to our analysis, such as hospital use, diagnosis codes and some basic demographic information.

See full notice: http://www.health.org.uk/information-governance-and-data-security-use-patient-information

Sensitive personal data

Sensitive categories of data collected may include race, religion and ethnicity, which are captured to enable us to monitor diversity across the community and award programmes. This information is captured at the point of application and then maintained as anonymised aggregated data. We will always ask for your consent to collect this information and you may refuse to provide the information. You may also withdraw your consent for us to process this information at any stage, though we may already have disposed of the information.

How do we collect the data?

The majority of information we process is obtained directly from you and organisations you work for.

We may also collect information from publicly available sources to keep your information up to date.

We will also obtain your information when we use cookies on our websites (see below).

We may also obtain your personal data through your use of social media such as Facebook, Twitter or LinkedIn depending on your settings or the privacy policies of these social media and messaging services. To change your settings on these services, please refer to their privacy notices, which will tell you how to do this.

Facebook: https://www.facebook.com/help/568137493302217

LinkedIn: https://www.linkedin.com/legal/privacy-policy

Twitter: https://twitter.com/en/privacy

Cookies

When you visit our websites, we use cookies to automatically collect information about how you use our sites.

Cookies are small text files that websites use to store information about things like user preferences. We use cookies on this website to:

  • help make the website easier to use for people with a website account
  • help people share our content via social media
  • help us understand how the site is being used so that we can identify areas that are working well and areas that need improvement.

Our website uses Google Analytics, a service which transmits website traffic data to Google. This does not identify individual users or associate your IP address with other data held by Google. We use reports provided by Google Analytics to help us understand web traffic and webpage usage.

You may refuse the use of cookies by selecting the appropriate settings on your browser, however please note that if you do this you may not be able to use the full functionality of this website.

For more information about cookies, visit the All about cookies website.

How will we use your information?

We use the information you give us to:

  • send you the publications, newsletters and updates that you have subscribed to
  • provide you with the services and the information about our activities and events that you have requested
  • administer any user accounts we set up for you
  • conduct surveys and process your response to any survey you participate in for research, evaluation and statistical purposes
  • analyse and improve the activities and content offered by the Health Foundation website to provide you with the most user-friendly navigation experience. We may also use and disclose information in aggregate (so that no individuals are identified) for marketing and strategic development purposes
  • otherwise communicate with you regarding our aims and activities
  • ensure we do not send unwanted information to stakeholders who have informed us they do not wish to be contacted
  • keep your data up to date
  • implement any instructions you give us with regard to withdrawing consent to send marketing information, or informing us through the Health Foundation Preference Service that you do not wish to receive any marketing information
  • use IP addresses to identify the location of users, to block disruptive use and to establish the number of visits from different countries
  • maintain internal records of your relationship with us
  • fulfil contracts you have entered into with the Health Foundation
  • maintain the knowledge of Health Foundation actions and engagements to understand the long-term effectiveness and impact of these actions on the goals of the Health Foundation.

Marketing communications

When and what do we communicate

The Health Foundation will only contact you for marketing purposes, for example to keep you up to date on our work, where we have your consent or we are otherwise allowed to do so.

We will make it easy for you to tell us if you would like to receive communications from us and hear more about the Health Foundation’s work and the ways in which you would like to receive this information such as email, newsletter or post.

We will not send you marketing material or communications if you tell us that you do not wish to receive it. There are a variety of ways you can do this and these are detailed below.

Where you give us your consent to send you marketing information, you may opt out of this at any time. We review our retention periods for personal information on a regular basis, and we frequently encourage you to update your preferences, so you only receive news and opportunities you would like to hear about. You can update or withdraw your consent at any time.

Other circumstances in which you may receive communications from the Health Foundation

'Soft opt in'

This allows organisations to send communications by email to individuals with whom we have an existing relationship, and where we have identified that we have a legitimate interest in communicating about the Health Foundation, provided they are given the opportunity to opt out at the time of initial communication or engagement. This may be where you have applied for funds or joined one of our communities.

How to control what we send you or request we update your personal information?

The accuracy of your information is really important to us. We want to ensure that we are able to communicate with you in ways that you are happy with, and to provide you with information that is of interest.

If you wish to change how we communicate with you, or update the information we hold, then please contact us:

  • amend your preferences on our website: www.health.org.uk
  • email us at dpo@health.org.uk
  • write to us at: Data Protection Officer, The Health Foundation, 90 Long Acre, London WC2E 9RA
  • Telephone: 020 7257 8000
  • Additionally, you can opt out of marketing emails at any time by clicking the unsubscribe link in any marketing email from the Health Foundation. You can also use the link to update your preferences.

How long will it take for these changes to be effective?

We endeavour to make updates to the marketing preference within:

  • 24 hours from updates to preference on the website or via the link in our email
  • 5 working days from receipt of email, call or letter

Who do we share your information with and why?

The Health Foundation will only use the information within the organisation for the purposes for which it was obtained. We will not, under any circumstances, share or sell your data with any third party for their own purposes, and you will not receive marketing from any other companies, charities or organisations as a result of giving your details to us.

We may share your information with:

  • Third parties who supply services to us or process information on our behalf such as our website developer, event organisers and publishers.
  • Assessors, auditors and regulators as required by legal obligation or internal governance
  • Health Foundation partners and associated organisations
  • Facebook and other Social Media Sites – With your consent, we may also use your email address and phone number to match to your account on Facebook or other social media sites in order to show you Health Foundation content while using these services.

These “data processors” will only act under our instruction and are subject to contractual obligations containing strict data protection clauses. We do not allow these organisations to use your data for their own purposes or disclose it to other third parties without our consent and we will take all reasonable care to ensure that they keep your data secure.

We will share your information if we are required to by law (for example to law enforcement agencies for the prevention or detection of crime, subject to such bodies providing us with a relevant request in writing).

Where do we keep your data?

The Health Foundation maintains all your data within the EU.

Data is only processed by third parties outside of the EU for the provision of services such as:

  • managing events outside of the EU
  • technical service support
  • order fulfilment outside of the EU

Where data is processed outside of the EU the Health Foundation has verified that appropriate safeguards are in place including:

  • Complying with all data protection principles
  • Where possible trying to ensure data is processed in a country that is on the list of countries approved as adequate by the EU
  • If the transfer is to an organisation in the United States of America ensuring that the organisation participates under the auspices of Privacy Shield
  • Ensuring that in all other instances adequate contractual provisions are in place to ensure the protection of the data

How long do we keep your data?

We will hold your personal data in our systems for as long as is necessary for the relevant activity. These purposes are laid out in the section 'How will we use your information?'.

Data related to the application and management of funding applications, awards and grants will be retained for at least seven years after the completion of the programme or engagement.

Financial records will be retained in line with financial law and regulation for at least seven years.

We will keep records of Alumni, Award holders, Fellows and Community members indefinitely. This is to maintain the history of Health Foundation actions and engagements to understand the long-term effectiveness and impact of these actions on the goals of the Health Foundation.

If you request that we stop sending you marketing materials we will keep a record of your contact details to enable us to comply with your request not to be contacted.

How do we protect your data?

We ensure that there are appropriate and operational measures in place to protect your personal data. We have an internal body (Information Management Information Group) with responsibility for Information Governance across the organisation.

We have appropriate technical controls in place to protect your personal data:

  • Our network is protected behind firewalls
  • Anti-virus and anti-malware software is deployed
  • All systems are password protected
  • Our network is monitored by security specialists
  • Network protection is formally tested
  • Mobile and removable devices are encrypted

We have appropriate operational measures in place to protect your personal data:

  • We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff and contractors.
  • Where we use external companies to collect or process personal data on our behalf, we do comprehensive checks on these companies before we work with them, and put a contract in place that sets out our expectations and requirements, especially regarding how they manage the personal data they collect on our behalf, or have access to.
  • We have a robust audit framework in place to ensure internal and external measures and obligations are in place and being maintained.

Your rights relating to your personal data

There are specific rights enshrined in law that you have around your data. These rights are:

  • Informed – you have the right to be informed about what data we hold and for what purpose
  • Access – you have the right to have access to your personal data
  • Rectification – you have the right to have your personal data corrected or removed if it is inaccurate
  • Erasure – you have the right to have your personal data deleted from our systems
  • Restrict processing – you have the right to restrict the processing of your personal data
  • Right of objection – you have the right to object to the processing of your personal data for communications and marketing
  • Portability – you have the right to have your personal data transferred
  • Withdraw consent – where you have provided consent to process your personal data you have the right to withdraw that consent at any time
  • Complain – you have the right to complain to the regulator and/or seek judicial remedy if your data has not been treated in accordance with the law

We will respond to you within one month of receiving a request related to any one of the above rights, unless the number and complexity of the requests made is deemed sufficiently high, in which case we may extend this time by a further two months. We will inform you if we need to make use of this additional time and why we need to do so.

We will not charge you for responding to any of these requests unless it can be demonstrated that you are making an excessive number of repetitive requests or that your request is not based on fact or realistic considerations. In such exceptional cases we may charge you a reasonable fee or choose to refuse your request.

If you disagree with our approach you may raise your concerns with the Information Commissioner’s Office (ICO) https://ico.org.uk/concerns/

To assist us in responding to these requests, we may ask you to verify your identity to make sure we do not give your personal data to the wrong person, update your data with details you did not provide or take action you did not request.

Right to be Informed

The Health Foundation has published this Privacy Notice along with additional notices when we collect personal data from you to explain what personal data we collect and process. We aim to be as open and transparent as possible about how we use your personal data.

Right of Access

You have the right to request a copy of the personal information that we hold about you. If you would like a copy of some or all of your personal data please email us at dpo@health.org.uk or write to Data Protection Officer, The Health Foundation, 90 Long Acre, London WC2E 9RA.

Right of Rectification

It is important to us that the information we hold about you is accurate and up to date. If you believe that the information we hold is inaccurate or incomplete you have the right to ask us to rectify it. If we have passed your data to a third party for processing then we will also contact them to rectify the data. To request the rectification of your data please email us at dpo@health.org.uk or write to Data Protection Officer, The Health Foundation, 90 Long Acre, London WC2E 9RA with details of your request.

Right of Erasure

This is sometimes referred to as the “Right to be forgotten”. You can request that we delete your personal data from our systems if you

  • Believe the data is no longer necessary for the purpose for which it was collected
  • Withdraw your consent (subject to the requirement for us to retain data to process your request)
  • Believe we have processed your data unlawfully
  • Believe we should delete your data to comply with other laws or regulation

We may choose to refuse your request if we believe:

  • We have a legal obligation to keep your data
  • It is required for the legitimate interests and purposes of the Health Foundation
  • It is required for the establishment, exercise or defence of legal claims

To request the erasure of your data please email us at dpo@health.org.uk or write to Data Protection Officer, The Health Foundation, 90 Long Acre, London WC2E 9RA with details of your request.

Right of Restriction

You have the right to ask the Health Foundation to restrict how we process your data. This provides for a temporary halt to processing your data. You may make the request if you believe that

  • We should not process your data whilst we are in discussions with you regarding a disagreement over the accuracy of your personal data, or;
  • We have processed your data in a manner you believe to be unlawful but rather than asking for the erasure of the data you would prefer another course of action to rectify your issue, or;
  • We no longer require the data but you do not wish us to dispose of it as you require it to establish or defend a legal claim

If such a restriction is put in place we shall limit the processing of your data to storage, with the following exceptions:

  • Where the processing is for the establishment, exercise or defence of legal claims
  • We must process it to protect the rights of another person

To request the restriction of processing of your data please email us at dpo@health.org.uk or write to Data Protection Officer, The Health Foundation, 90 Long Acre, London WC2E 9RA with details of your request.

Right of Objection

You have the right to object to the processing of your personal data.

If your data is being used for direct marketing purposes you have the right at any time to stop us from contacting you as outlined in this notice.

If we are processing your data for research or statistical purposes or processing your data based on our legitimate interests you may seek to object to the processing of your personal data.

We may reject your request

  • Where we are processing data for research and statistical purposes where there is a public interest in the continued processing of the data
  • Where we believe we have compelling legitimate grounds for continuing to process your data which outweighs any harm or damage to you through the continued processing of the data
  • Where the processing is for the establishment, exercise or defence of legal claims

To object to the processing of your data please email us at dpo@health.org.uk or write to Data Protection Officer, The Health Foundation, 90 Long Acre, London WC2E 9RA with details of your request.

Right of Portability

The Health Foundation must allow you to obtain and reuse your personal data for your own purposes. This applies to personal data you have provided to us and is processed in our computer systems. You can request that we provide you with a copy of this data in a format that can be read by another person’s or organisation’s computer system.

You have the right to transfer that copy of your data to another organisation or request that we do it for you where it is technically feasible for us to do so.

This right of transfer can be refused where we feel it may adversely affect the rights of another person.

To request the transfer of your data please email us at dpo@health.org.uk or write to Data Protection Officer, The Health Foundation, 90 Long Acre, London WC2E 9RA with details of your request.

Right to withdraw consent

Where we rely on your consent for the processing of your data you have the right to change your mind and withdraw your consent at any time. If you withdraw your consent we must stop processing your data.

To withdraw your consent for processing your data please email us at dpo@health.org.uk or write to Data Protection Officer, The Health Foundation, 90 Long Acre, London WC2E 9RA with details of your request.

Right to Complain

You have a right to complain to the Information Commissioner’s Office (ICO) if:

  • We do not take action on your request within one month of receipt and do not provide you with reasons why
  • You believe that the way we are processing your data is not in keeping with the requirements of the law
  • You believe your rights have been infringed because of the way we have processed your data

Please see the following section for contact information.

How to contact us or raise a concern or complaint

Contacting the Health Foundation

If you have any concerns about how your personal data is being collected and processed, or wish to exercise any of your rights detailed in this Privacy Notice please contact:

The Health Foundation Data Protection Officer

The Health Foundation

90 Long Acre

London

WC2E 9RA

Email: dpo@health.org.uk

Telephone: 020 7257 8000

Contacting the Information Commissioner’s Office

If you have wider concerns about how the Health Foundation manages information or wish to make a complaint please contact the Information Commissioner’s Office (ICO). The ICO can be contacted at https://ico.org.uk/global/contact-us/. Concerns can also be logged via the ICO website https://ico.org.uk/concerns/

Future changes

If our information practices change at some point in the future we will update this policy. If material changes are made to this notice we will notify you by placing a prominent notice on the website and where we communicate with you through digital media.

We keep our Privacy Notice under regular review. This Privacy Notice was last updated on 23 March 2018.