This policy should be read alongside and in addition to the following:
- Our Terms and Conditions, which governs the use of our website
- Use of Student Data for Higher Education Students; which sets out in more details on data handling for these students
- Membership Terms and Conditions
2. About Us
We are the Institute of Clinical Science and Technology Limited (ICST).
We are a company incorporated in England and Wales (company number 09300292)
Our registered office is 28 Cathedral Road, Cardiff, CF11 9HB.
3. What is personal data
Your personal data is information which, by itself or with other information available to us, can be used to identify a person directly or indirectly.
Some personal data is categorised as ‘sensitive personal data’ and includes information about race, ethnic origin, political opinions, religious beliefs, mental or personal health, sexual life or orientation, criminal proceedings (either alleged or prosecuted) and membership of a trade union.
We do not consider personal information to include information that has been anonymised or aggregated so that it can no longer be used to identify a person, whether in combination with other information or otherwise.
The collection and use of your personal data is regulated under the UK Data Protection Act 1998 (the Act) and the 2018 General Data Protection Regulations (GDPR) and we process your data in accordance with these regulations as both a data controller and a data processor.
4. How do we collect your information?
We collect information from the following sources:
- Directly from you
- From your employer or other stakeholder if they have contracted us to provide you with our services
- From a third party who has obtained your information and passed it on in full compliance of data protection laws.
- When you access our website to register an account, access the online courses and content, complete any associated actions on an online course, participate in any surveys, submit feedback or make a purchase, we may collect, store and use personal information. We may also ask you for information when you report an error or problem with the website, online courses or content.
- When you register for an account or make a purchase on the website, we ask for your first name, surname and email address. As part of your student profile, you may also provide information on your location and employment that will help other students to get to know you and help us to personalise the service to suit you. We may also ask you about your educational history and qualifications in order to process your eligibility to access some online courses and content. We will also store the results of your assessments relating to online courses and content.
- When you make a purchase, our payment service provider, will also collect and process your credit card or other payment details. If you contact us, we may also keep a record of that correspondence. We may also keep records of your transactional history with us.
- We may collect information to communicate with you via email, SMS or app to communicate messages relating to your membership, online courses or associated products and services we sell.
- We may collect data relating to your visits to the website that cannot identify you but records your use of our website, online courses and content including IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths.
- We may receive information about you from third parties who are legally entitled to disclose that information such as credit reference agencies.
- We may collect information that you post to our website for publication on the internet including your user name, your profile pictures and the content of your posts.
- If you disclose to us the personal information of another person, you must obtain that person’s consent to both the disclosure and the processing of that personal information
5. How long do we retain your data?
We will only retain your personal information for as long as is necessary to fulfil the purposes we collected it for.
To determine the appropriate retention period for the personal information we hold, we consider the amount, nature and sensitivity of the personal information, the risk of harm from unauthorised use or disclosure of your personal information, the reasons why we handle your personal information and whether we can achieve those purposes through other means, and the applicable legal requirements.
We may retain your data for the following reasons:
- In order to establish, exercise or defend our legal rights
- If we believe the documents may be relevant to any ongoing or prospective complaint or legal proceedings
- The purpose of satisfying any legal or accounting requirements
If you require further information about our specific retention periods, please contact us.
6. Ways you can access and control your personal information
Under data protection laws you have legal rights concerning our usage of your personal information, including:
- You have the right to know what personal information we hold on you.
- You have the right to ask us to correct or complete inaccurate or out of date personal information
- You have the right to object to our processing all or part of your personal information.
- Where we are relying on your consent to process data, you have the right to withdraw your consent
- You have the right to object to decisions taken by automatic means without human intervention
- You have the right to request that some elements of your information, such as academic progress, be provided to other organisations.
- You have the right to complain if you are unhappy with our handling of your data.
Please be aware that if you ask us to cease processing all or part of your data, this will impact on your ability to access some of our services. Further, we can only comply if there is no legitimate reason for ICST to continue to process your personal data. You should also note that there will usually be a requirement for ICST to keep a basic student record indefinitely if you have completed an accredited course with us.
We will honour any statutory right you might have to access, modify or erase your personal information. We encourage you to make such a request using our Subject Access Request form which is available on our website.
If you wish to make a complaint, you should first contact our Data Protection Officer via firstname.lastname@example.org. She can invoke our formal complaints procedure if appropriate. You can also submit a complaint to the Information Commissioner’s Office; further details can be found at www.ico.org.uk.
7. How to update or correct your personal information
You can see, review and change most of your personal information by signing in to your ICST account. Please update your personal information immediately if it changes or is inaccurate and notify us at email@example.com
Any research we or our partners, such as universities and other stakeholders, carry out will be conducted in accordance with our Research Ethics guidelines [Ethical Research Guidelines]
Your activities on an Online Course may be used for academic research purposes. This includes the comments you make where you may disclose certain personal information about yourself.
We will never associate your comments, information or other course activity with any of your public user profile information (such as name or profile picture) in the datasets we share with the course provider, it may still be possible to identify you by (a) the content of your comments or (b) finding the actual comment on the Website and seeing the user associated with it.
We confirm that all our course providers who conduct research will never associate your comment or your activity with your user account by method (b) above and will always treat any personal data in strict accordance with data protection laws and the research ethic guidelines.
If a course provider wants to quote a comment you have made in their research, they will identify you and your account only for the purpose of obtaining your permission.
10. International data transfers
Information that we collect may be stored and processed in and transferred between any of the countries in which we operate in order to enable us to use the information in accordance with this policy.
Information that we collect may be transferred to the following countries which do not have data protection laws equivalent to those in force in the European Economic Area: the United States of America, Russia, Japan, China and India.
Personal information that you publish on our website or submit for publication on our website may be available, via the internet, around the world. We cannot prevent the use or misuse of such information by others.
You expressly agree to the transfers of personal information internationally as described.
11. Security of personal information
We will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information.
We will store all the personal information you provide on our secure (password- and firewall-protected) servers.
All electronic financial transactions entered into through our website will be protected by encryption technology.
You acknowledge that the transmission of information over the internet is inherently insecure, and we cannot guarantee the security of data sent over the internet.
You are responsible for keeping the password you use for accessing our website confidential; we will not ask you for your password (except when you log in to our website).
Our data warehouse and servers use the latest technologies and robust procedures to ensure data security and safety. As of June 2018, our servers will be compliant with ISO 9001 and ISO 27001, the highest security and quality assurance standards in the UK for data storage and transmission.
You will be notified through email or the messaging feature on your account of all changes as they occur including the contents of changes and the date(s) they will become effective.
14. Contacting ICST
You can contact us:
- by post, to our registered office 28 Cathedral Road, Cardiff, Wales CF11 9HB
- using our website contact form;
- by telephone, on the contact number published on our website from time to time; or
- by email, using the email address published on our website from time to time.
15. More ways we use your data
We will use your personal data in a variety of ways, depending on your relationship with us. Below you will see some general and specific ways we use your data and the lawful bases on which we are processing it.
General ways we may use your data
- administer our website and business
- personalise our website for you
- enable your use of the services available on our website
- send you goods purchased through our website
- supply to you services purchased through our website
- send statements, invoices and payment reminders to you, and collect payments from you
- send you non-marketing commercial communications
- Send you course-specific communications and updates on online courses and content you have purchased/accessed
- send you email notifications that you have specifically requested
- send you our email newsletter, if you have requested it (you can inform us at any time if you no longer require the newsletter)
- send you marketing communications relating to our business (you can inform us at any time if you no longer require marketing communications)
- tailor our advertising on Google, Bing and social media platforms to your use of the website
- invite you to complete feedback surveys and share your experiences with us
- provide third parties with statistical information about our users (but those third parties will not be able to identify any individual user from that information)
- deal with enquiries and complaints made by or about you relating to our website;
- keep our website secure and prevent fraud; and
- verify compliance with the terms and conditions governing the use of our website (including monitoring private messages sent through our website private messaging service);
- comply with legal and regulatory requirements;
- to allow us and partner institutions to conduct academic research
- to provide third party goods or services through our website.
- If you submit personal information for publication on our website, we will publish and otherwise use that information in accordance with the licence you grant to us.
- Your privacy settings can be used to limit the publication of your information on our website, and can be adjusted using privacy controls on the website through your dashboard.
- We will not, without your express consent, supply your personal information to any third party for the purpose of their or any other third party’s direct marketing.
When you sign up for an ICST account
- When you sign up for an account with ICST, whether or not you have purchased a course or a course has been purchased on your behalf, we collect your name, email address, place of work, job title and phone number.
- We need to collect and handle your personal information in this way to perform the contract for the use of our website and the services we provide.
Where you have spoken to us at an event
- When you speak to us at an event or meeting, we will collect the following information from you: name, address, email address, phone number.
- When we collect this information we rely on your consent to contact you to keep you up to date with our courses, services and membership programme.
So that we can assist you
- When you phone, email or message us using our website portal, we may also handle your personal information (your name, contact details and any other details you provide us with at the time) in order to provide the customer services or support you have requested. This could be when you ask us to confirm when a particular course is available, or to explain more about a course or service we provide. Please be aware that we may record calls for training and monitoring reasons.
- We rely on your consent to handle your personal information in this way, except when we are providing a service you have requested as part of a contract between us. Please keep in mind that if you do not provide us with the personal information we request from you, we may not be able to fully answer your queries.
If you are on one of our Professional Registers
- If you are on one of the public facing Professional Registers we hold for a professional society, e.g. the ARTP National Spirometry Register, we handle your personal information for the legitimate purpose of hosting, managing and administering the register.
- We hold information which will be made available to the public (Name, profession, practice address, and societies identification number) as well as additional information not available to the public such as your personal address and email address.
Where we have obtained your information from a third party
- We sometimes obtain your personal information from a third party provider where you have either consented to them passing on your details to us or where they hold the information for legitimate purposes.
- We collect this information in this way because we have a legitimate interest to promote the success of our business.
If you have signed up for our newsletter, blog or other social media
- If you have opted in to receive marketing communications from us, we will use your name and email address to provide you with marketing communications in line with any preference you have told us about.
- When we send you these communications, we rely on your consent to contact you for marketing purposes.
- Every email sent to you for marketing purposes will also contain instructions on how to unsubscribe from receiving them.
- You are not under any obligation to provide us with your data for marketing purposes.
When you apply for a job with us
- We will collect and handle the data you provide to us on your application and/or CV on the basis of your consent. This includes any application for a tutor role on any programme where we administer the recruitment (eg the ARTP Spirometry programme) or for a role as a member of the ICST faculty. This information may include sensitive or special categories of personal data, such as your race, ethnic origin or information about your health. Where you have provided employment references to us as part of your application, we will contact those referees and ask them to provide a reference about you. As part of this process, we will disclose your name and the fact that you have applied to work with us to your referees. We also use the information you provide to us when applying for jobs to record who is applying for jobs with us and to make sure we are attracting a diverse range of applicants.
- You can withdraw your consent by contacting us at firstname.lastname@example.org, but if you choose to withdraw your consent we will be unable to continue to process your job application.