Last updated: 1 March 2019

The ‘Neurology Academy’ is committed to being transparent about the collection, usage and storage of your personal information. This Privacy Notice is designed to comply with your rights under data protection legislation.

It is important that you read this notice so that you are aware of how and why we are using your personal data.

Your key questions answered:

WHO ARE WE?

We are The Neurology Academy Limited of Sheffield, South Yorkshire, S6 2LR.

For any data protection queries contact Mrs Sarah Gillett, Managing Director – sarahgillett@neurologyacademy.org.

Please contact us in the first instance if you have any queries or concerns but you are free to contact the data protection regulator at any time. That is the Information Commissioner’s Office and they can be contacted via ico.org.uk/concerns or by telephoning 0303 123 1113.

There is important information about your rights which we have summarised and explained in the ‘Your Rights’ box below.

WHAT INFORMATION DO YOU COLLECT ABOUT ME?

  • Identity information – first name, last name and any title you  wish us to use.
  • Contact information – work telephone number, mobile telephone number, fax number, email address, alternative email address, work address.
  • Basic professional profile information – job title, current hospital, previous hospital, alternative telephone number for contact hospital, CCT date, whether you have completed a MasterClass project, information about the courses you have attended over the last five years and current course bookings.
  • Financial information – information as to how the course has been paid for and relevant financial data.

HOW WILL YOU USE THE INFORMATION YOU COLLECT ABOUT ME?

We need a legal basis for collecting and using your information.

If we are providing you with training we are entitled to process your information in order to provide that service (contract).

We may need to comply with legal or regulatory requirements (regulatory requirements).

For some purposes, we may need to ask for your permission (consent), such as to send you information that we believe will be of interest to you, such as news items or information of forthcoming courses.

We may also consider, having carefully assessed our business interests, that it would be fair to use your information and not override your rights to privacy to use your information in a particular way, for example to answer necessary queries from our auditors.

  • The main purpose of collecting the information is required information to perform the contract entered into, i.e. course administration and delivery.
  • The secondary purpose is to comply with regulatory requirements by retaining sufficient data for the five years required for continuing professional development (CPD) so that we can provide the Royal College of Physicians with data that you have completed the course, if we are required to do so.
  • Where you consent, we will keep your details in order to provide you with emailed news items or information about course which may be of interest to you.
  • Additionally, we may occasionally use your data for a business need where we have very carefully balanced that need with your privacy rights, such as to supply necessary information to our auditors; or to protect our company’s legal rights.  This is called legitimate interests.

Our email opt-in consent form will need to be completed by you if you wish to subscribe to email updates. You can unsubscribe from this database at any stage and all our updates make this easy for you to do. Our current policy is to review our consents to such contact every five years and check consent with you again, although we reserve our right to amend our policies from time to time.

WILL YOU SHARE ANY OF THE INFORMATION YOU COLLECT ABOUT ME?

  • For the purposes of privacy security and for ease of administration your data is held with DISCOUNTASP.NET. Their privacy and security policy can be read here. We have carefully chosen this database host but would still recommend that you read their privacy notice.
  • For the purposes of course registration and administration, identity and contact details are collected by Google Forms. Please read their privacy policy here.
  • Where you consent to our retaining your data for the purposes of contacting you about items we believe will be of interest, identity and contact information is stored with MailChimp. Please read MailChimp’s privacy policy here.
  • We will not sell, rent or otherwise disclose your information, without your consent.
  • Additionally we will share your information with the following organisations for the following reasons:
    • The speaker and speaker’s administrative team in respect of any course you are booked to attend only so far as that is necessary for the performance of the service we provide and we check that the speakers and any support team comply with privacy legislation;
    • The Royal College of Physicians to demonstrate CPD requirements but only in the event of your consenting. We will ask for your consent at the time of course booking but you are free to revoke that consent at any time during the five years we keep the data;
    • If we are required to do so for any legal or regulatory purpose and in those circumstances only the minimum data we are required to share;
    • Where we are required to do so as part of a contract with any insurance that we hold but again only where necessary to protect our rights, property and interests or that of any other member of our database and only the minimum data that we are required to share;
    • As necessary to protect our rights and interest or the rights of any other user of our services where we believe there is fraud, abuse, misuse or other illegal or unlawful conduct;
    • To protect our rights and interests and those of other users of our services including taking investigative and/or legal and/or regulatory advice; 
    • To third parties who provide services to us such as banks, building societies, processors of credit card information but only to the extent that that is necessary for the purposes of processing relevant financial information. Such organisations are chosen by us with care and are bound by confidentiality agreements with us;
    • To the extent necessary to any auditor or accountant in order to comply with our own legal obligations;
    • We may transfer our database, including personal information to a third party who acquires all or substantially all of the assets or shares in our company whether by merger, acquisition, re-organisation or otherwise.

IF YOU DID NOT OBTAIN MY DATA DIRECTLY FROM ME,
WHAT ADDITIONAL RIGHTS DO I HAVE?

Occasionally we buy data from a trusted third party who provides a legally compliant data licence valid for a short three month period. We carry out appropriate due diligence checks in connection with that data to ensure that we have a legal basis for contacting you. We will comply with our data protection legislation requirements in relation to such data and data has to be securely destroyed within a short period of time after our acquiring it unless we have entered into a separate arrangement with you to enable us to use and retain your data.

WILL MY DATA BE TRANSFERRED OUTSIDE OF THE UK AND, IF SO WHAT SAFEGUARDS ARE IN PLACE?

Our database is currently hosted by DISCOUNTASP.NET. They have been specifically chosen by us as an appropriate provider and we have concluded that the privacy and security arrangements are appropriate. The database is encrypted but it is held outside the EU, in the US. Under data protection law we have to ensure appropriate safeguards where data is transferred outside the EU. The safeguard here is the EU-US Privacy Shield. For more information click here. However, it is important that you read their privacy policy here.

We also collect identity and contact details for the purposes of course registration by Google Forms. Data is therefore held outside the EU but it is minimal identity data and we consider that appropriate safeguards are put in place as GDPR section 13(f) states “(f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.” However, it is important that you read their privacy policy here.

For email contact purposes we currently use MailChimp. Data processed by them is also processed outside the EU, in the US. We are satisfied appropriate safeguards are in place under the EU-US Privacy Shield. For more information click here. However, it is important that you read their privacy policy here.

Please note that we have no control over legal and regulatory bodies and that such bodies will have their own compliance requirements.

HOW IS MY DATA STORED?

In order to prevent unauthorised access, maintain data accuracy and ensure the correct use of information, we have in place appropriate physical, electronic and managerial procedures to safeguard and secure the information we collect. Please see the section above relating to how your data is shared and whether any of your data is transferred outside of the UK.

HOW LONG IS MY DATA KEPT FOR?

We reserve the right to amend our data retention policies from time to time. Currently all data is kept for five years in order to comply with CPD regulatory requirements.  We have in place consent procedures which will enable us to keep certain data longer but only if you consent.

WHAT ARE MY RIGHTS?

Under certain circumstances you have rights under data protection laws in relation to your personal data. You have the right to:

  • Request access to your personal data.
  • Request correction of your personal data.
  • Request erasure of your personal data in certain circumstances.
  • Object to processing of your personal data in some cases.
  • Request restriction of processing of your personal data.
  • Request transfer of your personal data.
  • Right to withdraw consent.

YOUR RIGHTS:

Request access to your personal data (commonly known as ‘data subject access request’).  This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it and to give you an opportunity to request correct, if appropriate. We do not make a charge and will provide this within one month of your request.

Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, although we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no lawful reason for us continuing to process it or where, despite a lawful reason there is no good reason for us continuing to process it in the light of your request. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below) or where we may have processed your information unlawfully or where we accept that we have processed your information unlawfully.  However that we may not always be able to comply with your request for erasure for specific legal reasons which we will notify to you, if applicable, at the time of your request.

Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes.  We operate on the basis of consent for direct marketing and we try to make it as easy as possible to withdraw consent at any stage. Where you object to processing of your personal data, in some cases we may demonstrate that we have compelling legitimate grounds to process your information which overrides your rights and freedoms.

Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:

(a)   If you want us to establish the data’s accuracy;

(b)   Where you believe our use of the data is unlawful but you do not want us to erase it;

(c)   Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or

(d)   You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, the personal data in a structured, commonly used, machine readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you. We currently do not use such automated information.

Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out because you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.