Healthcare Learning is an EdTech company and a leading provider of education for healthcare professionals around the world.
Healthcare Learning is a limited company with the registration number: 03702400.
Healthcare Learning is committed to protecting your privacy.
The General Data Protection Regulation (GDPR) is a new EU legal framework for data protection. The GDPR will apply to all member states from the 25th May 2018.
The Regulation will replace our current UK Data Protection Act 1998, introduce greater protections for personal data and bring data protection law into the digital age. The GDPR introduces some new obligations for organisations that collect, use, share and store personal data.
This Policy explains when and why we collect personal information, how we use it, the conditions under which we may disclose it to others, and how we keep it secure.
We may change this Policy from time to time so please check this page occasionally to ensure that you are happy with any changes. By using our website, you are agreeing to be bound by this Policy.
Any questions regarding this Policy and our privacy practices should be sent by email to: email@example.com or by writing to: Healthcare Learning, Baird House, 15-17 St. Cross Street. Alternatively, you can telephone: 020 7400 8989.
2. Lawful Basis for Processing
Under EU data protection law, there must be a lawful basis for all processing of personal data (unless an exemption or derogation applies):
- Legitimate interests
- Contractual necessity
- Compliance with legal obligations
3. What Personal Data Do We Collect?
We collect information about you when you register with us or place an order for products or services. We also collect information when you voluntarily complete customer surveys, provide feedback and participate in competitions. Website usage information is collected using cookies.
We may collect information from you, such as:
- Telephone number
- Email address
- Date of birth
- Marital status
- Work experience
- Professional registration number (if relevant)
- Proof of identification (if relevant)
- Proof of qualifications (if relevant)
- Feedback and testimonials of our courses
- Photographs at events
- Criminal convictions
- IP address
- Payment details (if relevant)
- Ethnicity (if relevant)
- Special needs (if relevant)
- Immigration status (if relevant)
- Medical details (if relevant)
4. How Will We Use the Information?
We collect information about you to process your order, provide our services and, if you agree, to email you about other services we think may be of interest to you.
We use your information collected from the website to personalise your repeat visits to our website. Healthcare Learning will not share your information for marketing purposes with other companies.
We may process your information as follows:
- Send you details about our products and services
- Process orders you have made
- Register you on a course or service
- Send you information about the course or service you have signed up for
- Seek views or comments about the services we provide
- Send communications you have requested and that may be of interest
- Process a grant or job application
- Use your feedback and photos taken at events for marketing purposes
5. Who will the information be shared with?
In order to provide certain services, we will be obliged to share your information with third parties in the following circumstances:
- University or awarding-bodies
- With third-party education, distribution and accounting services
In each of these circumstances we have contacted the organisations and obtained a copy of their GDPR compliant policies.
For more detailed information please contact us.
We would like to send you information about our products and services and other companies in our group, which may be of interest to you. If you have consented to receive marketing, you may opt out at a later date.
We also may ask to share your information with relevant third-party organisations such as sponsors of a learning event. We will always ask your permission before doing this and give you the option to opt out at a later time.
You have a right at any time to stop us from contacting you for marketing purposes.
If you no longer wish to be contacted for marketing purposes, please let us know by emailing us here: firstname.lastname@example.org or by writing to: Healthcare Learning, Baird House, 15-17 St. Cross Street, London, EC1N 8UW. Alternatively, you can telephone: 020 7400 8989.
7. Access to Your Information and Correction
You have the right to request a copy of the information that we hold about you. If you would like a copy of some or all of your personal information, please let us know by emailing us here: email@example.com or by writing to: Healthcare Learning, Baird House, 15-17 St. Cross Street, London EC1N 8UW. Alternatively, you can telephone: 020 7400 8989.
We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information that you think is inaccurate.
Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity.
You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.
Healthcare Learning Data Protection Policy
Healthcare Learning is an EdTech company and a leading provider of education for healthcare professionals around the world.
Healthcare Learning is a limited company with the registration number: 03702400.
This Policy explains when and why we collect personal information, how we use it, the conditions under which we may disclose it to others and how we keep it secure.
Healthcare Learning needs to collect and maintain certain information about its employees, students and other users of its services to allow it to monitor, for example, performance, achievements, and Health and Safety.
It is also necessary to process information so that employees and students can be recruited; employees paid, courses organised, external funding secured and legal obligations to funding bodies and government complied with.
Accordingly, data may be collected, not only from and about actual employees, students and service users, but also from and about a wide range of individuals having or contemplating dealings with Healthcare Learning; including employees and students, individuals involved in fund-raising and other individual stakeholders.
In order to ensure that information is collected and used fairly, stored safely and not disclosed to any other person unlawfully and that employees or others who process or use any personal information ensure that they follow the Data Protection Principles set out below; Healthcare Learning has adopted this Information and Data Protection Policy.
We may change this Policy from time to time so please check this page occasionally to ensure that you are happy with any changes. By using our website, you are agreeing to be bound by this Policy.
Any questions regarding this Policy and our privacy practices should be sent by email to: firstname.lastname@example.org or by writing to: Healthcare Learning, Baird House, 15-17 St. Cross Street, London, EC1N 8UW. Alternatively, you can telephone: 020 7400 8989.
Healthcare Learning has appointed the CEO as the Data Protection Controller (DPC) who will endeavour to ensure that all personal data is processed in compliance with this Policy.
2. Policy Statement
Healthcare Learning will ensure that information is collected and used fairly, stored safely and not disclosed to any other person unlawfully. Whenever collecting information about people Healthcare Learning will therefore comply with the Data Protection Principles, which are set out in the General Data Protection Regulation (GDPR) and require that personal data shall be:
a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
3. Lawful Basis
In ensuring that personal data are processed lawfully, Healthcare Learning will only process data under one of the six lawful bases for processing set out in Schedule 6 of the GDPR:
- Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
- Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
4. Individual’s Rights
Healthcare Learning recognises that individuals have the following rights:
a) the right to be informed of the information Healthcare Learning holds on them in a concise, transparent, intelligible and easily accessible way. Healthcare Learning will typically make this information available through a Privacy Notice;
b) the right of access to their personal data and supplementary information, and to be aware of and verify the lawfulness of the processing;
c) the right to rectification of their personal data if it is inaccurate or incomplete;
d) the right to request the deletion or removal of personal data where there is no compelling reason for its continued processing;
e) the right to ‘block’ or suppress processing of personal data;
f) the right to data portability: to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability;
g) the right to object to: processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics; and
h) the right not to be subject to a decision when it is based solely on automated processing and produces a legal effect or a similarly significant effect on the individual.
In interpreting the Data Protection Principles and in making judgments on specific matters, Healthcare Learning will take account of the most recent guidance issued by the Information Commissioner’s Office (ICO).
5. Policy Objectives
To ensure that Healthcare Learning adopts best practice and compliance with legal requirements in its collection, processing and storage of personal data.
6. Scope of Policy
The policy applies to all employees, students and other users of Healthcare Learning’s services. This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by Healthcare Learning from time to time. Any breach of the General Data Protection Regulation or this policy will be considered to be an offence and in that event, Healthcare Learning disciplinary procedures will apply.
As a matter of good practice, other agencies and individuals working with Healthcare Learning and who have access to personal information will be expected to have read and to comply with this policy.
Employees who deal with external agencies will take responsibility for ensuring that such agencies sign a declaration agreeing to abide by this policy and detailing for how long it has been agreed that any data should be retained. Details of the declaration must be entered on a register to be held by Healthcare Learning’s Data Protection Controller.
Any employee or student (or former employee or student) or other individual who considers that the policy has not been followed in respect of the personal data held about them, should initially raise the matter with the Data Protection Controller. If the matter is not resolved it should be raised as a formal grievance or complaint.
7. Practical Implementation
All Employees Are Responsible For:
a) checking that any information that they provide to Healthcare Learning in connection with their office or employment is accurate and up to date;
b) informing Healthcare Learning of any changes to the information which they have provided e.g. changes of address, next of kin, bank details etc.;
c) checking the information that Healthcare Learning will send out from time to time, giving details of information kept and processed about them;
d) informing Healthcare Learning of any errors or changes; and
e) ensuring that they abide by Healthcare Learning Information Systems Acceptable Use Policy.
Healthcare Learning cannot be held responsible for any errors unless the individual has informed Healthcare Learning of them.
If and when, as part of their responsibilities, employees collect information about other people they must comply with the guidelines for employees. In particular they are responsible for ensuring that:
- any personal data that they hold are kept securely;
- when personal data need to be transmitted, internally or externally, they are transmitted securely; and
- personal information is not disclosed either orally or in writing or accidentally or otherwise to any unauthorised third party. Employees should note that unauthorised disclosure will usually be a disciplinary matter, and may be considered gross misconduct in some cases.
Personal Information Must:
- be kept in a locked filing cabinet; or
- be kept in a locked drawer; or
- if it is computerised, be password protected; or
- be kept only on electronic media which are themselves kept securely.
Managers Must Ensure That:
- all personal data processed within or by members of their curriculum or professional service team are processed according to the Data Protection Principles outlined above;
- privacy notices have been adequately communicated to those whose data are collected, stored or processed;
- consent has been duly obtained where it forms the lawful basis for processing the data;
- individuals have been made aware of their rights under the GDPR;
- any third parties who are commissioned to process personal data on Healthcare Learning’s behalf are engaged under a written contract which includes those terms required under the GDPR as set out in guidance issued by the Information Commissioner’s Office;
- privacy and data protection is a key consideration in the early stages of any project, and then throughout its lifecycle. In planning projects, managers must ensure the principles of “privacy by design” are observed and where required a Data Protection Impact Assessment is undertaken in conjunction with the Data Protection Controller; and
- that any breaches of personal data are immediately notified to the Data Protection Officer who will investigate accordingly and where necessary notify the Information Commissioner’s Office.
Students must ensure that all personal data provided to Healthcare Learning are accurate and up to date. They must ensure that changes of address, etc. are notified to the Student Services Team.
Students who use Healthcare Learning computer facilities may, from time to time, process their own personal data. If they do so they must ensure that they comply with Healthcare Learning’s IT Systems Acceptable Use Policy.
Data Subject Rights
Data Subjects (those individuals about whom Healthcare Learning has information on its records) have rights regarding data processing, and the data that are recorded about them, as set out above. Employees, students and other persons from or about whom Healthcare Learning has collected personal data therefore have the right to access any personal data that are being kept about them or to receive notification of the information currently being held about them either on computer or in relevant files.
Any person who wishes to exercise this right should submit their request to the Data Protection Controller. Healthcare Learning aims to comply with requests for access to personal information as quickly as possible, and will ensure that it is provided within one month unless requests are complex or numerous.
If this is the case, Healthcare Learning will inform the individual within one month of the receipt of the request that it needs to extend the period of compliance by a further two months, and will explain why the extension is necessary. Healthcare Learning reserves the right to charge a reasonable fee, taking into account the administrative costs of providing the information, where requests are manifestly unfounded or excessive, in particular because they are repetitive. In exceptional circumstances Healthcare Learning may exercise its right to refuse to respond but will explain why to the individual, at the latest within one month, informing them of their right to complain to the supervisory authority and to a judicial remedy.
Healthcare Learning will ensure that personal data are not disclosed to unauthorised third parties (including family members, friends, government bodies or the Police) except in the circumstances set out in Part 4 of, and Schedule 7 to, the Data Protection Act 1998 and listed below in which personal data may legitimately be disclosed. Personal data may be legitimately disclosed where one of the following conditions applies:
a) the individual has given their consent (e.g. a student/employee has consented to Healthcare Learning corresponding with a named third party);
b) the disclosure is in the legitimate interests of Healthcare Learning (e.g. personal information can be disclosed to other Healthcare Learning employees if it is clear that those employees require the information to enable them to perform their jobs);
c) Healthcare Learning is legally obliged to disclose the data; or
d) disclosure of data is required for the performance of a contract (e.g. informing a student's employer or sponsor of course changes/withdrawal etc).
The Act permits certain disclosures without consent so long as the information is requested for one or more of the following purposes:
- to safeguard national security;
- prevention or detection of crime including the apprehension or prosecution of offenders;
- assessment or collection of tax duty;
- discharge of regulatory functions (includes health, safety and welfare of persons at work);
- to prevent serious harm to a third party;
- to protect the vital interests of the individual (this refers to life and death situations).
Sometimes it is necessary to process information about a person's health, criminal convictions, race, gender or family details. This may be to ensure that Healthcare Learning is a safe place for everyone, or to operate other Healthcare Learning policies, such as the Sick Pay Policy or Equality and Diversity Policy.
Healthcare Learning may also ask for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes. Healthcare Learning will only use such information in the protection of the health and safety of the individual. Because this information is considered sensitive, and it is recognised that the processing of it may cause particular concern or distress to individuals, employees and students will be asked to give express consent for Healthcare Learning to do this. All prospective employees and students will therefore be asked to provide consent for Healthcare Learning to process data, regarding particular types of information when an offer of office or employment or a course place is made. A refusal to sign such a form will result in the offer being withdrawn.
Students who have no outstanding payment of course or assessment fees will be entitled to information about their marks or grades for both coursework and examinations. This may take longer than other information to provide, but will normally be available within 28 days, dependent on when the relevant awarding organisation furnishes Healthcare Learning with the information. Where students have outstanding course or assessment fee payments due, Healthcare Learning may withhold certificates, accreditation or references until the full course fees have been paid, or all books and equipment returned to Healthcare Learning.
Retention and Disposal of Data
Healthcare Learning will normally keep personal information only for as long as it is required to retain it for legal or other statutory reasons or as required by the funding or examination body or to meet its responsibilities as an employer (e.g. information regarding pensions, taxation, potential or current disputes or litigation regarding the employment) or education provider. A schedule of retention for different categories of personal information will be maintained by the Data Protection Controller.
Personal data will be disposed of in a way that protects the rights and privacy of data subjects (e.g. shredding, disposal as confidential waste, secure electronic deletion).
In order to ensure the protection of personal data held electronically, staff and students are required to adhere to Healthcare Learning’s IT Systems Acceptable Use Policy. Breaches of this policy where they concern misuse of personal data will be treated as a disciplinary matter.
Healthcare Learning’s Management Team are responsible for ensuring that there are appropriate and adequate security measures in place including, as part of Healthcare Learning’s Business Continuity arrangements, an IT Recovery Plan.
Should there be a breach of security Healthcare Learning will notify any individuals whose personal data may have been disclosed to a third party as a result of the breach and will consider whether the breach warrants reporting to the Information Commissioner’s Office under the ICO’s Guidance on Notification of Data Security Breaches.
8. Communication and Training
The policy will be communicated to staff and students through Healthcare Learning’s website and internal communication services.
9. Review and Monitoring of Policy
The Information and Data Protection Policy will be reviewed biennially. The Senior Management Team is responsible for monitoring the implementation of the Policy via reports from the Data Protection Controller and relevant members of the Management Team.
Annex 1 Employee Guidelines for Data Protection
1. Many employees will process data about students on a regular basis, when marking registers or Healthcare Learning work, writing reports or references, or as part of a pastoral or academic supervisory role. Other employees may need to process data about fellow members of staff or other individuals. Healthcare Learning will ensure, through registration and recruitment procedures that all students give their consent to such processing, and are notified of the categories of processing, as required by the 1998 Act. The information that employees deal with on a day-to-day basis will be 'standard' and will cover categories such as:
- general personal details such as name and address;
- details about attendance, or about course work marks, grades and associated comments or performance at work; and
- notes of personal supervision, including matters about behaviour and discipline.
2. Information about an individual’s physical or mental health; sexual orientation; political or religious views; trade union membership or ethnicity or race is sensitive and can only be collected and processed with the student’s consent. If employees need to record this information where agreed Healthcare Learning policies and practices require or encourage the sharing of this information, they should use Healthcare Learning standard forms and templates.
3. All employees have a duty to make sure that they comply with the Data Protection Principles, which are set out in the Healthcare Learning Information and Data Protection Policy. In particular, employees must ensure that records are: (a) accurate; (b) up-to-date; (c) fair; and (d) kept and disposed of safely, and in accordance with Healthcare Learning policy.
4. Employees must not disclose personal data relating to any individual to any student, unless for normal academic or pastoral purposes, without authorisation or agreement from the Data Protection Controller, or in line with Healthcare Learning policy.
5. Employees must not disclose personal data relating to any individual to any other employee except with the authorisation or agreement of the Data Protection Controller, or in line with Healthcare Learning policy.
6. Before processing any personal data, all employees should consider the following checklist:
- Do you really need to record the information?
- Is the information 'standard' or is it 'sensitive'?
- If it is sensitive, do you have the data subject's express consent?
- Has the data subject been told that this type of data will be processed?
- Are you authorised to collect/store/process the data?
- If yes, have you checked with the data subject that the data are accurate?
- Are you sure that the data are secure?
- If you do not have the data subject's consent to process, are you satisfied that it is in the best interest of the student or the employee to collect and retain the data? Have you reported the fact of data collection to the authorised person within the required time?