This privacy notice is intended to provide transparency regarding what personal data MEH may hold about you, how it will be processed and stored, how long it will be retained and who may have access to your data.
Personal data is any information relating to an identified or identifiable living person (the data subject). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number or factors specific to the physical, genetic or mental identity of that person, for example.
MEH is the leading provider of eye health services in the UK and a world-class centre of excellence for ophthalmic research and education. We have a reputation, developed over two centuries, for providing the highest quality of ophthalmic care. Our 2,300 staff are committed to sustaining and building on our pioneering legacy and ensuring we remain at the cutting edge of developments in ophthalmology.
What this privacy statement covers
This privacy statement only covers the processing of personal data by MEH that MEH has obtained from data subjects accessing MEH’s education website and from its provision of services and exercise of functions. It does not cover the processing of data by any sites that can be linked to or from MEH’s websites, so you should always be aware when you are moving to another site and read the privacy statement on that website.
When providing MEH with any of your personal data for the first time, for example, when you create an account on MEH’s website or when you enrol in any MEH sponsored training, you will be asked to confirm that you have read and accepted the terms of this privacy statement. A copy of your acknowledgement will be retained for reference.
Why MEH collects your personal data
Personal data may be collected from you when you create an account on our website, book a course with us or attend one of our learning and development opportunities..
Your personal data is collected and processed for the purposes of and in connection with the functions that MEH performs with regard to the provision of learning and development. The collection and processing of such data is necessary for the purposes of those functions.
In connection with training, MEH collects and uses your personal information for the following purposes:
1. To manage your training and programme
2. To quality assure training programmes and ensure that standards are maintained
3. To comply with legal and regulatory responsibilities including revalidation
4. To contact you about training opportunities, events, surveys and information that may be of interest to you
We also collect and use personal information from you so that we can provide education and training to you, to promote our services, to monitor our own accounts and records, to monitor our work, and to report on progress made.
Collection and use of data from website users
When you access MEH’s website, small amounts of information are sometimes placed on your device, including small files known as cookies. These pieces of information are used to improve services for you. For example, we use a series of cookies to monitor website speed and usage, as well as to ensure that any preferences you have selected previously are the same when you return to our website.
Google Analytics for example stores information about what pages you visit, how long you are on the site, how you got here and what you click on. Personal information (e.g. your name or address) is not however collected or stored so this information cannot be used to identify who you are. We do not allow Google to use or share our analytics data.
Full details on the cookies set by Google Analytics are published on the Google website. Google also publishes a browser add-on to allow you to choose that information about your website visit is not sent to Google Analytics.
On a number of pages we use ‘plug ins’ or embedded media. For example, we might embed YouTube videos in pages. The suppliers of these services may also set cookies on your device when you visit the pages where we have used this type of content. These are known as ‘third-party’ cookies. To opt-out of third-parties collecting any data regarding your interaction on our website, please refer to their websites for further information.
MEH as data controller
MEH is the data controller in respect of any personal data it holds concerning trainees in training, individuals employed by MEH and individuals accessing MEH’s website.
Legal basis for processing
The GDPR requires that data controllers and organisations that process personal data demonstrate compliance with its provisions. This involves publishing our basis for lawful processing.
MEH’s legal bases for the processing of personal data as listed in Article 6 of the GDPR are as follows:
• 6(1)(a) – Consent of the data subject
• 6(1)(b) – Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
Please note that not all of the above legal bases will apply for each type of processing activity that HEE may undertake. However, when processing any personal data for any particular purpose, one or more of the above legal bases will apply.
We may seek your consent for some processing activities, for example for sending out invitations to you to training events and sending out material from other government agencies. If you do not give consent for us to use your data for these purposes, we will not use your data for these purposes, but your data may still be retained by us and used by us for other processing activities based on the above lawful conditions for processing.
Information that we may need to send you
We may occasionally have to send you information from MEH. This could include changes to our policies and processes, information about your booked courses, including updates regarding venue and timings, and where relevant, any certificates or evidence of course completion. We may also send out surveys to request feedback and where users have positively opted in, we may send information regarding similar courses or events we think may interest you.
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations, in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
Your data may only be transferred abroad where HEE is assured that a third country, a territory or one or more specific sectors in the third country, or an international organisation ensures an adequate level of protection.
How we protect your personal data
The personal data we hold may be held as an electronic record on data systems managed by MEH or as a paper record. These records are only accessed, seen and used as required and/or permitted by law by staff who need access to personal data so they can do their jobs and other partner organisations under data sharing agreements.
The security of the data is assured through the implementation of MEH’s policies on information governance management.
We make every effort to keep your personal information accurate and up to date, but in some cases we are reliant on you as the data subject to notify us of any necessary changes to your personal data. If you tell us of any changes in your circumstances, we can update the records with personal data you choose to share with us.
We will keep personal data for no longer than necessary, in line with our records management policy, and the NHS records retention schedule within the NHS records management code of practice.
Sharing personal data
We do not routinely share your data with any third parties, and access is restricted only to our employees who have a specific need to access your data in the course of their employment.
We may share information, where necessary, to prevent, detect or assist in the investigation of fraud or criminal activity, to assist in the administration of justice, for the purposes of seeking legal advice or exercising or defending legal rights or as otherwise required by the law.
Right to rectification and erasure
The GDPR extends and strengthens your rights as a data subject. Under the GDPR you have the right to rectification of inaccurate personal data and the right to request the erasure of your personal data. However, the right to erasure is not an absolute right and it may be that it is necessary for HEE to continue to process your personal data for a number of lawful and legitimate reasons.
Right to object
You have the right in certain circumstances to ask MEH to stop processing your personal data in relation to any MEH service. However, the right to object is not an absolute right and it may be that it is necessary in certain circumstances for MEH to continue to process your personal data for a number of lawful and legitimate reasons.
If you object to the way in which MEH is processing your personal information or if you wish to ask MEH to stop processing your personal data, please contact us on the details provided. However, if we do stop processing personal data about you, this may prevent MEH from providing the best possible service to you.
You can access a copy of the information MEH holds about you by writing to us. This information is generally available to you free of charge subject to the receipt of appropriate identification.
The GDPR sets out the right for a data subject to have their personal data ported from one controller to another on request in certain circumstances..
If you want to complain about how we have used your personal data or to know more about how your information will be used, please contact us
Alternatively, you can also contact the Information Commissioner if you have a complaint about our processing of your personal data:
The Office of the Information Commissioner
It is important that you work with us to ensure that the information we hold about you is accurate and up to date so please inform MEH if any of your personal data needs to be updated or corrected.
All communications from MEH will normally be by email. It is therefore essential for you to maintain an effective and secure email address or you may not receive information or other important news and information about your employment or training.
The Trust has Data Protection Officer, who is a dedicated individual responsible for data protection who can be contacted as follows:-
Data Protection Officer
Information Governance Department
Moorfields Eye Hospital NHS Foundation Trust
162 City Road
Tel: 020 7253 3411