What is the purpose of this document?
The Foundation for the Sociology of Health and Illness (registered company number 03835791 and registered charity number 1078203) c/o Wrigley’s Solicitors, 3rd floor, 3 Wellington Place, Leeds, West Yorkshire, LS1 4AP (FSHI) is committed to protecting the privacy and security of the personal information of applicants for its award schemes and individuals who provide references in relation to those applications (Data Subjects).
The section of this notice headed How is personal information about Data Subjects collected? provides further information regarding how personal information about Data Subjects who are not applicants for our award schemes is collected, and the obligations of the applicants regarding that information.
This privacy notice describes how we collect and use personal information about Data Subjects in order to consider and determine applications for our award schemes, to communicate the results of those applications to the applicants and to facilitate the payment of the award if the application is successful, in accordance with the General Data Protection Regulation (GDPR). It applies to all Data Subjects (whether current or former).
FSHI is a “data controller”. This means that we are responsible for deciding how we hold and use personal information about Data Subjects. We are required under data protection legislation to notify Data Subjects of the information contained in this privacy notice.
This notice does not form part of any contract in relation to an application for our award schemes. We may update this notice at any time.
It is important that Data Subjects read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about Data Subjects, so that they are aware of how and why we are using such information.
Data protection principles
We will comply with data protection law. This says that the personal information we hold about Data Subjects must be:
- Used lawfully, fairly and in a transparent way.
- Collected only for valid purposes that we have clearly explained to them and not used in any way that is incompatible with those purposes.
- Relevant to the purposes we have told them about and limited only to those purposes.
- Accurate and kept up to date.
- Kept only as long as necessary for the purposes we have told them about.
- Kept securely.
The kind of information we hold about Data Subjects
We may collect, store, and use the following categories of personal information about Data Subjects:
- Personal contact details such as name, title, addresses, telephone numbers and email addresses.
- Bank account and other financial details.
- Details of employer, past employers, education and professional experiences and interests.
- Their opinions on the quality of work of others.
How is personal information about Data Subjects collected?
We typically collect personal information about Data Subjects through the application forms or references for our award schemes. This personal information will either relate directly to the applicant or to an individual acting as that applicant’s referee.
We may collect additional personal information about Data Subjects in the course of the administration of the award following a successful application.
In relation to personal information provided by a Data Subject who is an applicant (including any information relating to a Data Subject who is an individual acting as their referee), they must comply with data protection law and ensure the accuracy, quality and legality of such other Data Subject personal information and the means by which they acquired such other Data Subject personal information. They must also establish the legal basis for processing such other Data Subject personal information under data protection law, including by providing all notices and obtaining all consents as may be required under data protection law in order for us to process such other Data Subject personal information to consider and determine applications for our award schemes.
How we will use information about Data Subjects
We will only use personal information about Data Subjects when the law allows us to do so. Most commonly, we will use personal information about Data Subjects in the following circumstances:
- Where the Data Subject has submitted an application to us for our award scheme and in order to pursue our legitimate interests we need to consider and determine the result of that application, communicate the result of the application to the applicant or facilitate a payment as a result of a successful application (provided the interests and fundamental rights of the Data Subject do not override those interests).
- Where we need to comply with a legal obligation.
- Any other circumstances where it is necessary for our legitimate interests (or those of a third party) and the interests and fundamental rights of the Data Subject do not override those interests.
- Where we have obtained the Data Subject’s freely given, specific, informed and unambiguous consent by way of a statement or clear affirmative action.
We may also use personal information about Data Subjects in the following situations, which are likely to be rare:
- Where we need to protect the Data Subject’s vital interests (or someone else’s vital interests).
- Where it is needed in the public interest.
Situations in which we will use personal information about Data Subjects
We need all the categories of information in the list above (under the heading The kind of information we hold about Data Subjects) primarily to allow us to pursue our own legitimate interests or those of third parties, provided the interests and fundamental rights of the Data Subject do not override those interests[*]. In some cases we may use personal information about Data Subjects to enable us to comply with legal obligations[**]. The situations in which we will process personal information about Data Subjects are listed below. We have indicated by asterisks the purpose or purposes for which we are processing or will process personal information about Data Subjects.
- Considering and determining the results of applications in relation to our award schemes*
- Administering payments of the awards to successful applicants*
- Processing the personal information of persons who are nominated by the applicants to our award schemes to act as their referees, in order to obtain references so that the applications can be properly considered*
- Examining trends in the pattern of awards offered to different demographic groups*
- Maintaining a central, secure database of personal information relating to applicants and referees. For these purposes we will use a secure remote server provided by Google Cloud (see below)*
- Complying with our legal, accounting and reporting obligations to Companies House and the Charity Commission and other regulatory and statutory bodies to the jurisdiction of which we are subject**
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of personal information about Data Subjects.
If a Data Subject fails to provide personal information
Where a Data Subject applies for any of our award schemes and fails to provide certain information when requested, we may not be able to consider or determine their application or make any payments to that applicant if their application is successful.
Change of purpose
We will only use personal information about Data Subjects for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use personal information of Data Subjects for an unrelated purpose, we will tell them about the legal basis which allows us to do so.
Please note that we may process personal information about Data Subjects without their knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
We may have to share personal information about Data Subjects with third parties, including third-party service providers.
We require third parties to respect the security of personal information about Data Subjects and to treat it in accordance with the law.
We may transfer personal information about Data Subjects outside the EU. If we do, Data Subjects can expect a similar degree of protection in respect of their personal information.
Why might we share personal information about Data Subjects with third parties?
We may share personal information about Data Subjects with third parties where required by law, where it is necessary for us to pursue our own legitimate interests to consider or determine the results of applications for our award schemes, to communicate the results of the applications to the applicants or to administer payments to successful applicants (provided the interests and fundamental rights of the Data Subject do not override those interests) or where we have another legitimate interest in doing so.
Which third-party service providers process personal information about Data Subjects?
The following activities are carried out by third-party service providers:
- Maintaining a central secure database through the use of Google Cloud.
How secure is personal information with third-party service providers?
All our third-party service providers are required to take appropriate security measures to protect personal information about Data Subjects in line with our policies. We do not allow our third-party service providers to use the personal data of Data Subjects for their own purposes. We only permit them to process such personal data for specified purposes and in accordance with our instructions. Google Cloud may transfer personal information about Data Subjects outside of the EU and has therefore put in place certain measures (details of which can be seen here) which allow it to do so on a lawful basis.
What about other third parties?
We may share personal information about Data Subjects with other third parties. For example, we may need to share such personal information with a regulator or to otherwise comply with the law.
We have put in place measures to protect the security of personal information about Data Subjects. Details of these measures are available upon request.
Third-party service providers will only process personal information about Data Subjects on our instructions and where they have agreed to treat the information confidentially and to keep it secure.
We have put in place appropriate security measures to prevent personal information about Data Subjects from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to personal information about Data Subjects to those employees, agents, contractors and other third-party service providers who need to know. Third-party service providers will only process personal information about Data Subjects on our instructions and they are subject to a duty of confidentiality. Details of these measures may be obtained from our Data Protection Contact whose details can be found below.
We have put in place procedures to deal with any suspected data security breach and will notify the Data Subject, the ICO and any other applicable regulator of a suspected breach where we are legally required to do so.
How long will we use information for?
We will only retain personal information about Data Subjects for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise or pseudonymise personal information about Data Subjects so that it can no longer be associated with them, in which case we may use such information without further notice to them. Once a person has ceased to be a Data Subject (because, for example, their application has been considered and any award to them has been made) we will retain their personal information (and the information in relation to any referees provided by them) for a maximum of seven years, following which we will securely destroy any such data.
Rights of access, correction, erasure, and restriction
Data Subjects’ duty to inform us of changes
It is important that the personal information we hold about Data Subjects is accurate and current. We ask that Data Subjects keep us informed if their personal information changes.
Data Subjects’ rights in connection with personal information
Under certain circumstances, a Data Subject has the right to:
- Request access to her/his personal information (commonly known as a “data subject access request”). This enables her/him to receive a copy of the personal information we hold about her/him and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about her/him. This enables her/him to have any incomplete or inaccurate information we hold about her/him corrected.
- Request the erasure of her/his personal information. This enables her/him to ask us to delete or remove personal information where there is no good reason for us continuing to process it.
- Object to processing of her/his personal information where we are relying on a legitimate interest (or those of a third party) and there is something about her/his particular situation which makes her/him want to object to processing on this ground. A Data Subject also has the right to object where we are processing her/his personal information for direct marketing purposes.
- Request the restriction of processing of her/his personal information. This enables her/him to ask us to suspend the processing of personal information about her/him, for example if he/she wants us to establish its accuracy or the reason for processing it.
- Request the transfer of her/his personal information to another party.
- Withdraw her/his consent where we rely on the same for a specific processing activity.
If a Data Subject wants to review, verify, correct or request erasure of her/his personal information, object to the processing of her/his personal information, request that we transfer a copy of her/his personal information to another party or withdraw her/his consent to a specific processing activity, please contact our Data Protection Contact in writing (see below).
No fee usually required
Data Subjects will not have to pay a fee to access their personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if their request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from Data Subjects
We may need to request specific information from Data Subjects to help us confirm their identity and ensure their right to access the information (or to exercise any of their other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Changes to this privacy notice
We review this privacy notice annually and reserve the right to update it at any time, and we will make a new privacy notice available to Data Subjects when we make any substantial updates. We may also tell Data Subjects in other ways from time to time about the processing of their personal information.
If you have any questions about this privacy notice, please contact us via our contact form.