York Health Economics Consortium

YHEC PRIVACY NOTICE – 02 January 2024 

York Health Economics Consortium (YHEC) is committed to ensuring that your privacy is protected. We want you to know that you can trust us to respect your privacy and keep your personal information safe, in accordance with the UK General Data Protection Regulation (UK GDPR). This privacy notice explains how we use the information we collect about you. By submitting your information to YHEC, you consent to the use of that information as set out in this notice.

For the purposes of this privacy notice, YHEC is the Data Controller as defined in the UK GDPR. We are registered with the Information Commissioner’s Office and our entry can be found at https://ico.org.uk/ESDWebPages/Entry/Z6136867. Our registration number is Z6136867. YHEC is a company wholly owned by the University of York and the University’s Data Protection Officer is Durham Burt.

  1. What data do we have?

This privacy notice is for any individual who provides personal data or special category data to YHEC.

Personal data may include name, date of birth, postal address, email address, telephone number, emergency contact details, education records (past and present).

Special category data includes information about disability, health, ethnicity and racial origin.

The legal basis for processing your data is that you have given us your consent or, in the case of special category data, your explicit consent.

  1. Use and storage of your information

YHEC has implemented appropriate technical and organisational measures to protect your data. Access to information is restricted and is given on a need-to-know basis, and security arrangements are regularly reviewed to ensure their continued suitability. We undertake to fulfil our responsibilities as follows:

  • We will only collect and retain relevant and essential data.
  • We will store your information safely and securely, protecting it from loss, misuse, unauthorised access and disclosure.
  • We will ensure that appropriate measures are in place to protect personal data.
  • We will destroy your information securely.
  • We will work hard to keep your personal data up to date.
  • We will not share the information that is provided to us except:
    • With specific third-party service providers, as detailed below,
    • If we have a legal obligation to disclose your information
  • We will comply fully with our obligations under the UK General Data Protection Regulation.

YHEC’s incident management procedures are available in full in the YHEC Information Governance Policy. This includes the notification process in the event of a data security incident.

  1. How long do we keep your personal information?

We keep your personal information:

  • For as long as we need to for the purposes for which it was collected.

OR (if longer):

  • For any period for which we are required to keep personal information to comply with our legal and regulatory requirements.

OR (if sooner):

  • Until you ask us to delete your personal data, in accordance with your rights below.

We will regularly assess the personal data that we hold to determine its relevance and destroy your personal data if we no longer require it or no longer provide any services to you.

  1. Your rights

You have a number of rights in relation to your personal data. These include the right to:

  • Find out how we process your personal data.
  • Request that your personal data is corrected if you believe it is incorrect or inaccurate.
  • Withdraw your consent to our processing of your personal data.
  • Obtain a copy of the personal information that we hold about you. We will take steps to verify your identity before responding to your request and will respond as soon as possible (after receipt of confirmation of your identify) and in any event within one month. 

Please see Section 11 for how to contact us. 

  1. Registering on our mailing list

When registering on YHEC’s mailing list, we ask you to provide your email address. We use this information to send you news and information about YHEC.

YHEC uses Campaign Monitor to manage the mailing list. Their privacy notice can be found at https://www.campaignmonitor.com/policies/#privacy-policy.

You will be given an opportunity to unsubscribe in every email we send.

  1. Social Media

If you interact with or contact YHEC through a social media platform, you should familiarise yourself with the privacy information of that platform. 

  1. Training courses

When booking onto our training courses, you will be asked to provide personal information via an online form. By supplying this personal information, you consent to YHEC storing the information for the stated purpose. The information is held by YHEC in accordance with the provisions of the UK GDPR. YHEC’s website is hosted by Bluestorm, who has access to the information provided but does not process this information. Bluestorm’s privacy policy can be found at https://bluestormdesign.co.uk/privacy-policy.

From time to time, we may also use Eventbrite to promote and ticket our training courses. Eventbrite’s privacy policy can be found at https://www.eventbrite.co.uk/help/en-gb/articles/460838/eventbrite-privacy-policy/.

Upon booking, we will send you an invitation to the training course via Google Calendar. Google’s privacy policy is available at https://policies.google.com/privacy?hl=en-GB.

For courses that require payment, the payments are processed by Stripe. Their privacy policy can be found at https://stripe.com/en-gb/privacy.

Online training courses are delivered via Zoom. The Zoom privacy statement can be found at https://explore.zoom.us/en/privacy/.

We use Google Forms to evaluate our training courses. Completing an evaluation is optional. Responses are collected anonymously but IP addresses may be logged; these are recorded in the Google Drive audit log which the University retains for 180 days and which is only accessible to the Cyber Security team and a limited number of Google Administrators in the University. The University’s policies on this are available at https://www.york.ac.uk/about/legal-statements/#tab-4 and https://www.york.ac.uk/it-services/google/policy/terms/. 

  1. Teleconferencing

Online meetings will take place via platforms including Zoom and Microsoft Teams. The Zoom privacy statement can be found at https://explore.zoom.us/en/privacy/; the Teams privacy statement can be found at https://learn.microsoft.com/en-us/microsoftteams/teams-privacy. 

  1. YouTube videos

YHEC’s website includes embedded YouTube videos. By viewing these videos, you are agreeing to be bound by YouTube’s terms of service (https://www.youtube.com/t/terms) which is also subject to Google’s Privacy Policy: https://policies.google.com/privacy?hl=en-GB.

  1. Right to complain

If you are unhappy with the way in which YHEC has handled your personal data, you have a right to complain to the Information Commissioner’s Office. For information on reporting a concern to the Information Commissioner’s Office, see www.ico.org.uk/concerns. 

  1. Contact us

If you would like to exercise any of your rights as outlined in this notice or have any questions about the way in which YHEC handles your personal data, please contact us in writing at yhec@york.ac.uk.

  1. Updates and changes to our privacy notice 

Our privacy notice is regularly reviewed. This notice was last updated on 02 January 2024.

  1. Job applicant privacy notice 

A Job Applicant Privacy Notice is available at https://yhec.co.uk/careers/.