Privacy Notice

Privacy Notice, Disclaimer and Terms Of Use

The Velindre Oncology Academy is strongly committed to protecting personal data. This Privacy Notice explains the following:

Who are we

What information do we collect about you?

How we collect your information, why we need it and how we use it

Use of automated decision making and profiling

Use of cookies and other technologies

What legal basis we have for processing your personal data

When do we share personal data

Where do we store and process personal data

How we secure personal data

How long do we keep personal data for

Keeping us up to date

Your legal rights in relation to personal data including your rights to withdraw consent

How to contact us including how to make a complaint with a supervisory authority

How and when we review our privacy notice

We recommend you read this privacy notice thoroughly. Please contact us with any questions or concerns regarding our privacy practices. Our contact details are on our website and also contained within this Privacy Notice.

Who are we?

The Velindre Oncology Academy is part of Velindre University NHS Trust, known as the “Trust”. The Trust is the legal entity and Data Controller in terms of its own accountability with data protection law. The Velindre Oncology Academy is a provider of oncology and clinical skills education.

The Trust is a Data Controller and Data Processor in the following circumstances:

Data Controller – when processing your data to enable us to receive contact requests and course applications from you as a website user. The Trust is a Data Controller when you are using our Learning Management System, Moodle and plagiarism prevention software, Turnitin, as a learner. This is due to Moodle and Turnitin being accessible through the same site. These systems are used to provide learners access to their course material and assessments. The Trust is a Data Controller when your details are being processed through our Consumer Relationship Management system, which is the software we used to store and manage user data.

Data Processor – when supporting campaigns which are facilitated via Social Media Platforms.

This privacy notice explains how the Trust uses personal data. All references to ‘we’ or ‘us’ in this notice refer to the Velindre Oncology Academy (which is a part of Velindre University NHS Trust).

You can contact us via email on: voa@wales.nhs.uk

What information do we collect about you?

When we talk about personal data or personal information, we are only referring to information from which an individual person can be identified. It does not include data where the identity has been removed in such a way that the individual cannot be re-identified.

Our activities across the UK are fundamental to our success. We collect and process information with key stakeholders in order to deliver our services, and in order to help us continue to be the leading provider of oncology and clinical education in Wales, across the UK and Internationally. This information includes:

Identity data which includes your name

Contact data (email address and telephone number) and communication preferences.

Details of programmes of study, modules, timetables and room bookings, assessment marks and examinations.

Financial and personal information collected for the purposes of administering fees and charges, loans, grants, scholarships and hardship funds (this does not include credit/debit card details)

Information about an individual’s engagement with Velindre Oncology Academy such as attendance information and use of electronic services such as the Virtual Learning Environment

Other personal data* (including, profession, area of work/sector, date of birth, employment status, ID documents, gender, ethnicity, evidence of prior learning, prior experience and additional learning needs).

* This personal data is only collected from applicants for accredited courses. All the data above would be provided by the user manually.

To put this into context, it includes personal data collected as a result of:

You asking us about our activities

When you register with us for information

When you sign up for publications or newsletters

When you register or apply to complete a course with us

You are enrolled to our Learning Management System, Moodle

When you become involved in one of our campaigns

When you telephone, write, contact us online or text us or otherwise provide us with your personal data

We do not collect any data defined as special categories of personal data under Data Protection law about our supporters unless there is a clear reason for doing so, for example, we would give you the option to disclose your ethnicity and gender when applying for accredited programmes, so we are able to report on Equality and Diversity and equal opportunities within our Academy.

We will only collect special categories of personal data with the applicant’s/user’s explicit, clear and unambiguous consent, and clear notices will be provided on applications for courses, events and other relevant forms and communications, so you know what information we need and why we need it. Where we request Special Category Personal Data, the option “do not wish to disclose” will be included in the response options. You will be given the option to opt out from responding to questions requesting special category data.

How we collect your information, why we need it and how we use it

When you contact us regarding the work we do or the service offer, we will handle your data with the utmost care and are sensitive to the need to handle all data lawfully, fairly and transparently.

You should also be aware of our responsibilities under Freedom of Information legislation, our remit to provide information to meet internal and external audit requirements and our legal obligations (e.g. fraud prevention).

Use of automated decision making and profiling

The Trust does not undertake automated decision making and profiling.

The Use of Cookies and other technologies

We monitor user activity to enhance content provided on the site. Google Analytics (an external website) is a free service provided by Google (an external website) that generates statistics about the visitors to a website.

Information collected includes referring/exit web pages, click patterns, most/least viewed web pages, session duration, number of visitors, browser type, operating systems etc. Information is collected by using cookies.

This Notice lays out how and why we use cookies on the Velindre Oncology Academy website that will allow you to make an informed decision regarding the acceptance, rejection or deletion of any cookies that we use.

By using our website, you consent to our use of cookies, so we recommend that you read the information below. This cookies policy may change at any time, so please check it regularly.

A cookie is a small file of letters and numbers which often includes an anonymised, unique identifier. This means that it can be used to identify you without revealing your personal information. When you visit a website, it asks permission to store a cookie in the cookies section of your hard drive. Cookies are widely used on the internet to make websites work, to make them work more efficiently, or to provide information about your usage of the site to the site owner or other third parties. For example, if you add items to a shopping basket, a cookie allows the website to remember what items you are buying, or if you log in to a website, a cookie may recognise you later on so that you do not have to put in your password again.

How do we use cookies?

We use cookies to improve the way our website works. We also use third-party cookies set by Google Analytics to review our site functionality.

Third-party cookies

A third-party cookie is one that is associated with a different domain or website than the one that you visit. For example, on this site, we use third-party cookies built by Google to enable website analytics, but as our site is not on the Google domain, this makes their cookies “third-party” cookies. The Google Analytics cookie will recognise and count the number of people who visit our site, as well as providing other information such as how long visitors stay, where they move to on our site, and what pages receive the most visits. We cannot directly control how Google cookies behave.

How to Disable Cookies

To change your cookie settings:

Internet Explorer: Please follow this link http://windows.microsoft.com/en-gb/internet-explorer/delete-manage-cookies#ie=ie-9 (external website) for instruction on how to disable cookies.

Firefox: Please follow this link http://support.mozilla.org/en-US/kb/enable-and-disable-cookies-website-preferences (external website) for instruction on how to disable cookies

Chrome: Please follow: link https://support.google.com/chrome/answer/95647?hl=en&ref_topic=14666 (external website) for instruction on how to disable cookies.

What legal basis we have for processing your personal data

We always have a legal basis for processing personal data, the legal basis we use are as follows:

Where processing is necessary for the performance of a contract to which the data subject is party; or

Where the data subject has given consent to the processing of his or her personal data for one or more specific purposes; or

Where processing is necessary for compliance with a legal obligation to which we are subject; or

Where processing is necessary in order to protect the vital interests of the data subject or of another natural person; or

Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (the controller); or

Where processing is necessary for the purposes of legitimate interests pursued by us or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data

To put the use of the six legal Basis’ we use for processing personal data into context we will use the personal data and information we collect for the following purposes:

We must have a lawful reason for processing your personal information. Most commonly, we will use your personal information in the following circumstances:

Deliver our education service

Quality assure our education service externally

Send newsletters (if consent has been provided) via email

Conduct research to better understand who our audience are and target marketing campaigns that are appropriate to their interests or relevant to their job role

Maintain and administer our contacts database and systems

In all cases, we balance our needs against your rights as an individual and make sure we only use personal data in a way or for a purpose that you would expect in accordance with this Policy and that does not intrude on your privacy or previously expressed preferences.

Where we process special categories of personal data (as mentioned above), we will make sure that we only do so in accordance with one of the additional lawful grounds for processing such as where we have your explicit consent or you have made that information manifestly public elsewhere. Those who use our services will be provided with the option “do not wish to disclose” in relation to the processing of their Special Category Personal Data

We will only use your personal information for the purposes for which we collected it, unless we consider that we need to use it for another reason and that reason is compatible with the original purpose. Information is only held for as long as there is a legitimate reason to do so, information that is no longer required is destroyed in such a way that it cannot be reconstructed. If you wish to obtain an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

When do we share personal data?

Disclosure of Information for legal or regulatory purposes, or for service provision.

We may need to disclose your information to a third party as part of ongoing programme management and audit requirements.

Additionally, as part of our remit to conduct due diligence we may also need to release information to progress governance checks for specific requirements, programmes, other parties (or projects. We will carry out this process lawfully, proportionately and securely).

We may also share your data with third parties, like Moodle, in order to be able to deliver our service to you as a learner. Third parties include:

External quality assurers (University of Wales Trinity St. David) directly engaged with programme/project delivery (please note that all advisors/consultants are bound by confidentiality requirements in their contracts);

Third party service providers like Moodle, Turnitin, Consumer Relationship Management (CRM) systems and Google.

We will ensure that if information is required to be shared, then it will be shared securely, and you will be informed that we have shared it, who we have shared it with and how we shared it.

Where do we store and process personal data?

Personal data is stored within NHS Wales electronic systems. We undertake regular security reviews of all our platforms and conduct risk assessments as required under Article 35 of the UK GDPR and Chapter 2 of the Data Protection Act 2018 (UK GDPR) to comply with our duty as a Data Controller as set out in Article 24 UK GDPR.

Where your data is processed by a third party, it will be stored on their cloud and systems. We have listed below a description of where the different systems we use store and process your personal data:

Rackspace (the cloud where this website is hosted) – The data centre where data is stored, is located in the UK.

Moodle/Synergy Learning – Synergy Learning’s primary hosting hardware is located in a data center in Dublin, Ireland.

Turnitin – Turnitin store data within the EEA, but personal data is processed in the USA. The Trust has in place the necessary legal protection required in accordance with Data Protection Law and ICO guidance

University of Wales Trinity St David (UWTSD) – The University has relationships with institutions and agencies worldwide which make it necessary for data to be transferred outside the EEA. Periodically the University uses third party processors who are based outside of the EEA and will necessitate an international transfer. Where transfers are made the University has in place processes to ensure that they are carried out in compliance with data protection laws located in the United Kingdom

Google – Google data processing occurs within the EU and USA

Please contact our Data Protection Officer for further information should you wish to understand how your data is processed.

How do we secure personal data?

We have in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised manner or otherwise used or disclosed.

To achieve this, we use encrypted secure technology to protect all personal information stored by us, and when it is being shared with third parties. We operate up to date and regularly review policies for Data Protection, Information Governance, Password Policy, Information Security and Business Continuity (including Risk Assessments via the Data Protection Impact Assessment (DPIA) process and individual risk assessments) to support our business processes and to ensure that all personnel are aware of the importance of data security.

Access to information is permitted on a need-to-know basis.

How long do we keep your personal data for?

We only keep and process personal data for as long as there is a contractual or business requirement to do so or we are otherwise obliged to keep the same under any contractual, regulatory or legal requirement. Once the requirement has expired, the information is deleted safely and securely from our systems in such a way that Information which is deleted is done so in accordance with current security regulations.

Keeping us up to date

As part of our responsibility to ensure that information we hold about you is up to date, we rely on you to keep us updated. We request that where any of your details change, that you inform us so that we may update out records accordingly.

If you tell us that you no longer want to receive further contact from us and you are on our supporter database, it may take a short while before our communications stop altogether as selection of supporter information for some of our appeals is done a few weeks in advance of mailing. If you request to receive no further contact from us, we will keep the information we hold on you and add you to our suppression lists to ensure that you do not receive unwanted materials in the future.

Your legal rights in relation to personal data including your rights to withdraw consent

As a data subject, you have rights in relation to your Personal data. These are:

You have a right to access your personal information

You have a right for incorrect information held about you to be rectified

You have a right for information which you no long wish us to hold to be erased (also known as the right to be forgotten)

You have a right for the processing of your information to be restricted

You have a right to data portability – for your personal information to be transported in a structured, commonly used, recognisable format

You have a right to object to the processing of your personal information

You have a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or significantly affects you

You also have the right to make a Subject Access Request. As part of this process you will be able to ascertain:

Whether or not your data is processed, and if so why

The categories of personal data concerned

The source of the data if you have not provided the original data

To whom your data may be disclosed, including outside the EEA and the safeguards that apply to such transfers

We reserve the right to validate your identity prior to release of information.

We will not make any charges for such requests, unless the requests made repeatedly and are considered excessive. We will respond to you request within 1 month of the date of request.

If you have provided consent to the Velindre Oncology Academy to process any of your data, then you also have a right to withdraw that consent unless we are contractually or legally obligated to retain data.

In cases where we do not need to retain data for contractual or legal reasons, we will delete the data as soon as possible and at the very least within 28 days.

How to contact us, including how to make a complaint with a supervisory authority

To exercise all relevant rights or should you have any objections or queries relating to how your personal data is being processed by us, please contact our Data Protection Officer at:

Velindre NHS Trust, Unit 2 Charnwood Court, Parc Nantgarw, Nantgarw, cardiff, CF15 7QZ

Email: VelindreInformationGovernance@wales.nhs.uk

For independent advice about data protection, privacy and data-sharing issues, or if you should ever be dissatisfied with the way we have handled your personal data you can contact the Information Commissioners Office (ICO) at:

ICO Wales contact details
Information Commissioner’s Office – Wales
2nd Floor, Churchill House
Churchill Way
Cardiff
CF10 2HH

Telephone: 029 2067 8400
Fax: 029 2067 8399
Email: wales@ico.org.uk

ICO Head Office Details

Information Commissioner’s Office – Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113 or 01625 545745
Fax: 01625 524510
Website: https://ico.org.uk/

Review of the Privacy Notice

We regularly review all of our policies and procedures, we will post updates on our documentation and webpage, this Privacy Notice was last reviewed and amended on the 11th December 2024.

Disclaimer

Care is taken to ensure that the website content is accurate. Nevertheless, content is provided for general information only, and you use it at your own risk. We will not be held liable for damage or loss ensuing from any act or omission resulting from the use of information on this website.

We reserve the right to make changes to the web site as appropriate from time to time.

Virus Protection

We make every effort to check and test material for viruses. However, it is recommended that you run an anti-virus program on all materials downloaded from the internet. We cannot accept responsibility for any loss, disruption or damage to your data or computer system which may occur whilst using material derived from this website.

External/Linked Websites

Velindre University NHS Trust is not responsible for the content or reliability of any linked websites. We accept no liability in respect of the content or for the consequences of following any advice included on such sites.

Listing should not be taken as an endorsement of any kind.

We cannot guarantee that these links will work all of the time and have no control over the availability of the linked pages or change of website address.

Velindre University NHS Trust reserves the right to reject or remove links to any website.