1. The data controller is HSR UK
The Director of HSR UK has responsibility for data protection, and can be contacted by:
email: [email protected]
2. The personal data we are collecting
This privacy notice applies to information we collect about:
- Visitors to our website
- Our members
- Individuals who sign up for mailing lists and bulletins, request information from us or use our services
- Delegates attending our events
- Clients booking our conference and meeting facilities
- Members who use our services, such as our mentoring programme
Personal data we routinely collect includes:
- Postal address
- Email address
- Telephone number
For our employees we will also collect:
- Demographic data
- Medical data
- Diversity monitoring data
- Bank account details
- National insurance number
For our conference delegates we will also collect
- Dietary and access requirements
- Job title and organisation / affiliation
For our mentoring programme applicants we will also collect
- Diversity monitoring data (with explicit consent)
3. How we collect personal data
We collect personal data through:
- Web forms online
- Paper forms
4. How we source data
We will find contact data from several sources, for example on institution websites for individuals, other online resources, Companies House and we will also be given contact details from an individual’s colleagues to add to our mailing lists.
We generally do not buy in data lists from third parties. If we felt this was necessary, we would conduct a data protection impact assessment.
5. The purpose for collecting data
We use the data to keep in touch with individuals interested in health services research. This could include:
- People working in higher education institutions, or organisations involved in research
- Political, business, media and policy contacts
- Attendees at our conferences and events
For the above groups, we will email news updates relating to their work and the wider health services research sector.
For our named member organisation representatives, we will use data for administrative purposes to manage membership.
For our mentoring programme participants, we will use data to match mentors and mentees should the mentee wish personal characteristics be taken into account
6. Your rights as an individual
You can unsubscribe from email communications at any time, using the unsubscribe button, or replying to emails with the instruction to be removed from a mailing list. As a data subject, individuals have a number of rights in relation to their personal data.
Subject access requests
If an individual makes a subject access request, HSR UK will tell him/her:
- whether or not his/her data is processed and if so why, the categories of personal data concerned and the source of the data if it is not collected from the individual;
- to whom his/her data is or may be disclosed, including to recipients located outside the European Economic Area (EEA) and the safeguards that apply to such transfers;
- for how long his/her personal data is stored (or how that period is decided);
- his/her rights to rectification or erasure of data, or to restrict or object to processing;
- his/her right to complain to the Information Commissioner if he/she thinks HSR UK has failed to comply with his/her data protection rights; and
- whether or not HSR UK carries out automated decision-making and the logic involved in any such decision-making.
HSR UK will also provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically, unless he/she agrees otherwise. This will be provided within one month of the request being made to meet GDPR requirements.
To make a subject access request, the individual should send the request to [email protected]. In some cases, HSR UK may need to ask for proof of identification before the request can be processed. HSR UK will inform the individual if it needs to verify his/her identity and the documents it requires.
If a subject access request is manifestly unfounded or excessive, HSR UK is not obliged to comply with it. Alternatively, HSR UK can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which HSR UK has already responded. If an individual submits a request that is unfounded or excessive, HSR UK will notify him/her that this is the case and whether or not it will respond to it.
Individuals have a number of other rights in relation to their personal data. They can require HSR UK to:
- rectify inaccurate data;
- stop processing or erase data that is no longer necessary for the purposes of processing;
- stop processing or erase data if the individual's interests override HSR UK's legitimate grounds for processing data (where HSR UK relies on its legitimate interests as a reason for processing data);
- stop processing or erase data if processing is unlawful; and
- stop processing data for a period if data is inaccurate or if there is a dispute about whether or not the individual's interests override HSR UK's legitimate grounds for processing data.
To ask HSR UK to take any of these steps, the individual should send the request to [email protected]
7. If you have a complaint
The supervisory authority is the Information Commissioner’s Office. Individuals can lodge a complaint directly with them.
Details of how to report concerns are on the ICO website. The helpline telephone number is 0303 123 1113.
8. The legal basis we are relying on
HSR UK will use legitimate interest for contacts and communications for the following groups:
- HE sector and members
- NHS Organisations
- Organisations that belong in the Insfrastructure of the National Institute of Health Research
- Policy, political, business and media contacts
- Income generation activities – including attendees of HSR UK conferences and events.
For these groups the data held will be:
- Full name
- Postal address (business address)
- Contact details including address, telephone number and email (business contact details)
Health Services Research UK believes that:
There is a genuine business reason (the legitimate interest) for processing this data, the purpose of HSR UK is:
- To formulate policies on any matters affecting or relevant to the health services sector in the UK
- To provide information, advice and assistance to research institutes, NHS organisations, parts of the infrastructure of the NIHR within the UK, or any of their representatives, on any aspect of educational affairs, including administrative and financial matters relating to or connected with health services
- To represent the health services sector in the UK and to conduct dealings and to liaise with the Government, any local, national or other institutions, authorities, agencies, bodies or persons, wheresoever in the world situated
- To promote and provide facilities for discussion and consultation between representatives of research institutes, NHS organisations, parts of the infrastructure of the NIHR in the UK, on any matters affecting or relevant to the health services sector in the UK
And for our income generating activities:
- To run workshops, events and conferences profitably to fund the work of HSR UK, therefore using contact details for direct marketing activities.
And has considered the necessity test:
Processing individual’s data for the purposes of communicating with members, health services research sector contacts, political, media, business and policy contacts is necessary to effectively service the needs and represent our members’ interests fully.
HSR UK considers the impact on the individual to be low (the balancing test):
- We believe there is value in individuals hearing about developments and opportunities in the sector.
- Providing opportunities for networking with peers.
- The individuals have already expressed an interest in our work through signing up for regular newsletter, using the facilities or attending an event.
- Users can opt out of communications.
- We are not using any special categories of data, in this case
- We will not transfer the data to third parties except when this has been explicitly stated at the point of collection (for example if HSR UK is managing registrations for an event held with a partner organisation).
There are safeguards in place:
- Opportunity for all contacts to unsubscribe from mailings
- Email ([email protected]) for individuals to practice their rights (see section 6).
- The amount of data held on individuals is restricted to only what is necessary, and kept no longer than necessary
- Data will not be shared with third parties, without making individuals aware and having a clear data sharing agreement
- Access to data is restricted to only staff who need it for the performance of their roles
- IT systems are secure, with regular security testing programme in place.
- Data protection training is undertaken by all staff as part of their probation.
9. Where our data is stored
Data is stored on premise at the Nuffield Trust offices in London. Where cloud hosted systems are in use, the data is stored in the EEA.
11. Our data retention policy
HSR UK has a policy on data and document retention. Retention periods are based on ICSA Guide to Document Retention (3rd Edition). If you have questions on our retention policy, email [email protected]
12. Leaving our website
Links to external websites are not our responsibility and that once a user clicks on a link to an external site it will be subject to that organisation’s privacy policies, not ours.
This policy was last updated July 2022. It will be reviewed annually, or before if we introduce any changes to our data practices.
When you visit our website, we may store some information on your computer. This information will be in the form of a 'cookie' or similar file and can help us in many ways. For example, cookies allow us to tailor a website to better match your interests and preferences. With most internet browsers you can erase cookies from your computer hard drive, block all cookies or receive a warning before a cookie is stored.
If you signup for our newsletter, there may cookies set by MailChimp (the newsletter service we use) containing anonymous, non personally-identifiable information to identify if you signed correctly and how you use MailChimp. We do not control these cookies. MailChimp privacy terms
We use YouTube to host video content. When you view a web page on our site with an embedded YouTube video, YouTube creates at least four cookies:
We use Wistia to host videos which we embed into the website. This creates one cookie:
- __utma Cookie
- __utmb Cookie
- __utmc Cookie
- __utmz Cookie
- __utmv Cookie
We use Siteimprove software for in-house analytics, it uses two cookies:
Used to store user preferences and information when viewing pages with Google maps on them.
We may use the Twitter “Follow Button” plugin to help us market our business using Twitter. The plugin detects whether you are logged in to Twitter when you visit our website and uses this information to present either a “Follow” or “You Follow” message with various other details from Twitter. Cookies we use are:
Most of our cookies expire within 30 days, although our analytics cookies may persist for 2 years.
How to reject or delete these cookies
Further information on how to prevent cookies from being stored on your computer can be found on All about cookies website under the 'manage cookies' section.