Privacy notice

eHealth Productivity and Innovation in Cornwall and Isles of Scilly (EPIC2)

Introduction
This privacy notice describes the personal data the eHealth Productivity and Innovation in Cornwall and Isles of Scilly (‘EPIC2’) project collects from you explaining why we collect this data, what we do with it, how long it is stored and whether it is shared with anyone.
Who are we and who is our representative?
EPIC2 is an European Regional Development Fund (‘ERDF’) project led by the University of Plymouth with key delivery partners in Kernow Health CIC and South West Academic Science Health Network (SW AHSN). 
The data controller is the University of Plymouth and is registered with the Information Commissioner’s Office (ICO) under registration number Z7546264. Its Data Protection Officer can be contacted at dpo@plymouth.ac.uk. The EPIC2 project can be contacted at epic@plymouth.ac.uk.
What information do we collect and why?
EPIC2 collects different types of personal data to provide the best possible experience and service, to ensure the effective operation of the project and to meeting statutory or contractual reporting obligations set out in this notice.
The following are examples of personal data (not exhaustive) which may be collected, stored and used:
  • Name, address and contact details
  • Email address
  • Event booking information 
  • Event attendance information – i.e. access or dietary requirements 
  • Commercial data – i.e. enquiries seeking support and/or information for research and evaluation 
In certain limited circumstances (e.g. event booking), special category data may be collected. These are more sensitive categories of identifying information including but not limited to the following: racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health or data concerning a natural person’s sex life or sexual orientation and data relating to criminal convictions.
When and how do we collect your data?
EPIC2 will collect your information in different ways during its relationship with you. These will include:
  • Information you provide directly to us such as when making an enquiry, booking an event, signing up for a newsletter, seeking advice or some other form of engagement with the EPIC2 project
  • Information you provide to partners involved with the EPIC2 project which is shared with us
  • We may also gain your personal data from third parties, for example our project delivery partners; South West Academic Health Science Network, Kernow Health CIC and Software Cornwall.
How do we use your personal data?
EPIC2 will use your personal data in the following ways:
  • Events – information will be used by the University to manage attendance at events booked through our events team. 
  • Communications – information will be used to distribute newsletters, project updates and other communications
  • Support – information will be used to correspond with you when accessing support, advice or some other engagement with the project
  • Research – information may be used to conduct research as part of the project and this will be governed by ethical standards, policies and procedures of the University
  • Evaluation – information will be used to evaluate the progress of the project against the project deliverables and the evaluation exercise will be governed under the MHCLG/ERDF privacy notice
What is the lawful basis for processing personal data?
EPIC2 must have a lawful basis in order to process personal data. For the processing of your data these have been identified as follows:
  • where it is necessary to perform the contract we have entered into with you;
  • where it is necessary for the performance of a task in the public interest;
  • where it is necessary to comply with a legal obligation;
  • where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
EPIC2 may also use your data, typically in an emergency, where this is necessary to protect your vital interests, or someone else’s vital interests. 
In relation to more sensitive personal data (special category data), the additional legal bases for these are: 
  • where we need to carry out our legal obligations,
  • where you have made the data public,
  • where it is necessary to protect your vital interests or those of another person and where you/they are physically or legally incapable of giving consent. This would be in an emergency situation where your health, wellbeing or welfare was at risk,
  • where processing is necessary for the establishment, exercise or defence of legal claims,
  • where we have your consent to do so,
  • where it is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.
If consent is required for any additional uses of your personal information, including your image and more sensitive personal information we will collect it at the appropriate time and explain this to you. Where the University is processing your data on the basis of your consent, you can withdraw your consent at any time. We will not use your personal information to carry out any wholly automated decision-making that affects you.
How long do we hold your data?
General details of the University’s retention timescales can be found in the University Records Retention Schedule together with our Data Protection Policy. 
The EPIC2 project runs until April 2023. As a Grant Recipient, we are required to comply with and assist the Managing Authority to comply with document retention requirements under any applicable State Aid rules. Where Projects are operating under a State Aid scheme in accordance with the General Block Exemption Regulation (Commission Regulation (EU) No 651/2014) or De Minimis Regulation (Commission Regulation (EU) No 1407/2013), Grant Recipients must maintain detailed records with the information and supporting documentation necessary to establish that all the conditions laid down in the Regulation are fulfilled. Such records must be kept for 10 years after the last aid is granted under the scheme, meaning that documents will need to be retained until 2033.
Who do we share your data with?
Where there is a legitimate need or statutory obligations the University will disclose necessary personal data to third parties. Depending on individual circumstances, these may include the following:
MCHLG/ERDF
SWAHSN
Kernow Health CIC
Software Cornwall
Members of the EPIC2 team, including consultants
What rights do you have?
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 increased the number of rights an individual has in relation to the gathering, processing and storage of personal data. These are:
  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated processing and profiling
Please note the rights are not absolute and may not apply in all circumstances. Further information on accessing these rights can be found at Your information rights or by emailing dpo@plymouth.ac.uk.
Changes to this notice
This privacy notice is reviewed annually or when required, to ensure compliance with data protection legislation. If significant changes are made to this notice and the way we treat your personal information, we will make this clear and may seek to communicate this directly to you.
Date of Notice: September 2020