Published: 24 May 2018
This privacy notice is intended to provide transparency regarding what personal data CPPE may hold about you, how it will be processed and stored, how long it will be retained and who may have access to your data.
Personal data is any information relating to an identified or identifiable living person (the data subject). An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number or factors specific to the physical, genetic or mental identity of that person, for example.
CPPE is the main provider of continuing education, training and development for pharmacy professionals in England. NHS Health Education England (HEE) funding is provided to CPPE to assist registered pharmacy professionals in maintaining their fitness to practise and meeting their continuing professional development requirements, and to support the delivery of existing and new NHS services.
CPPE is based at the University of Manchester and therefore abides by University of Manchester compliance, as well as that of HEE. The General Pharmaceutical Council (hereafter ‘GPhC’) supplies CPPE with personal data for the purpose of allowing us to validate the identity of a CPPE registrant.
All the information we collect or receive is to support these objectives of providing continuing education, training and development for pharmacy professionals in England.
This privacy statement only covers the processing of personal data by CPPE that CPPE has obtained from data subjects accessing CPPE’s website and from its provision of services and exercise of functions. It does not cover the processing of data by any sites that can be linked to or from CPPE’s website, so you should always be aware when you are moving to another site and read the privacy statement on that website.
When providing CPPE with any of your personal data for the first time, for example, when registering with the CPPE website, or when you enrol in any CPPE learning, you will be asked to confirm that you have read and accepted the terms of this privacy statement. A copy of your acknowledgement will be retained for reference.
Personal data may be collected from you via the CPPE website registration process, applying for roles with CPPE, requesting to work on CPPE projects or engaging in CPPE training. Personal data may also be obtained from local education providers or employing organisations in connection with CPPE training.
Personal data is obtained from the General Pharmaceutical Council (GPhC) for GPhC registered pharmacists, pharmacy technicians and pre-registration trainee pharmacists. This data contains, name, registration type, address, date of registration. This data is used to validate CPPE website registration requests and to distribute national mailing campaigns to members of the GPhC register.
Your personal data is collected and processed for the purposes of and in connection with the functions that CPPE performs with regard to education, training and delivery of NHS services. The collection and processing of such data is necessary for the purposes of those functions.
A full copy of the relevant notification to the Information Commissioner setting out all of the types of processing that we undertake can be found on the Commissioner’s website. For further information please refer to the following registration numbers: Z6787610 for the University of Manchester and ZA120843 for Health Education England on the ICO’s website.
In connection with training, CPPE collects and uses your personal information for the following purposes:
We also collect personal data to ensure public and patient engagement with CPPE training, to maintain a pool of subject specialists, to engage with the wider pharmacy workforce via employers, and to report data to funding organisations to fulfil our contractual obligations.
When you access CPPE’s website, small amounts of information are sometimes placed on your device, including small files known as cookies. These pieces of information are used to improve services for you. For example, we use a series of cookies to monitor website speed and usage, as well as to ensure that any preferences you have selected previously are the same when you return to our website.
Google Analytics, for example, stores information about what pages you visit, how long you are on the site, how you got here and what you click on. Personal information (eg your name or address) is not however collected or stored so this information cannot be used to identify who you are. We do not allow Google to use or share our analytics data.
Full details on the cookies set by Google Analytics are published on the Google website. Google also publishes a browser add-on to allow you to choose that information about your website visit is not sent to Google Analytics.
On a number of pages we use ‘plug ins’ or embedded media. For example, we might embed YouTube and Vimeo videos in pages. We also embed Twitter feeds and Facebook share buttons. The suppliers of these services may also set cookies on your device when you visit the pages where we have used this type of content. These are known as ‘third-party’ cookies. To opt-out of third-parties collecting any data regarding your interaction on our website, please refer to their websites for further information.
CPPE is the data controller in respect of any personal data it holds concerning trainees in training, individuals employed by CPPE and individuals accessing CPPE’s website.
CPPE may occasionally collect additional data on behalf of funding organisations at the point of registration or during training. CPPE will make it clear at the point of collection the purpose of this collection, who it will be shared with and how long it will be retained for.
The GDPR requires that data controllers and organisations that process personal data demonstrate compliance with its provisions. This involves publishing our basis for lawful processing.
As personal data is processed for the purposes of delivering the CPPE contract on behalf of HEE, CPPE’s legal bases for the processing of personal data as listed in Article 6 of the GDPR are as follows.
For all users:
For GPhC registrants only:
Where CPPE processes special categories of personal data, its additional legal bases for processing such data as listed in Article 9 of the GDPR are as follows.
For all users:
Special categories of personal data may include data relating to racial or ethnic origin, political opinions, religious beliefs, sexual orientation and data concerning health.
Please note that not all of the above legal bases will apply for each type of processing activity that CPPE may undertake. However, when processing any personal data for any particular purpose, one or more of the above legal bases will apply.
We may seek your consent for some processing activities, for example for sending out invitations to you to training events and sending out material from other government agencies. If you do not give consent for us to use your data for these purposes, we will not use your data for these purposes, but your data may still be retained by us and used by us for other processing activities based on the above lawful conditions for processing.
We will occasionally send you information from CPPE on nationally important campaigns linked to national priorities. These communications are deemed by CPPE, in relation to data protection regulations, as being in the public interest. If you wish to opt out of these communications, please do so in writing.
The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations, in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined.
Your data may only be transferred abroad where CPPE is assured that a third country, a territory or one or more specific sectors in the third country, or an international organisation ensures an adequate level of protection.
Our processing of all personal data complies with the General Data Protection Regulation principles in line with the University of Manchester’s data protection registration held with the Information Commissioners Office.
The personal data we hold may be held as an electronic record on data systems managed by CPPE or as a paper record. These records are only accessed, seen and used as required and/or permitted by law by staff who need access to personal data so they can do their jobs and other partner organisations under data sharing agreements.
The security of the data is assured through the implementation of the University of Manchester and CPPE’s policies on information governance management.
We make every effort to keep your personal information accurate and up to date, but in some cases we are reliant on you as the data subject to notify us of any necessary changes to your personal data. If you tell us of any changes in your circumstances, we can update the records with personal data you choose to share with us.
We will keep personal data for no longer than necessary, in line with our records management policy, and the University of Manchester records retention schedule.
So we can provide the right services at the right level, we may share your personal data within services across the University of Manchester, HEE and with other third party organisations such as the GPhC, NHS Digital, higher education institutions, NHS Trusts, clinical placement providers, NHS Trusts/Health Boards/Health and Social Care Trusts, approved academic researchers and other NHS and government agencies where necessary, to provide the best possible training and education and to ensure we deliver the CPPE contract appropriately. This will be on a legitimate need-to-know basis only.
CPPE also has data sharing agreements with other organisations to facilitate the delivery of NHS services. For example, an agreement with Pharmoutcomes to share data with respect to the Declaration of Competence system.
Users of CPPE may also choose to share their learning record on the internet using the CPPE Viewer functionality.
We may also share information, where necessary, to prevent, detect or assist in the investigation of fraud or criminal activity, to assist in the administration of justice, for the purposes of seeking legal advice or exercising or defending legal rights or as otherwise required by the law.
Where the data is used for analysis and publication by a recipient or third party, any publication will be on an anonymous basis, and will not make it possible to identify any individual. This will mean that the data ceases to become personal data.
You can manage your sharing preferences via the MyCPPE section of the website.
Right to rectification and erasure
The GDPR extends and strengthens your rights as a data subject. Under the GDPR you have the right to rectification of inaccurate personal data and the right to request the erasure of your personal data. However, the right to erasure is not an absolute right and it may be that it is necessary for CPPE to continue to process your personal data for a number of lawful and legitimate reasons.
Right to object
You have the right in certain circumstances to ask CPPE to stop processing your personal data in relation to any CPPE service. As set out above, you can decide that you do not wish to receive information from CPPE about national and local training and other news. However, the right to object is not an absolute right and it may be that it is necessary in certain circumstances for CPPE to continue to process your personal data for a number of lawful and legitimate reasons.
If you object to the way in which CPPE is processing your personal information or if you wish to ask CPPE to stop processing your personal data, please contact CPPE on firstname.lastname@example.org
However, if we do stop processing personal data about you, this may prevent CPPE from providing the best possible service to you.
You can access a copy of the information CPPE holds about you by writing to: email@example.com clearly stating you wish to make a subject access request. This information is generally available to you free of charge, subject to the receipt of appropriate identification.
The GDPR sets out the right for a data subject to have their personal data ported from one controller to another on request in certain circumstances. We have a number of facilities for you to access and share your learning record such as My CPPE and CPPE Viewer. Should you require data in a different format please submit your request in writing to: firstname.lastname@example.org clearly stating you wish to port your data to another provider.
If you want to complain about how we have used your personal data or to know more about how your information will be used, please contact: email@example.com
Alternatively, you can find contact details for the University of Manchester’s Information Governance Team at: www.staffnet.manchester.ac.uk/compliance-and-risk/information-governance/
Alternatively, you can also contact the Information Commissioner if you have a complaint about our processing of your personal data:
The Office of the Information Commissioner
It is important that you work with us to ensure that the information we hold about you is accurate and up to date so please inform CPPE if any of your personal data needs to be updated or corrected.
All communications from CPPE will normally be by email. It is therefore essential for you to maintain an effective and secure email address or you may not receive information or other important news and information about your employment or training.