Introduction
Data privacy is important to us. This means that we process data about identified or identifiable individuals, which is called personal data, with due care and in accordance with data protection law of the United Kingdom.
This Privacy Notice describes how medicalfeedback.org ("MeFB") processes personal data we collect from individuals in relation to their use of our website ("Service").
This Privacy Notice only covers data processing carried out by MeFB. The Privacy Notice does not address, and we are not responsible for, the privacy practices of any third parties, also in cases where our Service includes hyperlinks to third parties’ websites or when cookies are set by third parties.
MeFB User Types
MeFB has two user types. Users of our Service may be "Registered" tutors who create an account with us and provide us with their personal data, or they may be "Unregistered" users visiting to provide feedback to a Registered user.
Personal data
The personal data we collect from individuals using our Service (“Users”) consists of user data, such as name, email address, professional registration number, profession and country of practice. This type of data is only collected from Registered users. No user data is collected from Unregistered users using our Service to provide feedback to a Registered user.
We also collect technical data in relation to Users, such as IP address, browser type and version, geographic location, operating system and computer platform, the full URL clickstream to, through, and from our Services, including date and time, websites accessed immediately before and after visiting our website and parts of our Services that Users have visited. Although we do not normally use technical data to identify individuals, sometimes individuals can be recognised from it, either alone or when combined or linked with user data. In such situations, technical data can also be considered to be personal data under law and we will treat the combined data as personal data. We collect technical data from both Registered and Unregistered users.
We use various technologies to collect and process technical data in relation to Users, including cookies. Cookies are small text files stored on Users’ computers by the internet browser. Cookies allow us to monitor the use of our Services. This helps us to improve our Services and better serve our Users. We also use cookies that make the use of the Services easier, for example by remembering preferences. Users may choose to set their web browser to refuse cookies, or to alert when cookies are being sent. This can usually be done through the internet browser’s settings. Information about how to manage cookies can be found online. Some parts of our Services may not function properly if Users prefer not to accept the use of cookies.
Purposes
We process personal data for the following purposes:
- to allow us to offer and provide our Services,
- to enhance our Services and the use thereof,
- to perform research and analysis relating to our Services.
Storage period
We do not store the personal data for longer than is legally permitted under UK law and necessary for the use of our Service. The storage period depends on the type of personal data and the purposes and therefore varies per use.
We store User’s personal data for as long as the User remains registered with our Services and, thereafter, for no longer than is necessary for internal reconciliation purposes to close the User's account upon their instruction. This will take a maximum of one month.
We store technical data for as long as the User is using our Services and, thereafter, for up to one year for internal reporting purposes to analyse the use of our Services.
We erase personal data after the storage period or when the User requests us to erase his/her personal data.
Legitimate grounds for processing
We process personal data with the User's consent to run, maintain and develop our Services. Furthermore, we process personal data to comply with our legal obligations under UK Law.
Rights of Users
Right to access. Any person may contact us to get confirmation as to whether or not we are holding or processing their personal data. Where we do process personal data, we will inform the User of what personal data we hold and process regarding him/her, the processing purposes, the categories of recipients to whom personal data have been or will be disclosed and the envisaged storage period. Once a User has provided us with enough information to locate their personal data, we will respond to their request within one month.
Right to withdraw consent. Our processing relies on a consent granted by the User. The User may withdraw their consent at any time by contacting us. Withdrawing consent may lead to fewer possibilities to use our Services.
Right to rectification. Any User has the right to have inaccurate or incomplete personal data we store about them rectified or completed.
Right to object. Any User has the right to object at any time to our processing. We shall then no longer process the User’s personal data unless we demonstrate other compelling legitimate grounds for our processing that override the User’s interests, rights and freedoms or for legal claims. Objecting to processing may lead to fewer possibilities to use our Services.
Right to data portability. Any User has the right to receive their personal data from us in a structured, commonly used and machine-readable format and to independently transmit those data to a third party.
Right to erasure. Any User has the right to have personal data we process about them erased from our systems unless we have a legitimate ground to not erase the data. We may not immediately be able to erase all residual copies from our servers and backup systems after the active data have been erased. Such copies shall be erased as soon as reasonably possible.
How to use these rights. To exercise any of the above-mentioned rights, Users should send us an email to the address set out below under Contact. We may request additional information necessary to confirm the User’s identity. We may reject requests that are unreasonably repetitive, excessive or manifestly unfounded.
Security
We implement and maintain reasonable and appropriate technical and organisational security measures to protect the personal data we process from unauthorised access, alteration, disclosure, loss or destruction.
Should a security breach occur in spite of our security measures that is likely to result in a risk to the data privacy of Users, we will inform the relevant Users and other affected parties, as well as relevant authorities in the UK as required by data protection law, about the security breach as soon as reasonably possible.
Recipients
We do not share personal data with any third party unless one of the following circumstances applies:
For legal reasons. We may share personal data with third parties if we have a good-faith belief that their access to and use of the personal data is necessary (i) to meet any applicable UK law and/or court order, (ii) to detect, prevent or otherwise address fraud, security or technical issues, and/or (iii) to protect the interests, properties or safety of us, our Users or the public, in accordance with UK law. We will notify Users about such disclosure, as far as reasonably possible.
In relation to our restructuring. If we are in a process of merger, acquisition or asset sale, we may transfer personal data to the involved third party. We continue to ensure the confidentiality of all personal data and will contact Users in advance of any data transfer.
Upon User’s consent. We may share personal data with third parties for other reasons than the ones mentioned above, if we have obtained the User’s explicit consent to do so. The User has the right to withdraw this consent at any time.
Location and transfer
Our Services are used in several locations in the world. Our web servers and operations are based in the United Kingdom and we operate under UK data protection legislation. Consequently, if our Services are used by Users outside the UK, we will transfer personal data to, or access it from, the United Kingdom.
Lodging a complaint
In case any User considers our processing of his/her personal data to be inconsistent with UK data protection law, a complaint may be lodged with the Information Commissioner's Office in the United Kingdom.
Changes
This Privacy Notice is dated 22 September 2019. We may update this Privacy Notice at any time if required in order to reflect changes in our data processing practices, in personal data protection laws or otherwise. For substantial changes to this Privacy Notice, we will use reasonable endeavors to provide notice thereof. The current version can be found on our website.
Contact
Any User with any question or request on this Privacy Notice or our privacy practices can contact us by email at help@medicalfeedback.org