How we use your data
This privacy notice tells you what to expect when NICE collects your personal information. It explains your rights under data protection legislation. It also contains useful links and details of how to contact us.
Unless stated otherwise, NICE is the data controller for the processing activities detailed below.
Visitors to our websites
When you visit www.nice.org.uk we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to various parts of the site. This helps us improve the website and ensure it meets the needs of users.
We do not process this data in a way that identifies anyone and we do not make any attempt to find out the identities of anyone visiting our website.
If we do want to collect personal data through our website, for example in surveys or feedback, we will be upfront about this. We will make it clear when we collect personal data and will explain what we intend to do with it.
Marketing communications
Email communications
You can subscribe to various NICE e-newsletters, bulletins and services. When you sign up, you will be asked to provide your name and email address so we can send you the newsletter you have subscribed to. We also collect other data, such as your area of work and job role. We ask for this information so that we can tailor our newsletter content to your needs and ensure it is a valuable source of information for you.
We use a third-party provider, MailChimp, to deliver most of our e-newsletters and corporate email communications, others are sent through Microsoft Outlook. We gather statistics about email performance through Mailchimp to help us monitor and improve our email communications. Learn more about how MailChimp processes email data.
You can unsubscribe at any time by clicking on the ‘unsubscribe’ link, which can be found at the bottom of all email communications from NICE.
The legal basis we rely on to process your personal data is public task under article 6(1)(e) of the GDPR.
If you have previously provided consent when you subscribed the legal basis, we rely on to process your personal data is consent article 6 (1)(a) of GDPR
Marketing our products and services
We use a range of marketing techniques to raise awareness of NICE’s work among our audiences.
Digital advertising
We use paid advertising to raise awareness of our services, events and content. These adverts are shown on external websites, which are not owned or operated by NICE. There are various ways that you may see our online advertising:
- Advertising on particular types of websites, for example newspaper and magazine websites such as PharmaTimes Online or Pulse Today.
- On social media channels including Facebook, Twitter, LinkedIn and Google, as well as some other online platforms. This advertising is targeted based on what the platform knows about its users. For example, we may ask LinkedIn to show an advert to people working in the health and care sector, or those with a particular job role, such as commissioners.
- We use Google Analytics to understand how many people click on our adverts. This helps us to understand whether our marketing is effective. We also track people's interactions with our adverts. This allows us to make sure you see more adverts that are relevant to you.
Sharing your information
We sometimes share data (e.g. email address) held by NICE with trusted third-party agencies or media owners to inform the targeting of our advertising or paid communications. If we do share your personal information, we will only do so where the law allows, and we will only share the minimum amount of information that is necessary. Wherever possible, we will pseudo-anonymise your personal information before sharing with any third parties.
We share your data in one of the following ways:
- Provide our contracted digital media agency or social media platforms with information on the people who follow our social media channels, or email addresses of contacts who receive our email communications, for the purpose of targeting or excluding those individuals from receiving our advertisements. We may also use the data to target other, similar audiences. We do this to tailor marketing activity to those who are most likely to find our advertising relevant and useful, or to ensure people avoid receiving too much advertising.
- When we, or our contracted digital media agency, upload email addresses to online platforms (such as Google, LinkedIn or Twitter) they are ‘hashed’ by the platform. Email hashing is a method of coding an email address for privacy. The unrecognisable code cannot be traced back to the email address, but the behaviours attached to the email address are recorded. The online platform finds similar or ‘look-a-like’ audiences by matching these hashed email addresses to existing users and creating a group of people with similar characteristics. Our advertising is then served to them. The hashed data that we share is deleted after a short period of time (within 30 days) and not used for any other purpose. For more information, please view the respective privacy policies on the various social media platforms.
- If you do not wish to see these adverts, you can change your settings on the social media and search platforms (Facebook and Google, for example) to stop this kind of targeting from specific advertisers or from all advertisers.
- Commission media owners or news sites (such as.Wilmington Health, Pulse or RCNi) to send information to third party email data owned by them, on our behalf. This allows us to expand our reach when we have important messages we would like to communicate to a large audience. When doing this, we may provide the media owner with information on the people who already receive our newsletters (e.g. email address), for the purpose of excluding those individuals from receiving our paid email communications.
Use of cookies by NICE
You can read more about how we use cookies in our cookie statement.
Search engine
Search queries and results are logged anonymously to help us improve our website and search functionality. We do not collect any user-specific data.
NICE conference
We use a third party to organise and facilitate the NICE conference. Currently this is Political Engagement Limited (operating as Dods Events).
When you register for the NICE Conference, your data will be collected by Dods Events and used for the purposes set out in the Dods Events privacy notice. Dods Events will share your name, job title and contact information with us so we can contact you about future NICE conferences.
In the event that we use another third party to organise and facilitate future NICE conferences, we will share your data with them for the sole purpose of telling you about the NICE conference.
If you do not wish for us to share your data with third parties and/or you would like to be removed from our NICE conference contact list, you can email nice@nice.org.uk.
The legal basis we rely on to process your data is Article 6 (1)(e) of the GDPR ‘…exercise of official authority…’.
Disclosure of personal data
Where we share personal data, NICE is the data controller, and the third-party supplier is a data processor.
We only use data processors who provide a service for us. We have noted throughout the privacy notice where we use third parties.
We have contracts in place with our data processors. This means they cannot do anything with your personal data unless instructed by NICE and will not share your personal data with any organisation apart from NICE. Your personal data will be held securely and will retained for a period instructed by NICE.
Getting involved
NICE accounts
When you create a NICE account, we ask for your name and email address so we can establish who you are. We also ask for other information, such as the organisation you work for. It is not mandatory to provide this information - we only ask for it so we can prepopulate the login pages of other NICE services you use and save you time.
Your NICE account is used to authenticate your identity when signing into the following NICE services:
- NICE Docs appraisals
- META Tool
- NICE Syndication Services
- EPPI Reviewer 5
- Online consultations (Comment Collection system)
- when you register to participate in a consultation
The legal basis we rely on to process your data is Article 6(1)(e) of the GDPR ‘…exercise of official authority…’
Adoption and impact reference panel
The Adoption and Impact Reference Panel is an advisory body to NICE. The purpose of the panel is to review and comment on tools and resources produced by NICE and to provide ad hoc independent expert opinion if needed.
When you join the panel, we ask you to provide your name, job details, and contact information. We also ask you about your areas of interest so that our contact with you can be tailored to your expertise.
We ask for this information so we can administer membership of the panel and so that we know we have a wide variety of experts to work with to ensure our tools and resources are fit for purpose.
We will use your details to contact you, via email or phone, about one or more of the following:
- To provide us with a user perspective on draft resources and other products in line with your interests and expertise.
- To contribute to formal consultation exercises for draft tools and resources and to provide rapid and brief informal feedback.
- To advise us on the identification of appropriate networks that may assist in the development of tools and resources and wider promotion of NICE guidance.
- To provide us with expert advice on the levers and barriers to implementation of our guidance.
- To notify you of other opportunities to work with NICE related to your interests.
We ask you to fill out declarations of interest forms because the panel is intended to provide independent and impartial views on tools and resources that have been developed to support specific guidance topics. We also ask you to sign a confidentially form to show you have agreed to what is set out in that particular document.
We will send you an annual statement, which you can use in your professional development portfolio to demonstrate your contribution to the development of our guidance.
Any comments you provide during your time on the panel will either be incorporated into the tool or resource or a reason recorded for not including them. We keep a written record of how each comment is dealt with and will make this available to you upon request, following the publication of the tools.
Membership of the panel is for a period of up to three years and we may ask if you would like to extend this.
If your application to join the panel is unsuccessful, we will hold your data for six months then destroy it.
The legal basis we rely on to process your data is Article 6(1)(e) of the GDPR ‘…exercise of official authority…’
Audience insight community
The purpose of the audience insight community is to ensure the views, experiences, needs and expectations of NICE's current and potential audiences are systematically gathered and interpreted to support product and service planning, development and evaluation.
If you join the audience insight community, you will be asked for your name, email, and telephone number so we can contact you. We will also ask you questions about your background, for example your area of work and job role. We ask for this information so we can inform you about research most relevant to you.
We use a third-party supplier, SNAP Survey, to administer our surveys.
We rely on your consent to process your data. If you no longer wish to participate in the audience insight community, you can withdraw consent at any time by clicking the unsubscribe link in the emails you are sent or contacting us at audienceinsight@nice.org.uk.
Meetings in public
We hold a number of meetings in public as part of our commitment to having processes in place that are rigorous, open and transparent.
These meetings are being held via Zoom either as a meeting or webinar and your name, email and IP address will be processed. We also ask you to share any accessibility needs that would support you during the virtual meeting.
If the web meeting you are attending offers an interactive poll or Q&A session, participation is not mandatory, however your name may be processed with your poll responses and questions. We store this information in Zoom for 6 months.
After you have attended a meeting, we may also send you a feedback form so you can tell us about your experience and help us make any improvements. The feedback is anonymous and you cannot be identified.
The legal basis we rely on to process your data is Article 6(1)(e) of the GDPR ‘…exercise of official authority…’
Registering as a stakeholder and commenting on consultations
All of our guidance, quality standards, and other products are developed taking into account the opinions and views of the people who will be affected by them, including:
- patients, carers and members of the public
- health and social care professionals
- NHS organisations
- industry
- social care businesses
- local government.
Consultations
Our consultation process allows a range of individuals and organisations to comment on our recommendations throughout the development of our guidance and quality standards.
If you comment via the NICE website, depending on the product you are commenting on, you may be asked to give your name and your email address. We may use this data to:
- send you an email to inform you that you are eligible to comment
- contact you about the product you are commenting on
- send you a confidentiality acknowledgement and undertaking form.
Stakeholders
Our guidance is created by independent and unbiased advisory committees that include a diverse range of experts, from surgeons and midwives to health economists and social workers, as well as patients or carers or other members of the public.
In the case of our technology appraisals and highly specialised technologies guidance, in which we make recommendations about the use of new drugs and technologies within the NHS, we work with manufacturers to ensure that evidence they submit on the effectiveness of their products is the most appropriate to enable an evaluation to be undertaken.
We value the input of patients, carers and the general public in the development of our guidance and other products. By involving the people for whom the guidance will be relevant, we put the needs and preferences of patients and the public at the heart of our work.
Our Public Involvement Programme supports individual patients, carers and members of the public, as well as voluntary, charitable and community organisations involved with NICE's work.
If you register as a stakeholder, we ask for your name, job title, and contact details. We do this so that we can check your suitability to be a stakeholder, keep you updated on the development of the guidance, and seek your input at key stages.
If you are a manufacturer and register as a stakeholder, we ask for contact details for the person who will be our main contact and details of the person who we can ask technical questions about the product.
We ask for this information so that we can keep you updated on the development of the guidance and seek your input at key stages. We may share your contact details with colleagues so that they can provide additional support.
Once published, all NICE guidance is regularly considered for review and updated in light of new evidence if necessary. When we conduct a review, we may email you to inform you that the review is starting and see if you would like to register again as a stakeholder. If you do, we will:
- send you the review proposal for consultation
- send you the review decision.
When you register as a stakeholder, we will ask you if you would like to hear about other NICE work. This is so we can ensure we only contact you about areas of NICE work that you have an interest in.
The legal basis we rely on to process your data is Article 6(1)(e) of the GDPR ‘…exercise of official authority…’
Joint Information Group
The Joint Information Group (JIG) brings together information specialist representatives from NICE, organisations contracted by NICE, and from related organisations.
If you join the group as a representative, you will be asked to provide your name and email address. This information will be used to subscribe you to the Joint Information Group mailing list (JIG@jiscmail.ac.uk) so that you receive communications about meetings and related activities.
If you no longer wish to be part of the group, you can unsubscribe from the JIG list at any time.
If you have changed role or organisation, we would encourage you to contact Marion Spring at NICE so we can ensure a new representative from your organisation is invited to the group.
Stakeholder updates
Twice a year JIG representatives will ask all relevant organisations to supply a ‘stakeholder update’ for the group, for example about any IS-related projects they have been working on and to include contact details where relevant. Stakeholder updates will be circulated to the full NICE IS network. This includes to IS’s working at the following organisations:
- NICE
- EPPI-Centre
- External Assessment Centres (medical technologies)
- InterTASC ISSG/External Assessment Groups (diagnostics)
- National Guideline Alliance
- National Guideline Centre
- Public Health England
- members of the Cochrane Information Retrieval Methods Group.
The purpose of including a contact name and email address is to enable members of the network to engage with each other about projects and developments.
The legal basis we rely on for processing your personal data is Article 6(1)(e) ‘…exercise of official authority…’.
Field team
We use a Microsoft Dynamics customer relationship management system to process data, including personal data. The types of personal data we collect are name, job title and contact information. This data is used to help us plan, implement and evaluate the effectiveness of our engagement programmes and improve the service we offer.
We may provide anonymised feedback to internal teams within NICE and, on occasion, we may provide personal contact details to internal teams within NICE to:
- help them to evaluate similar NICE products, services and programmes to those we have engaged with you about
- raise awareness of and send invitations to events organised, or supported by NICE, again only for related topics.
We routinely delete personal data three years after the last time that we have engaged with the individual that it relates to.
The legal basis we rely on to process your data is Article 6(1)(e) of the GDPR‘…exercise of official authority…’.
From time to time we may record meetings within Zoom. When this happens, a privacy statement will be supplied by the organisers. You'll be advised of the procedure to manage your own information at the start of the meeting. For further information about how Zoom manages information please read the Zoom privacy statement.
Our products
We use lots of data to inform our products and help us make decisions. Some of the data we use is personal data. Instances where we use identifiable and/or pseudonymised data are detailed below.
Information about how your confidential patient data is used in the health and care system for reason beyond your individual care, along with the choices you have about whether you want your data to be used in this way, can be found in the National data opt-out section.
Hospital Episode Statistics (HES)
HES data is an example of when we use pseudonymised data which contains details of all admissions, accident and emergency attendances and outpatient appointments at NHS hospitals in England. We also use pseudonymised data from other national datasets.
We use pseudonymised data to help inform reports, templates and statements that sit alongside our guidance. These tools detail the potential impact of implementing guidance on NHS finances and other resources (including workforce, capacity and demand, infrastructure and training and education). Many of these outputs are published on our website. We do not publish or share it with third parties.
We obtain data through trusted partners, such as NHS Digital, under Data Sharing Agreements.
Examples of data sets we process include:
- clinical information about diagnoses and operations
- patient information, such as age group, gender and ethnicity
- administrative information, such as dates and methods of admission and discharge
- geographical information such as where patients are treated and the area where they live.
We routinely delete this data in line with the NHS Records Management Code of Practice 2021. All data in a publishable format is retained for as long as it has business value.
The legal basis we rely on to process this data is Article 6(1)(e) of the GDPR ‘…exercise of official authority…’ and, for the processing of special category data, Article 9(2)(j) of the GDPR ‘…statistical purposes…’.
Our services
When using our services your name, email address, job role and sector will be added to a relevant NICE email subscriber list so that you can receive the latest news about NICE's support for your sector. When you receive an e-newsletter from NICE, you can unsubscribe at any time.
We may also share your name, email address, job role and sector with contracted third-party marketing or research agencies. View marketing communications for more information on how your data may be used to inform marketing activities.
Your data will only be shared with contracted third-party research agencies to enable them to arrange and conduct primary research on behalf of NICE. Insights from such research will enable NICE to fulfil its public duty effectively. Any data shared with a third-party research agency will be used solely for the purpose of conducting primary research and deleted upon completion of the project.
META tool
The META tool© is an online platform that helps developers of medical technologies optimise their product development plans. It was developed by NICE in collaboration with Greater Manchester Academic Health Science Network, with their delivery partner TRUSTECH and Devices for Dignity, and is also available through other relevant organisations under licence.
When you sign up to use the META tool, you will be asked to create a product developer account. You’ll need to create a NICE Account first, then you’ll create an account for your company or product.
You’ll be asked to supply your name and contact details. This information will only be used for the following purposes:
- To allow your selected facilitating organisation to contact you to discuss the META tool process and agree timelines for the project.
- To add your name, email address and job role to a relevant NICE e-mailing list so that you can receive the latest news about NICE's support for the life sciences sector. When you receive an e-newsletter from NICE, you can unsubscribe at any time. We use a third-party provider, MailChimp, to deliver most of our e-newsletters and corporate email communications, others are sent through Microsoft Outlook. We gather statistics about email performance through Mailchimp to help us monitor and improve our email communications. Learn more about how MailChimp processes email data.
If you have expressed interest in becoming a facilitating organisation and requested a callback, we will only use the information you provided to contact you about this service. We will store your data for six months and delete it if we have no further interaction with you.
If you do go on to become a facilitating organisation, we will store your data for the duration of our contract with you and for six years after.
UK PharmaScan
UK PharmaScan is a key source of intelligence on new medicines, indications and formulations in clinical development for NHS horizon scanning organisations across the UK. It is a database owned by the Department of Health and hosted by NICE.
When a new organisation registers on UK PharmaScan, we ask for the company and personal details including the name, job title, and contact information of a champion user. The champion user is the senior user within an organisation responsible for registering that organisation with UK PharmaScan and will have the authority within their organisation to review, approve and maintain access permissions to other standard users within that organisation.
When an individual registers as a user, we ask for their personal details.
We use user data:
- to complete the organisation and user registration processes that are described on the UK PharmaScan 'how to register' page and to administer company and user accounts
- for authentication purposes when users log into the secure section of the UK PharmaScan site
- to communicate with users about database service problems, update releases, technical developments, user-initiated enquiries and training events and presentations
- to communicate with users, on behalf of the UK PharmaScan User Group or Oversight and Governance Committee, about changes to the database structure, the record management process, user agreement content, opportunities to participate in the management or development of the service or other relevant notifications about the service
- to communicate with users as a part of the UK PharmaScan record quality assurance process
- to resolve technical problems or help maintain the database.
Your name, email address and job role will also be added to a relevant NICE e-mailing list so that you can receive the latest news about NICE's support for the life sciences sector. When you receive an e-newsletter from NICE, you can unsubscribe at any time. We use a third-party provider, MailChimp, to deliver most of our e-newsletters and corporate email communications, others are sent through Microsoft Outlook. We gather statistics about email performance through Mailchimp to help us monitor and improve our email communications. Learn more about how MailChimp processes email data.
OpenAthens
OpenAthens user accounts
Eligible users may register for an NHS England OpenAthens account. This provides access to a range of content purchased by the NHS. The service is provided by Jisc.
This privacy statement should be read in conjunction with the privacy statement from Jisc.
NICE is the data controller and Jisc is a data processor. Other data processors in this system include providers of the online content. Providers of online content include, for example, providers of medical abstracting and indexing databases such as Medline, CINAHL and EMBASE, and providers of online journals.
When you register for an OpenAthens account, we ask you for your personal data including your name and email address, your organisation name and address, your work phone number and department, your job role and title, and whether your contract is permanent or temporary. You might also be asked to provide the following optional data: your title, fax number or staff or student number.
The data is stored by Jisc. Your complete data can be accessed by the national OpenAthens administrators at NICE, your regional and local NHS OpenAthens administrator and Jisc. All other NHS OpenAthens administrators can see your username, first name and last name, but no other details. The data are used:
- to assess your eligibility for an OpenAthens account and to complete the registration process
- for authentication purposes when you log on to your OpenAthens account
- to communicate with OpenAthens users about the OpenAthens service and content that can be accessed with an OpenAthens account.
The following data attributes are passed from Jisc to the other data processors in the system: persistent user identifier, organisation ID, username, email address, targeted ID, role and entitlement. This is so that you can see the online content that you are eligible to access.
OpenAthens administrators
Each organisation under the NHS account has its own administrator. When you register as the OpenAthens administrator for your organisation, we ask you for your name, your email address, and your organisation. The following data are optional: position, phone number, fax number, staff/student number, title, department, postal address, public contact details, discovery domain hint, geolocation, organisation aliases, trusted email domain, trusted IP address.
The data are stored by Jisc and can be accessed by the national OpenAthens administrator at NICE, your regional OpenAthens administrator and Jisc.
The data are used:
- to complete the OpenAthens administrator registration process and create an account
- to communicate with administrators about the OpenAthens service.
NICE Scientific Advice
When you submit an enquiry to our scientific advice team, we ask you to provide your contact details so we can contact you about your enquiry and tell you more about our service.
If you sign up to use our service, we will store your data so we are able to communicate with you and deliver our services.
We may also ask you to provide feedback about your experience. In some cases, we may use third-party suppliers to administer our feedback surveys. When we share information for the purposes of administering feedback surveys it might be one-off, long-term or ongoing.
We share personal data with third parties, including subscriber lists, in order to send research surveys to our stakeholders and collate feedback from them on our behalf. Current third parties we share information for the purposes of surveys and feedback are RAND Europe, Jotform and BJSS Ltd.
Stakeholders who subscribe to our surveys will be automatically added to our mailing lists so we can let you know about our updates to our products and services. You can opt out at any time by using the unsubscribe button in our updates. We use a third party supplier, MailChimp, to send out our updates.
We will store your data for as long as we are providing a service to you and for four years after unless we no longer require this data.
Office for Market Access
When you submit an enquiry to NICE’s Office for Market Access (OMA), we ask you to provide your contact details so we can contact you to assist with your enquiry and provide further information about the services that we can offer you.
Your name, email address and job role will also be added to a relevant NICE e-mailing list so that you can receive the latest news about NICE's support for the life sciences sector. When you receive an e-newsletter from NICE, you can unsubscribe at any time. We use a third-party provider, MailChimp, to deliver most of our e-newsletters and corporate email communications, others are sent through Microsoft Outlook. We gather statistics about email performance through Mailchimp to help us monitor and improve our email communications. Learn more about how MailChimp processes email data.
We will store your details for three years because OMA engages with the life sciences industry at any stage of the development to adoption pathway of a technology. Storing your details for this period of time ensures we can be as helpful as possible at the point you would like to engage. We will delete your details after three years if we’ve had no further interaction since your original enquiry submission.
If we deliver an engagement service for you, we will store your details to enable us to communicate and deliver an effective service. We keep your details for six years in this situation.
If you are an external expert who we have entered into a contract with, we ask for your name, job role, and contact information. We ask for these details so we can verify your identity and invite you to meetings.
Please note that on request, we will pass your details onto the company whose products you are advising on or reviewing.
Science Policy and Research Programme
When you submit an enquiry to our Science Policy and Research Programme, we ask you to provide your personal data so we can contact you about your enquiry.
If you have a general enquiry, we will store your personal data for one year and delete it if we have no further interaction with you.
If your enquiry is about involvement in or supporting a research project but no activity to progress this takes place, we will store your personal data for one year and delete it if we have no further interaction with you.
If we offer a letter of support for your research, we keep a copy of this on record. We will delete other personal data after two years.
If we support or collaborate with you on an application for a research project, including for funding, and this is not successful, we will store your personal data for two years after the decision date.
If you contact us in relation to a live project we collaborate on or are involved with, we may be subject to the privacy notice of the project management office or funder. Please see the relevant projects' or funders' websites for their privacy notice. If we are the data controller, we will hold your personal data for six years after the project ends. You can email us if you are unsure which privacy notice your personal data is subject to.
If we support or collaborate with you on an application for research funding and this is successful, we will store your personal data for six years after the project end date.
All research projects we support, collaborate or participate in will be entered on NICE’s research register to comply with NICE’s Research Governance Policy.
The legal basis we rely on to process your data under ‘Our Services’ is Article 6(1)(e) of the GDPR ‘…exercise of official authority…
Science policy and research events
Your personal data will be processed to organise and manage the event and any subsequent communication and events related to it. This can include:
- creating a contact list
- asking about any special requirements, for example to accommodate dietary requirements or reasonable adjustments
- asking about details needed to support booking travel, accommodation or paying expenses.
Your personal data will be held for six years after the last meeting, or the project end date, whichever is the later.
The legal basis we rely on to process your data is Article 6(1)(e) of the GDPR ‘…exercise of official authority…’.
When we process information about dietary or access requirements, we rely on Article 9(2)(b) of the GDPR ‘…processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’.
Health Tech Connect
Health Tech Connect is an online, single point of entry that connects companies to relevant information and support to help the development, evaluation and adoption of health technologies in the UK. It is a database owned by NHS England and hosted by NICE.
From 1 August 2022 Health Tech Connect closed to new registrations and to new technologies being added by existing registered companies, however the service will continue until existing registrants have been managed down over a period of 1-2 years.
When an individual registered to use HealthTech Connect for the first time to input details about their health technology, we asked for the name of their organisation and personal details including the name, email address, and phone number of the person registering. We asked the individual registering for the name and contact details of a responsible director within their company to ensure the appropriate authority and approvals were in place for entering and sharing details of the health technology.
We use this data:
- to complete the organisation and user registration processes that are described on the HealthTech Connect website
- for authentication purposes when users log into the secure section of the HealthTech Connect website
- to communicate with users about database service problems, update releases, technical developments, user-initiated enquiries and training events and presentations
- to communicate with users, on behalf of the HealthTech Connect User Group or Oversight and Governance Committee, about changes to the database structure, the record management process, user agreement content, opportunities to participate in the management or development of the service or other relevant notifications about the service
- to communicate with users as a part of the HealthTech Connect record quality assurance process
- to resolve technical problems or help maintain the database.
Your name, email address and job role will also be added to a relevant NICE e-mailing list so that you can receive the latest news about NICE's support for the life sciences sector. When you receive an e-newsletter from NICE, you can unsubscribe at any time. We use a third-party provider, MailChimp, to deliver most of our e-newsletters and corporate email communications, others are sent through Microsoft Outlook. We gather statistics about email performance through Mailchimp to help us monitor and improve our email communications. Learn more about how MailChimp processes email data.
The legal basis we rely on to process your data is Article 6(1)(e) ‘…exercise of official authority…’
We also use user data to share your name and contact details, only with your explicit consent, with authorised data accessors who aim to provide help and support to your company for the development, evaluation and adoption of your technology.
The legal basis we rely on to process your data is Article 6(1)(a) ‘...has given consent..’
National data opt-out
We are one of many organisations working in the health and care system to improve care for patients and the public.
Whenever you use a health or care service, such as attending accident and emergency or using community care services, important information about you is collected in a patient record for that service. Collecting this information helps to ensure you get the best possible care and treatment.
The information collected about you when you use these services can also be used and provided to other organisations for purposes beyond your individual care, for example to help with:
- improving the quality and standards of care provided
- research into the development of new treatments
- preventing illness and diseases
- monitoring safety
- planning services.
Most of the time, anonymised data is used for research and planning so that you cannot be identified in which case your confidential patient information isn’t needed.
You have a choice about whether you want your confidential patient information to be used in this way. If you are happy with this use of information, you do not need to do anything. If you do choose to opt out, your confidential patient information will still be used to support your individual care.
To find out more or to register your choice to opt out, please visit www.nhs.uk/your-nhs-data-matters.
We do not process any identifiable patient data at NICE and are in compliance with the national data opt-out policy.
Information about how we use pseudonymised data can be found under the Our products section of this privacy notice.
Archival collections
A very small percentage of records containing personal information are selected for permanent preservation at The National Archives and other repositories because of their significance. They are made available in accordance with the Freedom of Information Act 2000, as amended by the Data Protection Act 2018.
Working for NICE
Your data will be processed to support the recruitment process for vacancies advertised here at NICE.
NICE is the data controller for the information you provide during the recruitment process and your employment, unless otherwise stated.
Application stage
The information you provide during the recruitment process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.
We ask you for your personal details, including name and contact details. We will also ask you about your previous experience, education, referees and for answers to questions relevant to the role you have applied for. You will be asked to complete a criminal records declaration to declare any unspent convictions.
We will use the contact details you provide to us to contact you to progress your application. The other information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for but it might affect your application if you don’t.
We also ask for you to provide us with equal opportunities information. This is data about things like your racial or ethnic origin, religion, disability, gender and sexual orientation. This is not mandatory information - if you don’t provide it, it will not affect your application. It is not part of the recruitment process and it is used to produce anonymised statistics on our recruitment process as part of our duties under equalities legislation.
NHS Jobs
If you submit an application to NICE using NHS Jobs, the information you supply will be transferred during the campaign to our applicant tracking system.
Shortlisting
Once you have submitted an application, your data is shared as follows.
The HR recruitment team at NICE will access the data you submitted as part of your application on NHS Jobs or via our applicant tracking system. This includes equality monitoring data. The HR recruitment team is not involved in candidate selection.
The recruitment panel (those who shortlist applicants) will have access to your application apart from your name, contact details, and equality monitoring information. If you are asked to submit a CV and it includes your name, contact details and equality monitoring information, this will not be removed or anonymised and will be visible to the recruitment panel. The recruitment panel is usually made up of 3 staff members.
If you are successful at shortlisting and invited to interview, the recruitment panel will have access to your name and contact details regardless of application method. At no point does the recruitment panel see the equality monitoring information unless you include this on your CV.
Assessments
We might ask you to participate in assessment days, complete tests and/or attend an interview - or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information will be collected in hard copy and then scanned and uploaded to our applicant tracking system.
In the case of recruitment to some senior posts, you may be asked to participate in a psychometric test. We sometimes use a third party to carry out these questionnaires. The profiles generated are shared with NICE’s senior HR business partners. These are distilled into a short summary before being shared with the recruitment panel.
If you are unsuccessful following assessment for the position you have applied for, your data will be retained on our applicant tracking system for 6 months after the post you have applied for has been filled.
You can opt in or out of our talent pool, where we will use your details to identify and select you for future vacancies. If you are selected, you will be encouraged to apply for the vacancy that you have been matched to. You can choose not to be considered for that vacancy and you will have the opportunity to opt out of the talent pool at any time. On this basis we may use your details to identify and select you for future vacancies.
If you are successful, your assessment data is uploaded to our applicant tracking system. This data will be added to your recruitment file on the system and retained on your personal employee file.
Talent pool
By submitting an application to NICE, you will automatically be added to our talent pool. This allows us to access your profile and consider you for future job opportunities across our organisation.
By being a part of our talent pool, you can be matched to suitable roles, receive alerts and notifications from us and have a registered account within our recruitment system. You can delete your account at any time by logging into your candidate portal, visiting Settings / Profile and choosing to delete your profile. You can also control how we communicate with you from your Settings.
Offer of employment
If we make a conditional offer of employment, we will ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer.
We are required to confirm the identity of our staff and their right to work in the United Kingdom. We also need to check that you hold the relevant qualifications required and our Code of Conduct requires all staff to declare if they have any potential conflicts of interest, or if they are active within a political party.
You will be required to provide:
- proof of your identity and right to work in the UK - you will be asked to attend our office with original documents, and we will take copies of these
- proof of any essential qualifications - you will be asked to attend our office with original documents, and we will take copies of these
- a declaration of interests.
We will contact your referees, using the details you provide in your application, directly to obtain references.
We will also ask you to complete a questionnaire about your health. This is to establish your fitness to work - see the Occupational health section for more information.
If we make a final offer, we will also ask you for the following:
- bank details - to process salary payments
- emergency contact details - so we know who to contact in case you have an emergency at work
- membership of an NHS Pension scheme - so we can send you a questionnaire to determine whether you are eligible to re-join your previous scheme.
If you accept a final offer from us, some of your personnel records will be held on the Electronic Staff Record (ESR). This is an HR and finance records system. The rest of your data will be held on NICE’s network drive with restricted access.
Occupational health
We are joint data controllers with a third party supplier, People Asset Management, to supply our occupational health service. They also supply our employee assistance service.
Agency workers
For temporary vacancies, we use relevant recruitment agencies approved by Crown Commercial Services.
As the employment relationship is with the agency, we only hold limited data about agency workers. This may include CVs sent by your agency and notes made about you if you attended an interview with us.
Data relating to HR and payroll is held by the agency. For more information about how individual recruitment agencies process your data, please visit their websites or contact them directly.
Apprentices
We recruit our apprentices through third party suppliers. These third parties longlist candidates for us and may also conduct initial telephone interviews. If you are successful at this stage, your CV will be sent to the recruitment panel and HR apprentice lead at NICE for shortlisting.
If you are unsuccessful at interview, NICE will delete your data 6 months after the post has been filled.
If you are successful at interview please see the Offer of employment section for information about how your data will be processed.
If you would like more information about how your particular apprentice provider handles your data, please visit their websites or contact them directly.
Committee members
If you are applying to join a committee, you will be recruited either directly by NICE or by one of our collaborating centres.
At application stage, depending on the role you are applying for, we may ask you to provide the following information:
- cover letter explaining how you meet the criteria in the person specification and your motivation for applying for the role (maximum 2 pages)
- brief CV, including details of any relevant academic or other research work
- an application form
- completed declarations of interests form
- completed equalities monitoring form
- names and contact details for 2 referees.
We ask for this information so we can assess your suitability for the role and monitor the diversity of candidates to ensure we comply with the Equality Act 2010.
We ask you to fill out a declaration of interests form because we are required to identify and manage any potential conflicts of interest.
If you are successful in your application, the interest you declare may be published. We do this because it supports a culture in which we are open and transparent about the interests of those who are members of, or work with, our advisory committees, so that the effect of interests is known, understood and managed. This is essential if health and care professionals, and the public, are to maintain confidence in our work.
You may also be asked to fill in a confidentiality form. This data will be used to record your agreement to the terms set out in each document.
We will also share your email address with the committee chair. This is to help ensure you receive appropriate support and induction in your role.
The legal basis we rely for processing your data is:
Article 6(1)(b) ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.
Article 6(1)(c) ‘processing is necessary for compliance with a legal obligation to which the controller is subject’.
Article 6(1)(e) - ‘…exercise of official authority…’
Article 9(2)(b) ‘…processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’.
Article 9(2)(h) ‘…processing is necessary for the purposes of preventive or occupational medicine…assessment of the working capacity of the employee…the provision of health or social care…’
Communicating with NICE
Enquiries
We use a Microsoft Dynamics customer relationship management system to provide NICE’s enquiry handling service. The details you provide by email, phone or web form are held in our database in order to respond to your enquiry and shared with the NICE staff who will respond to your enquiry.
If your enquiry relates to a NICE product or a service we provide, we may provide anonymised feedback to internal teams about the impact of our products or services. We routinely delete the enquiry record we hold for you three years after it is closed.
We record all calls made to the NICE enquiry line (0300 323 0141) and internal calls transferred to the NICE enquiry line by our reception or press office teams. We use this information to help train our staff and improve our customer service to you. Calls are recorded and stored for two months.
The legal basis we rely on to process your data is Article 6(1)(e) ‘…exercise of official authority…’.
Information requests
Freedom of information
What is the Freedom of Information Act 2000?
The Freedom of Information Act 2000 provides public access to recorded information held by public authorities and sets out exemptions to that right of access, for example, if the information is confidential.
How we process a Freedom of Information Act request?
A freedom of information act can only be made in writing. If you have made a freedom of information act request, it will be dealt with by our enquiry handling service. A case file will be created to log and progress your request. This will include your contact details and any other information you included in your request. Your request may be shared with other relevant staff members to help us respond to you.
If you would like to find out more, please see our freedom of information page.
Individual rights request made under the General Data Protection Regulation
What are your rights?
Under Regulation 2016/679 (General Data Protection Regulation) and other information rights laws, you have rights as an individual to ask for information we hold about you in a recorded form. Read more about these rights.
Access to your personal data
The information governance and records management team will manage responses to individual rights requests.
We will be as open as possible when it comes to giving you access to your personal information. You can find out if we hold any personal information about you by making a ‘subject access request’ under the General Data Protection Regulation.
If we do hold information about you, we will:
- give you a description of it
- tell you why we are holding it
- tell you who it could be disclosed to
- let you have a copy of the information in an intelligible form.
How we will process your request
When we receive a request, we will create a case file to log and progress your request. We may ask for you to provide further information to confirm your identity, or to help us answer your request. To enable us to process your request we will share details of your request with other relevant staff members to help us respond to you. We have one calendar month to provide you with the information you requested or to notify you that we have amended or erased your information accordingly.
How to request information about yourself
To make a request for any personal data, or to ask us to correct any mistakes on information we hold on you please contact the Data Protection Officer's email.
If you want to make a complaint about the way we have processed your personal data please follow our general complaints policy and procedure (Word).
If you feel that we have not met our responsibilities under the General Data Protection Regulation, you have a right to request an independent assessment from the Information Commissioner’s Office (ICO). You can find more details on the ICO website.
The legal basis we rely on to process your personal data is Article 6(1)(C) ‘…processing is necessary for compliance with a legal obligation…’
Complaints
If you make a complaint to NICE, we will make up a file containing the details of the complaint. This normally contains details of the complainant (you) and any other people involved in the complaint. We will only use the personal data we collect to investigate and respond to the complaint.
We may have to share your identity with others involved in the complaint if this is necessary to investigate the complaint. If you do not want your data to be shared, we will respect this and investigate the complaint accordingly.
We will keep personal data contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for 10 years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle.
If you escalate your complaint to the Parliamentary and Health Service Ombudsman or the Information Commissioner’s Office, we will pass information relating to your complaint to them so they can investigate our response to your complaint.
The legal basis we rely on to process your data is Article 6(1)(e) ‘…exercise of official authority…’
Visiting NICE
CCTV
CCTV is installed in our offices for the purpose of security only and may be disclosed to the police. NICE will ensure the operation of its CCTV is in accordance with guidance provided by the Information Commissioner’s Office.
Visitor books
When you visit our offices, we ask you to sign our visitor book. We do this for security reasons - we want to make sure we know who is in the building and to ensure visitors are authorised to be here. We are also required to report on numbers of visitors to our offices to ensure we have adequate space.
Visitor books are destroyed six months after they have been replaced.
The legal basis we rely on for processing your personal data is:
Article 6(1)(c) ‘…for compliance with a legal obligation …
Article 6(1)(e) ‘…exercise of official authority…’
Useful information
Links to other websites
This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.
Our public task
We rely on our ‘public task’, or Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’, as our legal basis for processing much of the personal data we collect.
Our public task consists of the functions we are under a legal duty to perform. These are set out in:
- the Health and Social Care Act 2012 (HSCA 2012)
- the National Institute for Health and Social Care Excellence (Constitution and Functions) and the Health and Social Care Information Centre (Functions) Regulations 2013 (the 2013 Regulations).
You may also find our charter useful.
Changes to this privacy notice
We keep our privacy notice under regular review.
This privacy notice was last updated on 12 May 2023.
Our Data Protection Officer
Our Data Protection Officer is:
James Siddall
Head of information governance and records management/data protection officer
Level 1A,
City Tower,
Piccadilly Plaza,
Manchester,
M1 4BT
Email: dpo@nice.org.uk
Our Senior Information Risk Owner (SIRO):
Our SIRO is:
Boryana Stambolova
Interim Director of Finance
Our Caldicott Guardian
Our Caldicott Guardian is:
Jonathan Benger
Chief Medical Officer
How to contact us
We aim to meet the highest standards when processing personal data and want to be as open and transparent as possible.
If you have a question about our privacy policy you can email us or write to:
Data protection officer
National Institute for Health and Care Excellence
Level 1A,
City Tower,
Piccadilly Plaza,
Manchester,
M1 4BT