We are committed to safeguarding the privacy of our website visitors. This policy sets out what data we collect, the conditions under which we may process any information that we collect from you and how that data is kept safe. It covers information that could identify you “personal information” and information that could not. In the context of the law and this notice, "process" means collect, store, transfer, use or otherwise act on information.
Our website incorporates privacy controls which affect how we will process your personal data. By using the privacy controls, you can specify whether you would like to receive direct marketing communications or not.
If you are not happy with any of the points below, we recommend that you do not use our website or services.
NHS Staff Benefits is for employees working within NHS, Hospice, GP practices, NHS Dental Services and HSCNI only. If you do not work within these areas, you are not permitted to use this website.
The personal data that we collect
We collect personal data from you, your name, email address, job title and the Health Board / Trust in which you work. This information is to help ensure you are eligible to access the service and to provide a basic account function for you to login. You can view and update the personal data held by clicking into your Account and Edit profile.
The account data that we collect includes your account identifier, name, email address, job title, Health Board and marketing preferences. The primary source of the account data is from you when you register with NHS Staff Benefits, although some elements of the account data may be generated by our website.
We may process information contained in any communication that you send to us or that we send to you, (communication data). The communication data may include the communication content and metadata associated with the communication. Our website will generate the metadata associated with communications made using the website contact forms.
We may process data about your use of our website and services (usage data). The usage data may include your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views and website navigation paths, as well as information about the timing, frequency and pattern of your service use. You cannot be identified from the usage data as this does not contain your personal data.
Encryption of data sent between us
We use Secure Sockets Layer (SSL) certificates to verify our identity to your browser and to encrypt any data you give us. Whenever information is transferred between us, you can check that it is done so using SSL by looking for a closed padlock symbol or other trust mark in your browser’s URL bar or toolbar.
What we do with the data we collect.
Operations - We may process your personal data for the purposes of operating our website, answering your enquiries, running competitions and where you have opted in; the sending of regular newsletters. The basis for this processing is the proper administration of our website and the NHS Staff Benefits program.
Competitions – We may process your personal data for the purpose of running competitions. Your entry will include your contact data, name and email address under which you are registered. We do not pass competition entries to any third party. We will contact the winner within 7 days of the competition end date via the email address provided. Only the winning entry will be forwarded to the relevant third party i.e. the company providing the prize. The basis for this processing is to facilitate the running of the competition.
Publications - We may process “usage data” such as the number of current members and the area in which they work for the purposes of publishing such data on our website and elsewhere through our services. The basis for this processing is namely to ensure we are providing the most appropriate services to our members and to engage with new retailers and service providers in the UK to develop the program for the benefit of its members.
Direct marketing - We may process contact data and/or account data, where you have opted-in to receive newsletters by email. The legal basis for this processing is consent. Members can update their direct marketing preference at any time by clicking into their Account and editing their profile, you can also unsubscribe to the newsletter at any time by clicking the unsubscribe button at the bottom of the newsletter. The purpose of the emails is to promote our business and to communicate marketing messages and offers to our website visitors.
Research and analysis - We may process usage data and/or transaction data for the purposes of researching and analysing the use of our website and services, as well as researching and analysing other interactions with our business. The basis for this processing is our legitimate interests, namely monitoring, supporting, improving and securing our website, services and business generally.
Record keeping - We may process your personal data for the purposes of creating and maintaining our databases and our business records generally. The basis for this processing is our legitimate interests, namely ensuring that we have access to all the information we need to properly and efficiently run our business in accordance with this policy.
Security - We may process your personal data for the purposes of security and the prevention of fraud and other criminal activity. The basis of this processing is our legitimate interests, namely the protection of our website, services and business.
Providing personal data to others
Except as set out below, we do not share, or sell, or disclose to a third party, any information collected through our website.
Competition winners –Contact name and email address are included in competition entries. The company supplying the competition prize will be provided with the winner’s contact details to allow for distribution of the prize.
Personal data held in our website database will be stored on the servers of our hosting services provider: Linode. (https://www.linode.com)
The personal data of Members that opt in to receive direct marketing newsletters, will be stored on the servers of our newsletter provider Mailchimp. (https://mailchimp.com/about/security)
These third parties my access, process or store your data to perform tasks only for the purpose we’ve authorized, and we require them to provide at least the same level of protection for your information as described in this policy.
Retaining and deleting personal data
Personal data that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
We will retain personal data as follows:
personal/account data will be retained for a minimum period of 24months following the date of the most recent contact between you and us, and for a maximum period of 36 months.
communication data will be retained for a minimum period of 3 months following the date of the communication in question, and for a maximum period of 12 months.
Your principal rights under data protection law are:
(a) the right to access - you can ask for copies of your personal data;
(b) the right to rectification - you can ask us to rectify inaccurate personal data and to complete incomplete personal data;
(c) the right to erasure - you can ask us to erase your personal data;
(d) the right to restrict processing - you can ask us to restrict the processing of your personal data;
(e) the right to object to processing - you can object to the processing of your personal data;
(f) the right to complain about our processing of your personal data; and
Your rights are subject to certain limitations and exceptions. You can learn more about the rights of data subjects by visiting https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/.
You may exercise any of your rights in relation to your personal data by written notice to us, using the contact details set out below.
A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and is stored by the browser. The identifier is then sent back to the server each time the browser requests a page from the server.
Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiry date, unless deleted by the user before the expiry date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.
Cookies may not contain any information that personally identifies a user, but personal data that we store about you may be linked to the information stored in and obtained from cookies.
Cookies used by our service providers
Most browsers allow you to refuse to accept cookies and to delete cookies. The methods for doing so vary from browser to browser, and from version to version. You can however obtain up-to-date information about blocking and deleting cookies via your browser provider.
Blocking all cookies will have a negative impact upon the usability of many websites.
If you block cookies, you will not be able to use all the features on our website.
We may update this policy from time to time by publishing a new version on our website. You should check this page occasionally to ensure you are happy with any changes to this policy.
This website is owned and operated by PSSB Ltd.
PSSB Ltd is registered in Scotland under registration number S219325, registered office: 21 Forbes Place, Paisley, PA1 1UT.
Our principal place of business is at Dykebar Hospital, Grahamston Road, Paisley, PA2 7DE.
You can contact us:
- by post, to the postal address given above;
- using our website contact form;
- by telephone, on 0141 314 4016; or
- by email, using [email protected]
Data protection officer
Our data protection officer's contact details are: Joe Quinn, [email protected]