Privacy Policy
We are committed to protecting your personal information. This policy explains how we collect, use, and store your data in line with GDPR and other relevant regulations.
1. General information on data processing
1.1 Responsible party
The responsible party within the meaning of the UK GDPR is:
NHS Scotland Assure
(on behalf of SHBEN – Scottish Healthcare Built Environment Network)
Gyle Square
1 South Gyle Crescent
Edinburgh, EH12 9EB
Scotland, United Kingdom
Email: shben@napier.ac.uk
1.2 Data Protection Officer
You can reach our Data Protection Officer:
by mail at:
NHS Scotland Assure
– Data Protection Officer –
Gyle Square
1 South Gyle Crescent
Edinburgh, EH12 9EB
Scotland, United Kingdom
or by email at:
[insert DPO email]
1.3 Data subject rights and supervisory authority
You can exercise the following rights:
- Right to information about your data stored by us and its processing (Art. 15 UK GDPR),
- Right to correct incorrect personal data (Art. 16 UK GDPR),
- Right to have your data stored by us deleted (Art. 17 UK GDPR),
- Right to restriction of data processing if we are not yet allowed to delete your data due to legal obligations (Art. 18 UK GDPR),
- Right to portability of data if you have consented to data processing or have concluded a contract with us (Art. 20 UK GDPR),
- Right to object to the processing of your data by us (Art. 21 UK GDPR).
To exercise your rights, you can contact us by email at [insert contact email].
For identification purposes, we ask you to provide the following information:
- First and last name
- Email address
In individual cases, further information may be required for unique identification. The processing of your request and the verification of your identity are based on Art. 6 para. 1 lit. c UK GDPR.
You may at any time pursuant to Art. 77 UK GDPR file a complaint with a supervisory authority. The relevant supervisory authority for Scotland is the Information Commissioner’s Office (ICO), which can be contacted at https://ico.org.uk or by telephone on 0303 123 1113.
1.4 Processing of data, purpose and legal basis
We process your personal data in accordance with the provisions of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
All our processing activities are based on Art. 6 para. 1 UK GDPR.
We use your data based on your consent pursuant to Art. 6 para. 1 lit. a UK GDPR for specific purposes, in particular:
- for sending newsletters with updates on SHBEN activities, events, and research opportunities
- to receive information about research themes, projects, and publications
- to support usage processes of the website
- for analytical purposes to optimise our offer for you.
Consent given can be revoked at any time. The revocation of consent only takes effect for the future and does not affect the lawfulness of the data processed until the revocation.
In addition, we process your data to protect our legitimate interests in accordance with Art. 6 para. 1 lit. f UK GDPR:
- for responding to enquiries submitted via our contact form
- for the assertion of legal claims including collection and defence in legal disputes
- for purposes of compiling statistics to improve our services
- for contacting you, insofar as a professional relationship with you or your organisation exists or is intended (professional contacts)
- for managing event registrations and participant communications
In addition, we will process your data pursuant to Art. 6 para. 1 lit. c UK GDPR, insofar as we are legally obliged to do so, for example, in order to comply with our retention obligations under applicable law.
1.5 Storage period
We take all reasonable steps to ensure that your personal data is only processed for the period required in each case according to the purpose of processing. If the storage period is not specified below, your personal data will be deleted or blocked as soon as the purpose or legal basis for storage ceases to apply. Personal data will not be deleted if storage is required by law. Furthermore, we may store your personal data until the expiry of the statutory limitation periods (usually 6 years under Scottish law), provided that this is necessary for the assertion, exercise or defence of legal claims.
1.6 Data security
To protect the security of your data during transmission, we use technical and organisational security measures, in particular the encryption of our website to prevent unauthorised access by third parties. HTTPS encryption is enforced by means of an HSTS header. Our security measures are continuously improved and adapted according to technological developments.
1.7 Transmission to service providers
We use service providers for the provision of our services. These service providers act only according to our instructions and are contractually obligated to comply with the provisions of Art. 28 UK GDPR. If not further specified below, service providers are contracted for the following services:
- Maintenance of IT systems and related services
- Handling our enquiries and managing contact form submissions
- Email newsletter distribution
- Event management and registration
- Measurement of website performance
- Website hosting
1.8 Data transfer to third countries
Unless otherwise stated below, your data will not be transferred to a third country outside the United Kingdom. Your personal data will only be transferred to third countries if the requirements of Art. 44-49 UK GDPR are met, in particular through standard contractual clauses, binding corporate rules, or an adequacy decision of the Secretary of State.
1.9 No obligation to provide data / No profiling
There is no legal or contractual obligation to provide us with data. However, some services can only be provided if you provide the required data. Your personal data will not be used for automated individual decision-making, including profiling.
2. Website
Our website offers different areas with different functionalities for the visitor, which are described in more detail below.
2.1 Server protocols
Nature and purpose of data processing:
When you access our website, information of a general nature is automatically collected. This information, known as server log files, includes:
- IP address
- Name of the access provider
- Browser type, browser software version and browser language
- Operating system
- Date and time of access
- Content of the access
- Amount of data transferred
- Access status (successful transmission/error)
- Web page(s) from which the access was redirected
- Visited web pages
Processing is performed for the following purposes:
- Ensuring a trouble-free connection to the website
- Ensuring smooth use of our website
- Evaluation of system security and stability
Legal basis:
Processing is carried out pursuant to Art. 6 para. 1 lit. f UK GDPR based on our legitimate interest in hosting the website and improving and monitoring the security, stability and functionality of the website.
Recipient:
The recipient of the data is a technical service provider who is responsible for the operation (hosting) and maintenance of our website. As a processor, the service provider is obliged to process the data only within the scope of our instructions.
Transfer to third countries:
The servers through which our website is offered are located in the United Kingdom. No data is transferred to third countries for hosting purposes.
Retention period:
Server log files are deleted after 90 days at the latest.
2.2 Consent management
Nature and purpose of processing:
Our website uses cookies for various processing activities for which your consent is required. In order to obtain such consent and store it, we use a consent management platform. As part of this, a cookie – a small text file – is set on your terminal device to register your selection/consent. For this purpose, we process your IP address, among other things. On our website, you can make privacy settings regarding these cookies.
Legal basis:
The processing is based on our legitimate interests in documenting compliance with the provisions of the UK GDPR regarding obtaining consent (Art. 6 para. 1 lit. f UK GDPR).
You can find more information under the item “Cookies”.
2.3 Newsletters
Nature and purpose of processing:
On our website, we offer you the opportunity to sign up for an email newsletter with updates regarding SHBEN activities, research themes and projects, upcoming events, news and insights, and opportunities (including research calls, studentships, and fellowships). For these purposes, we need to process your name, email address, and optionally your organisation and professional role. This data is processed in order to send you the previously mentioned information.
Legal basis:
The processing is based on your consent (Art. 6 para. 1 lit. a UK GDPR).
Recipients:
The recipients of the data are technical service providers responsible for email distribution. As processors, the service providers are obliged to process the data only within the scope of our instructions.
Transfer to third countries:
[To be completed based on your chosen email service provider – if using Mailchimp or similar US-based service, include appropriate transfer mechanism details]
Retention period:
We process your data until you unsubscribe from our newsletter, revoke your consent, or request that we delete it.
Withdrawal of consent:
If you no longer wish to receive newsletters from us in the future and/or wish to object to the processing of your data, please use the “unsubscribe” link contained in each newsletter or send us an email at [insert contact email].
2.4 Contact form
Nature and purpose of processing:
In order to provide you with support and respond to your enquiries, we offer you the possibility to contact us via a contact form on the website or by email. In this context, we process your name, email address, organisation (if provided), and the contents of your enquiry.
Legal basis:
The data is processed to protect our legitimate interests (Art. 6 para. 1 lit. f UK GDPR). We have a legitimate interest in responding to enquiries and facilitating communication with researchers, clinicians, estates professionals, policymakers, and other stakeholders interested in healthcare built environment research and collaboration.
Recipients:
The recipients of the data are technical service providers responsible for website hosting and form processing. As processors, the service providers are obliged to process the data only within the scope of our instructions. Your enquiry may also be shared internally with relevant SHBEN team members or academic partners where necessary to respond appropriately.
Transfer to third countries:
[To be completed based on your hosting provider and form processing tools]
Retention period:
Contact form submissions are retained for 24 months after the date of submission, unless an ongoing relationship or correspondence requires extended retention. Data will be deleted sooner upon request.
2.5 Event registration
Nature and purpose of processing:
When you register for SHBEN events (including seminars, workshops, sandpits, and conferences), we collect your name, email address, organisation, professional role, and any additional information you provide (such as dietary requirements or accessibility needs). This data is processed to manage event registrations, send joining instructions, accommodate specific needs, and provide follow-up materials.
Legal basis:
The data is processed for the implementation of pre-contractual or contractual measures (Art. 6 para. 1 lit. b UK GDPR) and to protect our legitimate interests (Art. 6 para. 1 lit. f UK GDPR) in organising and delivering events that facilitate knowledge exchange and collaboration.
Recipients:
The recipients of the data are technical service providers responsible for event management platforms. As processors, the service providers are obliged to process the data only within the scope of our instructions. Event registration data may be shared with co-hosting organisations or venues where necessary for event delivery.
Transfer to third countries:
[To be completed based on your chosen event management platform]
Retention period:
Event registration data is retained for 12 months following the event date to enable follow-up communications and evaluation. Data will be deleted sooner upon request.
2.6 Research opportunities and applications
Nature and purpose of processing:
When you apply for research opportunities advertised through SHBEN (including rapid response research calls, studentships, fellowships, secondments, or collaboration calls), we collect your CV, academic qualifications, professional experience, contact details, and any supporting documents you provide. This data is processed to assess applications and facilitate the selection process.
Legal basis:
The data is processed for the implementation of pre-contractual measures (Art. 6 para. 1 lit. b UK GDPR) and to protect our legitimate interests (Art. 6 para. 1 lit. f UK GDPR) in identifying suitable candidates for research opportunities.
Recipients:
Application data is shared with relevant selection panels, which may include representatives from NHS Scotland Assure, academic partners, and other stakeholders involved in the specific opportunity. All recipients are bound by confidentiality obligations.
Transfer to third countries:
Application data is not transferred to third countries.
Retention period:
Successful applications are retained in accordance with NHS Scotland Assure’s record retention policies. Unsuccessful applications are retained for 12 months following the selection decision, after which they are securely deleted unless you have consented to be kept on file for future opportunities.
2.7 Website analysis
Nature and purpose of data processing:
This website uses cookie-based technologies to help us better understand how the website is used and how we can further optimise it for the benefit of performance and user experience. We do this by compiling reports about activity on the website that do not identify specific individuals. Analytics cookies process your IP address and data about usage behaviour on our website (e.g. which pages were visited and which links were clicked) for this purpose.
Legal basis:
The processing is carried out with your consent in accordance with Art. 6 para. 1 lit. a UK GDPR.
You can find more information under the item “Cookies”.