Our programmes

GDPR privacy notice for Health Economics Explained

Last updated Jan 2025

Introduction

Welcome to 33n Ltd’s (33n) privacy notice for Health Economic Explained (HEX). 33n is a company of NHS clinicians, data analysts, and data scientists and is a “data controller”, which means 33n is responsible for deciding how the personal information outlined in this privacy notice is processed.

33n is required under data protection legislation to notify you of the information contained in this privacy notice.

33n respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data and it will tell you about your privacy rights and how the law protects you, in accordance with the UK General Data Protection Regulation (GDPR).

This privacy notice applies to all individuals attending HEX, as delivered by 33n.

We are collecting your data to gain insight into your experience of HEX for the purposes of improving content, improving the delivery of, and promoting, HEX.

If you have any questions or concerns about the below or would like to know more, please contact 33n’s Data Protection Officer (DPO) by emailing dpo@33n.co.uk.
You also have the right to make a complaint to the Information Commissioner’s Office (ICO) which is the UK supervisory authority for data protection issues. You can find out more on the ICO website.

1. The data we collect about you

Personal data/information means any information about an individual from which a person can be identified. This includes pseudonymous data. It does not include data where the identity has been removed (anonymous data).

We will collect, store, and use the following categories of personal information about you:

  • Contact data (name, title, work email addresses).
  • Demographic data (age and gender).
  • Location data (place of employment or workplace).
  • Employment data (employer and job titles).
  • Your feedback on your experience of HEX.
  • Your preferences for marketing and communications.
  • Transaction data.
  • Usage data

2. How is your personal information collected?

We obtain personal information in several ways including:

  • When you sign up to attend a HEX.
  • When you fill in a form (including questionnaires).
  • When you participate in an interactive education lessons.
  • When your employer gives us your contact and role information in a form, by post, email, phone or otherwise.
  • When you email or call 33n.
  • When you give 33n a business card.

3. How we will use information about you and legal bases

We will only use your personal information when the law allows us to. The lawful basis for using your information is identified in the purposes outlined below.

It is also possible that there may be some circumstances where 33n use your data to where we need to comply with a legal obligation.

If you are paying to attend HEX directly from 33n, we receive transaction data. This will include contact data, payment method information, and information about that transaction.

If you are attending HEX where you are not paying 33n directly, we may provide information to the individual or organisation paying for your attendance to confirm your attendance (eg name and date of attendance).

We may process your personal information to gather insight into how you are experiencing HEX for the purposes of improving content and delivery of HEX.

Information you input into the learning platform, or other websites or products used by 33n, as part of HEX, and data analytics generated by your use of these platforms, may be used by 33n to assess, and improve, user experience.

Information you provide may be used in marketing material, across 33n channels ie social media platforms. Where you have consented for use of your personal data for these purposes, your name and job role will be mentioned.

We might contact you after your involvement in HEX is completed to see if you are interested in becoming involved in similar programmes and courses at a future date, or if you would like to receive programme updates and news. You will be able to opt out of these communications at any time.

We will only use your personal information for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. We can use automated decision-making in the following circumstances:

  1. Where we have notified you of the decision and given you 21 days to request a reconsideration.
  2. Where it is necessary to perform the contract with you and appropriate measures are in place to safeguard your rights.
  3. In limited circumstances, with your explicit written consent and where appropriate measures are in place to safeguard your rights.

You will not be subject to decisions, as part of the focus group, that will have a significant impact on you based solely on automated decision-making unless we have a lawful basis for doing so and we have notified you.

We do not envisage that any decisions will be taken about you using automated means, however we will notify you in writing if this position changes.

4. Data sharing

We will never share your personal data with any third parties.

5. Transferring information outside the UK

33n uses third-party processing tools and as a result may make limited amounts of international transfers as part of a processing tool’s data redundancy and back-up, policies and procedures. All such transfers are governed by suitable safeguards, specifically use of Standard Contractual Clauses which ensure your personal information is treated by those third parties in a way consistent with, and which respects, the EU and UK laws on data protection.

If you require further information about this protective measure, you can request it from the DPO.

6. Data security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. Details of these measures are available upon request.

In addition, we limit access to your personal data to those employees, agents, and contractors who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

7. Data retention

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for including for the purposes of satisfying any legal or reporting requirements. Details of retention periods for different aspects of your personal information are available in our retention policy which is available from the DPO.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data; the potential risk of harm from unauthorised use or disclosure of your personal data; the purposes for which we process your personal data and whether we can achieve those purposes through other means; and the applicable legal requirements.

We may anonymise your personal information so that it can no longer be associated with you in which case we may use such information without further notice to you.

8. Rights of access, correction, erasure, and restriction

Under certain circumstances, by law you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you if, for example, you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information; object to the processing of your personal data; or request that we transfer a copy of your personal information to another party, please contact the DPO.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

9. Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

If you have any questions about this privacy notice, please contact the DPO at dpo@33n.co.uk.