Privacy Policy
This Website (the “Site”) is owned and operated by Avalere Health (“we,” “us,” “our”). By using the Site you agree to the collection and use of your information by us in accordance with this Privacy Policy. If you do not agree with this Privacy Policy, then please do not use the Site.
During the course of our activities, Avalere Health (Avalere Health Group Limited on behalf of itself and its affiliated companies, and collectively referred to as the ‘Group’) collects, stores and processes personal information about our staff, customers, suppliers and other third parties, such as names, contact details and, in some circumstances, financial details. We recognise the need to treat personal data in an appropriate, fair, lawful and transparent manner, in accordance with prevailing UK and other relevant international Data Protection law including the General Data Protection Regulation 2016 (“The GDPR”). This policy covers all registered entities of the Group. In the UK, our business entities are registered with the Information Commissioner’s Office and are listed as a Data Controller for defined purposes. The Group also acts as a Data Processor when handling data on behalf of Third Parties.
- Fishawack Medical Communications Limited (registration number: ZA267403)
- Avalere Health Global Limited (registration number: Z5586262)
- Avalere Health Limited (registration number: Z672068X)
- Fishawack Indicia Limited (registration number: ZA267398)
- Carling Communications Limited (registration number: ZA426313)
- Healthcircle Advertising Limited (registration number: ZB210630)
- Avalere Health London Limited (registration number: ZA197441)
- PRMA Consulting Limited (registration number: Z1548109)
- The Health Hive Group Limited (registration number: ZA224220)
- The Health Hive Limited (registration number: ZA722382)
- Pollen Health Limited (registration number: ZA722402)
This document is a statement of the data protection policy adopted by The Group and provides transparency information about the way we use personal data. All staff must be familiar with and apply this policy, and seek further advice if in doubt as to its application or otherwise when required. This policy applies to treatment of personal data and sensitive personal data.
DEFINITIONS
“Personal data” means any data relating to a living individual who can be identified from those data. This includes when the information can directly or indirectly identify an individual by any means reasonably likely to be used. Personal data can therefore be factual (such as a name, address or date of birth) or it can be an opinion. It can also mean location data and online identifiers such as cookies and IP addresses. Such personal information must be dealt with properly however it is collected, recorded and used – whether on paper, electronically, or by other means.
“Special Categories of Personal Data” includes information about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, genetic or biometric data used to identify an individual, physical or mental health condition, sex life and sexual orientation. Special category data can only be processed under strict conditions. Criminal conviction data are to be processed in a similar way to special category data with the conditions being set out under the Data Protection Act 2018 in Parts 1, 2 and 3 of Schedule 1.
WHY WE COLLECT PERSONAL DATA
The Group needs to collect and use certain personal and special category data relating to the individuals with whom it deals in order to operate. These include current, past and prospective parties such as employees, suppliers, clients and their external contacts e.g. the healthcare community.
THE DATA WE COLLECT ABOUT YOU
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
- Contact Data includes address, email address and telephone numbers.
- Technical Data includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
- Usage Data includes information about how you use our website and services.
- Marketing and Communications Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.
HOW YOUR PERSONAL DATA IS COLLECTED
We use different methods to collect data from and about you including through:
- Direct interactions. You may give us your Identity and Contact Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:
  - subscribe to our service, newsletter or publications;
  - apply for any vacancies via our website;
  - request marketing to be sent to you;
  - give us feedback or contact us.
- Automated technologies or interactions. As you interact with our website, we will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies.
PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL DATA
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
Purpose/Activity | Type of data | Lawful basis for processing including basis of legitimate interest |
---|---|---|
To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy policy (b) Asking you to leave a review or take a survey (c) In response to any of your interactions on our website including applying for any vacancies, subscribing to our newsletter or accessing articles. | (a) Identity (b) Contact (c) Profile (d) Marketing and Communications | (a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) |
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity (b) Contact (c) Technical | (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation |
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Technical | Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy) |
To use data analytics to improve our website, services, marketing, customer relationships and experiences | (a) Technical (b) Usage | Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
To make suggestions and recommendations to you about services that may be of interest to you | (a) Identity (b) Contact (c) Technical (d) Usage (e) Profile (f) Marketing and Communications | Necessary for our legitimate interests (to develop our products/services and grow our business) |
To provide you with any of our digital services offerings and applications | (a) Identity (b) Contact (c) Technical (d) Usage (e) Account Data (f) Work Product Data | Necessary for our legitimate interests (to provide the digital services which we have licensed to our client and which they have asked you (as a member of their staff) to use for the operation of their business). |
DATA PROTECTION PRINCIPLES
The Group regards the lawful and correct treatment of personal data and special category data as important to the achievement of our objectives, to the success of our operations and to maintaining confidence between those with whom we deal and ourselves. We therefore ensure that our organisation treats personal information fairly, lawfully and transparently. To this end the Group fully endorses and adheres to the 7 Data Protection Principles, as set out in the GDPR. These principles must be adhered to by anyone who processes personal data. “Processing” is any activity that involves use of the data, such as obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring personal data to third parties and other countries both inside and outside of the European Economic Area.
We will adhere to these principles when obtaining, handling, processing, transporting and storing personal data.
Specifically, the principles we must abide by require that personal information:
- shall be processed fairly, lawfully and transparently;
- shall be obtained only for one or more specified, explicit and legitimate purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes;
- shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed – known as data minimisation;
- shall be accurate and, where necessary, kept up to date;
- shall not be kept for longer than is necessary for that purpose or those purposes;
- shall be subject to appropriate technical and organisational measures to prevent the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data; and
- shall be processed in accordance with the accountability requirement in article 5(2) of the GDPR.
In addition, we will, through appropriate management, strict application of criteria and controls, comply with the principles of data protection by design and default. This will include ensuring that The Group:
- observes fully the conditions regarding the fair and transparent collection and use of information. This means that the data subject (i.e. the individual to whom the personal data relates) must be told who the data controller is (in this case, Avalere Health), the purpose for which the data are to be processed, and the identities of anyone to whom the data may be disclosed or transferred. For personal data to be processed fairly, lawfully and transparently, certain conditions have to be met. These may include, among other things, requirements that the data subject has consented to the processing, or that the processing is necessary for the legitimate interest of the data controller or the party to whom the data is disclosed (such as part of a contract entered into between the data subject and The Group). When special category personal data are being processed, more than one condition must be met. In most cases the data subject’s explicit consent to the processing of sensitive personal data will be required, although there are other conditions which may lawfully be used;
- meets its legal obligations to specify the purposes for which information is used. This means that personal data will not be collected for one purpose and then used for another. If it becomes necessary to change the purpose for which the data are processed, the data subject will be informed of the new purpose before any processing occurs;
- collects and processes appropriate information, and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements. Any data which are not necessary for the relevant purpose will not be collected in the first place;
- ensures the quality and accuracy of information used. Information which is incorrect or misleading is not accurate and steps will therefore be taken to check the accuracy of any personal data at the point of collection and at regular intervals afterwards. Inaccurate or out-of-date data will be destroyed or rectified at the earliest opportunity;
- applies checks to determine the length of time information is held. Unless we explain otherwise to the data subject, we will hold personal information based on the following criteria:
  - For as long as we have reasonable business needs, such as managing our relationship with you and managing our operations;
  - For as long as someone could bring a claim against us;
- ensures retention periods are in line with legal and regulatory requirements or guidance;
- ensures that data are processed in accordance with data subjects’ rights under the GDPR and other prevailing data protection legislation. These include: the right to be informed that processing is being undertaken, the right of access to personal information, the right to object to processing in certain circumstances, the right to correct, rectify, block or erase information which is regarded as wrong information and the right to be informed of the use of automated decision making or profiling using personal information;
- puts in place appropriate technical and organisational security measures to safeguard personal data from the point of collection to the point of destruction;
- ensures that personal information is not transferred outside of the EEA without suitable safeguards in accordance with the GDPR and other prevailing data protection legislation;
- treats people justly and fairly whatever their age, religion, disability, gender, sexual orientation or ethnicity when dealing with requests for information; and
- sets out clear procedures for responding to requests for information from third parties. When dealing with enquiries from third parties, we will take steps before disclosing any personal information held by us to ensure that this is done in accordance with permissive provisions in the legislation or applicable exemptions. In particular, we will:
  - check the identity of the person making the enquiry and whether they are legally entitled to receive the information they have requested;
  - request that the third party confirm their request in writing so the third party’s identity and entitlement to the information may be verified;
  - refer requests to our Data Protection team for assistance in difficult situations; and
  - where providing information to a third party, do so in accordance with the law.
In addition, we will ensure that:
- there is always someone with specific responsibility for and knowledge of data protection who will act as the internal and external point of contact, handle complaints from data subjects and report to the business on data protection risk;
- everyone handling personal information understands that they are contractually responsible for following good data protection practice;
- any third parties engaged to process personal data on our behalf are engaged under a contract which safeguards the data and complies with Article 28 GDPR;
- everyone handling personal information is appropriately trained to do so and that this training is refreshed at suitable intervals;
- everyone handling personal information is appropriately supervised;
- anybody wanting to make enquiries about handling personal information knows what to do and who to refer enquiries to;
- queries about handling personal information are promptly and courteously dealt with;
- methods of handling personal information are clearly described;
- a regular review and audit is made of the way personal information is held, managed and used, including where new categories of personal data are processed or where processing takes place or if processing is deemed to present a risk to the rights and freedoms of individuals;
- appropriate records of processing are maintained in accordance with Article 30 GDPR;
- methods of handling personal information are regularly assessed and evaluated, particularly if new processing takes place or if processing is deemed to present a risk to the rights and freedoms of individuals;
- performance with handling personal information is regularly assessed and evaluated;
- breaches of personal data are promptly assessed, contained and mitigated;
- breaches of personal data are reported to the ICO and data subjects where necessary; and
- a breach of the rules and procedures identified in this policy by a member of staff may lead to disciplinary action being taken.
YOUR LEGAL RIGHTS
Under certain circumstances, you have rights under data protection laws in relation to your personal data. Your rights include:
Your right of access – You have the right to ask us for copies of your personal information.
Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.
Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please contact us at dataprotection@avalerehealth.com if you wish to make a request.
Personal Information collected through use of our website
Any information provided to us through use of our website will only be used for the purposes for which it is provided. Any personal information that is subsequently held by us as a result of any interaction with our website will be subject to a periodic review to ensure that it is not unreasonably retained. Data subjects have the right to request deletion of personal data held as a result of interactions with our website.
Cookies
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see https://avalerehealth.com/cookies/
IT security
The Group will take appropriate security measures against unlawful or unauthorised Processing of Personal Data, and against the accidental loss of, or damage to, Personal Data. We have procedures and technologies in place which are designed to maintain the security of Personal Data from the point of collection to the point of destruction.
Right to access personal information
Under the GDPR, data subjects have a right to request a copy of the personal data we hold about them, or to request that it be updated, corrected or removed (in which case we will address your request promptly and will notify our clients of all such requests or changes). Where we are able, we will update your information as requested by you. In line with the GDPR, we will respond to any subject access requests within 1 month, or 2 months for complex requests.
Data breaches
We take any breach of personal data very seriously. Any breach will be fully investigated and reported to the ICO within 72 hours in line with the GDPR and other legislation. Where there is potential for the harm of individuals, data subjects will also be informed.
Status of this policy
Responsibility for the updating and dissemination of the policy rests with The Group’s Data Protection team. Any questions or concerns about the operation of this policy should be referred in the first instance to the Data Protection team at the details below.
Email: dataprotection@avalerehealth.com
Post: The Data Protection Team, Avalere Health, The Featherstone Building, 66 City Road, London, EC1Y 2AL, UK
This policy is subject to regular review and will be updated as necessary to reflect any changes in The Group’s operational activities, best practice in data management, security and control and to ensure compliance with any changes or amendments made to applicable law.
In the event that an individual is not satisfied with the way in which we are processing their personal data, they have the right to make a complaint with the Information Commissioner’s Office.