How we use your data

This privacy notice tells you what to expect when NICE collects your personal information, it explains your rights under data protection legislation. It also contains useful links and details of how to contact us.

Unless stated otherwise, NICE is the data controller for the processing activities detailed below.

Visitors to our websites

When you visit www.nice.org.uk we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to various parts of the site. This helps us improve the website and ensure it meets the needs of users. We do not process this data in a way that identifies anyone and we do not make any attempt to find out the identities of anyone visiting our website. If we do want to collect personal data through our website, for example in surveys or feedback, we will be upfront about this. We will make it clear when we collect personal data and will explain what we intend to do with it.

Use of cookies by NICE

You can read more about how we use cookies on our terms and conditions page.

Search engine

Search queries and results are logged anonymously to help us improve our website and search functionality. We do not collect any user-specific data.

Back to top


Communicating with NICE

Enquiries

We use a Microsoft Dynamics customer relationship management system to provide NICE’s enquiry handling service. The details you provide by email, phone or web form are held in our database in order to respond to your enquiry and shared with the NICE staff who can respond to your enquiry. If your enquiry relates to a NICE product or a service we provide, we may provide anonymised feedback to internal teams about the impact of our products or services. We routinely delete the enquiry record we hold for you 3 years after it is closed. 

We record all calls made to the NICE enquiry line (0300 323 0141) and internal calls transferred to the NICE enquiry line by our reception or press office teams. We use this information to help train our staff and improve our customer service to you. Calls are recorded, and are stored for 2 months.

The legal basis we rely on to process your data is Article 6(1) (e) of the GDPR‘…exercise of official authority…’. 

Information requests

Freedom of Information

If you have made a freedom of information request it will be dealt with by our enquiry handling service. A case file will be created to log and progress your request, this will include your contact details and any other information you included in your request.  Your request may be shared with other relevant staff members to help us respond to you.

Subject access requests and other request made under the GDPR

The Corporate office team manages responses to subject access requests. When we receive a request, we will create a case file to log and progress your request. We may ask for you to provide further information to confirm your identity, or to help us answer your request.

Details of your request may be shared with other relevant staff members to help us respond to you.

The legal basis we rely on to process your personal data is Article 6(1)(C) of the GDPR ‘processing is necessary for compliance with a legal obligation…’

Back to top

Complaints

If you make a complaint to NICE we will make up a file containing the details of the complaint. This normally contains details of the complainant (you) and any other people involved in the complaint.

We will only use the personal data we collect to investigate and respond to the complaint.

We may have to share your identity with others involved in the complaint, if this is necessary to investigate the complaint.  If you do not want your data to be shared, we will respect this and investigate the complaint accordingly.

We will keep personal data contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for 10 years from closure. It will be retained in a secure environment and access to it will be restricted according to the ‘need to know’ principle. If you escalate your complaint to the Parliamentary and Health Service Ombudsman or the Information Commissioner’s Office we will pass information relating to your complaint to them, in order they can investigate our response to your complaint.

The legal basis we rely on to process your data is Article 6(1)(e) of the GDPR ‘…exercise of official authority…’ 


Newsletters

You can subscribe to various NICE newsletters, bulletins and services, and in some cases manage your preferences here.

When you sign up you will be asked to provide your name and email address, this is so we can send you the newsletter you have subscribed to.

We use a third-party provider, MailChimp, to deliver some of our e-newsletters. We gather anonymous statistics around email opening to help us monitor and improve our e-newsletter.

For more information about how MailChimp process personal data please see their privacy notice.

The legal basis we rely on to process your personal data is your consent under article 6(1)(a) of the GDPR. You can unsubscribe at any time by following instructions in your newsletter.

Back to top


Getting involved

NICE Accounts

When you create a NICE account we ask for your name and email address so we can establish who you are.

We also ask for other information such as the organisation you work for. It is not mandatory to provide this information; we only ask for it so we can prepopulate the login pages of other NICE services you use and save you time.

Your NICE account is used to authenticate your identity when signing in to the following NICE services:

  • NICE Docs appraisals
  • Pathways
  • META Tool
  • NICE Syndication Services
  • when you register to participate in a consultation

The legal basis we rely on to process your data is Article 6(1)(e) of the GDPR ‘…exercise of official authority…’ 

Adoption and impact reference panel

The Adoption and Impact Reference Panel is an advisory body to NICE. The purpose of the panel is to review and comment on tools and resources produced by NICE and to provide ad-hoc independent expert opinion if needed.

When you join the panel we ask you to provide your name, job details and contact information. We also ask you about your areas of interest so that our contact with you can be tailored to your expertise.

We ask for this information so we can administer membership of the panel and so that we know we have a wide variety of experts to work with to ensure our tools and resources are fit for purpose.

We will use your details to contact you (via email or phone) about one, or more of the following:

  • to provide us with a user perspective on draft resources and other products in line with your interests and expertise;
  • contribute to formal consultation exercises for draft tools and resources and to provide rapid and brief informal feedback;
  • advise us on the identification of appropriate networks that may assist in the development of tools and resources and wider promotion of NICE guidance;
  • provide us with expert advice on the levers and barriers to implementation of our guidance, we may also;
  • notify you of other opportunities to work with NICE related to your interests.

We ask you to fill out declarations of interest forms as the panel is intended to provide independent and impartial views on tools and resources that have been developed to support specific guidance topics. We also ask you to sign a confidentially form to show you have agreed to what is set out in that particular document.

We will send you an annual statement which you can use in your professional development portfolio to demonstrate your contribution to the development of our guidance.

Any comments you provide during your time on the panel will either be incorporated into the tool or resource or a reason recorded for not including them. We keep a written record of how each comment is dealt with and will make this available to you upon request, following the publication of the tools.

Membership of the panel is for a period of up to 3 years and we may ask if you would like to extend this.

If your application to join the panel is unsuccessful - we will hold your data for 6 months then destroy it.

The legal basis we rely on to process your data is Article 6(1)(e) of the GDPR ‘…exercise of official authority…’ 

Audience insight community

The purpose of the audience insight community is to ensure the views, experiences, needs and expectations of NICE's current and potential audiences are systematically gathered and interpreted to support product and service planning, development and evaluation.

If you join the audience insight community you will be asked for your name, email and telephone number so we can contact you. We will also ask you questions about your background, for example, your area of work and job role. We ask for this information so we can inform you about research most relevant to you.

We use third-party supplier SNAP Survey to administer our surveys, for more information about how they process personal data please see their privacy notice.

We rely on your consent to process your data – if you no longer wish to participate in the audience insight community you can withdraw consent at any time by clicking the unsubscribe link in the emails you are sent or contact us at AudienceInsight@nice.org.uk.

Citizen’s Council

It is important to NICE that the Citizens Council broadly reflects the demographics of the UK adult population. We ask for personal data during member recruitment to assess demographic suitability and ensure Council diversity. We also use personal data to monitor and ensure demographic diversity for individual meetings and other Citizens Council activities.

We use contact information for communications about arrangements for Citizens Council meetings, reports and other Council activities. Names, and occasionally photographs, of members who attend a Citizens Council meeting are published in the corresponding meeting report, available on the NICE website. As Citizens Council reports are prepared by an independent report writer, names or photographs of members who attended that particular meeting may be shared with the report writer prior to publication as part of the drafting process.

The overall demographic profile of the Citizens Council may be shared with third parties, for example in order to respond to general enquiries, Freedom of Information requests, or to share best practice with other organisations. In such cases the data will be anonymised (name and contact information removed) and the profile will not provide demographic information for individual members, only the Council as a whole.

For Citizens Council members, we keep different types of personal data for different lengths of time. Any names and photographs that are publicly available within Citizens Council reports are retained indefinitely. Contact information and unpublished photos are held for up to five years after a member’s last involvement with NICE. Demographic information is held permanently so that we can monitor any changes in the demographic profile of the Citizens Council over time.

The legal basis we rely on to process your data is Article 6(1)(e) of the GDPR ‘…exercise of official authority…’ 

Meetings in public

We hold a number of meetings in public as part of our commitment to having processes in place that are rigorous, open and transparent.

If you register to attend a meeting held in public we will ask for your name and contact details. We need this data so we can provide you with information about the event you are registering for.

We also ask about any special needs or requirements you have (for example any mobility issues or the use of hearing loops) that we should know about to ensure your safety and comfort.

If you are attending a public board meeting, please note that we use a third-party supplier to help us coordinate these events, the information you supply will be passed to them for this purpose. They are required to hold this data securely and cannot use it for any other purpose.

After you have attended a meeting we may also send you a feedback form so you can tell us about your experience and help us make any improvements. The feedback is anonymous and you cannot be identified.

Two months after the meeting we will delete your personal data.

The legal basis we rely on to process your data is Article 6(1)(e) of the GDPR ‘…exercise of official authority…’ 

Registering as a stakeholder and commenting on consultations

All of our guidance, quality standards, and other products are developed taking into account the opinions and views of the people who will be affected by them, including patients, carers and members of the public, as well as health and social care professionals, NHS organisations, industry, social care businesses and local government.

Consultations

Our consultation process allows a range of individuals and organisations to comment on our recommendations throughout the development of our guidance and quality standards.

If you comment via the NICE website, depending on the product you are commenting on may be asked to give your name and your email address.   We may use this data to:

  • send you an email to inform you that you are eligible to comment
  • contact you about the product you are commenting on
  • send you a confidentiality acknowledgement and undertaking form.

Stakeholders

Our guidance is created by independent and unbiased advisory committees that include a diverse range of experts from surgeons and midwives, to health economists and social workers, as well as patients or carers or other members of the public.

In the case of our technology appraisals and highly specialised technologies guidance, in which we make recommendations about the use of new drugs and technologies within the NHS, we work with manufacturers to ensure that evidence they submit on the effectiveness of their products is the most appropriate to enable an evaluation to be undertaken.

We value the input of patients, carers and the general public in the development of our guidance and other products. By involving the people for whom the guidance will be relevant, we put the needs and preferences of patients and the public at the heart of our work.

Our Public Involvement Programme supports individual patients, carers and members of the public, as well as voluntary, charitable and community organisations involved with NICE's work.

If you register as a stakeholder, we ask for your name, job title, and contact details.  We do this so that we can check your suitability to be a stakeholder, keep you updated on the development of the guidance, and seek your input at key stages.

If you are a manufacturer and register as a stakeholder, we ask for contact details for the person who will be our main contact, and details of the person who we can ask about technical questions about the product.  

We ask for this information so that we can keep you updated on the development of the guidance and seek your input at key stages.  We may share your contact details with colleagues so that they can provide additional support

Once published, all NICE guidance is regularly considered for review, and updated in light of new evidence, if necessary.  When we conduct a review we may email you to:

  • Inform you that the review is starting and see if you would like to register again as a stakeholder. If you do, we will:
  • Send you the review proposal for consultation
  • Send you the review decision

The legal basis we rely on to process your data is Article 6(1)(e) of the GDPR ‘…exercise of official authority…’ 

When you register as a stakeholder we will ask you if you would like to hear about other NICE work. This is so we can ensure we only contact you about areas of NICE work that you have an interest in.

Student champions

As part of our education work, we run the NICE Evidence search student champion scheme (NICE ES SCS). You can find out more about the scheme here.

If you are a student champion we ask for your name and email address so that our SCS staff can keep in touch with you and support you throughout your time on the scheme. We also need to be able to send you things like the tools you need to develop, plan and deliver your own hands-on learning sessions for your fellow students.

We ask for your home address so that we can send you hard copy certificates. This is not an essential part of the scheme, so if you do not want to provide this data, you don’t have to, but it will mean that we can’t post certificates to you. You will be asked to opt in to this when you complete your final reflective reports.

If you attend a student champion led session, you’ll be given a link to a pre- and post-session survey by your school’s academic lead or the student champions. These surveys ask for your name and email address, this is so we can email you a certificate of participation. Again this is optional.

As part of the survey we ask if you are happy for us to use your email address to contact you about your experience with Evidence Search, this is optional.

You will also have the option of whether or not your anonymised answers are included in our report

We will hold the information of student champions for 2 years after your participation in the scheme has come to an end.

If you attended a workshop and provided us with your contact details – we will delete these 18 months after sending you a survey and/or contacting you for feedback.

If you fill in one of our surveys please note that we use Survey Monkey, their servers are hosted in the USA – further information about how they process data can be found here.

If you would like more information about the information your University holds about you, please contact them directly.

For student champions we rely on Article 6(1)(b) – ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.

If you are a workshop attendee the legal basis we rely on to process your personal data is your consent under article 6(1)(a) of the GDPR.

You can withdraw your consent at any time by contacting us at studentchampions@evidence.nhs.uk

Back to top


Visiting NICE

CCTV

CCTV is installed in our offices for the purpose of security only and may be disclosed to the police. NICE will ensure the operation of its CCTV is in accordance with guidance provided by the Information Commissioner’s Office.

Visitor books

When you visit our offices we ask you to sign our visitor book. We do this for security reasons, we want to make sure we know who is in the building and to ensure visitors are authorised to be here.

We are also required to report on numbers of visitors to our offices to ensure we have adequate space.

Visitor books are destroyed 6 months after they have been replaced.

The legal basis we rely on for processing your personal data is Article 6(1)(f) ‘…for the purposes of the legitimate interests…’

Back to top


Our services

Health Tech Connect

Health Tech Connect is an online, single point of entry that connects companies to relevant information and support to help the development, evaluation and adoption of health technologies in the UK. It is a database owned by NHS England and hosted by the National Institute for Health and Care Excellence (NICE).

When an individual registers to use HealthTech Connect for the first time to input details about their health technology, we ask for the name of their Organisation and personal details including the name, email address and phone number of the person registering. We ask the individual registering for the name and contact details of a responsible Director within their company to ensure the appropriate authority and approvals are in place for entering and sharing details of the health technology.

We use this data:

  • to complete the organisation and user registration processes that are described on the HealthTech Connect website
  • for authentication purposes when users log into the secure section of the HealthTech Connect website
  • to communicate with users about database service problems, update releases, technical developments, user-initiated enquiries and training events and presentations
  • to communicate with users, on behalf of the HealthTech Connect User Group or Oversight and Governance Committee, about changes to the database structure, the record management process, user agreement content, opportunities to participate in the management or development of the service or other relevant notifications about the service
  • to communicate with users as a part of the HealthTech Connect record quality assurance process
  • to resolve technical problems or help maintain the database.

The legal basis we rely on to process your data is Article 6(1)(e) of the GDPR ‘…exercise of official authority…’

We also use user data to:

  • share your name and contact details, only with your explicit consent, with authorised data accessors who aim to provide help and support to your company for the development, evaluation and adoption of your technology.

META tool

The META tool © is an online platform that helps developers of medical technologies optimise their product development plans.

It was developed by NICE in collaboration with Greater Manchester Academic Health Science Network, with their delivery partner TRUSTECH and Devices for Dignity, and is also available through other relevant organisations under licence.

When you sign up to use the META tool you will be asked to create a product developer account; you’ll need to create NICE Account first then you’ll create an account for your company or product.

You’ll be asked to supply your name and contact details. This information will only be used to allow your selected facilitating organisation to contact you to discuss the META tool process and agree timelines for the project.

If you have expressed interest in becoming a facilitating organisation and requested a callback, we will only use the information you provided to contact you about this service. We will store your data for 6 months and delete it if we have no further interaction with you.

If you do go on to become a facilitating organisation we will store your data for the duration of our contract with you and for 6 years after.

As a facilitator your contact details will be made available to the users of the META tool.

The legal basis we rely on to process your data is Article 6(1)(e) of the GDPR ‘…exercise of official authority…’ 

UK PharmaScan

UK PharmaScan is a key source of intelligence on new medicines, indications and formulations in clinical development for NHS horizon scanning organisations across the UK. It is a database owned by the Department of Health and hosted by the National Institute for Health and Care Excellence (NICE).

When a new organisation registers on UK PharmaScan we ask for the company details and personal details including the name, job title and contact information of a champion user. The champion user is the senior user within an organisation responsible for registering that organisation with UK PharmaScan and will have the authority within their organisation to, review, approve and maintain access permissions to other standard users within that organisation.

When you register as a user we ask you for your personal details including name, job title, address and contact details.

We use user data:

  • to complete the organisation and user registration processes that are described on the UK PharmaScan “how to register” page and to administer company and user accounts,
  • for authentication purposes when users log into the secure section of the UK PharmaScan site,
  • to communicate with users about database service problems, update releases, technical developments, user-initiated enquiries and training events and presentations,
  • to communicate with users, on behalf of the UK PharmaScan User Group or Oversight and Governance Committee, about changes to the database structure, the record management process, user agreement content, opportunities to participate in the management or development of the service or other relevant notifications about the service,
  • to communicate with users as a part of the UK PharmaScan record quality assurance process,
  • and to resolve technical problems or help maintain the database.

The legal basis we rely on to process your data is Article 6(1)(e) of the GDPR ‘…exercise of official authority…’ 

OpenAthens

This privacy statement should be read in conjunction with the privacy statement from Eduserv

OpenAthens user accounts

Eligible users may register for an NHS England OpenAthens account. This provides access to a range of content purchased by the NHS. The service is provided by Eduserv.

NICE is the data controller and Eduserv is a data processor. Other data processors in this system include the provider of the link resolver and knowledge base service and providers of the online content. The provider of the link resolver and knowledge base is Wolters Kluwer. Providers of online content include, for example, providers of medical abstracting and indexing databases such as Medline, CINAHL and EMBASE, and providers of online journals.

When you register for an OpenAthens account we ask you for your personal data including your name, your email address, your organisation name and address, your work phone number and department, your job role and title and whether your contract is permanent or temporary. You might also be asked to provide the following optional data: your title, fax number or staff/student number.

The data are stored by Eduserv. They can be accessed by the national OpenAthens administrators at NICE, your regional and local NHS OpenAthens administrator and Eduserv. The data are used:

  • to assess your eligibility for an OpenAthens account and to complete the registration process;
  • for authentication purposes when you log on to your OpenAthens account;
  • to communicate with OpenAthens users about the OpenAthens service and content that can be accessed with an OpenAthens account.

The following data attributes are passed from Eduserv to the other data processors in the system: persistent user identifier, organisation ID, username, role and entitlement. This is so that you can see the online content that you are eligible to access.

OpenAthens administrators

Each NHS organisation has its own NHS administrator. When you register as the OpenAthens administrator for your organisation we ask you for your name, your email address and your organisation. The following data are optional: position, phone number, fax number, staff/student number, title, department, postal address, public contact details, discovery domain hint, geolocation, organisation aliases, trusted email domain, trusted IP address.

The data are stored by Eduserv and can be accessed by the national OpenAthens administrator at NICE, your regional OpenAthens administrator and Eduserv.

The data are used:

  • to complete the OpenAthens administrator registration process and create an account;
  • to communicate with administrators about the OpenAthens service.

The legal basis we rely on to process your data is Article 6(1)(e) of the GDPR ‘…exercise of official authority…’ 

NICE Scientific Advice

When you submit an enquiry to our scientific advice team, we ask you to provide your contact details so we can contact you about your enquiry and tell you more about our service.

We will store your data for 12 months and delete it if we have no further interaction with you.

If you sign up to use our service we will store your data so we are able to communicate with you and deliver our services. We may also ask you to provide feedback about your experience. We use third party supplier SNAP Survey to administer our feedback surveys, for more information about how they process personal data please see their privacy notice

We will store your data for as long as we are providing a service to you and for 4 years after.

The legal basis we rely on to process your data is Article 6(1)(e) of the GDPR ‘…exercise of official authority…’ 

If you opt-in to receiving marketing from us we will let you know about updates to our products and services. You can opt out at any time by using the unsubscribe button in our updates.

We use third-party supplier MailChimp to send out our updates.

Office for Market Access

When you submit an enquiry to NICE’s Office for Market Access (OMA), we ask you to provide your contact details so we can contact you to assist with your enquiry and provide further information about the services that we can offer you.

We will store your details for 3 years because OMA engages with the life sciences industry at any stage of the development to adoption pathway of a technology. Storing your details for this period of time ensures we can be as helpful as possible at the point you would like to engage. We will delete your details after 3 years if we’ve had no further interaction since your original enquiry submission.  

If we deliver an engagement service for you, we will store your details to enable us to communicate and deliver an effective service. We keep your details for 6 years in this situation.

If you are an external expert who we have entered into a contract with, we ask for your name, job role and contact information. We ask for these details so we can verify your identity and invite to meetings.

Please note that on request we will pass your details onto the company whose products you are advising on/ reviewing.

The legal basis we rely on to process your data is Article 6(1) (e) of the GDPR ‘…exercise of official authority…’ 

Back to top


Working for or with us

NICE is the data controller for the information you provide during the recruitment process and your employment unless otherwise stated.

Staff

Application stage

The information you provide during the recruitment process will only be used for the purpose of progressing your application, or to fulfil legal or regulatory requirements if necessary.

We ask you for your personal details including name and contact details. We will also ask you about your previous experience, education, referees and for answers to questions relevant to the role you have applied for. You will be asked to complete a criminal records declaration to declare any unspent convictions.

We will use the contact details you provide to us to contact you to progress your application.

The other information we ask for is used to assess your suitability for employment. You don’t have to provide what we ask for but it might affect your application if you don’t. 

We also ask for you to provide us with equal opportunities information, this is data about things like your racial or ethnic origin, religion, disability, gender and sexual orientation. This is not mandatory information – if you don’t provide it, it will not affect your application. It is not part of the recruitment process and it is used to produce anonymised statistics on our recruitment process as part of our duties under equalities legislation.

NHS Jobs

If you submit an application to NICE using NHS Jobs the information you supply will be processed by NHS BSA, who managed this process on behalf of NICE.

More information about how the data you supply on NHS jobs is processed can be found here.

Shortlisting using TRAC

Once you have submitted an application NHS BSA transfer data from NHS jobs onto TRAC, a web-based system that we use to manage recruitment.

TRAC, data is shared as follows:

HR recruitment manager – this job role as NICE has access to all the data you submitted as part of your application on NHS jobs, this includes equality monitoring data. Please note the HR recruitment manager is not involved in candidate selection.

The recruitment panel (those who shortlist applicants) will have access to your application apart from your name, contact details, and equality monitoring information. The recruitment panel is usually made up of 3 staff members.

If you are successful at shortlisting and invited to interview, the recruitment panel will then have access to your name and contact details. At no point does the recruitment panel see the equality monitoring information.

Assessments

We might ask you to participate in assessment days; complete tests and/or to attend an interview – or a combination of these. Information will be generated by you and by us. For example, you might complete a written test or we might take interview notes. This information will be collected in hardcopy and then scanned and uploaded to TRAC.

In the case of recruitment to some senior posts, you may be asked to participate in a psychometric test. We use 3rd party ERAS to carry out these tests. The reports generated by ERAS are shared with NICE’s senior HR business partners, these are distilled into a short summary before being shared with the recruitment panel.

If you are unsuccessful following assessment for the position you have applied for your data will be deleted from TRAC 200 days after the after the post you have applied for has been filled. Any other data we hold will be deleted after 6 months.  We may ask if you would like your details to be retained, if you say yes, we may contact you should any further suitable vacancies arise. 

If you are successful, data collected at your assessment and uploaded to TRAC will be shared with NHS BSA. We do this so NHS BSA can include this data in your recruitment file which they send to relevant staff in the NICE HR and payroll team.

Offer of employment

If we make a conditional offer of employment we will ask you for information so that we can carry out pre-employment checks. You must successfully complete pre-employment checks to progress to a final offer. We are required to confirm the identity of our staff and their right to work in the United Kingdom. We also need to check that you hold the relevant qualifications required and our Code of Conduct requires all staff to declare if they have any potential conflicts of interest, or if they are active within a political party. You will be required to provide: 

  • Proof of your identity and right to work in the UK– you will be asked to attend our office with original documents and we will take copies of these.
  • Proof of any essential qualifications – you will be asked to attend our office with original documents and we will take copies of these.
  • A declaration of interests
  • We will contact your referees, using the details you provide in your application, directly to obtain references.

We will also ask you to complete a questionnaire about your health. This is to establish your fitness to work –see the occupational health section for more information.

If we make a final offer, we will also ask you for the following:

  • Bank details – to process salary payments
  • Emergency contact details – so we know who to contact in case you have an emergency at work
  • Membership of an NHS Pension scheme – so we can send you a questionnaire to determine whether you are eligible to re-join your previous scheme.

If you accept a final offer from us, some of your personnel records will be held on the Electronic Staff Record (ESR), this is a HR and finance records system. The rest of your data will be held on NICE’s network drive with restricted access.

Occupational health

We are joint data controllers with our use third-party supplier Health Assured to supply our occupational health service. They also supply our employee assistance service. If we make you a conditional offer, we will ask that you complete a questionnaire which will help to determine if you are fit to undertake the work that you have been offered, or advise us if any adjustments are needed to the work environment or systems so that you may work effectively.

We will send you a link to the questionnaire which will take you to Health Assured’s website. The information you provide will be held by Health Assured who will provide us with a fit to work certificate or a report with recommendations. With your consent this report will be shared with relevant members of staff.

If an occupational health assessment is required, you will be asked to provide your consent before being referred.

If during your employment with NICE you access our employee assistance programme Health Assured may ask for your name and email address – none of this data will be disclosed to NICE. Health Assured only supply us with anonymised, usage statistics.

For more information about how Health Assured process your data, please see their privacy notice.

Agency workers

For temporary vacancies, we use relevant recruitment agencies approved by Crown Commercial Services.

As the employment relationship is with the agency, we only hold limited data about agency workers – this may include CV’s sent by your agency and notes made about you if you attended an interview with us.

Data relating to HR and payroll is held by the agency. For more information about how individual recruitment agencies process your data, please visit their websites or contact them directly.  

Apprentices

We recruit our apprentices through 3rd party suppliers. These 3rd parties longlist candidates for us and may also conduct initial telephone interviews. If you are successful at this stage your CV will be sent to the recruitment panel and HR apprentice lead at NICE for shortlisting.

If you are unsuccessful at interview NICE will delete your data 6 months after the post has been filled.

If you are successful at interview please see the Offer of employment section for information about how your data will be processed.

If you would like more information about how your particular apprentice provider handles your data, please visit their websites or contact them directly.  

Staff survey

We use a third-party survey provider to administer our staff surveys. They are provided with staff emails in order to collect views from our staff and report on staff engagement within the organisation.

Payroll and Pensions 

We use NHS Shared Business Services (SBS) to help manage our payroll. SBS access relevant information about you through ESR THIS IS SO THEY CAN pay your salary and any expenses you may claim, to make appropriate deductions and to comply with our legal and statutory obligations.

Legal basis for processing

For entering into and managing contracts with the individuals concerned, for example our employees the legal basis is Article 6(1)(b) – ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.

Where we have a specific legal obligation that requires the processing of personal data, the legal basis is Article 6(1)(c) – ‘processing is necessary for compliance with a legal obligation to which the controller is subject’.

For other processing of personal data about our employees, our legal basis is Article 6(1)(e) – ‘…exercise of official authority…’

Where we process special categories data for employment purposes the condition is: Article 9(2)(b) – ‘…processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’.

For the processing of information about the health of our workforce, the legal basis is: Article 9(2)(h) – ‘…processing is necessary for the purposes of preventive or occupational medicine…assessment of the working capacity of the employee…the provision of health or social care…’

Committee members

If you are applying to join a committee you will be recruited either directly by NICE or by one of our collaborating centres.

At application stage, depending on the role you are applying for, we may ask you to provide the following information:

  • cover letter explaining how you meet the criteria in the person specification and your motivation for applying for the role (maximum 2 pages)
  • brief CV, including details of any relevant academic or other research work
  • an application form
  • completed declarations of interests form
  • completed equalities monitoring form
  • names and contact details for 2 referees.

We ask for this information so we can assess your suitability for the role and monitor the diversity of candidates to ensure we comply with the Equality Act 2010.

We ask you to fill out a declaration of interest form as we are required to identify and manage any potential conflicts of interest.

If you are successful in your application, the interest you declare may be published. We do this as it supports a culture in which we are open and transparent about the interests of those who are members of, or work with, our advisory committees, so that the effect of interests is known, understood and managed. This is essential if health and care professionals, and the public, are to maintain confidence in our work.

You may also be asked to fill in a confidentiality form – this data will be used to record your agreement to the terms set out in each document.

Legal basis for processing

For entering into and managing contracts with the individuals concerned, the legal basis is Article 6(1)(b) – ‘processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract’.

Where we have a specific legal obligation that requires the processing of personal data, the legal basis is Article 6(1)(c) – ‘processing is necessary for compliance with a legal obligation to which the controller is subject’.

For other processing of personal data about our employees, our legal basis is Article 6(1)(e) – ‘…exercise of official authority…’

Where we process special categories data for employment purposes the condition is: Article 9(2)(b) – ‘…processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law…’.

Back to top


Your rights

Under Regulation 2016/679 (General Data Protection Regulation) and other information rights laws, you have rights as an individual which you can exercise in relation to the information we hold about you.

You can read more about these rights here.

Access to your personal data

We will be as open as possible when it comes to giving you access to your personal data. You can find out if we hold any personal data about you by making a ‘subject access request’ under the General Data Protection Regulation. If we do hold information about you we will:

  • give you a description of it;
  • tell you why we are holding it;
  • tell you who it could be disclosed to; and
  • let you have a copy of the information in an intelligible form.

To make a request for any personal data we may hold you need to put the request in writing addressing it to our Data Protection Officer, or writing to the address provided below.

If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting the Data Protection Officer.

Disclosure of personal data

In most circumstances we will not disclose personal data without consent. However, there may be circumstances when we need to, for example to comply with the law.

We will not share your information with any third parties for the purposes of direct marketing.

We use data processors who are third parties who provide some service for us. We have noted above where we use third parties. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will not share your personal information with any organisation apart from us. They will hold it securely and retain it for the period we instruct. 

Freedom of Information

The Freedom of Information Act 2000 provides a right of access to recorded information held by public authorities and sets out exemptions to that right of access, for example, if the information is confidential.

If you would like to find out more, please see our freedom of information page.

Useful information

Links to other websites

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Our public task

We rely on our ‘public task’ or Article 6(1)(e) ‘processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’, as our legal basis for processing much of the personal data we collect.

Our public task consists of the functions we are under a legal duty to perform.

These are set out in:

You may also find our charter useful.

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 25th May 2018.

Our Data Protection Officer

Our Data Protection Officer is:

Kelly Parry
Governance Manager: information
Corporate Office
Level 1a, City Tower
Piccadilly Plaza
Manchester
M1 4BT

E-mail: dpo@nice.org.uk

How to contact us

We aim to meet the highest standards when processing personal data and want to be as open and transparent as possible.

If you have a question about our privacy policy you can email us or write to:

Data Protection Officer
NICE
Level 1a, City Tower
Piccadilly Plaza
Manchester
M1 4BT

If you want to make a complaint about the way we have processed your personal data please follow our general complaints policy and procedure.

If you feel that we have not met our responsibilities under the General Data Protection Regulation, you have a right to request an independent assessment from the Information Commissioner’s Office (ICO). You can find more details on their website.

Back to top