NDRS ("We"; "Us"; "Our"), will hold certain information about you and your organisation, which will usually contain personal data. Personal data means any information relating to an identified or identifiable living person (‘data subject’ ‘You’).

For the purposes of clarity, we will refer to this information as 'Your personal data'. We are the data controller for this information, and this privacy statement sets out how we will use this information.

If You are an existing subscriber/user of the MyLearningSpace as part of Our service provision to You We will process information about You to manage access control, password recovery and personalised certificates. Unless agreed otherwise with You, We will store and process this information in accordance with this privacy statement.

If you have any queries regarding Our handling of Your data, you can contact our Data Protection Officer (DPO) at NHS Digital (NHSD), The Leeds Government Hub, 7&8 Wellington Place, Leeds LS1 4AP.

The types of personal data we collect and use

The information we collect in order to provide the MyLearningSpace is your name, email address and organisation and job title.

Using Your personal data: the legal basis and purposes

We will process Your personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Security and retention of Your personal data

In order to ensure that Your personal data is kept safe, we adhere to an internal security policy in line with industry best practice and Information Governance Toolkit requirements. As part of this policy, all of the information We hold electronically is stored on encrypted disks (known as 'encryption of data at rest').

We will retain Your personal data for as long as you subscribe to the MyLearningSpace. We will remove this information from Our records if You ask us to, subject to our legal obligations as outlined above.

Your rights under applicable data protection law

Your rights are as follows (noting that these rights don't apply in all circumstances):

  • The right to be informed about Our processing of Your personal data;
  • The right to have Your personal data corrected if it's inaccurate, and to have incomplete personal data completed;
  • The right to object to processing of Your personal data;
  • The right to restrict processing of Your personal data;
  • The right to have Your personal data erased;
  • The right to request access to Your personal data* and information about how We process it;
  • The right to move, copy or transfer Your personal data;
  • Rights in relation to automated decision making (please note that We do not engage in this practice).

* A request by You for Us to provide Your personal data is called a Subject Access Request. The requested data will be provided to You within 40 days, except where the information requested is legally exempted from disclosure.

You have the right to complain to the Information Commissioner's Office. It has enforcement powers and can investigate compliance with data protection law. Their website is at ico.org.uk.

If you have any queries regarding Our handling of Your data or any aspect of the above statement, you can contact our Data Protection Officer (DPO) at enquiries@nhsdigital.nhs.uk.

Last modified: Tuesday, 5 October 2021, 2:49 PM