OPRI PRIVACY NOTICE
What this information is about
This website privacy notice (“Notice”) tells you how Observational & Pragmatic Research Institute Pte Ltd and Observational & Pragmatic Research International Limited (“OPRI”, “Company”, “we”, “us” or “our”) collects, stores and uses your personal data when you contact us, use our website, or use one of our services in accordance with the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”) or the Personal Data Protection Act (‘PDPA’) (Singapore) depending on the region of applicability (collectively “Data Protection Laws”). Personal data is information that can identify you. This Notice explains what you should expect OPRI to do with the personal data that we have collected from you where OPRI is the controller of the personal data that we hold.
Your Personal data
Personal Data means information which relates to a living individual who can be identified either directly or indirectly from that information. Personal data contains information or identifiers that can identify the person the data relates e.g. name, date of birth, address, contact information, etc.
Personal Data about visitors to our site is collected only when knowingly and voluntarily submitted. For example, we may need to collect such information to provide you with further services or to answer or forward any requests or enquiries. It is our intention that this Notice will protect your personal information from being dealt with in any way that is inconsistent with applicable Data Protection Laws.
Use of Personal Data
Personal information that visitors submit to our site is used only for the purpose for which it is submitted or for such other secondary purposes that are related to the primary purpose, unless we disclose other uses in this Notice or at the time of collection. Copies of correspondence sent from the web site, that may contain personal information, are stored as archives for record-keeping and back-up purposes only.
We may also use information we collect about you:
- to administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- to improve our site to ensure that content is presented in the most effective manner for you and your computer; and/or
as part of our efforts to keep our site safe and secure.
Who we collect personal data from
As part of registering with us, we collect personal information about you in order for you to take full advantage of our services. To do this it may be necessary for you to provide additional information to us as detailed below.
Registration. Registration is completely optional. Registration may include submitting your name, email address, address, telephone numbers, option on receiving updates, research, education material and other information. You may access this information at any time by contacting us on the details below.
Why we collect personal data (lawful basis)
• UK GDPR Article 6(1)(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
• UK GDPR Article 6(1)(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
• UK GDPR Article 6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
• UK GDPR Article 6(1)(f): Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
• Personal Data Protection Act 2012 (‘PDPA’) Section 13: an organisation cannot collect, use, or disclose personal data about an individual unless the individual gives, or is deemed to have given, his/ her consent to the collection, use, or disclosure.
• PDPA Section 14: an individual has not given consent unless the individual has been notified of the purposes for which his/ her personal data will be collected, used, or disclosed, and the individual has provided his consent for those purposes.
• PDPA Section 15 An individual is deemed to consent to the collection, use or disclosure of personal data about the individual by an organisation for a purpose if –
(a) the individual, without actually giving consent mentioned in section 14, voluntarily provides the personal data to the organisation for that purpose; and
(b) it is reasonable that the individual would voluntarily provide the data.
Your data protection rights
Under Data Protection Laws, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information. Note that these rights apply to the data we hold in our capacity as data controller.
- Your right to be informed
- Your right of access
You have the right to ask us for copies of your personal data held by OPRI.
- Your right to rectification
You have the right to ask OPRI to change or correct information you think is inaccurate about you. You also have the right to ask OPRI to complete information you think is incomplete.
- Your right to erasure
You have the right to ask OPRI to erase your personal data in certain circumstances.
- Your right to restriction of processing
You have the right to ask OPRI to restrict the processing of your information in certain circumstances.
- Your right to object to processing
You have the right to object to processing if we are able to process your information because the process is in our legitimate interests.
- Your right to data portability
This only applies to information you have given to OPRI. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information with your consent.
You are not required to pay any charge for exercising your rights. We have one month to respond to you. Please note that we are only able to help you exercise your data protection rights if we hold your personal data and we can identify you. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
What personal data we collect
We collect only information that we need for a particular function, and only hold it for as long as it remains necessary for the purposes for which it was collected. We only use or disclose personal data for the purposes for which the individual gave it to us for, or for directly related purposes the individual would expect, or other purposes if agreed with the individual.
I. Personal data collected from phone and email contact
We may collect personal data when individuals contact our services by phone or email. We use this information for administering our services and to correspond with service users.
II. Personal data collect from our suppliers
We collect information regarding contacts at our suppliers such as names, telephone numbers, email addresses, postal address in order to maintain the relationship and ensure the continued supply of services from those parties.
III. Personal data from curriculum vitae (CVs) and job applications
We collect information from you when you apply for a job with us or send us your CV. Please refer to the separate candidate privacy notice for further information in relation to how we use the personal data we collect.
IV. Personal data collected on our website
We collect personal data when individuals visit our website, complete forms or questionnaires on our website, apply for employment with us via our website, or provide contact details through our website. The personal data we collect from users of this website will include the IP address you use to access this website, and the URLs of any of our web pages which you visit and the time of your visit. We use this information to respond to the user’s enquiry, or to provide a requested service or to make improvements to our website.
Our website cookies do not contain personal information about users. However, cookies can identify a user’s browser. The cookies transferred by our website are used for such things as capturing information about a user’s web browser, controlling a pop-up window or enabling login access to password protected areas of the website. The cookies have an expiration date set 24 months from the most recent website visit date.
We use a third-party service, Google Analytics, to collect information regarding visitor activity to the website. This is not used to identify the user as an individual but is collated into aggregate results or classifications. We do not make an attempt to find out the identities of the visitors to our website.
VI. Personal data collected on our social media
We use a number of social media platforms, including Facebook, Twitter and LinkedIn to update and inform our service users and the public. Comments posted on our social media are open to the public. We may collect personal data from social media posts that are uploaded to these platforms.
VII. Personal data from our events and educational activities
We collect personal data from individuals invited to, attending or participating in events and educational activities supported by OPRI. We use this information to organise and run the events, and to support individuals attending or participating in the events. In some cases, information on the education or participation activity status of individuals may be disclosed to relevant institutions or accreditation bodies for the purpose of certifying completion or participation or for recording continuing professional development.
VIII. Personal data from images and photos
We will seek an individual’s consent prior to taking a video, photo or image, and using it. In some cases that consent may be implied, such as the taking of photos at events to be used in publications. If the video, photo or image contains sensitive information about a person e.g. information relating to their health, we will obtain the individual’s consent to take the video, photo or image and specify what it will be used for. This consent should be informed and freely given by the individual whose photo or image is to be shared. Individuals may withdraw their consent at any time. If this occurs, we will take all reasonable steps to stop using the image or photo from the time the consent is withdrawn.
IX. Data received in connection with clinical trials
Personal data is not collected from any OPRI supported clinical trials or research. All data collected from any clinical trial or research is anonymised data and no person can be identified. Due to the anonymised nature of the data, the data collected by OPRI in a clinical trial or research shall not fall under the requirements of UK GDPR/DPA or PDPA. If you have questions about the use of your data in a clinical research study or trial, please contact your healthcare provider who will hold records about your involvement.
How we use personal data
We may use personal data to:
- respond to enquiries from individuals, service users and suppliers;
- conduct evaluations of our products, materials, programs and services;
- provide and promote educational activities, events and conferences;
- contact individuals for feedback on products, materials, programs and services;
- assist us to perform our corporate, regulatory and contractual obligations
We will not:
- sell your personal data to third parties
- share your personal data with third parties for marketing or insurance purposes
How we disclose or share personal data
Personal data that we hold is only shared or disclosed in line with data protection laws. We will disclose personal data if we are required to do so by law, by court order, government department or to prevent fraud or other crime.
We do not disclose personal data to third parties for marketing purposes. We do not sell personal data or confidential information to third parties. We do not disclose any personal data collected in the UK to overseas entities.
We may disclose personal data to contractors to whom we outsource certain functions, or which provide services to us. We take all reasonable measures with contractors to ensure they comply with the law on data protection. Contractors must not disclose any personal data or confidential information without prior approval in writing from OPRI, unless they are required to disclose the information by law, court order, or to prevent fraud or crime.
How we store personal data
OPRI is committed to ensuring that any personal data we hold is as safe as reasonably possible, both while it is being processed and when it is stored. We store the personal data we collect on secure databases, electronic and hard copy files. Personal data is only stored in the UK and within the European Economic Area (EEA) or within Singapore in line with data protection laws.
We have policies and procedures for the secure, permanent destruction of personal data when it is no longer required.
How long we keep personal data
We retain the personal data we collect for as long as needed to continue to meet the purposes for which the information is collected. We will delete personal data in line with our records retention policy or as required by law.
Data security – how we protect and secure personal data
To safeguard your personal data from unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks, we have introduced appropriate administrative, physical and technical measures to secure all storage and transmission of personal data by us and disclosing personal data both internally and to our authorised third-party service providers and agents only on a need-to-know basis.
The steps we take to keep the personal data we collect secure include:
- Regularly assessing the risk of misuse, loss, interference, modification, unauthorised access or disclosure of personal data.
- Putting measures in place to address the above risks including robust information technology security, data encryption, restricted user access, and data security and protection policies.
- Regularly ensuring that our staff and contractors only access personal data when needed.
- Ensuring our staff and contractors are regularly trained on data protection at least annually.
- Conducting regular internal audits to assess compliance with these measures and the UK GDPR/DPA or PDPA.
- Observational & Pragmatic Research International Limited is a registered data controller with the Information Commissioner’s Office, registration number: Z190430X.
You should be aware, however, that no method of transmission over the Internet or method of electronic storage is completely secure. While security cannot be guaranteed, we strive to protect the security of your information and are constantly reviewing and enhancing our information security measures.
If you have any questions or complaints or you require any information about how we handle personal data at OPRI, please contact our Data Protection Team by email, phone or post using the details below:
Write to us: Warren House, Sankence, Aylsham, Norfolk, UK NR11 6UN
Email us: firstname.lastname@example.org
Phone us: 01223 967 855 (UK) or (+65) 3105 1489 (Singapore)
Our Data Protection Officer is Sophie Harriman. You can email her at email@example.com or write to her using our postal address above. Please mark the envelope ‘Data Protection Officer’.
In the UK, you can make a complaint about the way we process your personal data to the Information Commissioner’s Office (ICO) using their contact information below. You can also request independent advice from the ICO.
Phone: 0303 123 1113
Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
ICO website: https://ico.org.uk/make-a-complaint/
In Singapore, you can make a complaint about the way we process your personal data to the Personal Data Protection Commission.
Phone: +65 6377 3131
Post: 10 Pasir Panjang Road, #03-01 Mapletree Business City Singapore 117438
Changes to this Privacy Notice
This Notice applies in conjunction with any other policies, notices, contractual clauses and consent clauses that apply in relation to the collection, use and disclosure of your personal data by us.
We keep our Notice under regular review to make sure it is up to date and accurate. When we make changes to this Notice, we will amend the last updated date at the bottom of this page. Any update to this Notice will be applied to the handling of personal data as of that update date.
Privacy Notice last updated 9 September 2022