1.1. Welcome to Frontier Medical Group’s (Frontier) privacy notice (the ‘Notice’). Frontier respects your privacy and is committed to protecting your personal data. This Notice will inform you how we look after your personal data as a customer of or supplier to Frontier. It will also tell you about your privacy rights and how the law protects you.
1.2. The Notice also demonstrates our compliance with the EU’s General Data Protection Regulation (GDPR) that became effective from 25th May 2018.
1.3. Many of the GDPR’s main concepts and principles are the same as those in the current Data Protection Act 1998 – to which we were already complying – and so much of our approach to compliance remains valid and provides a sound base from which to build. We do, however, fully understand the new elements and enhancements with GDPR and have followed guidance issued by the Independent Commissioner’s Office (ICO) to ensure ongoing compliance. As a result, we have increased the awareness of the importance of data protection across our business and embedded a number of new processes and controls that we consider to be wholly reasonable and proportionate.
1.4. Frontier only processes personal data for:
• Staff administration (incl. payroll);
• Accounts and records (i.e. invoices and payments) and
• Advertising, marketing and public relations in connection with our own business activity.
These are defined as Core Business Activities and we are therefore not required to register as either a Data Controller or Data Processor with the Independent Commissioner’s Office (ICO). However, we have voluntarily elected to do so for each of the core trading entities in the Group in line with good industry practice.
1.5. This Notice will also inform you how we look after your personal data when you visit our website (regardless of where you visit it from).
• Frontier’s website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. Frontier does not control these third-party websites and is not responsible for their privacy statements. We encourage you to read the Notice of every website you visit.
• Frontier’s website is not intended for children and we do not knowingly collect data relating to children
1.6. This notice explains how Frontier collects and uses information during the course of its core business activities. This notice covers the following and may be updated from time to time:
• What is personal information?
• How do we collect personal information?
• What information do we collect?
• How do we use your information and what is the legal basis that permits us to do this?
• What happens if you do not provide information that we request?
• How do we share your information?
• How do we keep your information secure?
• When do we transfer your information overseas?
• For how long do we keep your information?
• Your rights in relation to your information
1.7. The Table at the end of this notice provides an overview of the data that we collect, the purposes for which we use that data, the legal basis which permits us to use your information and the rights that you have in relation to your information.
1.8. We have appointed a Data Protection Officer (DPO) who has responsibility for advising us on our data protection obligations. You can contact the DPO using the following details.
• Name: Data Protection Officer
• Email: firstname.lastname@example.org
• External: 01485 235 800
• Address: Frontier Medical Group, Newbridge Road Industrial Estate, Newbridge Road, Blackwood, South Wales, NP12 2YN
1.9. We have follow guidance from the ICO raise awareness about the important of data protection on a regular basis, following e.g. in the form of posters)
2. How Frontier collects and uses information
What is personal information?
2.1. Personal information is any information that tells us something about you. This could include information such as your name and contact details.
How do we collect personal information?
2.2. Direct Interactions: For customers of and suppliers to Frontier, we collect personal information directly from you, primarily when you engage in Core Business Activities with us e.g. purchasing our products, supplying us with goods/services, requesting that marketing be sent to you;
2.3. Third parties or publicly available sources: We may also collect information from third party sources such as:
• Publicly held available information e.g. Companies House, Electoral Register;
• Third parties if we check references. We will only obtain personal data from such activities after obtaining written consent from you to do so.
What information do we collect?
2.5. As a customer of, or supplier to Frontier, we would typically collect the following categories of information about you:
• Identity data: Includes first name, last name, title
• Contact data: Includes contact address, email address and telephone numbers (including any phone number used to call our office number)
• Marketing and Communications Data: Includes your preferences in receiving marketing from us and our third parties and your communication preferences
2.6. For visitors to our website, we will collect:
• Technical data: Includes your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access frontier’s website. This data collected is anonymised and we cannot link this to the underlying individual.
• Usage Data: Includes information about how you use our website, products and services including the full Uniform Resource Locators (URL), clickstream to, through and from our sites (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page, and any phone number used to call our office number.
• Marketing Permissions: Includes information submitted on our website, which will be used to communicate updates and marketing. Consent to receive marketing communications will be gathered with a positive opt-in. Individuals can change their mind at any time by clicking the unsubscribe link in the footer of any email you receive from us.
• Online Store: Includes information submitted on our website when placing an order, which is used to process any order, dispatch your goods, communicate updates and marketing. Consent to receive further communications will be gathered with a positive opt-in. Individuals can change their mind at any time by clicking the unsubscribe link in the footer of any email you receive from us.
2.7. We may also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Notice.
2.8. We do not collect any ‘special categories’ of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.
How do we use your information and what is the legal basis that permits us to do this?
2.9. Under data protection legislation we are only permitted to use your personal information if we have a legal basis for doing so. We will therefore only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
• To consider your application for a role with us;
• Where we need information to enter into a contract with you e.g. as a customer or supplier;
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests;
• Where we need to comply with a legal or regulatory obligation.
2.10. In more limited circumstances we may also rely on the following legal bases:
• Where we need to protect your interests (or someone else’s interests);
• Where it is needed in the public interest or for official purposes.
2.11. Generally we do not rely on consent as a legal basis for processing your personal data, but on occasions may seek consent as an additional control.
2.12. The Table at the end of this notice provides more detail about the information that we use, the legal basis that we rely on in each case and your rights.
What happens if you do not provide information that we request?
2.13. We need some of your personal information in order to perform our contract with you. For example, if you are a customer and we do not have your contact details, we might not be able to satisfy your order request.
2.14. Where we need to collect personal data whether by law, under the terms of a contract we have with you or to consider your application for a role with us, if you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel a service you have with us or we may not be able to progress your application for a role with us. We will notify you if this is the case at the time.
How do we share your information?
2.15. We share your personal information in the following ways:
• With other entities in our group as part of our regular reporting activities and in the context of a business reorganisation or group restructuring exercise.
• If we sell any part of our business and/or integrate it with another organisation your details may be disclosed to our advisers and to prospective purchasers or joint venture partners and their advisers.
2.16. Where we share your personal information with third parties we ensure that we have appropriate measures in place to safeguard your personal information and to ensure that it is solely used for legitimate purposes in line with this Notice.
2.17. In general, we do not share your personal data with third parties for marketing purposes.
How do we keep your information secure?
2.18. Personal data for customers and suppliers is held and stored in:
• Frontier’s Enterprise Resource Planning (ERP) system. This is a secure and fully supported IT system that provides automated, end-to-end transaction processing throughout our business.
• Frontier’s Customer Relationship Management (CRM) systems. This is also a secure and fully supported IT system that allows the business to record customer data (e.g. name, contact details, employer) and activity with customers e.g. dates of meetings, key actions etc. This system also supports our marketing activity and helps record key actions agreed at such meetings.
2.19. Access to personal information is restricted to employees working within our group on a need to know basis e.g. access to our IT systems is granted only to teams/employees where it is relevant and appropriate to their roles within the business. Training will be provided to any employees working within the group who need access to your personal information to ensure it is secured at all times.
2.20. Additionally, all computers/pcs/laptops issued to employees are fully secured, encrypted and password protected. Passwords are set to expire at set periods and so are changed regularly. System and software updates are automated to ensure computers/pcs/laptops are updated on a timely basis to keep them safe and secure.
When do we transfer your information overseas?
2.21. We do not transfer your personal information to countries outside of the UK and the European Economic Area.
2.22. If this were to ever change, we recognise that countries outside of the UK and the European Economic Area may not offer an equivalent level of protection for personal information to the laws in the UK. We would therefore ensure that appropriate safeguards were put in place to protect your personal information and establish adequacy mechanisms to protect your personal information.
For how long do we keep your information?
2.23. As a general rule we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
2.24. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
2.25. Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting us.
2.26. In some circumstances you can ask us to delete your data: see below request erasure for further information.
2.27. In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
Your rights in relation to your information
This Notice provides details on how we use your personal information. You also have a number of rights in relation to your personal information. These include the right to:
2.28. Request access: obtain access to your personal information that we hold. You may request a copy of certain personal information that you have provided to us in a commonly used electronic format. This right relates to personal information that you have provided to us that we need in order to take steps to enter into a contract with you and personal information where we are relying on consent to process your personal information;
2.29. Request correction: request that your personal information is corrected if you believe it is incorrect, incomplete or inaccurate;
2.30. Request erasure: request that we erase your personal information in the following circumstances:
• if we are continuing to process personal data beyond the period when it is necessary to do so for the purpose for which it was originally collected;
• if we are relying on consent as the legal basis for processing and you withdraw consent;
• if we are relying on legitimate interest as the legal basis for processing and you object to this processing and there is no overriding compelling ground which enables us to continue with the processing;
• if the personal data has been processed unlawfully (i.e. in breach of the requirements of the data protection legislation);
• if it is necessary to delete the personal data to comply with a legal obligation.
2.31. Request restriction of processing: ask us to restrict our data processing activities where you consider that:
• personal information is inaccurate;
• our processing of your personal information is unlawful;
• where we no longer need the personal information but you require us to keep it to enable you to establish, exercise or defend a legal claim;
• where you have raised an objection to our use of your personal information;
2.32. Object to processing: object to our processing of your personal information where we are relying on legitimate interests or exercise of a public interest task to make the processing lawful. If you raise an objection we will carry out an assessment to determine whether we have an overriding legitimate ground which entitles us to continue to process your personal information;
2.33. Withdraw consent at any time: if we are relying on consent as the legal basis for processing and you withdraw consent. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
2.34. If you would like to exercise any of your rights or find out more, please contact the DPO at email@example.com. The Table at the end of this notice provides more detail about the information that we use, the legal basis that we rely on in each case and your rights.
2.35. You will not have to pay a fee to access your personal data or to exercise any of the other rights although we expect that any such requests are fully justified/explained (i.e. evidence that shows we are not in compliance with this Notice). We will also require evidence of identification (two forms including passport or driving license) to ensure we are engaging directly with the correct individual and not breaching regulation.
2.36. We reserve the right to charge a reasonable fee (minimum £10 per request) if any request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. Any such charge must be paid upfront in advance of the SAR being addressed and the DPO will aim to provide the data within 30 days
3.1. If you have any complaints about the way we use your personal information or have identified a potential breach in the way we are using your personal data, please contact the DPO (firstname.lastname@example.org) who will try to resolve the issue. If we cannot resolve your complaint you have the right to escalate your complaint to:
• the Board of Directors; or
• the data protection authority in your country (e.g. the ICO in the UK).
4. Table: Quick check of how we use your personal information
|Purpose||Data used||Legal Basis|
|4.1. To register you as a potential or new customer/ supplier||a) Identity
c) Marketing Communications Data
|a) Performance of contract with you
b) Necessary for our legitimate business interests (to keep our records updated market to you and provide services to you)
|4.2. To consider your application for a role with us||a) Identity
|a) Necessary for our legitimate business interests (to recruit staff for our business).|
|4.3. To manage our relationship with you which will include:
b) Asking you to leave a review of take a survey
c) Marketing and Communications Data
|a) Performance of a contract with you
b) Necessary to comply with a legal obligations
c) Necessary for our legitimate business interests (to keep our records updated and to study how customers use our products/ services).
|4.4. To enable you to partake in a prize draw, competition or similar||a) Identity
d) Marketing and Communications Data
|a) Performance of a contract with you
b) Necessary for our legitimate business interests (to study how customers use our products/ services and to develop and grow our business).
|4.5. To administer and protect our business and our website (incl. trouble-shooting, data analysis, testing, system maintenance, support, reporting and hosting of data)||a) Identity
|a) Necessary for our legitimate business interests (for running our business, provision goods/ services, network security and in the context of a business reorganisation or group restructuring exercise)
b) Necessary to compel with a legal obligation
|4.6. To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you||a) Identity
e) Marketing and Communications Data
|a) Performance of contract with you (to inform you of availability of new products and/ or market and clinical updates)
b) Necessary for our legitimate business interests (to study how customers use or products/ services and to inform our marketing strategy)
c) Necessary for our legitimate business interests (to develop our products/ services and grow our business)
|4.7. To use data analytics to improve our website, products/ services, marketing customer and supplier relationships and experiences||a) Technical
|a) Necessary for our legitimate business interests (to define types of customers for our products/ services, customer and supplier relationships and experiences|
|4.8. To make suggestions and recommendations to you about products and services that may be of interest to you||a) Identity
|a) Necessary for our legitimate business interests (to develop our products/ services and grow our business)
b) Consent will be sought if you are not a direct customer/ Supplier, nor a person with who we have an obvious legitimate business interest (e.g. to develop our products/ services and grow our business)
5. Raising Awareness
5.1. ICO has created the following suite of posters to help employees take extra care when sharing work information. These cover some of the most common mistakes, including sending information to the wrong recipient, leaving work documents in public view or not appropriately disposing of information.
5.2. Frontier has reproduced these posters under permission from ICO and distributed them throughout the organisation to help raise awareness of the continued and growing importance of personal data protection.