2020 Delivery Ltd (trading as The PSC) is committed to protecting the privacy and security of personal information. 2020 Delivery Ltd is a "data controller", as defined by the Data Protection Act 1998 and all applicable laws which replace or amend it, including the General Data Protection Regulation. This means that we are responsible for deciding how we hold and use personal information (see Footnote 1). This privacy notice describes how we collect and use personal information, in accordance with the General Data Protection Regulation (GDPR). It applies to anyone whose data we receive, including individuals whose data is included in data we receive from public service providers we support, such as NHS Digital.
The PSC is a team of public service consultants united by the belief that better public services are the key to a stronger society. We choose to work only in public services and are proud to partner with inspiring leaders and teams across healthcare, central government, education, and beyond.
Who we are
2020 Delivery Ltd is a limited liability company (company number: 05671510), trading as The PSC.
Our registered address is 45 Pall Mall, London SW1Y 5JG.
We may be contacted at firstname.lastname@example.org, or via https://thepsc.co.uk
How we collect and use information about individuals
The PSC collects and processes personal data to support the aims of the organisation.
Such data may be accessed by a number of individuals within The PSC. They are all subject to confidentiality agreements and to our processes for ensuring secure and legal handling of personal data.
Data about applicants
We collect personal information about individuals through the application and recruitment process, either directly from candidates or from third parties including recruitment agencies, former employers and background check agencies.
We process data in order to take relevant steps prior to entering into a contract with you. We also use personal information to pursue legitimate interests including:
- making decisions about appointment, terms, assignment, training, promotion or remuneration for an individual, and administering a contract of employment
- verifying the identity of a potential employee
- complying with health and safety obligations
- maintaining a record of recruiting decisions
- monitoring equal opportunities
Some of the above grounds for processing will overlap and there may be several grounds which justify our use of personal information.
Data about visitors to our website
In some areas of our website we ask users to provide information that will enable us to supply them with our services or contact them after their visit. We may also use this information to contact you to advise you of other services that may be of interest to you.
The information you provide will be kept confidential and will not be disclosed to third parties without your consent.
We will respect personal information and undertake to comply with all applicable UK data protection legislation currently in force, both in respect of the personal information supplied and in respect of any personal information which we may process.
Website users agree that the information provided by them on the contact form may be used in accordance with the purposes for which information has been obtained. If you do not wish to receive marketing material from us, please contact us.
What are cookies and how do we use them?
You can block all cookies (including functional cookies) by activating the setting on your browser that allows you to refuse the setting of cookies. However, if you do this you may not be able to access some parts of our site. You can find more information about enabling and disabling cookies at www.allaboutcookies.org.
The cookies we use are from Google Analytics: These enable us to estimate our audience size and usage pattern, and to recognise your IP address, operating system and browser type. For more information click here. Using these cookies helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. These cookies do not personally identify any individual user. These are usually third party cookies, which we use to deliver a better user experience.
Data about public service staff and users
As part of our work supporting public service providers, we are sometimes granted access to data on public service users and staff members, and this could include data about you. For example, we may receive data from NHS Digital which relates to patient activity (hospital episode statistics data) in hospitals. We will process this data in order to support public service providers to make better decisions about their organisations. This could include strategic decisions and operational improvements to improve the quality and efficiency of their services for the public.
All data we receive will be “pseudonymised” which means that it will not directly identify individuals, e.g. there will be no names or NHS numbers.
The PSC does not use this data for any automated decision making and nor will our third-party service providers.
We may hold some data about individuals which is particularly sensitive, such as data relating to health (including hospital attendances, diagnoses, procedures) or protected characteristics (age, disability, gender reassignment, race, religion or belief, sex, sexual orientation, marriage and civil partnership, and pregnancy and maternity). This data will be part of a wider dataset and will be pseudonymised. We only hold the information relevant to our analysis.
The PSC has a legitimate interest in processing pseudonymised health data to support the NHS and other public service organisations to improve their services for the benefit of patients and other service users. The legal basis to carry out this processing derives from Article 6(1)(f) of the EU General Data Protection Regulation 2016/679 (GDPR). 2020 Delivery Ltd, and the clients we support, would not be able to achieve an equivalent impact using publicly available datasets. We are complying with all relevant laws and regulations regarding this data.
The processing meets the requirement of point (j) of Article 9(2) of the General Data Protection Regulation, as the data processing is required for statistical research in the public interest, in order to improve services for public-service users.
The Health and Social Care Act 2012 provides a legal basis for providing this data as the data requested has been pseudonymised to the standard set out in the Information Commissioner’s Anonymisation Code of Practice. This means the data is not classified as ‘personal data’, as no individuals could be identified using this dataset in conjunction with other publicly available data.
Do we need your consent?
We will always ask for consent to collect identifiable information and individuals may refuse to provide the information. Individuals may also withdraw their consent for us to process this information at any stage, though we may already have disposed of the information.
In the case of pseudonymised data, we have gained consent from the public service providers who have supplied the data, and they hold it based on consent that individuals have given when interacting with those organisations. Because this information is pseudonymised, we cannot identify individuals from the data. For this reason, we cannot respond to subject access requests, or apply the 'right to be forgotten' to this data. For more information on pseudonymised data, and what that means for individuals' rights, please see the Information Commissioner's Office's anonymisation code of practice.
We may have to share personal data with third parties, including third-party service providers, where required by law, where it is necessary to administer the working relationship with you or where we have another legitimate interest in doing so. We require third parties to respect the security of this data and to treat it in accordance with the law. We may transfer personal information outside the EU, for example when using a cloud service to store this information, where we are confident in the third party’s standards of data protection and information security.
All our third-party service providers and other entities in the group are required to take appropriate security measures to protect personal information in line with our policies. We do not allow our third-party service providers to use personal data for their own purposes. We only permit them to process personal data for specified purposes and in accordance with our instructions.
Data security and retention
We have put in place appropriate security measures to prevent personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify individuals and any applicable regulator of a suspected breach where we are legally required to do so.
We will only retain personal information for as long as necessary to fulfil the purposes for which we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements, and management of our business. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Your rights relating to your personal data
It is important that the personal information we hold is accurate and current.
Individuals have a number of rights in relation to the personal information that we hold about them, for which we will not charge a fee. We may need to confirm your identity before responding to any request from you.
- Be informed: to be informed about the collection and use of their personal data
- Access: Individuals have the right to access their personal data
- Correction: to have any incomplete or inaccurate information corrected
- Erasure: to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing
- Object to processing: where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.
- Restriction of processing: to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it
- Data portability: allows individuals to obtain and reuse their personal data for their own purposes across different services
- Withdraw consent, in the limited circumstances where you have provided consent.
Further details of our and your legal obligations and duties can be found at the Information Commissioner’s Office website.
How to contact us or raise a concern or complaint
Contacting The PSC (2020 Delivery Ltd)
If you have any concerns about how your personal data is being collected and processed, or wish to exercise any of your rights detailed in this Privacy Notice please contact us at:
Contacting the Information Commissioner’s Office
If you have wider concerns about how 2020 Delivery Ltd manages information or wish to make a complaint, please contact the Information Commissioner’s Office (ICO). The ICO can be contacted at https://ico.org.uk/global/contact-us/. Concerns can also be logged via the ICO website https://ico.org.uk/concerns/
Public – Controlled document QP 48 - v3 – 01/07/2020
Footnote 1: Personal information means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).