Privacy Notice

Privacy & Cookies Policy

This Web site is owned and controlled by NHS Innovations South East.

Key points:

  • Our use of your data: We typically use your personal information in order to carry out consultancy work for you or your employer or to supply you with company updates.
  • Marketing and legal updates: We may send you marketing information, usually in the form of an email or e-newsletter.  You may ask us to stop sending you newsletters, or marketing information at any time.
  • Sharing: We may share your data with selected third parties such as service providers, subject to appropriate confidentiality protections (eg. providing instructions to a patent agent or lawyer).  We will never share your data with any other organisation for marketing purposes.
  • Security: We respect the security of your data and treat it in accordance with the law.
  • International: We do not usually transfer your data outside the EU and, if we do, you can expect a similar degree of protection in respect of your personal information.


Under the Data Protection Act 1998 and the General Data Protection Regulation 2016 (the data protection laws), we are required to explain to you why we are asking for information about you, how we intend to use the information you provide and whether we will share this with anyone else.

This statement applies to

  • all individual public sector and commercial clients and prospective clients; and
  • all current and former employees, workers and contractors for clients or prospective clients.


We are NHS Innovations South East Limited; a company incorporated in England, (registered number 05210174), whose registered office is at Units 4 & 5, Swinford Farm, Eynsham, Oxford, OX29 4BL and whose business address is PO Box 652, Abingdon, Oxfordshire, OX14 9JU


Some of the information that you provide to us is required for us to provide you with our consultancy services under you or your employer’s contractual agreement with us.  Without this information, we will not be able to enter into a contract with you or provide services via your employer.

We will also hold your information in our CRM database to allow us to provide and offer further services to you and your employer.  If you would like your personal details to be removed from our CRM database, please email specifying “opt out” in the subject heading.

Finally, we hold a small amount of your information in our CRM and email systems which we use to hold details of our contacts generally and more specifically for managing client work.

4.1 Non-personally-identifiable information we use on our website

As a standard practise, NHS Innovations South East assigns a random number to each user for anonymously tracking content preferences and traffic patterns. This random number lets us keep track of “how many” times users are doing specific things – like visiting our site each month – without really knowing who those users are (unless they specifically tell us). We analyse this data for trends and statistics, such as which parts of our site users are visiting and how long they spend there. We also gather information about what users are searching for. We use all this information in order to improve our content, plan site enhancements, and measure overall site effectiveness.


We are collecting information about you in order to achieve the purposes set out in clause 3 above. This includes:

Personal details of contacts
Client personal details (such as name and job title);

Client contact details (such as your work address, work telephone number(s) and email address);

Employee personal details (such as name, date of birth, occupational health details and copies of personal identification such as passport);

payment information for employees (such as bank account details or information about any other payment method);

HMRC and pension details for employees

Personal details relevant to commercial activities
contact details of any person associated with a commercial project or intellectual property registration (such as name, work address, telephone number and email address);

Marketing contact details
details held in our CRM database which include the following standard categories: name, organisation, job title, postal address, email address, and phone number;

Marketing and survey information
your responses to our e-newsletters via Mailchimp;

details of any agreement or objection to receiving marketing information from us;


The information which we collect about you will be obtained through a variety of sources which may include:

Information provided by you

from any communication you have with us in relation to any IP or innovation matter or potential instruction;
in relation to attendance at any of our training or marketing events;
when you sign up for a newsletter;
when you complete surveys that we use for research purposes;
Information collected automatically about you
Information collected from third parties

Information from your employer who may be a client of our services.


The information which you provide to us will be used for the following purposes:

it will be stored and used by us in accordance with this privacy statement and also in accordance with your rights under the data protection laws;

it will be collected and used by us for the purpose of providing our consultancy services to you;

it will be used to improve the services you receive from us; and

it will allow us to offer you further information and services which may be useful to you.


In accordance with the data protection laws, we need a “legal basis” for collecting and using information about you. There are a variety of different legal bases for processing personal data which are set out in the data protection laws.
The lawful bases on which we rely in order to use the information which we collect about you for the purposes set out in this notice will be:

using your information pursuant to our legitimate interests is necessary for us to perform the consultancy contract between us; and

using your information is necessary for us to comply with legal and regulatory obligations to which we are subject; and

using your information pursuant to our legitimate interests, namely to hold your data for marketing purposes.


Contractors and sub-contractors
We may share information about you with our contractors and sub-contractors.  The contractors and sub-contractors shall be contractually required to ensure that they adhere to the security requirements imposed by the data protection laws.
Our contractors and sub-contractors will only be able to use the information when completing work on behalf of us.  Examples of subcontractors we use regularly are:

Hosted web services, (Microsoft Office 365,, who may access your information for the purposes of maintenance of their service; and

Contractors or associates commissioned by NISE to assist in the delivery of consultancy services to our clients.

Regulators and other legal obligations

We may also be required to share your information with organisations or authorities where we have a legal obligation to share the information with them.


We may need to share your information with our insurers in certain circumstances, to ensure protection of the company and of you.

Other organisations

We may from time to time share your information with other organisations but only to the extent required to allow them to maintain services provided to us and always subject to appropriate confidentiality provisions.


We are not aware of any routine personal data being transferred outside the EU and have taken steps under GDPR to ensure that personal data remains within the EU.  In very limited circumstances we may need to transfer the information which you provide to us to the US because the organisations we use to organise events (Eventbrite) and to carry out client surveys (Surveymonkey) are located in that country.
These organisations are subject to the US/EU Privacy Shield.  This means that both organisations are part of a scheme which is designed adequately to protect your personal information. Further details are available on the websites of each of these organisations.


The information that you provide will be stored securely on our electronic and hard copy filing systems.  We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

We are certified to Cyber Essentials standard (IASME consortium) which requires the company to:

  • systematically examine information security risks, taking account of relevant threats, vulnerabilities, likelihood, impacts and apply treatments to mitigate risks;
  • implement a comprehensive set of information security controls and ensure that the specific security objectives are met.


In limited circumstances we may use your information for a purpose other than those set out in this policy. If we intend to do so, we will provide you with information relating to that other purpose before using it for the new purpose and will undertake a Data Protection Impact Assessment.


We will store personal data which you provide to us in accordance with our Records Management and Data Retention policy.  For matters closed on or after 1 May 2018 we will store your data for 7 years after the date of file closure unless:

we have a formal written agreement with you to retain a file or category of files for a specified period of time, in which case the agreed period of time will prevail;
we write to you proposing a different date for document and data retention, normally either in the matter engagement or a file closing letter;

This means that we will hold your file for the relevant time period after which we will delete or destroy it.  If you wish to retain copies of any documents or data beyond that time period you must contact us before the expiry of the relevant time period.  Charges may apply to any extended retention period or if you would like us to provide a copy of your file.
In addition, we will store some of your personal data including name, job title, organisation, email address:
In our CRM database for marketing purposes for so long as we consider it to be useful.  You may ask us to remove your details from our CRM database at any time. In addition whenever we contact you, we will provide you with the option to unsubscribe.


If you have any questions about our use of your personal data, you are welcome to contact us.  You will find our contact details in clause 3.  If you notice any errors in your personal data, you have the right to have them corrected.

Under certain circumstances, by law you have the right to:

Request access to your personal information (commonly known as a “data subject access request”).  This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it;

Request correction of the personal information that we hold about you.  This enables you to have any incomplete or inaccurate information we hold about you corrected;
Request erasure of your personal information.  This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it.  You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below);
Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground.  You also have the right to object where we are processing your personal information for direct marketing purposes;
Request the restriction of processing of your personal information.  This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it;
Request the transfer of your personal information to another party.


In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time.  To withdraw your consent, please contact the NISE Chief Executive using the contact details set out in clause 3.  Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.


You also have the right to complain to the Information Commissioner’s Office (the “ICO”) if you are not satisfied with the way we use your information.  You can contact the ICO by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.


We may amend this privacy statement at any time so please review it frequently and at least each time you submit personal information to us.  Our current privacy statement applies to all information that we have about you and your matters.