City, University of London (‘City’) is the ‘data controller’ of this information. This means that City decides what your personal information is used for, and the ways in which it is processed. You can find additional information at www.city.ac.uk/about/governance/legal including City’s Data Protection Policy.
City provides users with access to use the CARA Portal to help account holders (such as clinicians, researchers) learn about therapies and assessments for people with aphasia and use them with people with aphasia. We also provide tools to host and conduct tasks in a self-service capacity directly and through the Site. (These are from now on collectively, the 'Services').
If you want to register an account with us you will need to provide us with some additional personal information so that we can ensure the information provided to you is relevant and to be certain that we are placing any new information you create as a user of the Site in the appropriate category. If you do choose to create and account or otherwise to provide us with your personal information, we will collect that information for our own use and for the purposes described in this Policy.
What type of personal information does the CARA portal collect?
The personal information we collect from you, including where you choose to provide personal details to us, and where we obtain information about you, will include the following data which we require in order to provide our Services and to communicate with you:
- your full name;
- your e-mail address and CARA Portal password;
- your address and contact details;
- your credit or debit card details if you decide to purchase the Services.
Where you fail to provide this data, or other data requested that we need to collect by law, or under the terms of another contract we have with you, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with our Services). In this case, we may have to cancel a service you have with us but we will notify you if this is the case at the time. The other personal information we may collect from or about you, includes:
- Your organisation and department;
- Information you voluntarily submit to us (including through the Site) from time to time as part of user generated content (or through other means);
- Details of visits to our website (which enable our website to remember information about you and your preferences) and use of our site. This may include:
- Usage data, such as the URLs of pages visited and the times and dates of those visits
- Error data, such as the URLs and contextual information for any errors encountered while using the site
- Referral data, such as the site that referred you to the CARA Portal and the site that the CARA Portal referred you to
- Technical data, such as the browser you use to access our site, the device and operating system that you use, and your time zone
- Any information necessary for legal compliance
The information above will be collected primarily from you as information voluntarily provided by you to us, but we may also collect it where lawful to do so from (and combine it with information from) public sources, your university, employer, third party service providers, individuals who you have indicated have agreed for you to provide their personal information, government, tax or law enforcement agencies and other third parties
On what basis can we process your information?
Data Protection legislation requires that we meet certain conditions before we are allowed to use your data in the manner described in this notice, including having a “lawful basis” for processing. The basis for processing will be as follows:
- Public task. The processing of your personal data may be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
How does the Cara Portal use information about you?
The Cara Portal uses information about you for the following purposes:
- In order to provide you with our Services;
- to respond and/or deal with your request or enquiry;
- to administer the Site;
- to administer the Services, including support and consultancy services;
- for internal record keeping, including:
- Financial transactions (for tax and accounting purposes)
- Subscription usage (for billing)
- Data ownership (to denote which account holder is the owner of which data)
- Feature usage and server load (to denote which features are popular or need changing, and to ensure adequate server provision)
- to contact you by e-mail or phone for any of the above reasons;
- to provide you with information at your request, or as a result of searches undertaken using the Site; and
- for compliance with legal, regulatory and other good governance obligations.
This list is not intended to be exhaustive and may be updated from time to time as business needs and legal requirements dictate.
City may also convert personal information into anonymous data and use it (normally on an aggregated statistical basis) for research and analysis to monitor and improve Site performance and/or for promotional purposes.
How long we keep your data for
We will keep your details on record for so long as you have a registered account with the CARA portal. If you would like to close your registered account, you can do so via the Site. When you close your account:
- Subscription usage and financial records are kept as part of our usage records
- Identifying information about you (name, email address) is deleted from your account, and your account data is pseudonymised to form part of our aggregated statistics
Do we share personal information with third parties?
Your personal information will only be made available for the purposes mentioned above (or as otherwise notified to you from time to time including in this Policy) to our staff who properly need to know these details for their functions within City.
Your personal information may also be made available to third parties (within or outside of City) providing us with relevant services on our behalf, such as your organisation, auditors and compliance managers and IT hosting and IT maintenance providers. These companies will only have access to or use your information where necessary to perform their functions on our behalf. A list of these organisations is available here
Will your personal information be transferred abroad?
Whilst we hold your data on secure servers within the European Economic Area ('EEA') certain transfers of personal information to third party recipients take place, as explained above. Please be aware that such recipients of your personal information (as set out in this notice), may not be located within the EEA but instead located in countries which do not have equivalent protection for personal information to that within the EEA. Where we transfer your information outside the EEA we will either undertake an assessment of the level of protection in light of the circumstances surrounding the transfer or:
- Only transfer it to a non-EEA country with privacy laws that give the same protection as the EEA; or
- Ensure we have an agreement in place with the recipient under which they are under a duty to protect your data to the same standards as those in place in the EEA; or
- Transfer it to US organisations that are signed up to the EU-US Privacy Shield scheme; or
- We will make sure that any transfers are not repetitive and only limited to the minimum amount of information possible. In certain circumstances we may need to seek your consent unless there is an overriding legal need to transfer the information; and
- In all cases where your information is transferred outside the EEA, you have a right to contact us for information on the measures we have put in place. Those current measures in place are here
What safeguards are in place to protect your personal information?
While we take efforts to safeguard your personal information which are consistent with relevant laws, the nature of the internet is such that we cannot guarantee absolutely the security of any personal information you disclose online.
How you can access and update your personal information
You can find out if City hold any personal information by making a ‘subject access request’, normally free of charge, under data protection legislation. If we do hold information about you we will let you have a copy of that information unless a legal exception applies, in which case we will inform you of this at the time. You also have the right to request that information we hold about you which may be incorrect, incomplete, or which has been changed since you first told us, is updated or removed. To make a request to exercise either of these rights, please email your request to email@example.com.
How you can request erasure of your data
You can ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
How you can restrict or object to us using your data
You can ask us to suspend the way in which we are using your information in certain scenarios, or object to our processing your data where we are relying on a legitimate interest ground (or those of a third party) and you feel it impacts on your fundamental rights and freedoms, or where we are processing your personal data for direct marketing purposes or profiling your data. In some cases where you object, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Please note that if you want us to restrict or stop processing your data this may impact on our ability to provide our Services. Depending on the extent of your request we may be unable to continue providing you with our service.
Any queries or concerns about the way in which your data is being used can be sent to firstname.lastname@example.org
Moving your information to another organisation
In the event that we process your data by automated means where you have either provided us with consent for us to use your information or where we used the information to perform a contract with you, you have the right to request that we send to you or to another organisation, an electronic copy of the personal data we hold about you, for example when you are dealing with a different service provider. If you would like us to move, copy, or transfer your information please let us know by email to email@example.com. We will respond to you within one month after assessing whether or not this is possible, taking into account the technical compatibility with the other organisation in question.
Automated decision making and Profiling
We do not use your information for automated decision making or profiling that has legal or similarly significant effects on you.
Changes to this Policy
We keep this Policy under regular review. We may change this Policy from time to time by updating this page in order to reflect changes in the law and/or our privacy practices. The date at the top of this Policy will be updated accordingly.
We encourage you to check the date of this Policy when you visit the Site for any updates or changes. We will notify you of any modified versions of this Policy that might materially affect the way we use or disclose your personal information.
This Policy only extends to the Site and does not, therefore, extend to your use of, provision of data to and/or collection of data on any website not connected to us to which you may link by using the hypertext links within this website. Contact/address details
If you have any questions about this Policy, please contact us at firstname.lastname@example.org.
Or alternatively at:
Information Assurance Team City, University of London Northampton Square London EC1V OHB United Kingdom
Complaints about the use of your personal data
If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can contact our Data Protection Officer at email@example.com. Alternatively you may complain to the UK data protection regulator, the Information Commissioner’s Office. Further details can be found at www.ico.org.uk or 0303 123 1113.