EDGE Privacy Statement

(updated 21st November 2024)

Introduction:

This privacy statement sets out the privacy practices for the EDGE Local Portfolio Management System application (“EDGE LPMS”) provided by the Clinical Informatics Research Unit (“CIRU”) at the University of Southampton (“the University”).

EDGE LPMS registered users (“subscribers”) register their personal information with the University and it is vital for us to share how we protect that data. Personal data refers to the personal information that we hold about you from which you can be identified (either alone or in combination with other data available to the University).

The University is the data controller, which means that we are responsible for deciding how we hold and use personal data about you. This statement makes you aware of how and why your personal data will be used, namely for the purposes of providing you with our services, and how long it will usually be retained for. It provides you with information under the General Data Protection Regulation ((EU) 2016/679) (GDPR).

We keep this Privacy statement under regular review and it may be amended from time to time.


Data Protection Principles:

We will comply with data protection law and principles, which means that your data will be:

  • Used lawfully, fairly and in a transparent way.

  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.

  • Relevant to the purposes we have told you about and limited only to those purposes.

  • Accurate and kept up to date.

  • Kept only as long as necessary for the purposes we have told you about.

  • Kept securely.


A list of the types of data we collect is set out below. Processing means doing anything with your data, such as collecting, recording, or holding the data, as well as disclosing, destroying, or using the data in any way.

In order to provide access to the EDGE LPMS application the following personal information is required within a subscriber account profile (“EDGE Profile”) to enable service delivery:

  • First Name

  • Surname

  • Email Address

In addition to name and email address, subscribers can also voluntarily provide the following personal data identifiers within the EDGE Profile:

  • Title

  • Gender

  • Date of Birth

  • Personal URL

  • Professional Registration Number

  • ORCID ID

  • Telephone contact data

Subscribers can also voluntarily upload personal data characteristics within the EDGE Profile. These include:

  • CVs

  • Record of Qualifications

  • Record of Training Courses and Certificates

What if you do not provide your personal data?

Certain data, such as your contact details, have to be provided to enable us to enter a contract with you. If you do not provide this data we will not be able to provide our services to you.

How will your personal data be collected?

We will only collect your data from you or your local administrator and not from any third party organisations.

Data you provide to us:


Information regarding our subscribers derived from their access and use of the EDGE LPMS is shared with the University to enable the delivery of services to subscribers. The University shall not sell or rent this information to any third party. Your personal information will be shared with selected third parties as part of enabling service delivery (see ‘Information Use’ below).

Information Processing:


Lawfulness of Processing:

Processing of this data is necessary for the performance of the Master Service Agreement Contract with your organisation or Local Comprehensive Research Network. We will only process your data for the specific purpose or purposes that we tell you about or if specifically permitted under any privacy legislation and will only process your data to the extent necessary for that specific purpose or purposes.


Information Use:

Application Access
In order to access the application subscribers must have registered a contact name and email address.

Sub processors
We have partnered with various providers to offer a reliable service. All of our partners take personal data privacy seriously and are fully compliant with GDPR. We have signed a data processing agreement (DPA) with each of them.

To be fully transparent, here is the complete list of the providers who come in direct contact with our subscribers’ personal data.

Name: Telefonica Tech UK
Services: Cloud Solutions Provider
Location: UK
GDPR Compliance: GDPR Compliant https://www.cancom.co.uk/privacy-policy/
DPA Signed: YES

Name: Microsoft Azure

  • EDGE Australia

  • EDGE Belgium

  • EDGE Canada

  • EDGE Cyprus

  • EDGE India

  • EDGE New Zealand

  • EDGE South Africa

  • EDGE UK

Services: Web Servers, Database Hosting
Location: AU / EU / CA / IN / NZ / ZA / UK
GDPR Compliance: GDPR Compliant https://privacy.microsoft.com/en-gb/privacystatement
DPA Signed: YES

Name: SendGrid (Twilio)
Services: Transactional Email
Location: UK
GDPR Compliance: GDPR Compliance https://sendgrid.com/resource/general-data-protection-regulation-2/
DPA Signed: YES

Name: Active Campaign
Services: Marketing Comms
Location: EU
GDPR Compliance: GDPR Compliance https://www.activecampaign.com/legal/gdpr-updates/privacy-framework
DPA Signed: YES

Name: Bettermode
Services: Community Forum Platform
Location: EU
GDPR Compliance: GDPR Compliance https://bettermode.com/legal/data-processing-agreement
DPA Signed: YES

Name: Salesforce
Services: Help Desk
Location: UK
GDPR Compliance: GDPR Compliance https://www.salesforce.com/uk/gdpr/overview/
DPA Signed: YES

Audit Reports
All actions within the EDGE LPMS application are audited to comply with 21 CFR Part 11. This requires the logging of user identifiers (First Name & Surname) with a date and time stamp against system actions. 

Surveys
From time-to-time, the Clinical Informatics Research Unit may request voluntary participation in a survey relating to the application or delivery of service. Information requested may include contact information and demographic information. Survey Information will be used to monitor and improve the services provided by the Clinical Informatics Research Unit.

EDGE Developments and Updates
The EDGE Communications Team send our subscribers updates and announcements about the EDGE service including the release of the monthly EDGE LPMS application upgrades. Subscribers are able to unsubscribe from these announcements by clicking the ‘Unsubscribe’ link at the bottom of the email communication. Communications with users will be by e-mail, telephone or standard mail service.

Data Storage
Data provided to the Clinical Informatics Research Unit regarding a subscriber is stored within secure hosting service platforms in the following regions:

EDGE Instance: EDGE Australia
Data Hosting Provider and Location: Microsoft Azure – Australia East Data Centre (New South Wales, Australia)

EDGE Instance: EDGE Belgium
Data Hosting Provider and Location: Microsoft Azure - EU Data Centre West (Netherlands)

EDGE Instance: EDGE Canada
Data Hosting Provider and Location: Microsoft Azure - Canada Data Centre West (Toronto)

EDGE Instance: EDGE Cyprus
Data Hosting Provider and Location: Microsoft Azure - EU Data Centre West (Netherlands)

EDGE Instance: EDGE India
Data Hosting Provider and Location: Microsoft Azure - India West Data Centre (Mumbai, India)

EDGE Instance: EDGE New Zealand
Data Hosting Provider and Location: Microsoft Azure - Australia East Data Centre (New South Wales, Australia)

EDGE Instance: EDGE South Africa
Data Hosting Provider and Location: MS Azure - South Africa West Data Centre – (Cape Town, South Africa)

EDGE Instance: EDGE UK
Data Hosting Provider and Location: MS Azure - UK Data Centre South – (London – UK)

Holding and retaining your data
We create and hold your personal data electronically. We will only hold your Data for the duration that your organisation is contracting with EDGE for the purpose or purposes that we have collected it.

Who has access to your personal data?
Your data will be shared internally with staff within CIRU. We may have to disclose your Data if required to do so by law in order to comply with a legal obligation, to protect our rights, interests or property and those of others, act in urgent circumstances to protect the personal safety of our staff, students and the public or to protect us against any legal liability.

Correcting/Updating Personal Information
Subscribers to the EDGE application can update their Information at any time through their ‘User Profile’ pages, via Local EDGE administrators or by contacting the EDGE Team directly on edge@soton.ac.uk

Security
The Clinical Informatics Research Unit takes every precaution to protect our subscribers’ information. Only staff members who need a subscriber’s (personal) information to perform a specific job are granted access to the Information. The University’s staff operate within the University’s policies and procedures for Information Security. Staff are also bound by the confidentiality provisions in their employment contract and are kept up-to-date on National, Local and departmental security and privacy practices. They are regularly notified and audited to safeguard customer privacy.

Accurate data
We will keep the Data we store about you accurate and up to date. Data that is inaccurate or out of date will be destroyed. If your data is not accurate then please update your User Profile through the EDGE LPMS application, contact your Local EDGE Administrator or email us at: edge@soton.ac.uk


Your rights:

You have a number of rights. You can:

  • Access and obtain a copy of your data on request;

  • Require us to change incorrect or incomplete data;

  • Require us to delete or stop processing your data, for example where the data is no longer necessary for the purposes of processing;

  • Object to the processing of your data where we are relying on our legitimate interests as the legal ground for processing; and

  • Ask us to stop processing data for a period if data is inaccurate or there is a dispute about whether or not your interests override the organisation's legitimate grounds for processing data.

If you would like to exercise any of these rights, please contact us at: AskHR@soton.ac.uk

If you believe that the organisation has not complied with your data protection rights, you can complain to the Information Commissioner.

How do you access your data?

If you would like to exercise any of your rights please make a request using our online form or in writing to:

The Data Protection Officer
Legal Services
University of Southampton, Highfield
Southampton, SO17 1BJ
Email: data.protection@soton.ac.uk

In certain circumstances you can request your Data for reuse for your own purposes across different services by emailing us at: edge@soton.ac.uk.


Our registration number with the Information Commissioner’s Office is Z6801020

ICO Registration:


If you would like to find out more about how we use your personal data please contact: edge@soton.ac.uk. We also have additional policies and guidelines concerning particular activities. If you would like further information, please see our Publication Scheme.

If you are unhappy with the way that we have handled your data you can contact us at: edge@soton.ac.uk or contact the Information Commissioner’s Office via their website.


Further information: