Privacy policy

Independent Care Review Privacy Notice

How we gather and use personal data

Where there is a word in bold in this document, we have explained what it means in the Glossary at the end.

Who we are

The Independent Care Review is based at the University of Strathclyde. Our address is 94 Cathedral Street, Glasgow, G4 0LG. The University of Strathclyde have a dedicated Data Protection Officer. Any enquiries on the data protection legislation which underpins this document can be made to

The Independent Care Review gather and use personal data about the individuals and organisations it works with. This document explains why it does this and what it does with the information it has. Gathering and using personal information like this means the Independent Care Review are a ‘data controller’.

If you have any questions about this document, or how we use information and data, you can write to us at:

Independent Care Review, 94 Cathedral Street, Glasgow, G4 0LG

email us at:

or call us on:

0141 444 8527

All of the personal data we hold will be treated in accordance with the terms of GPPR. We will regularly check this document covers everything we need it to and update it when necessary.

The types of personal data we collect

The work of the Independent Care Review means it gathers different types of information. These are outlined below:

  • Your name
  • Your email address
  • The organisation you work for
  • Any other relevant contact details, such as telephone or post
  • The events we have run which you have attended
  • Information on the areas of our work you are interested in
  • Information on how you have used our website

GDPR says some types of information are sensitive information. This information is given special protection. We will only collect it if we need it for insurance purposes, we need to know it to keep you safe at a meeting or event (such as allergies or health needs) and you have given us your consent to store and use it. Information we routinely gather which counts as sensitive information is:

  • Information on your dietary and access requirements
  • Information on your health needs
  • Information on your support needs

How we collect personal data

Some of the personal data held by the Independent Care Review is given by people themselves. When people register for any of our events, conferences or meetings, they give us their name, the name of the organisation they work for, their contact details and sometimes their personal preferences, like what they would like to eat, or whether they need any help with access or support. People might also provide these details when they get in contact through the website or social media, or by filling out the forms on the website to get involved.

If personal information is collected from you directly, you will be told what it will be used for and asked for your consent to do this.

Personal information is also gathered through the course of the work the Independent Care Review does. If you are involved in any of the participation work, creatives in residence group, workgroups or other methods of engagement, information on who you are might be stored. This would include your name, the name of the organisation you work for, how you have been contacted, your contact details and which areas of work you are interested in.

This document does not cover the data gathered on your experiences or opinions through research, participation or engagement projects. Exemptions from GDPR mean these have their own Privacy Notices. If you are involved in any of the research, participation or engagement projects, you will receive a copy of the relevant document.

Where you have been involved with work directly, or had contact with members of the Independent Care Review Secretariat or Chair, and the details you have given have been stored, you will told and asked for your consent.

When you use the website, information is automatically collected on the pages you have visited, how long you have spent on them, the links you have clicked and the documents you have downloaded. One way this is done is by using cookies which help us to know more about website users. You will be asked whether you consent to us using cookies when you visit the website. You can view our Cookie Policy here.


Our how we store personal data

All data collected and stored by the Independent Care Review is transferred to secure servers hosted by the University of Strathclyde. Where removable hardware is used, such as laptops or hard drives, it is fully encrypted and password protected.

Our legal basis for gathering and using personal data

GDPR sets out the lawful bases organisations must meet to store and use personal data. The personal data the Independent Care Review use will have been collected under the lawful basis of consent. This means where your personal data is being stored or used, you will have been given an explanation of how this is done and asked for your consent. You can withdraw your consent at any time, for all or part of your information, by contacting us using any of the methods above.

If the Independent Care Review have purchased a service from you or there is a contract in place between us, the personal data collected relating to this will be stored under the lawful basis of contractual obligation. This means this data is necessary to be able to carry out our work with you and will only be used in this way.

How we use personal data  

Personal data will be used to:

  • Let you know about news, events and activities the Independent Care Review Secretariat think you might like to hear about.
  • Better understand the types of organisations being reached and engaged with.
  • Ensure we are engaging with as diverse and representative a group of people as possible.
  • Help us to provide you with specific support when you engage with us.

Personal data will not be used to:

  • Use a computer or software to make any decisions about you based only on the personal data held.

If the Independent Care Review Secretariat want to use the personal data held on you for a new purpose not covered above we will contact you and explain this new use. This will be done and you will be asked for your consent before your personal data is used in the new way.

Who personal data is shared with

The personal data we have is treated as confidential and only shared with organisations whose services and software are needed to help us provide the best possible service. To do this, other organisations are sometimes used to help process data, such as event bookings or how our website is used. This will only be done after you have given consent. Each of these organisations has provided us with details of their own GDPR compliance. If you would like to see the privacy policy of an organisation we work with, please contact us using any of the methods above.


How long we keep personal data for

Personal data is kept for as long as is necessary to carry out the work it relates to. This depends on the reason your personal data is stored in the first place.

When data is collected for the purposes of events or meetings, it is held until the end of our events process and then deleted from our records, unless you have an ongoing relationship with us and we have consent to keep your information.

When an individual makes a specific information request to or from the Independent Care Review, their data will be held until the completion of this information request and then deleted from our records, unless the individual has made a further request to stay involved.

How we will keep in touch

If you have given us your personal data to register for an event, meeting or conference we will use the contact details you have given us to keep in touch with information about the event you are attending, and any further work you might be interested in if you have given us consent to do that. This might be by post, email or telephone.

If you have given us your personal data and are actively involved with the Independent Care Review through its workgroups or other groups, your information will be stored until the end of the work, unless you withdraw consent sooner.

Your rights and who to contact

You have the right to:

  • Ask for a copy of the personal data held about you. You will not be charged for this.
  • Ask that we correct any personal data we hold about you which is incorrect or out of date.
  • Ask that we delete the personal data we hold about you.
  • Withdraw consent to us using your personal data in the ways you’ve said we can.
  • Ask that we send all the personal data we hold on you to another company or organisation.
  • Ask us to stop using your personal data until you’re happy it is correct and being used in a way you are comfortable with.
  • Object to the ways we use personal data.
  • Complain to the Information Commissioners Office about the ways we gather or use personal data.

To do any of the above, you can write to us at:

Independent Care Review, 94 Cathedral Street, Glasgow, G4 0LG

email us at:

or call us on:

0141 444 8527.

If you would like to request access to the data that the website holds about you as a website user, please also use the contact details above.

The Information Commissioners Office can be written to at:

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

emailed at:

or called on:

0303 123 1113



personal data

Personal data is information about a person which could be used to identify them. We might know who you are from the information itself, or by linking that data to other information we have access to. GDPR tells us the rules we must obey when gathering and using personal data.

data controller

GDPR identifies organisations as data controllers. Being a data controller for GDPR means we decide what personal data we collect and how we will use it.

sensitive information

GDPR says some personal data is sensitive information. This data is information we would think of as personal, such as your health, your religion and your ethnicity.


If you have given us consent, you have said we are allowed to use your personal data. To get your consent, we will always tell you what personal data we will be gathering and how we will be using it.



Cookies are small pieces of data sent from our website to your computer. They remember useful information and tell organisations more about the people using their website.

exemptions from GDPR

Certain information we collect is not covered by GDPR and we are required to treat this differently. Where this is the case, there will be a separate Privacy Notice advising you of how this is done.

privacy notices

GDPR says organisation must give information about how they obey the laws on gathering and using data. The document containing this information is called a privacy notice. 

lawful bases

GDPR sets out the lawful bases we must use to gather and use personal data. These are the reasons we must give whenever we want to do this.

legitimate interests

Refers to the lawful basis on which we process data. To comply with the GDPR 2018 we must evaluate the purpose and necessity of processing any personal data before processing takes place. We must also balance any data processing activity with the rights and freedoms of the individual (e.g. ensure that data processing does not infringe rights) before processing data.

If these three conditions are satisfied, legitimate interest is proved and we can therefore process the data in question.


Information and data that is confidential will be kept private. If information is confidential, we won’t share it with anyone.

withdraw consent

If you withdraw consent, you are telling us that we are not allowed to use your personal data any more. You can withdraw consent at any time.