Privacy Policy

Privacy Policy

This document provides you with everything you need to know about how we handle data, which data we control and which data we process on behalf of our clients, why we process it and what your rights are.

This Privacy Notice concerns the data for which we are the Data Controller.

In addition to this Notice we provide information about our role as Data Processor working on behalf of our clients who may be your Data Controller.

You can quickly skip to any particular section you wish to review by clicking through:

Summary

Who are MES?

                Definition of Data Controller and Data Processor

Who is our Data Protection Officer?

What information is gathered on our corporate website (www.membra.co.uk)?

How long will we keep this information?

Use of ‘client data’

Use of ‘prospect data’

How information gathered on our sites operated on behalf of our clients is used

                The Legal Basis for processing your data

How information gathered by other means is used

How long will MES keep information collected on behalf of its clients?

Access to your details and other rights

Will we share this information with outside parties?

What security controls are in place?

Cookies

Improving our sites

Email Disclaimer

Copyright

Who is the supervisory authority?

* This Privacy Notice may be referenced elsewhere and by others as a Privacy Policy, Privacy Statement or Fair Processing Notice.

SUMMARY

    • MES is registered with the Information Commissioner’s Office as a Data Controller. However for many of our activities we are the Data Processor working on behalf of a client; the client is the ‘Data Controller’.
    • We keep to a minimum the information we hold about you
    • If you are visiting our corporate website, we use your data to offer our services to you, respond to your enquiries, manage our relationship with you, collect your details if you wish to receive more information about any MES news or any of our services, meet our legal obligations and improve our website.  In this capacity we are working as a Data Controller.

    • If you are submitting information on a website, platform or service that that we supply on behalf of a client (to whom you are associated e.g. a member, patient or stakeholder or wish to provide feedback to or join), we use your data to help that client provide their services to you, respond to your enquiries, manage their relationship with you, collect your details if you wish to receive more information from them, assist them in meeting their legal obligations and improve our website or platform.  In this capacity we are usually working as a Data Processor, but on occasion with regard to particular research services we provide on behalf of some clients, a Data Controller.  We refer you to that organisation to which you are associated (e.g. a member, patient or stakeholder) or wishing to provide feedback to or join, to inspect their Privacy Notice describing their role as Data Controller in relation to your data, and to find details of their DPO.

    • We delete your data when it is no longer needed for these things
    • Generally, we do not give your information to third parties, but there are some exceptions in order to deliver particular elements of our service
    • You have privacy rights as described by the GDPR and Data Protection Act and we operate in accordance with these, taking security and privacy extremely seriously
    • If you need any further information we are happy to help and you should contact us at dpo@theERSgroup.com

WHO ARE MES?

We are a specialist engagement consultancy working across sectors helping organisations engage effectively with their stakeholders, staff, patients, members, and the public.  Our work is broad and varied, providing digital platforms, research services, communication and mailing services and more. Our corporate website is www.membra.co.uk.

If you have reached us either on our corporate website or a website/platform provided on behalf of one of our clients, it is hosted and maintained by Membership Engagement Services Ltd (MES), 33 Clarendon Road, London, N8 0NW.

MES is part of The ERS Group (www.theERSgroup.com), a Civica Group company.

MES is a ‘Data Processor’ registered with the ICO working on behalf of our clients, the ‘Data Controllers’. You can find the ICO’s definitions of Data Controller and Data Processor here.

WHO IS OUR DATA PROTECTION OFFICER (DPO)?

Our DPO for the ERS Group of companies is:

Ian Robinson

33 Clarendon Road

London

N8 0NW

The DPO can be contacted at DPO@theERSgroup.com

WHAT INFORMATION IS GATHERED VIA OUR CORPORATE WEBSITE (WWW.MEMBRA.CO.UK)?

Information in this site is gathered in two ways: indirectly (for example, through our site’s technology); and directly (for example through information that you enter). Examples of information we collect indirectly are your internet (IP) address which is automatically collected and is placed in our internet access logs, and the date and time of when you access the site. Examples of information collected directly are the details you may enter in order for us to be able to communicate with you.

We may also use Cookies, which are small text files stored on your computer or device when you visit a website, which allow the website to work properly and help keep it secure, and help us understand how people are using the website so that we can improve it. For more information about the cookies we use, please read our Cookie Information below.

With regard to our corporate website we are acting as a Data Controller.

HOW LONG WILL WE KEEP THIS INFORMATION?

We will only keep information for as long as it is needed for the purposes described when it was collected. The information will not be kept for longer than legislation permits. You may also request that your information is removed or forgotten, that processing is restricted or consent is withdrawn by emailing DPO@theERSgroup.com or writing to the address below.

USE OF ‘CLIENT DATA’

Purpose of using data – We provide engagement solutions (based around technology, communication and research services) to businesses and organisations (i.e. not individuals). As part of the delivery of our services, we collect and store certain data relating to relevant roles at the organisations we work with. This data includes the individual’s name, job title, organisation, work address, work email address and work telephone (and/or work mobile). We use this data to communicate with our client contacts throughout the duration of their contract, to ensure a) successful delivery of services as contracted and b) to ensure each client experiences the best level of service possible. We ensure the individual has the option of opting out of electronic marketing communications.

USE OF ‘PROSPECT DATA’


Purpose of using data – MES’ sales are exclusively business-to-business. We provide engagement solutions (based around technology, communication and research services). As part of our business development and marketing operations, we collect and store certain data relating to relevant roles at organisations who may be interested in our solutions. This data includes the individual’s name, job title, organisation, work address, work email address and work telephone (and/or work mobile). We use this data to inform the relevant roles of the products and services that could assist their organisation in the delivery of their business operations. This allows the individual and their organisations to find out what we can offer and how we can help, in a way that is not intrusive to the individual. We only use an individual’s data in a way they would reasonably expect, and we ensure the individual has the option of opting out of electronic marketing communications. This option is available via every electronic message sent. As such, this data is used with legitimate interest.

HOW INFORMATION GATHERED ON SITES OPERATED ON BEHALF OF OUR CLIENTS IS USED

MES provides its clients with a number of types of website and online platforms to assist them in delivering their work.

If you are submitting information on a website, platform or service that that we supply on behalf of a client, (to whom you are associated e.g. a member, patient or stakeholder or wish to provide feedback to or join), we use your data to help them provide their services to you, respond to your enquiries, manage their relationship with you, collect your details if you wish to receive more information from them, assist them in meeting their legal obligations and improve our website or platform.

In this capacity we are a Data Processor. Our clients, clearly identified on those sites are the Data Controllers for their members, stakeholders, patients providing feedback and other interested parties and we refer you to their Privacy Notice and DPO if you wish to review or contact them.

The legal basis for the use of your personal information will typically be one of the following reasons (for more details, see your Data Controller’s Privacy Notice):-

  1. the Data Controller needs to process your personal information to satisfy their legal obligations or statutory duties
  2. the Data Controller need to process your personal information for the performance of a task carried out in the public interest or while exercising their official authority (i.e. as a public body)
  3. the Data Controller needs to process your personal information in pursuit of their legitimate interests
  4. you have given the Data Controller your consent to process your data
  5. the processing is necessary for the performance of a contract to which you are party.

Here is more specific information on each type of site:

Membership Application Forms

The purpose of this site is to gather the personal data required in order to sign up and become members (or similarly named) of the organisation on whose behalf we are working i.e. the organisation named on the membership form page. These details may then be used by that organisation to communicate with you about general membership matters. We also collect demographic data based on your postcode to enable the organisation to report the makeup of its membership to NHS Improvement, the Regulator (https://improvement.nhs.uk) as and when required.

The information gathered on these site is the named organisation’s.  They are the Data Controller and MES is the Data Processor, working on their behalf.

‘ClickRSVP’: Online RSVP Tool

The purpose of this page is to gather your RSVP to an invitation sent to you by the organisation you are a member of.  Because you are a member, they already have your details, and this RSVP is logged against them.

The information gathered on these site is the named organisation’s.  They are the Data Controller and MES is the Data Processor, working on their behalf.

‘ClickSurvey’: Online Survey Tool

The purpose of this site is to gather survey responses for the organisation on whose behalf we are working.  It is up to the organisation and dependent on the specific survey which details are being gathered and how personal they are.  If you are asked for contact information, then these details may be used by that organisation to communicate with you about general membership matters.  If you are asked for you postcode, we also collect demographic data based on your postcode to enable the organisation to report the makeup of its membership to NHS Improvement, the Regulator (https://improvement.nhs.uk).

If your survey is anonymous, it will say so and your answers will not be connected to you by your email.

If your survey is not anonymous, you are a member of the organisation running the survey, and your answers will be connected to your membership details for analysis, such as your demographics.

The information gathered on these site is the named organisation’s.  They are the Data Controller and MES is the Data Processor, working on their behalf.

Engage and Connect Membership & Stakeholder Database Sites

The purpose of these sites are to enable our clients to engage and work with their memberships better.  The details may also be necessary in order to include you in statutory elections such as a Foundation Trust’s Council of Governors (or similarly named).  Personal details about you are captured to ensure that you are able to participate fully, placed in the correct electoral constituency, invited to relevant activities and involvement opportunities and communicated with effectively. Communication may be by post, email, telephone or SMS text depending on what information you have chosen to provide. In addition we also analyse your postcode using software called Acorn provided by CACI to understand your socio demographic characteristics.  Again, this enables our clients to communicate with you in a more targeted and meaningful way, as well as enabling them to report the characteristics of their memberships to NHS Improvement, the Regulator, which is a statutory requirement.  To find out more about the purpose and legal basis for processing this data please contact your Data Controller and check their Privacy Notice.

For authorised administrative users of one of these sites, your email address may be used to communicate with you in the event of password refreshes.  This organisation does not use your login’s email address to communicate with you beyond system communications you request.

The information gathered on these site is the named organisation’s.  They are the Data Controller and MES is the Data Processor, working on their behalf.

Patient & Staff Experience Survey Pages and App

The purpose of this site is to gather feedback survey responses for the organisation on whose behalf we are working.  It is up to the organisation and dependent on the specific survey which details are being gathered and how personal they are but since it is not required to gather personal information for feedback surveys we have not been requested to support personal information up to now.  Demographic information, such as gender and ethnicity, may be gathered and, if you choose to give it, this information will be used for demographic analysis of survey responses.  The surveys are anonymous.  If you have been emailed a link to this survey, your email will not be used to connect the responses you give to you therefore we cannot trace back to the survey taker.

The information gathered on these site is the named organisation’s.  They are the Data Controller and MES is the Data Processor, working on their behalf.

Patient & Staff Experience Site

The purpose of this site is to administer the Surveys and analyse and get reports on the Experience Survey responses (feedback).  The data collected about your survey recipients is anonymous.  Demographic information may be given for demographic analysis.
Personal details about staff users are not required, other than the email address for logging in and for system notifications.  This organisation does not use your email address, or any other personal information about you provided, beyond these system functions.  The information gathered on this site is yours and used by you.

The information gathered on these site is the named organisation’s.  They are the Data Controller and MES is the Data Processor, working on their behalf.

Declarations of Interest Feedback Capture Site (‘Declare’)

The purpose of this site is to capture NHS staff declarations of interest related to their employing organisations. Personal data held and/or requested about staff include a member of staff’s Electronic Staff Record, i.e. First Name, Last Name, Job Role, Department, Pay Band, Assignment Number,  and Email Address.  In addition individual declarations of conflict of interest are captured upon entry by an individual member of staff or organisational stakeholder (e.g. Governor). This information is only used for the express purposes as set out by NHS England and in accordance with the organisation’s own policies.

The information gathered on these site is the named organisation’s.  They are the Data Controller and MES is the Data Processor, working on their behalf.

All sites

Some information is gathered indirectly for example, through our site’s technology; Examples of information we collect indirectly are your internet (IP) address which is automatically collected and is placed in our internet access logs, and the date and time of when you access the site. We collect IP addresses for the purpose of providing technical support and troubleshooting.

We may also use Cookies, which are small text files stored on your computer or device when you visit a website, which allow the website to work properly and help keep it secure, and help us understand how people are using the website so that we can improve it. For more information about the cookies we use, please read our Cookie Information below.

HOW INFORMATION GATHERED BY OTHER MEANS IS USED

Research and Communities Services

MES work on behalf of clients (Data Controllers) to assist them in gaining insights and generating reports through analysis of data collected from individuals. Methods used to collect data include online surveys, postal surveys, face to face survey data collection, face to face focus groups, face to face workshops and depth telephone interviews. The data that we collect on behalf of our clients through these methods include personal details and demographics such as name, DOB, marital status, employment status, disabilities, ethnicity, gender, accommodation type, occupation, and income. Information will be requested such as communication preferences which are captured to ensure that you are able to participate fully, invited to relevant activities and involvement opportunities and communicated with effectively. Communication may be by post, email, telephone or SMS text depending on what information you have chosen to provide.

All of the information that you provide via any method will only be used to meet the objectives of the research and nothing else. When we carry out research on behalf of our clients, we will not share your data with them in a way that you would be identified as an individual – unless otherwise specified. On the rare occasion that this would occur, this would be disclosed before you are asked to participate.

All of MES’s online surveys are hosted on Qualtrics, a professional online survey tool. MES uses this tool to design, distribute, host and analyse online and sometimes postal surveys. Although MES uses Qualtrics to run surveys, MES owns and controls all of the data that is collected and hosted on the Qualtrics platform. This means that MES decides what is done with the data.

However, ultimately it is up to you what we are permitted to do with your data before, during and after you have provided it to us. Before you start any survey, we will inform you about the purpose of the research, how your data will be used, who it will be shared with and asking your explicit consent to submit personal data. You will always have the option of not submitting any personal data by selecting ‘prefer not to say’.

All of the data collected and hosted on Qualtrics is stored in a single secure data centre. All of the data collected through Qualtrics is stored at an EU data centre, and their support centres are located in Dublin, Ireland. All data on Qualtrics is safeguarded using industry best security practices that prevent unlawful disclosure. Qualtrics is presently undergoing certification under the FedRAMP program, the “gold standard” of security compliance. FedRAMP has over 900 controls based on the highly-regarded NIST 800-53, and requires constant monitoring and periodic independent assessments. More information is found at https://www.fedramp.gov.

Qualtrics does not have access to your data, personal or otherwise. However,

Qualtrics does process other data for the purpose of providing software and services to customers. This includes using data to figure out whether their platform is running smoothly or whether additional products or services could be useful to their customers. Qualtrics will never transfer data onto another third party without the written consent of MES, and this is something that MES will never do.

HOW LONG WILL MES KEEP INFORMATION COLLECTED ON BEHALF OF ITS CLIENTS?

We will only keep information for as long as it is needed for the purposes described when it was collected. The information will not be kept for longer than legislation permits. You may also request that your information is removed or forgotten, that processing is restricted or consent is withdrawn by emailing your Data Controller’s Data Processing Officer or writing to them.

ACCESS TO YOUR DETAILS AND OTHER RIGHTS

You have the right to request personal information held and to have any inaccurate information, such as your name or contact details, corrected. You also have the right to object to processing on grounds relating to your particular situation. Such requests or objections should go to the Data Controller i.e. the client on whose behalf MES is working. You may also contact the MES and ERS Group Data Protection Officer via dpo@theERSgroup.com, but please be aware that there may be a delay while your request is forwarded to the relevant Data Controller. Finally, if you are not happy with the way the Data Controller responds to your request or objection, you have the right to complain to the Information Commissioner at https://ico.org.uk/concerns/handling.

WILL WE SHARE THIS INFORMATION WITH OUTSIDE PARTIES?

The information is provided only to the organisation on whose behalf we are working. It is not given to any other party unless requested by this organisation you are signing up to become a member of and/or to maintain the quality and accuracy of the data, or legally required to do so. That is, if we have a good-faith belief that such action is necessary to comply with a current judicial proceeding, a court order or legal process served on our website. Neither MES nor ERS will sell individual information.

MES does work with certain third party suppliers for elements of our service.  These are clearly detailed in our Data Processing Agreements with our clients, and MES also has Data Sub-Processing Agreements in place with them. These parties are bound by contracts and Non-Disclosure Agreements and where these people are supporting with work related to Research and Communities are also bound by the Market Research Society (MRS) Code of Conduct.

Data does not leave the UK.

WHAT SECURITY CONTROLS ARE IN PLACE?

We want you to be secure when visiting our site and are committed to maintaining your privacy when doing so. MES and ERS have physical security in our facilities to protect against the loss, theft, misuse, or alteration of information. There are also different layers of security implemented throughout our website platform, for example hardware and application firewalls; intrusion detection systems; and SSL encryption. In addition both organisations are accredited to the Cyber Essentials scheme click here to view our certificate.

COOKIES

If this site uses cookies, it uses Session Cookies, which simply allows secure navigation from one page to the next once you have logged in. The Session Cookie is a first party cookie (i.e. only placed by MES websites) and is temporary (i.e. it is deleted when your session ends). An example of our Session Cookie is SiteID.

Some MES websites use Google Analytics cookies, which allow us to collect information such as the browser, operating system and screen resolution used, the pages you visit on our website, an anonymised version of your IP address, and your location (country only). This information helps us to improve the usability and performance of the website. These Google Analytics cookies are first party cookies (i.e. only placed by MES websites) and may persist on your computer for up to two years. The anonymous information collected is sent to Google so that we can use their analytics reporting tools. We do not send personally identifiable information to Google. For more information on how Google uses the data we send them, please see https://www.google.com/policies/privacy/partners/.

If you do not want Analytics to be used by your browser, you can install the Google Analytics opt-out add-on from https://tools.google.com/dlpage/gaoptout . Examples of Google Analytics cookies include _ga, _gid, __utma, __utmb etc.

On webpages that include videos, there are third party cookies placed by vimeo.com, we cannot show videos without these.

Finally, some of our websites use a first party, persistent cookie called cookieconsent_status, which is used to prevent the re-display of the cookie policy banner on subsequent website visits if it has been previously closed.

IMPROVING OUR SITES

MES may also analyse information gathered to determine what is most effective about our sites, to help us identify ways to improve it. If data is used for any other purposes, we will describe these to you at the point we collect the information. Neither MES nor ERS pass the data on to any other third party unless requested to do so by the organisation you are signing up to become a member of.

EMAIL DISCLAIMER

  1. The email you have received is confidential to the addressee. If you are not the addressee you are not permitted to use or copy the email or its attachments nor may you disclose the same to any third party. If it has been sent to you in error please notify us as soon as possible.
  2. Unless stated to the contrary, any opinions expressed in the message are personal and may not be attributed to any of the following:
    Membership Engagement Services Limited (MES)
    Electoral Reform Services Limited (ERS)
    Xpress Software Solutions Limited (Xpress)
    Modern Mindset
    Shaw and Sons Limited
  3. The e-mail message has been cleared for Viruses and Content by MailMarshal Email Content Filter. Mailmarshal does not scan outbound emails as we have sophos antivirus installed on each endpoint which should pick up a virus before it’s attached to an email. We endeavour to exclude viruses from our data but it is the obligation of the recipient to check any attachments for viruses.
  4. Internet e-mails are not necessarily secure. We will try to deliver the emails securely over TLS. If TLS is not accepted by the receiving SMTP server its then sent in plain text. MES, ERS, Xpress and Modern Mindset do not accept responsibility for changes made to messages after they have been sent.
  5. Membership Engagement Services Limited (MES) is a company registered in England and Wales with company number: 5872670.

COPYRIGHT

Copyright © 2004-2018 Membership Engagement Services Limited. All rights reserved.

Unless otherwise stated, the contents of this site including, but not limited to, the text and images contained herein and their arrangement are the property of MES. All trademarks used or referred to in this website are the property of their respective owners. Nothing contained in this site shall be construed as conferring by implication, estoppel, or otherwise, any license or right to any copyright, patent, trademark or other proprietary interest of MES, the ERS Group of companies or any third party. This site and the content provided in this site, including, but not limited to, graphic images, audio, video, html code, buttons, and text, may not be copied, reproduced, republished, uploaded, posted, transmitted, or distributed in any way, without the prior written consent of ERS, except that you may download, display, and print one copy of the materials on any single computer solely for your personal, non-commercial use, provided that you do not modify the material in any way and you keep intact all copyright, trademark, and other proprietary notices.

WHO IS THE SUPERVISORY AUTHORITY?

The Information Commissioner’s Office: https://ico.org.uk/

 

MES is registered with the ICO and our registration number is Z110099X.