• People who call or email Morningside regarding a medical enquiry
• People who use the ‘Send Enquiry’ service on the Morningside website
• Customers and Suppliers
• Job applicants
For the purposes of the data protection laws in the UK, Morningside is the data controller and is therefore responsible for your personal data. Morningside’s contact details are set out below.
Where a legitimate interest is relied upon Morningside makes sure it considers and balances any potential impact on the individual (both positive and negative) and the individuals rights before it process their personal data for its legitimate interests. Morningside does not use personal data for activities where its interests are overridden by the impact on the individual (unless the individual has consented or it is otherwise required or permitted to by law). You can obtain further information about how Morningside assesses its legitimate interests against any potential impact on an individual in respect of specific activities by contacting the Privacy Manager on the details set out below.
1. People who call or email Morningside regarding a medical enquiry
When an individual calls or emails Morningside regarding a medical enquiry, the trained personnel in the Quality Assurance (QA) Department may where necessary collect personal data from that individual including the patient name, address, contact details, medicines and relevant health data. The personal information collected by Morningside shall be the minimum which is necessary in order to appropriately deal with and respond to the enquiry.
Where the individual who calls or emails Morningside is a healthcare professional or other third party the collection of this personal information is in accordance with Morningside’s legitimate interests of providing good customer services and support and ensuring patient safety. Where the information collected includes an individuals health data, it is collected on the basis that it is necessary for the purposes of preventative or occupational medicine, medical diagnosis, the provision of healthcare or treatment or pursuant to a contract with a health care professional which requires it to do so.
Where the individual who calls or emails Morningside is the patient, Morningside will process the personal information given to them by the individual concerned for the purpose for which it was provided in accordance with the individual’s requests and instructions which shall include investigating and responding to any query which the individual may raise.
Morningside may also process personal information provided by people who call or email with a medical enquiry in order to comply with its legal and regulatory obligations including those relating to its Marketing Authorisation for a medicinal product (MA). It may also be necessary for this data to be shared with Morningside Healthcare Ltd as the MA holder of the medicinal product and with the Pharmacovigilance (drug safety) provider, APCER Life Sciences.
In relation to email communications, Morningside uses Transport Layer Security (TLS) to encrypt and protect email traffic in line with government guidelines. If the individual’s email service does not support TLS, they should be aware that any emails Morningside send or receive may not be protected in transit.
Morningside will also monitor any emails sent to it, including file attachments, for viruses or malicious software. Please be aware that the individual has a responsibility to ensure that any email sent to Morningside are within the bounds of the law and do not contain any viruses or malicious software.
2. People who use the ‘Send Enquiry’ service on the website
If an individual uses the ‘Send Enquiry’ service, Morningside will receive an email which contains their name, email address, occupation, address, country of residence and the contents within the message. This information will not be shared with any other organisations and will be used solely for the purpose of dealing with that enquiry as requested by the individual concerned and in accordance with our legitimate interests including that of providing a response to such enquiries. Whilst Morningside would prefer that enquiries submitted in this manner do not contain any health information relating to an identified individual where they do so this information will be processed for the purposes of preventative or occupational medicine, medical diagnosis, the provision of healthcare or treatment, pursuant to a contract with a health care professional which requires it to do so or where the individual concerned has sent their own health information for a specific purpose for the purpose for which it was provided (on the basis that the individual has in providing the information and requesting it be used in this manner explicitly consented to such use).
3. Customers and Suppliers
Morningside’s primary market is Business to Business therefore Morningside will only email, call or send direct marketing materials to customers or suppliers who are individuals or to named or identified individuals within a customer or supplier organisation, where there is either evidenced consent or where Morningside has a legitimate interest to do so. In relation to direct marketing, individuals will only receive marketing communications from Morningside if they have requested information from Morningside or purchased goods or services from Morningside and, in each case, have not opted out of receiving that marketing. Morningside will ask for express consent before sharing personal data with any third party for marketing purposes. You can ask Morningside to stop sending marketing communications at any time.
4. Job applicants
Morningside is the Data Controller for the information provided during the recruitment process unless otherwise stated. Any queries about the process or how information is handled should be forwarded to the Privacy Manager whose details are set out below.
What will Morningside do with the information provided?
All information provided during the application process will only be used for the purpose of progressing applications, or to fulfil legal or regulatory requirements.
Morningside will not share any of the information provided during Morningside’s internal recruitment process with any third parties for marketing purposes.
Morningside will use the information provided by an individual or any third party recruitment agency as part of the recruitment process to:
• assess the applicant’s skills, qualifications and suitability for the role;
• carry out background and reference checks, where applicable;
• communicate with the individual about the recruitment process;
• keep records related to the recruitment processes;
• comply with legal or regulatory requirements;
• make a decision about your recruitment or appointment;
• determine the terms on which an individual is offered a position; and
• check an individual is legally entitled to work in the UK.
It is in Morningside’s legitimate interests to decide whether to appoint an individual to a role since it would be beneficial to its business to do so. Having received a CV and/or covering letter and/or any applicable application form Morningside will then process that information to decide whether the individual meets the basic requirements to be shortlisted for the role. If the individual does, Morningside will decide whether the application is strong enough to invite the individual for an interview. If Morningside decides to call an individual for an interview, it will use the information provided at the interview to decide whether to offer the individual the role. Morningside may also make use of assessments/tests during any selection process, and use information from that to help it make recruitment decisions. If Morningside decides to offer the individual the role, it will take up references and/or may carry out a criminal record check (if relevant and legally required) before confirming any appointment.
What information do Morningside ask for?
Morningside do not collect more information than needed to fulfil the stated purposes and will not retain it for longer than is necessary.
The applicant does not have to provide the information requested, but it may mean that it is not possible to process their application any further if they do not.
Applications may be received by email, post or through a third-party recruitment agency. The application will include the applicant’s personal details including name, title, address, telephone number, and personal email address. Morningside will also ask about the applicant’s previous employers, experience, education, referees, and for answers to questions relevant to the role they have applied for. The individual will also be asked for information relating to any work permits which they require in order to work in the UK. The Human Resources (HR) Department and the hiring manager will have access to this information.
The applicant may also be asked to provide information falling with a special category of data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic/biometric data, health, sex life or sexual orientation for the purpose of complying with its equality and diversity obligations. This is not mandatory information and if not provided will not affect the individual’s application. This information will not be made available to anyone other than the HR Department.
The hiring managers shortlist applications for interview. They will be provided with the applicant’s name and contact details. However, they will not be provided with special category information if it has been provided.
Morningside might ask the applicant to participate in assessment days; complete tests or occupational personality profile questionnaires; and/or to attend an interview – or a combination of these. Information will be generated by the applicant and by Morningside as a result of these exercises which will be used to assess the applicant’s application and as set out above.
Information in relation to an applicant’s health or any disabilities may be used for the purpose of making reasonable adjustments for the assessments in accordance with Morningside’s legal obligation to do so.
If the applicant is unsuccessful following assessment for the position they have applied for, Morningside may retain the applicant’s details in the talent pool for a period of up to two years in accordance with its legitimate interests and unless informed by the applicant that they do not wish their information to be retained for this purpose.
If Morningside make a conditional offer of employment they will ask the successful applicant for further information so that the HR Department can carry out pre-employment checks. The successful applicant must successfully complete pre-employment checks to progress to a final offer. Morningside are required to confirm the identity of their staff, their right to work in the United Kingdom (UK) and seek assurance as to their trustworthiness, integrity and reliability.
The successful applicant will therefore be required to provide:
• Proof of identity – they will be asked to attend the Head Office with original documents, the HR Department will take copies.
• Proof of qualifications – they may be asked to attend the Head Office with original documents, the HR Department will take copies.
The successful applicant may be asked to complete a criminal records declaration to declare any unspent convictions (where it is lawful to do so) and the HR Department will contact referees, using the details provided in the application form, directly to obtain references.
Morningside will also ask the successful applicant to complete a questionnaire about their health. This data is only provided to the Health & Safety Manager or Health & Safety Senior Officer to establish the successful applicant’s fitness to work.
If Morningside make a final offer, Morningside will also ask for the following:
• Bank details – to process salary payments.
• Emergency contact details – to contact in case of an emergency at work.
How Morningside handles special category and criminal conviction data
Morningside will use special categories of personal information in the following ways:
• It will use information about an individual’s disability status to consider whether it needs to provide appropriate adjustments during the recruitment process, for example whether it needs to make adjustments for the interview or any assessment and once a conditional offer has been made to assess a successful applicant’s fitness to work.
• It will use information about an individual’s race or ethnic origin, religious or philosophical beliefs, sex life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.
Criminal conviction data will only be processed where Morningside is legally required to do so taking into account the nature of the role applied for. Where processing of criminal conviction data is necessary the individual will be informed in advance and Morningside will ensure that it has in place appropriate safeguards. Morningside will only use information relating to criminal convictions where the law allows it to do so.
Use of Data Processors related to Recruitment:
Data processors are third parties who provide elements of Morningside’s recruitment or employment service on their behalf such as recruitment agencies, HR consultants or third parties providing pre-employment assessment tests on Morningside’s behalf. Morningside have contracts in place with these data processors.
This means that third parties cannot do anything with individual’s personal information unless Morningside have instructed them to do so. These third parties will not share any personal information with any organisation unless Morningside has given explicit permission or where there is a legal obligation to do so. They will hold it securely and retain it for the period Morningside instruct.
If an individual is employed by Morningside, relevant details about them will be provided to a number of third-party providers, including payroll and pensions providers. All employees will be given an Employee Data Privacy Notice to explain this in detail.
How long is recruitment information retained for?
If an applicant is successful, the information they provided during the application process will be retained by Morningside as part of their employee file for the duration of their employment plus 7 years following the end of their employment. This includes their criminal records declaration, fitness to work, records of any security checks and references.
If they are unsuccessful at any stage of the process, their CV shall be retained for up to 24 months and any other information (including special category data) they have provided as part of the recruitment and assessment processes will be retained for 6 months from the closure of the campaign. If an applicant would prefer for Morningside to delete their CV or any other information provided, they must contact the HR Department or the Privacy Manager whose details are provided below.
If prior to the above stated deadlines, Morningside have no ongoing legitimate business need to retain the personal information, Morningside will either delete or anonymise it or, if this is not possible (for example, because the personal information has been stored in backup archives), securely store the personal information and isolate it from any further processing until deletion is possible.
In most circumstances Morningside will not disclose personal data to any third parties without consent, unless legally obliged to do or as part of contractual obligations with business customers (where an individual is party to the agreement or service).
Morningside may however disclose an individual’s personal information to the following categories of recipients:
• To Morningside Healthcare Ltd as the MA holder;
• To APCER Life Sciences, the Pharmacovigilance (drug safety) provider;
• To any competent law enforcement body, regulatory, government agency, court or other third party where Morningside believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, or (iii) to protect an individual’s vital interests or those of any other person
• To enforce or apply Morningside’s terms of service or other agreements or to protect Morningside and its customers (including with other companies and organisations for the purposes of fraud protection and credit risk reduction)
• To any other person with an individual’s consent to the disclosure
Data sent electronically or processed by Morningside will be stored within the UK and in the European Economic Area by Morningside and its third-party processors. Where any personal data is processed by any third-party processor Morningside shall ensure that such processors have appropriate levels of security and organisational controls to meet data protection requirements and to ensure a level of protection appropriate to any risk to the rights and freedoms of the individual. The information provided will be held securely by Morningside and/or the data processors whether the information is in electronic or physical format.
Morningside will only retain personal information for as long as is necessary to fulfil the purposes it collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, Morningside considers the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which Morningside process the personal data and whether Morningside can achieve those purposes through other means, and the applicable legal requirements.
Individuals have the following rights in respect of their personal data:
• The right to be informed
• The right of access
• The right for any inaccuracies to be corrected (rectification)
• The right to have information deleted (erasure)
• The right to restrict the processing of the data
• The right to portability
• The right to object to the inclusion of any information
• The right to regulate any automated decision-making and profiling of personal data
More information about these rights can be found on the ICO website (https://ico.org.uk/for-the-public/is-my-information-being-handled-correctly – visit here).
To make a request for any personal information Morningside may hold regarding the individual requesting the information or to exercise any of the other rights identified above, the individual should put the request in writing to the address provided below.
In addition, if at any time where Morningside is relying on consent to process an individual’s personal data the individual has a right to withdraw that consent at any time. However, this will not affect the lawfulness of any processing carried out before the individual withdraws consent. An individual can ask us to stop sending them marketing messages at any time by following the “unsubscribe” (or similar) links on any marketing message sent to them or by contacting Morningside at any time. Where an individual opts out of receiving these marketing messages, this will not apply to personal data provided to Morningside as a result of a purchase, product/service experience or other transaction.
For the avoidance of any doubt no personal data supplied to Morningside will be subject to any automated processing.
Morningside tries to meet the highest standards when collecting and using personal information. For this reason, Morningside take complaints very seriously. Morningside encourages individuals to bring it to the attention of the Privacy Manager if they think that the collection or use of their personal information is unfair, misleading, inappropriate or contrary to the data protection laws. Morningside would also welcome any suggestions for improving the current procedures.
This privacy notice was produced with brevity and clarity in mind. Additional information and/or explanation can be provided if needed. Any requests for this should be sent to the Privacy Manager whose contact details are set out below.
If an individual wants to make a complaint about the way Morningside has processed their personal information, they can contact the ICO in their capacity as the UK supervisory authority for data protection issues, see www.ico.org.uk/concerns. However, Morningside would appreciate the chance to deal with any individual’s concerns before they approach the ICO and would ask that any individual contact it in the first instance.
Please note that Morningside procedures do not cover the links on the Morningside website linking to other websites. Morningside encourages individuals to read the privacy statements on the other websites that they visit.
Morningside keeps the Privacy Notice and documents under regular review. This privacy notice was last updated October 2018.
Morningside Pharmaceutical Ltd, 5 Pavilion Way, Castle Business Park, Loughborough, Leicestershire, LE11 5GW
Please address all correspondence in respect of this notice, the manner in which Morningside handle personal data or the exercise of an individual’s rights in respect of their personal data to ‘The Privacy Manager’.
Alternatively they can contact Morningside’s Privacy Manager, by email at firstname.lastname@example.org
Last Updated, October 31, 2018