Privacy Policy

Health Policy Watch privacy policy

Last updated on 25 May 2018 (version 1.0)

Your privacy is important to us. In this policy we set out how Health Policy Watch collects, uses, processes and protects the data that you provide to us.

We encourage you to read the policy carefully to understand our practices regarding your personal data.

We will update our privacy policy from time to time. The latest version of our privacy policy can always be found on this page. As of 25 May 2018, we will keep track of the changes we make. These can be found in section 14 of our privacy policy.

If you have any questions or comments regarding our privacy policy, please contact privacy@healthpolicy-watch.org.

1. Who are we?

Health Policy Watch is published by Global Policy Reporting to provide professional, independent reporting on global health policymaking, trends and data. Global Policy Reporting is a non-profit independent news service that reports on global policymaking. We have offices in Geneva and are registered as a non-profit association in Geneva, Switzerland. Our registered address is 1-5 route des Morillons, CP 2100, Geneva 1211, Switzerland.

2. Which data protection regulations do we comply with?

Our privacy policy is in accordance with the EU General Data Protection Regulation (GDPR), which applies to all EU member states as of 25 May 2018.

The GDPR aims to better protect the personal data of all EU citizens and therefore affects all EU organisations and non-EU organisations doing business in EU countries.

Regardless of whether you are an EU or a non-EU citizen, we will treat your personal data in the same, confidential manner.

3. Who deals with our data and privacy matters?

Some organisations and companies are required to appoint a Data Protection Officer. We are not. Instead, our Managing Editor, Elaine Fletcher, is responsible for privacy matters. You can reach her at privacy@healthpolicy-watch.org or by telephone at: +41 (0) 22 791 67 16.

4. What data do we collect, and why? Where do we store it, and for how long? And who has access?

At Health Policy Watch, we collect different types of information about our users for four main reasons:
• To provide personalised services unique to individual users.
• To help us to monitor and improve the services we offer.
• To sell advertising space on the site.
• If we have permission from the user, or where otherwise allowed by law, to market services to them.

Our principles
• We do our very best to protect your privacy by using security technology appropriately. This means:
  o we make sure that we have appropriate security measures to protect your information; and
  o we make sure that when we ask another organisation to provide a service for us, they have appropriate security measures.
• We will respect your privacy. You should receive marketing (whether by email, post, SMS or telephone) only from us. We will make sure it is clear when you can make these choices; for example, we have boxes you need to tick if you want to receive news or marketing for new services, and you can change your preferences if you no longer want to receive them. However, we may email you occasionally with information or questions about your registration, your subscription account or postings, for example, with reminders, warnings or copyright requests.
• We will collect and use individual user details only if we have your permission or we have sensible business reasons for doing so, such as collecting enough information to manage subscriptions.
• We will be clear in our dealings with you as to what information about you we will collect and how we will use it.
• We will use personal information only for the purposes for which it was originally collected and we will make sure we delete it securely.
• Our site is accessible via the internet. This means that people around the world who access our website can see anything you post on the website, for example, comments about an article.

We may collect and process the following data about you:

A. Information that you provide by filling in forms on our website (www.healthpolicy-watch.org)

When you subscribe to one or more of our newsletters, we ask you for your email address and name, which we will use to contact you and to personalise our newsletters. We also ask you for your organisation name. This information helps us identify who our audience is broadly and deliver a better service.

After you have subscribed, you will receive an email asking you to confirm your subscription. We will store your personal data in our external email database, which is only accessible by our communications and ICT teams. Your data will be saved for a maximum period of twenty years; after that your data will be permanently deleted from our system.

We lawfully process this information on the basis of consent and performance of contract; meaning you have given us permission to process this data and you have requested a service which we deliver to you. In addition, we process your information on the basis of legitimate interests pursued by Health Policy Watch (personalisation and general audience analysis help us deliver a better service).

When you leave a comment on one of our stories, we ask you for your name and email address. Your name will be publicly visible after you have commented, but your email address will not be published. We will use your email address to notify you of follow-up comments, should you wish to receive those. When follow-up from our staff is required, we may contact you via email directly.

We may use the content of your comments in internal reports and reports to our funders, to meet our contractual reporting obligations. We do that to indicate the level of engagement or discussion that our blogs or publications stimulated, which serves as an impact measurement of our work. We will pseudonymise to the maximum possible extent, meaning we will never include your name and email address in those reports; only your message.

Your comments, name and email address are stored in our website content management system, which is only accessible by our communications and ICT teams. Our website developers also have access to that system, but we require that they comply strictly with our policy and prohibit the use of your personal information for their own business purposes.

We may also store the content of your comment in our internal reporting systems. Your data will be saved for a maximum period of ten years; after that your data will be permanently deleted from our systems.

We lawfully process this information on the basis of consent (you agree to submit a comment) and legitimate interests pursued by Health Policy Watch (impact measurement needed for reporting to our funders).

When you register for one of our events, we ask you for your email address and name, which we will use to identify you during the event and to send you any relevant updates before or after the event. We may also ask you for your organisation name, the sector you work in and the global region you come from. This information helps us identify who our audience is broadly and deliver a better and more personalised service.

We may share an indication of the people who participated with our funders to meet our contractual reporting obligations. This helps us indicate the level of participation from several groups, needed to determine the success of our events. We will pseudonymise to the maximum possible extent, meaning we will not include your name or other personal data that may identify you, but rather give an indication of the level of attendance from certain organisations and areas of expertise.

We will store your information on our cloud storage and potentially our internal reporting system. Your data will be saved for a maximum period of ten years; after that your data will be permanently deleted from our systems.

We lawfully process this information on the basis of consent and performance of contract; meaning you have given us permission to process this data and you have requested a service which we deliver to you. In addition, we process your information on the basis of legitimate interests pursued by Health Policy Watch (general audience analysis and impact measurement needed for donor reporting).

When you fill out a feedback survey, we may ask you for an indication about the sector you work in, the type of organisation you work for and the global region you come from. We ask for that information to be able to broadly analyse the feedback and the audience who participated in the survey. Our surveys are always anonymous; we will not record your IP-address, e-mail address or name. However, your feedback may include details that make it possible for us to identify you.

We may share the results of feedback surveys with our funders to meet our contractual reporting obligations. Feedback helps us determine the success of our work or point to areas for improvement. We will store your information on our cloud storage and potentially our internal reporting system, both of which are accessible only by Health Policy Watch staff, for a maximum period of five years.

We lawfully process this information on the basis of consent; meaning you have given us permission to process this data by participating in the survey. In addition, we process your information on the basis of legitimate interests pursued by Health Policy Watch (feedback collection and impact measurement needed for donor reporting).

B. If you apply to any of our vacancies, we will store your personal details and CV

If you apply for a job position at Health Policy Watch, we ask you for the following personal information: name; date and place of birth; email address; phone number; your areas of interest; your position of interest; your availability; your employment history; your qualifications; contact details of your references; your motivation to work at Health Policy Watch; and your CV. You may also choose to submit additional information, such as a photo or examples of your work.

We will store this information on a confidential section of our cloud storage, which is only accessible by our Director, human resources and ICT teams.

After the vacancy has closed, we will keep your information in our system for one year. We are often looking for policy staff with very specific areas of expertise, and another relevant position may open up at a later point in time. After one year, your data will be permanently deleted from our system. If you wish that we do not keep your details after the vacancy deadline has passed, you may indicate this in your application.

We lawfully process this information on the basis of consent (by agreeing to submit your application) and steps needed for potentially entering into a contract with Health Policy Watch, at your request.

C. If you contact us, we may keep a record of that correspondence

If you contact Health Policy Watch or our staff members via email or phone, we may keep a record of your correspondence in our mail inbox and we may collect your name, phone number, organisation name and email address to ensure we can follow up on your request. We will keep a record of your correspondence in our email inbox for as long as that particular email account exists. Our staff may need to keep records of past correspondence for effective communication.

If you provide feedback about our work or staff in your correspondence, we may use that for internal reports or reports to funders to meet our contractual reporting obligations. Feedback helps us determine the success of our work or point to areas for improvement. We will pseudonymise that feedback and will never use your name or other personal data that may identify you – unless you’ve given explicit permission. We will store feedback in our internal reporting system for a maximum period of five years.

We lawfully process this information on the basis of consent (you have contacted us), performance of contract (we may have to respond to a request made by you) and legitimate interests pursued by Health Policy Watch (feedback collection and impact measurement needed for donor reporting).

D. We may store your business contact details in our contact database, provided you give explicit permission for that

If you have been in touch with or provide your business card to our staff members, we may contact you via email to ask for your permission to store your business contact details in our contact database. Those details may include your name, phone number, email address and organisation.

Our contact database helps us store all business-related contact details of people in our network in one place. It is basically like a phonebook, which can be consulted by our staff members if they need the contact details of a specific member of our network. We also use the database to send invitations for events or specific publications to targeted groups.

That database is accessible to all Health Policy Watch staff members. The data we store in our contact database will be saved for a maximum period of twenty years; after that your data will be permanently deleted from our system.

We lawfully process this information on the basis of consent; meaning we only include your details in our database if you give us permission for that.

E. Cookies: We track which parts of our website you visit and the resources you access

When you visit our website, our analytics system may collect information about your device, operating system, browser type, language and location. The first time you visit our website you will be asked to accept or refuse cookies. Cookies allow our analytics system to identify your computer as you view different pages on our website. They also allow our system to see how many people use the website and what pages they visit.

This is statistical data about our website visitors’ browsing actions and patterns when using our site, and does not identify any individual. It helps us identify who our audience is broadly and deliver a better and more personalised service. Our system can see your IP-address to be able to collect information, but masks your address for us. That means that we cannot see or retrieve your IP-address. This information is stored in our analytics system for a maximum period of 50 months. This system is only accessible by our ICT and communications teams. We may extract reports from that system which we will store on our internal cloud storage, accessible to all Health Policy Watch staff, for a maximum period of five years.

We lawfully process this information on the basis of consent (by accepting cookies) and legitimate interests pursued by Health Policy Watch (general audience analysis).

F. We may store messages or interactions addressed to us from your social media accounts

If you follow us on social media (Facebook, Twitter, YouTube and LinkedIn), we may collect statistical information about your age, country, language, gender or any other publicly available information from your profile. That data collection does not identify any individual. This information helps us broadly identify our audience and deliver a better and more personalised service.

This information is stored on our social media accounts, which are only accessible to our Director, and ICT and communications teams. We may extract reports which we will store on our internal cloud storage, accessible by all Health Policy Watch staff, for a maximum period of five years.

We lawfully process this information on the basis of consent (by agreeing to Facebook, Twitter, YouTube and LinkedIn policies and by choosing to follow our accounts) and on the basis of legitimate interests pursued by Health Policy Watch (general audience analysis).

If you interact with us or our staff members on social media, we may use your interactions in internal reports and reports to our funders, to meet our contractual reporting obligations. We do that to indicate the level of engagement or discussion that our blogs, publications, posts or work stimulated, which serves as an impact measurement of our work. We will pseudonymise to the maximum possible extent, meaning we will not include your name or other personal data that may identify you without your explicit permission.

This information is stored on our, or our staff members’, social media accounts, which are only accessible to our ICT and communications teams or to individual staff members. We may extract reports, which we will store on our internal cloud storage, accessible by all Health Policy Watch staff, for a maximum period of five years.

We lawfully process this information on the basis of consent (by agreeing to Facebook, Twitter, YouTube and LinkedIn policies and by choosing to follow our accounts) and on the basis of legitimate interests pursued by Health Policy Watch (general audience analysis and impact measurement needed for donor reporting).

Collection, storage and processing of personal data of our staff members, partners and third parties is outlined in our contracts.

5. How do we secure your personal data?

In section 4 of our privacy policy we outline the places where we store your data and who has access. In all those cases, we take great care in holding your information securely.

Our contact database is stored on-premise where business security measures, on-site and off-site encrypted backups, and internal guidelines for staff are in place to protect your data.

Other data that we collect from you may be transferred to and stored in external systems, some of which are outside the European Economic Area (EEA). Examples are our email database, our social media platforms, our website content management system and our shared cloud storage. These are all GDPR-compliant. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps necessary to ensure that your data is treated securely and in accordance with this privacy policy.

Please note that transmission of information via the internet is never completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to the sites where we host your data – so any transmission is at your own risk. Once we have received your information, strict procedures and security features are in place to prevent unauthorised access.

6. Will you share my information with other parties?

In principle, no. We do not share your personal information with our partners, funders or third parties – unless we have your explicit permission or disclosure is required by law.

We may share pseudonymised messages or feedback that was given by you in reports to our funders (see section 4 for more information). We do that to indicate the level of engagement or discussion that publications or events stimulated – which is necessary to be able to show the impact of our work. We will never include your name or any other personal details in those messages or feedback without your explicit permission.

In some cases, we may use third parties to process your information. On these occasions, we will require that these third parties comply strictly with our policy and will prohibit the use of your personal information for their own business purposes.

7. Can you check if we hold any information on you?

Yes, you can. If you want to know whether we hold any information on you, please email us at privacy@healthpolicy-watch.org.

8. Can you get a copy of the information we hold on you?

Yes, you can. You can request access to the information we hold on you by emailing info@ip-watch.org. We will then submit a full copy of your details to the email address you provide to us within 30 days after your request. You may also ask us to send a copy of those details to another party. In both cases, no fees will be charged to you.

If you are subscribed to one or more of our newsletters, you can view your subscription details by clicking the link at the bottom of any of the newsletter issues you have received from us.

9. Can we change or update your information?

Yes, of course. If any information we hold on you is incomplete or incorrect, please inform us by contacting privacy@healthpolicy-watch.org.

10. Can we remove your data from our systems?

Yes, you have the right to be removed from our data systems – unless we are required by law to keep some of your data. For example: we may be legally obliged to keep personal data relating to tax matters.

If you want to be removed from our systems, please contact us at privacy@healthpolicy-watch.org. We will answer your request for removal within 30 days after you have contacted us.

Please note that we will take the utmost care to delete your details everywhere, but that we may need to keep some of your data in (parts of) our systems if we are legally obliged to or if other legal grounds apply, such as legitimate interests.

11. Can you object to us processing your data?

Yes, you can. If you feel our grounds for processing your data are not legitimate, you have the right to object. You can contact us at privacy@healthpolicy-watch.org.

12. What can you do in case your privacy rights are violated?

If you feel we do not respect your privacy rights, please contact us at privacy@healthpolicy-watch.org.

If we haven’t adequately addressed your request to respect your privacy rights, or if you become aware that there is a data breach (see section 13) on our end, you may notify the data protection authority in your country. In case of a data breach, we would of course be happy if you would notify us too, by contacting privacy@healthpolicy-watch.org.

13. What are data breaches, and how do we deal with them?

A data breach is an incident where the confidentiality, integrity or availability of personal data has or may have been compromised. For example: a device that contains personal data is lost or stolen; an unauthorised party has access to the personal data we store; or personal data we store is shared or made public without explicit permission.

If we encounter a data breach on our end that poses a risk to the personal data we store, we must notify the Swiss Data Protection Authority within 72 hours of becoming aware of the data breach.

In case the data breach poses a serious threat to the safety of your personal data, we will notify you too – provided the contact details we hold on you are correct and up-to-date.

14. Can you see the updates of our privacy policy?

Yes, you can. Any changes we may make to our privacy policy after 25 May 2018 will be posted here.

Unless we make fundamental changes, we reserve the right to change our privacy policy without prior notice.

15. What about links to and from our site?

On our website (www.healthpolicy-watch.org) you may find links to other websites, or you may have been referred to our website via another website.

Please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. We recommend that you check the privacy policies of these websites before you submit any personal data on them.

16. Can I contact you for more information about this privacy policy?

Of course. If you have any questions or comments regarding our privacy policy, please contact privacy@healthpolicy-watch.org.

You may also reach out to our Managing Editor, Elaine Fletcher, who is responsible for data protection. She can be reached at fletchere@hp-watch.org or by telephone at: +41 (0) 22 791 67 16.