Data protection policy

Introduction

This Data Protection Policy outlines how United Patients Alliance (UPA) collects, uses, stores, and protects personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Bill 2025.

Data Protection Principles

We adhere to the following principles when processing personal data:

  • Lawfulness, Fairness, and Transparency: We process personal data lawfully, fairly, and in a transparent manner.

  • Purpose Limitation: We collect personal data for specified, explicit, and legitimate purposes and do not process it further in a manner incompatible with those purposes.

  • Data Minimisation: We collect only the personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed.

  • Accuracy: We take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date.

  • Storage Limitation: We keep personal data in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed.

  • Integrity and Confidentiality: We process personal data in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.

  • Accountability: We are responsible for, and able to demonstrate compliance with, these principles.

Lawful Bases for Processing

We process personal data based on one or more of the following lawful bases:

  • Consent

  • Contract

  • Legal obligation

  • Vital interests

  • Public task

  • Legitimate interests

Data Subject Rights

Data subjects have the following rights regarding their personal data:

  • Right to Access: The right to obtain confirmation as to whether personal data concerning them is being processed or not, and, where that is the case, access to the personal data.

  • Right to Rectification: The right to obtain the rectification of inaccurate personal data concerning them.

  • Right to Erasure: The right to obtain the erasure of personal data concerning them in certain circumstances.

  • Right to Restrict Processing: The right to obtain the restriction of processing in certain circumstances.

  • Right to Data Portability: The right to receive the personal data concerning them in a structured, commonly used, and machine-readable format, and to transmit those data to another controller.

  • Right to Object: The right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them.

Data Security Measures

We implement the following data security measures to protect personal data:

  • Access controls

  • Staff training

  • Regular audits

Data Breach Procedures

In the event of a data breach, we will:

  1. Identify and contain the breach.

  2. Assess the risk to individuals as a result of the breach.

  3. Notify the Information Commissioner’s Office (ICO) within 72 hours if the breach is likely to result in a risk to the rights and freedoms of individuals.

  4. Notify affected individuals if the breach is likely to result in a high risk to their rights and freedoms.

  5. Investigate the cause of the breach and take steps to prevent a recurrence.

Data Retention and Disposal

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. We securely dispose of personal data that is no longer needed.

Third-Party Processors

We ensure that any third-party processors we use to process personal data on our behalf have appropriate technical and organisational measures in place to protect personal data.

We have written contracts in place with all third-party processors that include data protection obligations.

Review and Updates

This policy is reviewed and updated regularly to ensure it remains compliant with applicable data protection laws and reflects our current data processing practices. The latest version of this policy is available on our website.

Effective Date: 28 May 2025

Agreed and signed by: United Patients Alliance