Privacy notice

Jisc is committed to protecting your privacy. This policy explains how we use, store and share the information we collect about you.

We are the controller of the personal data processed for the purposes set out below and we are responsible for looking after it. You can exercise your rights in respect of that information and the procedures that we have in place to safeguard your privacy. This policy supplements any other fair processing or privacy notice that may be provided to you from time to time.

There are also some circumstances where Jisc are operating a service provided to you by someone else (for example your university or college). In these circumstances, you should submit any queries or exercise any of your rights directly with them and we’ll keep your personal data for as long as the provider needs us to.

Some Jisc services have their own privacy notices with further information about how they use your personal data. Links to these notices can be found at the end of this privacy notice.

Company details

We are Jisc, a not-for-profit company limited by guarantee, registered in England.

  • Company number: 05747339
  • Charity number: 1149740
  • ICO registration number: Z9546606
  • Registered office: 4 Portwall Lane, Bristol, BS1 6NB

Jisc is the designated data body (DDB) for higher education in England.

What personal data will we collect about you?

Personal data means any information that relates to an identified or identifiable individual and Jisc processes a variety of personal data about its data subjects. This includes contact information and information you provide us directly, but also information about your education or employment. We have grouped together the kinds of personal data that we may collect below. Additional information about the types of data we collect may be provided to you in other service specific privacy notices.

More detail on the personal data we collect

  • Identity and contact data: includes first name, last name, email address, address, and telephone numbers. We may collect this information from you when you contact us or when you request services from us.
  • Organisation and Affiliations: includes information such as your job title and information about your institution or relationships with funders or publishers. We may collect this information from you when you contact us or when you request services from us, or from publicly available sources.
  • Technical and usage data: includes information we obtain from your device or browser (such as IP address, your login data, version and device identifiers, time zone setting and location, browser plug-in types and versions and operating system) as well as how you use our website and services
  • Information that we need if you join a research project or receive our services: includes additional information relating to your use of the services or role in the project. We collect this when you use the service or take part in the project
  • Information collected when you contact us: includes information in emails and other communications with us, or call recordings when you phone us. This may include the different types of content (eg, photographs, articles, comments) you send to us when contacting us, or through social media accounts with third parties, or any other information that you want to share with us
  • Job application information: If you apply for a job with us, we will also collect your application data, which includes your contact information (including name, postal address, email address and phone number), job history, curriculum vitae, contact details of your referees and any other personal information you choose to submit along with your application when applying for a job at Jisc

How do we use your personal data?

Jisc will process your personal data for a variety of purposes, relying on different lawful basis. These will include providing you with the service you requested, communicating with you, undertaking research and undertaking our statytory obligations.

We will always ensure that our processing activities are fair and proportionate.

More detail on why we process your personal data

The following information sets out why we process your personal data and also our lawful basis for processing your personal data. We may rely on more than one lawful basis for processing your personal data depending on the context of the processing activity.

Performance of a contract

  • To provide you with a service that you have requested, including creation of a user account where necessary. This may include contacting you about the service for contract management purposes
  • To contact you about products, services or events which may be of interest to you or your organisation
  • To respond to your requests for information, complaints or feedback.
  • To deliver events and training
  • To consider your application for a job

Legitimate Interests

  • To monitor usage and identify problems or ways to improve our service.
  • To run a research (including market research) project, study, survey, working group, workshop or user group that you are participating in
  • To collect, analyse, share and publish data relating to higher education. Some of this data is personal data about students, graduates, and staff of higher education providers
  • To contact you about products, services or events which may be of interest to you or your organisation. This may include processing your personal data to understand what may be of interest to you, or to provide you with marketing materials
  • To respond to your requests for information, complaints or feedback
  • To record meetings, events and workshops through video, audio or transcription (including in-person and virtual)
  • To undertake internal analysis, planning and reporting
  • To maintain the security of our systems, services and physical premises
  • To provide evidence where this is required to exercise or defend legal claims
  • To consider your application for a job

Legal obligation

  • To comply with laws and to respond to and comply with requests from the government, regulators and other third parties with legal authority
  • To investigate, detect and prevent fraud or crime and carry out related risk assessments
  • To consider your application for a job
  • Monitoring for service improvement involving the use of cookies or similar technologies on our website(s) and application(s) (more detail is available in our cookie policy)

Explicit consent

  • To publicly publish case studies and blog posts
  • To include you in competitions and prize draws
  • To record meetings, events and workshops through video, audio or transcription (including in-person and virtual)
  • To share your information with other delegates when you attend a workshop
  • To comply with laws and to respond to and comply with requests from the government, regulators and other third parties with legal authority

In certain circumstances, we will process your personal data based on our legitimate interests. We have decided this by carrying out a balancing exercise to make sure our legitimate interest does not override your privacy rights as an individual. We document the balancing exercises that we carry out when relying upon this lawful basis for processing your personal data.

Security

We have in place appropriate policies, rules, and technical and organisational measures to protect your personal data from unauthorised or unlawful processing, and against accidental loss, destruction or damage. We also have procedures in place to deal with any data security breach. We will notify you and any applicable regulator of a data security breach where we are legally required to do so.

Even though we take these steps to keep your personal data secure, you should be aware that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal information which is transferred from you or to you via the internet. If you have a username or password to access any services that we provide to you, you are responsible for protecting your username and password and must not share it with, or disclose it, to anyone.

If you want you to learn more about how to protect your data and your devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org.

Sharing your personal data

To ensure your information is protected we use carefully selected third parties to provide services on our behalf who are contractually prohibited to use your information for anything other the services requests by Jisc.

We will only disclose your personal data to:

  • Companies within our group
  • A third party who has purchased or merged with our organisation, in which case personal data held by us about you will be transferred to that third party to carry on our business
  • Our professional advisors (including without limitation, tax, legal or other corporate advisors who provide professional services to us)
  • Other third party suppliers, business partners and sub-contractors for business administration, support, processing, services, or IT purposes
  • Analytics or search engines that enable us to optimise and improve your website experience
  • Third parties that you approve (including without limitation, social media sites and third party payment providers)
  • Our regulators, law enforcement or fraud prevention agencies, as well as our legal advisers, courts, the police and any other authorised bodies, for the purposes of investigating any actual or suspected criminal activity or other regulatory or legal matters
  • HMRC or other tax bodies or agencies to comply with our legal and regulatory obligations

International transfers of your personal data

We may transfer your personal data to countries outside the United Kingdom in order to provide our services. The laws in these countries may not offer the same level of protection for personal data as in the United Kingdom.

If we transfer personal data to countries outside of the United Kingdom, we will do so in a lawful way and may rely on:

  • An adequacy decision from the Secretary of State, which says that the recipient country provides an adequate level of protection of personal data
  • Appropriate safeguards to protect the personal data (for example, the approved standard contractual clauses or international data transfer agreement)
  • A lawful exception to the rules relating to overseas data transfers (for example, the transfer is necessary to perform a contract with you, which is in your interests)

Please contact dataprotection@jisc.ac.uk to obtain a copy of these safeguards or if you have any questions about how your personal data is used.

How long will we keep your personal data?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances you can ask us to delete your personal data. Please see below for more information about your right to erasure.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes.

Your rights

You have certain rights in relation to your personal data, such as the right to access and the right erasure. Please be aware that these rights do not apply in all circumstances, but we will always look to fulfil your request where possible.

More details about your rights

Informed

A right to be informed about the personal data we hold about you.

Access

A right to access the personal data we hold about you.

Rectifications

A right to require us to rectify any inaccurate personal data we hold about you.

Erasure

A right to ask us to delete the personal data we hold about you. This right will only apply where (for example):We no longer need to use the personal data to achieve the purpose we collected it for. Where you withdraw your consent if we are using your personal data based on your consent. Where you object to the way we process your data (see the right to object described below)

Restrict Processing

In certain circumstances, a right to restrict our processing of the personal data we hold about you. This right will only apply where, for example, you dispute the accuracy of the personal data held by us. Where you would have the right to ask us to delete the personal data but would prefer that our processing is restricted instead. Where we no longer need to use the personal data to achieve the purpose we collected it for, but you need the data for the purposes of establishing, exercising or defending legal claims

Data Portability

In certain circumstances, a right to receive the personal data you have given us, in a structured, commonly used and machine readable format. You also have the right to require us to transfer this personal data to another organisation, at your request.

Objection

A right to object to our processing of the personal data we hold about you where our lawful basis is for the purpose of our legitimate interests, unless we are able to demonstrate, on balance, legitimate grounds for continuing to process the personal data which override your rights or which are for the establishment, exercise or defence of legal claims.

Automated decision-making and profiling

A right for you not to be subject to a decision based solely on an automated process, including profiling, which produces legal effects concerning you or similarly significantly affects you. For the avoidance of doubt, Jisc does not undertake automated decision-making of this kind.

Withdraw consent

A right to withdraw your consent, where we are relying on it to use your personal data (for example, to provide you with brochures and newsletters).

If you would like to contact us with any queries or comments, request further information or exercise any of your available rights set out above, please email us at: dataprotection@jisc.ac.uk. If you would like this notice in another format please contact us using the details above.

You also have the right to complain. We encourage you to contact us first if you have any queries, comments or concerns about the way we handle your personal data. If we are not able to resolve the issue to your satisfaction, you can also make a complaint to the data protection supervisory authority. In the UK, this is the Information Commissioner's Office (ICO) and they can be contacted at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Tel: 0303 123 1113

Email: casework@ico.org.uk

Changes to this policy

Any changes to this policy in the future will be posted on this page. Please check back frequently to see any updates or changes to this policy.

Please note: this policy does not cover third party websites that we may link to from our website and we are not responsible for the privacy policies and practices (including use of cookies) of such third parties. We recommend that you check the policy of each website you visit and contact the owner or operator of such website if you have concerns or questions.

Last updated: 23 November 2023

Contacting us

Email dataprotection@jisc.ac.uk to contact our data protection officer.

Please contact us at this email address if you have any questions, comments or concerns about this policy or how we handle your personal data, or if such information changes at any time.

Privacy notices for Jisc services

Building digital capability

This privacy notice is part of Jisc’s overarching privacy notice and provides further details that are either unique to this service or contains additional information about the service that you may find useful.

Building digital capability is a service organised and managed by Jisc that helps individuals and organisations to enable and motivate digital practices, including the use of discovery tool to self-assess digital capability. Further information about this service can be found on the building digital capability website.

Your data will be processed in accordance with the Jisc privacy notice by Jisc as a data controller, however this privacy notice provides supplementary information about the personal data processing that will be used as part of this service.

What personal data will we collect about you?

  • Email address
  • Name
  • Education and skills
  • Organisation
  • Student/staff status

How do we use your personal data?

In addition to the purposes provided in the main Jisc privacy notice, we will also process personal data for the following purposes.

  • To provide credentialling to users, as part of the service offering – namely digital badges
  • To allow the organisational lead to view organisation level data reports, add organisational level resources and be subscribed to the building digital capability service mailing list
  • To allow Jisc to improve the service in line with customer expectation

This processing is carried out in our legitimate interests.

Sharing your personal data

As part of these services Jisc will may need to disclose your personal data to the following recipients:

  • Overt - So they can provide secure log-in services. Our contract prohibits them from using the information for anything else
  • Potential.ly - So that users can access, and are shown, the correct content within the tool and to provide anonymised and aggregated data visualisations at institutional level
  • Credly - If you are eligible and wish to obtain a digital badge, your name and email address will be shared with Credly who produce them; our contract prohibits them from using the information for anything else. To receive your badge, your personal data will be transferred outside the European Economic Area to Credly in the U.S, however rights are protected under EU Standard Contractual Clauses. View Credly’s Privacy policy.

Digital experience insights

This privacy notice is part of Jisc’s overarching privacy notice and provides further details that are either unique to this service or contains additional information about the service that you may find useful.

Our digital experience insights surveys show how students and staff are using the technology offered by the institutions Jisc works with, what is making a difference to their learning or working experiences, and where improvements can be made.

The surveys deliver valuable data to inform digital strategy, investment plans and help institutions respond to changing environments. They also provide a structured process to engage students and staff in conversations about how you can develop and improve your offering. Further information about the service can be found on our digital experience insights website.

Your data will be processed in accordance with the Jisc privacy notice by Jisc as a data controller, however this privacy notice provides supplementary information about the personal data processing that will be used as part of this service.

For customers/institutions

Jisc are a data controller in respect of the personal data collected about the institutions and staff using the digital experience insights service and will be processed in accordance with the Jisc privacy notice.

What personal data will we collect about you?

  • Full name
  • Cookie information and IP address
  • Contact details
  • Purchase history and account information

How do we use your personal data?

In addition to the purposes provided in the main Jisc privacy notice, we will also process personal data for the following purposes:

To produce case studies and implementation stories for the building digital capability and/or digital experience insights services. These case studies and implementation stories, together with any associated images, animations and artefacts that form part of the study/story, will be publicly available on our website for an unlimited period of time, with the aim of providing guidance to others in the HE and FE sectors. In some cases, contributors may be quoted in these studies or stories. Where this occurs, the names, roles and institutions will be attributed and may be cited in quotes. We will only publish these details if we receive your permission to place these details in the public domain.

We’ll use the material from your interview/s to create supporting text based on the findings of our research with you and your colleagues. If you would like your information to be removed at any time, please contact the Jisc helpdesk (help@jisc.ac.uk) with ‘digital capability’ or ‘digital experience insights’ in the subject line.

We may in some cases (with your permission) record your interview on an audio device to refer to when writing up the case study.

The processing undertaken to identify any notable case studies is necessary for our legitimate interests but any subsequent publishing will require your explicit consent.

You may instruct us to stop processing it at any time by emailing (help@jisc.ac.uk) and asking to be removed from communications around this service. Until then, we’ll use it only to contact you regarding the service, including updates on progress and purchasing information.

For survey respondents

If you are a participant taking part in one of our surveys,. Jisc will only use this information held in an anonymous form for analysis, publication public reports and presentations. Any queries or requests in regard to your personal data should be directed to the organisation you are affiliated with.

What personal data will we collect about you?

  • Full name
  • Cookie information and IP address
  • Contact details
  • Organisations/affiliations
  • Age
  • Gender
  • Special category data including racial or ethnic origin and disability

How do we use your personal data?

This processing is carried out on the instructions of the data controller:

  • To provide the responses collected during surveys to the organisation that has requested our services
  • Aggregate data is used to inform our research and development, for publication and for any technical support needed

UK ORCiD

This privacy notice is part of Jisc’s overarching privacy notice and provides further details that are either unique to this service or contains additional information about the service that you may find useful.

ORCiD is an open, non-profit, community-based initiative to provide researcher identifier solutions that enable a wide range of improvements to the scholarly communications ecosystem. The ORCiD service is being offered to UK universities through a national consortium arrangement. Benefits include reduced membership costs and UK-based technical and community support for implementation. Jisc supports the ORCiD network by providing technical support and access to community resources. Further information about this service can be found on the UK ORCID support website.

Your data will be processed in accordance with the Jisc privacy notice by Jisc as a data controller, however this privacy notice provides supplementary information about the personal data processing that will be used as part of this service.

What personal data will we collect about you?

  • Email address
  • First name
  • Last name
  • Affiliations/organisations
  • Job title
  • Telephone number

How do we use your personal data?

In addition to the purposes provided in the main Jisc privacy notice, we will also process personal data for the following purposes:

  • To facilitate your submission of guides and documents for Jisc UK ORCiD support service community resources
  • If you would prefer to be deidentified from your guides and documents, please contact us informing us of your wish
  • To facilitate UK ORCiD membership for your organisation and to receive support from Jisc and ORCiD
  • To facilitate you submitting a reply to a blog post on the Jisc UK ORCiD support service website. As part of the service, we’ll include your name and comment that you add to your reply in a publicly viewable listing. If you would prefer to be deidentified from your reply, please contact us informing us of your wish
  • To allow you to download the spreadsheet on the community resources page on the Jisc UK ORCiD support service website. We’ll keep the information until we are told that you are no longer performing the role of the main, technical or support desk ORCiD contact. If you would prefer to be deidentified from the list, please contact us informing us of your wish

Equipment data

This privacy notice is part of Jisc’s overarching privacy notice and provides further details that are either unique to this service or contains additional information about the service that you may find useful.

Equipment sata aggregates a range of university and research facility equipment catalogues. The service enables searching across all published UK research equipment databases through one portal allowing greater accessibility, with the aim to improve efficiency and stimulate greater collaboration in the sector. Further information about this service can be found on the equipment data website.

Your data will be processed in accordance with the Jisc privacy notice by Jisc as a data controller, however this privacy notice provides supplementary information about the personal data processing that will be used as part of this service.

What personal data will we collect about you?

  • Full name
  • Affiliations/organisations
  • Work email address
  • Work contact number (if given)

How do we use your personal data?

In addition to the purposes provided in the main Jisc privacy notice, we will also process personal data for the following purposes:

If you are the named contact within an equipment record provided by your institution, we will process your personal data to provide the record of your institution's equipment inventory on the equipment data website managed by Jisc. The service enables searching across all published UK research equipment databases through one aggregation portal. This information is publicly available on the website and is provided to us by your institution.

If you are the designated contact for an equipment register, we will process your personal data to manage your institution's equipment register. This will be stored by Jisc in our CRM for the purpose of managing your institution's equipment register and will not be publicly available. We'll keep the information until we are told that you are no longer the contact for this equipment record.