Privacy notice

• Basic identity and contact data: name, email address, job title, institution worked for or representing, telephone number and postal address
• More detailed identity data: personal pronouns, date of birth, gender, password
• Special category personal data: equality and diversity data, data concerning health and data revealing political opinions
• Higher education and professional information: information about your place and dates of study, subject and grade achieved, professional qualifications and memberships
• Log data: technical and usage data including information we obtain from your device or browser (such as IP address, your login data, version and device identifiers, time zone setting and location, threat indicators, browser plug-in types and versions and operating system) as well as how you use our website and services. Your username, profile picture and other information you choose to share when interacting with our social media accounts
• Freeform data: any additional information submitted by you when communicating, making enquiries or taking part in activities run by us, such as our research and survey work
• Communications data: information collected when you contact us: including information in emails and other communications with us. This may include the different types of content (eg, photographs, articles, comments) you send to us when contacting us, or through social media accounts with third parties, or any other information that you want to share with us
• CCTV images: moving or still images taken at our office premises
• Criminal offence data: information relating to actual or suspected criminal activities, including allegations, investigations and proceedings
• Other visual and audio data: moving or still images and associated audio captured and recorded by technologies used for virtual meetings, events and communications
• Preference data: information about your choice to receive or opt-out of receiving information and communications from us

Public task

We rely on the lawful basis of public task when processing personal data for activities in the public interest and laid out in law or when official authority has been vested in us. Jisc is not a public authority, but we collect, assure and disseminate data about higher education in the UK for public authorities who require it to carry out their statutory and/or public functions. We may also rely on public task when delivering our charitable objectives in the public interest.

HESA, the Higher Education Statistics Agency, is part of Jisc. Through HESA we fulfil our duties as the designated data body for England as defined by the Higher Education and Research Act 2017. We have a statutory duty to compile and publish information about HE providers and courses in England. We also fulfil a similar role for the HE funding bodies in the devolved nations.

Read HESA’s collection notices for privacy information relating to this area of our business.

Contract

We rely on the lawful basis of contract when it’s necessary for us to process your personal data in relation to a contract we have with you or because you’ve asked us to do something before entering into a contract. Including, for example:

• When we agree to enter into a contract for the provision of your services as an independent contractor
• When you request a quote or buy one of our services in your personal capacity
• When you sign up to attend one of our events or training sessions or when you apply to join one of our community groups subject to published terms and conditions
• When you enter a prize draw connected to participating in a research project

Legitimate interests

We rely on the lawful basis of legitimate interests when it’s necessary and proportionate to process personal data for identified legitimate purposes. Including, for example:

• In creating, maintaining and managing member and customer data for record keeping, communication and management purposes. We use customer relationship management applications to organise and store your data
• When running a research (including market research) project, study, survey, working group, workshop or user group that you are participating in
• When organising and managing a Microsoft Teams community that you join
• In collecting, analysing, sharing and publishing data relating to further and higher education, outside of our public tasks
• When contacting you about products, services or events which may be of interest to you or your organisation. This may include processing your personal data to understand what may be of interest to you
• When responding to your requests for information, complaints or feedback
• In recording calls, meetings, events and workshops through video, audio or transcription means
• In undertaking internal analysis, planning and reporting
• In monitoring website and service usage to identify problems or ways to improve
• For operational reasons such as improving efficiency, training, quality control and in obtaining professional advice
• In maintaining the security of our systems, information, services and physical premises
• In preventing and detecting a crime or fraud against you or us. This includes using CCTV and, in some cases, sharing the footage with the police or our insurers
• In collating knowledge relating to identified or emerging cyber threats to support the proactive defence of cyber security incidents or vulnerabilities. This may include sharing data with our members so they can take action to mitigate threats and improve security. We may also share data with government agencies, for example, the National Cyber Security Centre, to enrich our understanding of specific events
• When we wish to obtain legal advice, establish, exercise or defend legal rights and in connection with any legal proceedings, including prospective proceedings
• To protect, grow or realise the value in our business and assets, share your data with our subsidiary companies or third parties that will or may take control or ownership of some or all of our business in connection to a significant corporate transaction or restructuring
• In retaining personal data within our historic Janet network records insofar as necessary for archiving in the public interest

You have the right to object whenever we’re relying on legitimate interests to process your personal data. See the section on your rights, below, for more information.

Legal obligation

We rely on the lawful basis of legal obligation to process your personal data when it’s necessary to comply with the law. Including, for example:

• For the purposes of complying with employment and health and safety legislation
• When complying with the requirements of our regulators and other government agencies who oversee compliance with legislation relevant to our activities as a registered UK charity and company
• In complying with any court order imposing an obligation on us to process your data in a particular way
• When we need to disclose information subject to a police search warrant and to cooperate with law enforcement authorities when we’re obliged by law to do so

Consent

We rely on the lawful basis of consent to process your personal data in cases where we assess your rights and freedoms override any legitimate interest we may have or for more general ethical reasons. Including, for example:

• In publicly publishing case studies, blogs and podcasts
• When, outside of our legitimate interests, you have agreed to the visual and/or audio recording of your attendance and/or contribution at a meeting, workshop or event we’re running
• When we can’t rely on legitimate interests to contact you about products, services or events which may be of interest to you
• When we deploy cookies and similar technologies where consent is required

The right to be informed

You have the right to know what personal data we hold about you and why and how we process it. We’re obliged by law to provide you with privacy information and we do this through our privacy notices.

The right of access

You have the right to ask us for a copy of the personal data we hold about you. This is known as making a subject access request or SAR.

You can ask us for a copy of any information we’re holding about you, but there are times when the law says we may not need to provide it. We’ll make a reasonable and proportionate search for your data and may withhold information that reveals the personal data of someone else.

The easiest way to make a SAR is by emailing the privacy team. We’ll be able to search and respond more quickly if you specify your relationship with us, what information you’d like, any applicable dates and relevant background context.

The right of rectification

You have the right to ask us to correct or delete inaccurate personal data. If you think we’re holding incomplete data about you, you can also ask us to complete it by adding more details.

The right of erasure

You have the right to ask us to delete personal data we’re holding about you. This is sometimes called ‘the right to be forgotten’ and only applies in limited circumstances. Generally, we can delete your data if:

• We no longer need it for the original purpose it was collected for
• You initially gave consent for us to use your data but you’ve since withdrawn your consent
• We were using your data for direct marketing purposes and we don’t have an overriding legitimate interest to continue to hold it
• You’ve objected to our use of your data and your interests outweigh ours
• We collected or used your data unlawfully
• We’re under a legal obligation to delete your data
• The data was collected from you when you were a child via one of our online services

We can refuse to delete your data in some cases, including when we’re carrying out a task in the public interest, when it’s needed for legal claims, when erasure might prejudice research or archiving activities and when we’re legally obliged to retain it.

The right to restrict processing

In certain circumstances you have the right to ask us to restrict, or temporarily limit, the way we’re processing your data. For example, when you’ve challenged the accuracy of your data or objected to our use of it, you might ask us to stop doing something with your data until these issues are resolved.

You can also make a restriction request when you’d like to stop us from deleting it. For example, we may no longer need your data but you’ve asked us to keep it in order to create, exercise or defend legal claims.

Data portability

In some cases, and where technically feasible, you have the right to receive the personal data you’ve given us, in a structured, commonly used and machine-readable format. You also have the right to require us to transfer this personal data to another organisation.

This right only applies when we’ve relied on your consent to do something with your data or when we’ve processed it as part of a contract we have with you.

The right to object

You have the right to object to the way we’re using your personal data at any time. However, this doesn’t mean we’ll always stop using your data for the purposes you’ve objected to. We’ll consider your interests and rights and determine if these outweigh our legitimate reasons for continuing.

Your right to object to us using your data for direct marketing purposes is absolute. If you exercise your right to object, we’ll stop using your data for this purpose.

The right to withdraw consent

At any time after providing consent for us to use your data, you may withdraw your consent.

Automated decision making and profiling

You have rights relating to decisions based solely on automated processing, including profiling, where such decisions affect your legal rights or other similarly important matters.

Jisc does not undertake these activities as a matter of course. Should any occasional activity occur, supplemental information will be provided explaining how we’ll comply with data protection law, what information is used and what the implications of any decision might be, and how people can make representations, contest decisions and ask for human intervention.