Privacy notice

Introduction

Jisc is committed to protecting your privacy. We are the controller of the personal data processed for the purposes set out below and we are responsible for looking after it. This policy explains how we use, store and share the information we collect about you, how you can exercise your rights in respect of that information and the procedures that we have in place to safeguard your privacy. This policy supplements any other fair processing or privacy notice that may be provided to you from time to time.

Jisc is the designated data body (DDB) for higher education in England.

Read the privacy notice for HESA data, powered by Jisc.

Contacting us

We have appointed a data protection officer who can be contacted at dataprotection@jisc.ac.uk. Please contact us at this email address if you have any questions, comments or concerns about this policy or how we handle your personal data, or if such information changes at any time.

What personal data will we collect about you?

Personal data means any information that relates to an identified or identifiable individual. We have grouped together the kinds of personal data that we may collect below. Additional information about the types of data we collect may be provided to you in other service specific privacy notices.

Identity and contact data: includes first name, last name, email address, address and telephone numbers. We may collect this information from you when you contact us or when you request services from us
Technical and usage data: includes information we obtain from your device or browser (such as IP address, your login data, version and device identifiers, time zone setting and location, browser plug-in types and versions and operating system) as well as how you use our website and services
Information that we need if you join a research project or receive our services: includes additional information relating to your use of the services or role in the project. We collect this when you use the service or take part in the project
Information collected when you contact us: includes information in emails and other communications with us, or call recordings when you phone us. This may include the different types of content (eg, photographs, articles, comments) you send to us when contacting us, or through social media accounts with third parties, or any other information that you want to share with us
Job application information: If you apply for a job with us, we will also collect your application data, which includes your contact information (including name, postal address, email address and phone number), job history, curriculum vitae, contact details of your referees and any other personal information you choose to submit along with your application when applying for a job at Jisc

How do we use your personal data?

The following table sets out why we process your personal data and also our lawful basis for processing your personal data. We may rely on more than one lawful basis for processing your personal data depending on the context of the processing activity.

Purpose/activity	Lawful basis for processing
To provide you with a service that you have requested	The processing is necessary for the performance of a contract with you, or to take steps at your request prior to entering into a contract. It may also be necessary in our legitimate interests (for example, for contract management purposes).
To identify problems or ways to make our service better	The processing is necessary for our legitimate interests (for example, for running our business, provision of our administration and IT services, network security, and providing a functional website).
To run a research project which you are participating in	This processing is carried out for our legitimate interests (to achieve the purposes of the research project).
To contact you about products or services which may be of interest to you or your organisation. This may include processing your personal data to understand what may be of interest to you, or to provide you with marketing materials.	The processing may be necessary for the performance of a contract with you, or to take steps at your request prior to entering into a contract. It may also be necessary in our legitimate interests (for example, to contact you about an event). You will receive marketing communications from us if you have requested information from us or you (or your organisation) have purchased or contacted us about similar goods or services. We may do this where we determine that this is necessary for our legitimate interests. We may also send you marketing communications when you have given your consent for us to do so. You can opt-out of receiving marketing communications from us or withdraw your consent at any time.
To respond to your requests for information, complaints or feedback	The processing is necessary for the performance of a contract with you, or to take steps at your request prior to entering into a contract. It may also be necessary in our legitimate interests (for example, to improve our relationship with you or your organisation or to improve our services).
To comply with laws and to respond to and comply with requests from the government, regulators and other third parties with legal authority	The processing is necessary to comply with a legal obligation.
To provide evidence where this is required to exercise or defend legal claims	The processing is necessary in our legitimate interests (for example, to defend ourselves against a legal claim that you or your organisation may make against us).
To investigate, detect and prevent fraud or crime and carry out related risk assessments	The processing is necessary to comply with a legal obligation.
To consider your application for a job	The processing is necessary to comply with a legal requirement. This processing is also necessary to take steps at your request prior to entering into an employment contract with you. The processing will also be necessary in our legitimate interests (for example, to ensure you have appropriate qualifications for the job).

In certain circumstances, we will process your personal data based on our legitimate interests. We have decided this by carrying out a balancing exercise to make sure our legitimate interest does not override your privacy rights as an individual. We document the balancing exercises that we carry out when relying upon this lawful basis for processing your personal data.

Security

We have in place appropriate policies, rules, and technical and organisational measures to protect your personal data from unauthorised or unlawful processing, and against accidental loss, destruction or damage. We also have procedures in place to deal with any data security breach. We will notify you and any applicable regulator of a data security breach where we are legally required to do so.

Even though we take these steps to keep your personal data secure, you should be aware that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal information which is transferred from you or to you via the internet. If you have a username or password to access any services that we provide to you, you are responsible for protecting your username and password and must not share it with, or disclose it, to anyone.

If you want you to learn more about how to protect your data and your devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org.

Sharing your personal data

We will only disclose your personal data to:

Companies within our group
A third party who has purchased or merged with our organisation, in which case personal data held by us about you will be transferred to that third party to carry on our business
Our professional advisors (including without limitation, tax, legal or other corporate advisors who provide professional services to us)
Other third party suppliers, business partners and sub-contractors for business administration, support, processing, services, or IT purposes
Analytics or search engines that enable us to optimise and improve your website experience
Third parties that you approve (including without limitation, social media sites and third party payment providers)
Our regulators, law enforcement or fraud prevention agencies, as well as our legal advisers, courts, the police and any other authorised bodies, for the purposes of investigating any actual or suspected criminal activity or other regulatory or legal matters
HMRC or other tax bodies or agencies to comply with our legal and regulatory obligations

International transfers of your personal data

We may transfer your personal data to countries outside the United Kingdom in order to provide our services. The laws in these countries may not offer the same level of protection for personal data as in the United Kingdom.

If we transfer personal data to countries outside of the United Kingdom, we will do so in a lawful way and may rely on:

An adequacy decision from the Secretary of State, which says that the recipient country provides an adequate level of protection of personal data
Appropriate safeguards to protect the personal data (for example, the approved standard contractual clauses or international data transfer agreement)
A lawful exception to the rules relating to overseas data transfers (for example, the transfer is necessary to perform a contract with you, which is in your interests)

How long will we keep your personal data?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances you can ask us to delete your personal data. Please see below for more information about your right to erasure.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes.

Your rights

You have certain rights in relation to your personal data. We have summarised these rights below:

Right	Description
To be informed	A right to be informed about the personal data we hold about you.
Of access	A right to access the personal data we hold about you.
To rectification	A right to require us to rectify any inaccurate personal data we hold about you.
To erasure	A right to ask us to delete the personal data we hold about you. This right will only apply where (for example): We no longer need to use the personal data to achieve the purpose we collected it for Where you withdraw your consent if we are using your personal data based on your consent Where you object to the way we process your data (see the right to object described below)
To restrict processing	In certain circumstances, a right to restrict our processing of the personal data we hold about you. This right will only apply where (for example): You dispute the accuracy of the personal data held by us Where you would have the right to ask us to delete the personal data but would prefer that our processing is restricted instead Where we no longer need to use the personal data to achieve the purpose we collected it for, but you need the data for the purposes of establishing, exercising or defending legal claims
To data portability	In certain circumstances, a right to receive the personal data you have given us, in a structured, commonly used and machine readable format. You also have the right to require us to transfer this personal data to another organisation, at your request.
To object	A right to object to our processing of the personal data we hold about you where our lawful basis is for the purpose of our legitimate interests, unless we are able to demonstrate, on balance, legitimate grounds for continuing to process the personal data which override your rights or which are for the establishment, exercise or defence of legal claims.
In relation to automated decision-making and profiling	A right for you not to be subject to a decision based solely on an automated process, including profiling, which produces legal effects concerning you or similarly significantly affects you.
To withdraw	A right to withdraw your consent, where we are relying on it to use your personal data (for example, to provide you with brochures and newsletters).
To complain	You have the right to make a complaint to our supervisory authority, which is the UK's Information Commissioner's Office.

If you would like to contact us with any queries or comments, request further information or exercise any of your available rights set out above, please email us at: dataprotection@jisc.ac.uk. If you would like this notice in another format please contact us using the details above.

We encourage you to contact us first if you have any queries, comments or concerns about the way we handle your personal data.

Changes to this policy

Any changes to this policy in the future will be posted on this page.Please check back frequently to see any updates or changes to this policy.

Please note: this policy does not cover third party websites that we may link to from our website and we are not responsible for the privacy policies and practices (including use of cookies) of such third parties. We recommend that you check the policy of each website you visit and contact the owner or operator of such website if you have concerns or questions.