Privacy notice

Jisc is committed to protecting your privacy. This policy explains how we use, store and share the information we collect about you.

We are the controller of the personal data processed for the purposes set out below and we are responsible for looking after it. You can exercise your rights in respect of that information and the procedures that we have in place to safeguard your privacy. This policy supplements any other fair processing or privacy notice that may be provided to you from time to time.

We are Jisc, a not-for-profit company limited by guarantee, registered in England.

  • Company number: 05747339
  • Charity number: 1149740
  • ICO registration number: Z9546606
  • Registered office: 4 Portwall Lane, Bristol, BS1 6NB

Jisc is the designated data body (DDB) for higher education in England.

Read the privacy notice for HESA data, powered by Jisc.

What personal data will we collect about you?

Personal data means any information that relates to an identified or identifiable individual. We have grouped together the kinds of personal data that we may collect below. Additional information about the types of data we collect may be provided to you in other service specific privacy notices.

  • Identity and contact data: includes first name, last name, email address, address and telephone numbers. We may collect this information from you when you contact us or when you request services from us
  • Technical and usage data: includes information we obtain from your device or browser (such as IP address, your login data, version and device identifiers, time zone setting and location, browser plug-in types and versions and operating system) as well as how you use our website and services
  • Information that we need if you join a research project or receive our services: includes additional information relating to your use of the services or role in the project. We collect this when you use the service or take part in the project
  • Information collected when you contact us: includes information in emails and other communications with us, or call recordings when you phone us. This may include the different types of content (eg, photographs, articles, comments) you send to us when contacting us, or through social media accounts with third parties, or any other information that you want to share with us
  • Job application information: If you apply for a job with us, we will also collect your application data, which includes your contact information (including name, postal address, email address and phone number), job history, curriculum vitae, contact details of your referees and any other personal information you choose to submit along with your application when applying for a job at Jisc

How do we use your personal data?

The following table sets out why we process your personal data and also our lawful basis for processing your personal data. We may rely on more than one lawful basis for processing your personal data depending on the context of the processing activity.

Why we process your personal data and also our lawful basis for processing it
Purpose/activityLawful basis for processing
To provide you with a service that you have requested, including creation of a user account where necessary. This may include contacting you about the service for contract management purposes.The processing is necessary for the performance of a contract with you, or to take steps at your request prior to entering a contract. It may also be necessary in our legitimate interests (for example, for contract management purposes).
To monitor usage and identify problems or ways to improve our service. This may involve the use of cookies or similar technologies on our website(s) and application(s). Please refer to the Cookie Policy associated with each service.The processing is necessary for our legitimate interests (for example, for running our business, provision of our administration and IT services, network security, and providing a functional website). Where the processing involves the use of cookies or similar technologies, we will ask for your consent to use any cookies which are not strictly necessary.
To run a research (including market research) project, study, survey, working group, workshop or user group that you are participating in.This processing is carried out for our legitimate interests (to achieve the purposes of the research project, study, survey, working group, workshop or user group).
To collect, analyse, share and publish data relating to higher education. Some of this data is personal data about students, graduates, and staff of higher education providers.This processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Jisc (see GDPR Article 6(1)(e)). This processing may also be necessary for the purposes of the legitimate interests of Jisc in disseminating higher education information, or the legitimate interests of third parties in undertaking research in the field of higher education (See GDPR Article 6(1)(f)). Processing of Special Categories of data is necessary for reasons of substantial public interest in accordance with the Equality Act (Article 9(2)(g), UK GDPR and paragraph 8, part 2, schedule 1, Data Protection Act 2018); and necessary for statistical and research purposes in accordance with Article 89(1) and research purposes based on the duties in the Equality Act 2010, Section 75 of the Northern Ireland Act 1998, or the Digital Economy Act 2017 or equivalent subsequent legislation, or for other research purposes (Article 9(2)(j), UK GDPR, and paragraph 4, part 1, schedule 1, Data Protection Act 2018). Please refer to the privacy notice for HESA data, powered by Jisc for more information.
To contact you about products, services or events that may be of interest to you or your organisation. This may include processing your personal data to understand what may be of interest to you, or to provide you with marketing materials.The processing may be necessary for the performance of a contract with you, or to take steps at your request prior to entering a contract. It may also be necessary in our legitimate interests (for example, to contact you about an event).You will receive marketing communications from us if you have requested information from us or you (or your organisation) have purchased or contacted us about similar goods or services. We may do this where we determine that this is necessary for our legitimate interests. We may also send you marketing communications when you have given your consent for us to do so.You can opt-out of receiving marketing communications from us or withdraw your consent at any time.
To publish publicly available case studies and blog posts.The processing is undertaken to identify any notable case studies necessary for our legitimate interests but any subsequent publishing will require your explicit consent.
To include you in competitions and prize draws.The processing will require your explicit consent.
To respond to your requests for information, complaints or feedback.The processing is necessary for the performance of a contract with you, or to take steps at your request prior to entering a contract. It may also be necessary in our legitimate interests (for example, to improve our relationship with you or your organisation or to improve our services).
To deliver events and training.The processing is necessary for the performance of a contract with you, or to take steps at your request prior to entering a contract. It may also be necessary in our legitimate interests (for example, to administer and maintain records of training and seminars).
To record meetings, events and workshops through video, audio or transcription (including in-person and virtual).This processing may be necessary for our legitimate interests to promote our work and services. It may also require your explicit consent in some circumstances. The lawful basis will be made clear to you at the outset.
To undertake internal analysis, planning and reporting.The processing is necessary for our legitimate interests (to inform and improve the business).
To comply with laws and to respond to and comply with requests from the government, regulators and other third parties with legal authority.The processing is necessary to comply with a legal obligation.
To maintain the security of our systems, services and physical premises.It is necessary in our or a third party’s legitimate interests (eg to ensure Jisc’s or our customer’s confidential information is kept securely).
To provide evidence where this is required to exercise or defend legal claims.The processing is necessary in our legitimate interests (for example, to defend ourselves against a legal claim that you or your organisation may make against us).
To investigate, detect and prevent fraud or crime and carry out related risk assessments.The processing is necessary to comply with a legal obligation.
To consider your application for a job.The processing is necessary to comply with a legal requirement. This processing is also necessary to take steps at your request prior to entering an employment contract with you. The processing will also be necessary in our legitimate interests (for example, to ensure you have appropriate qualifications for the job).

In certain circumstances, we will process your personal data based on our legitimate interests. We have decided this by carrying out a balancing exercise to make sure our legitimate interest does not override your privacy rights as an individual. We document the balancing exercises that we carry out when relying upon this lawful basis for processing your personal data.

Security

We have in place appropriate policies, rules, and technical and organisational measures to protect your personal data from unauthorised or unlawful processing, and against accidental loss, destruction or damage. We also have procedures in place to deal with any data security breach. We will notify you and any applicable regulator of a data security breach where we are legally required to do so.

Even though we take these steps to keep your personal data secure, you should be aware that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal information which is transferred from you or to you via the internet. If you have a username or password to access any services that we provide to you, you are responsible for protecting your username and password and must not share it with, or disclose it, to anyone.

If you want you to learn more about how to protect your data and your devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org.

Sharing your personal data

We will only disclose your personal data to:

  • Companies within our group
  • A third party who has purchased or merged with our organisation, in which case personal data held by us about you will be transferred to that third party to carry on our business
  • Our professional advisors (including without limitation, tax, legal or other corporate advisors who provide professional services to us)
  • Other third party suppliers, business partners and sub-contractors for business administration, support, processing, services, or IT purposes
  • Analytics or search engines that enable us to optimise and improve your website experience
  • Third parties that you approve (including without limitation, social media sites and third party payment providers)
  • Our regulators, law enforcement or fraud prevention agencies, as well as our legal advisers, courts, the police and any other authorised bodies, for the purposes of investigating any actual or suspected criminal activity or other regulatory or legal matters
  • HMRC or other tax bodies or agencies to comply with our legal and regulatory obligations

International transfers of your personal data

We may transfer your personal data to countries outside the United Kingdom in order to provide our services. The laws in these countries may not offer the same level of protection for personal data as in the United Kingdom.

If we transfer personal data to countries outside of the United Kingdom, we will do so in a lawful way and may rely on:

  • An adequacy decision from the Secretary of State, which says that the recipient country provides an adequate level of protection of personal data
  • Appropriate safeguards to protect the personal data (for example, the approved standard contractual clauses or international data transfer agreement)
  • A lawful exception to the rules relating to overseas data transfers (for example, the transfer is necessary to perform a contract with you, which is in your interests)

Please contact dataprotection@jisc.ac.uk to obtain a copy of these safeguards or if you have any questions about how your personal data is used.

How long will we keep your personal data?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances you can ask us to delete your personal data. Please see below for more information about your right to erasure.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes.

Your rights

You have certain rights in relation to your personal data. We have summarised these rights below:

Your rights in relation to your personal data
RightDescription
To be informedA right to be informed about the personal data we hold about you.
Of accessA right to access the personal data we hold about you.
To rectificationA right to require us to rectify any inaccurate personal data we hold about you.
To erasureA right to ask us to delete the personal data we hold about you. This right will only apply where (for example):We no longer need to use the personal data to achieve the purpose we collected it forWhere you withdraw your consent if we are using your personal data based on your consentWhere you object to the way we process your data (see the right to object described below)
To restrict processingIn certain circumstances, a right to restrict our processing of the personal data we hold about you. This right will only apply where (for example):You dispute the accuracy of the personal data held by usWhere you would have the right to ask us to delete the personal data but would prefer that our processing is restricted insteadWhere we no longer need to use the personal data to achieve the purpose we collected it for, but you need the data for the purposes of establishing, exercising or defending legal claims
To data portabilityIn certain circumstances, a right to receive the personal data you have given us, in a structured, commonly used and machine readable format. You also have the right to require us to transfer this personal data to another organisation, at your request.
To objectA right to object to our processing of the personal data we hold about you where our lawful basis is for the purpose of our legitimate interests, unless we are able to demonstrate, on balance, legitimate grounds for continuing to process the personal data which override your rights or which are for the establishment, exercise or defence of legal claims.
In relation to automated decision-making and profilingA right for you not to be subject to a decision based solely on an automated process, including profiling, which produces legal effects concerning you or similarly significantly affects you. For the avoidance of doubt, Jisc does not undertake automated decision-making of this kind.
To withdrawA right to withdraw your consent, where we are relying on it to use your personal data (for example, to provide you with brochures and newsletters). 
To complainYou have the right to make a complaint to our supervisory authority, which is the UK's Information Commissioner's Office.

Please email us at dataprotection@jisc.ac.uk if you would like to contact us with any queries or comments, request further information or exercise any of your available rights set out above. If you would like this notice in another format please contact us using the details above.

We encourage you to contact us first if you have any queries, comments or concerns about the way we handle your personal data.

Changes to this policy

Any changes to this policy in the future will be posted on this page. Please check back frequently to see any updates or changes to this policy.

Please note: this policy does not cover third party websites that we may link to from our website and we are not responsible for the privacy policies and practices (including use of cookies) of such third parties. We recommend that you check the policy of each website you visit and contact the owner or operator of such website if you have concerns or questions.

Last updated: 12 October 2023

Contacting us

Email dataprotection@jisc.ac.uk to contact our data protection officer.

Please contact us at this email address if you have any questions, comments or concerns about this policy or how we handle your personal data, or if such information changes at any time.