The General Data Protection Regulation (GDPR) is a Europe-wide law that replaces the Data Protection Act 1998 in the UK. It is part of the wider package of reform to data protection that includes the Data Protection Act (DPA) 2018. The GDPR and DPA 2018 set out requirements for how organisations will need to process personal data from 25 May 2018.
The ERAMMP website is maintained and hosted by the Centre for Ecology & Hydrology (CEH). This privacy notice tells you what to expect when your personal information is collected. It will be revised as required and you are encouraged to revisit the privacy notice regularly to read the latest version. This version is dated 24 May 2018.
Please read the following carefully to understand our views and practices regarding your personal data and how we will process it. By visiting www.ceh.ac.uk and affliated websites you are accepting and consenting to the practices described in this policy.
Who we are
1. The name and contact details of our parent organisation:
UK Research and Innovation
Please see the UKRI privacy notice.
2. The name and contact details of our data protection representative:
The CEH Data Protection Officer is Mark Hinder - UKRI NERC.
3. Why and how we process personal data
This section of the privacy notice provides information on: the purpose of the data processing; the lawful basis for the processing; further information where the lawful basis is legitimate interests for the processing; the categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
Visitors to our website and to affiliated and hosted websites
The relevant section of our privacy notice will depend on the purpose of your visit to our website. We use the following lawful grounds for processing personal information to support our work when we carry out processing in pursuit of our purposes laid out in Article 93 of the Higher Education and Research Act 2017: in the most part, our lawful basis for processing your personal information falls under Public task, ie the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law, but we also make use of Contractual, Legitimate and Consent-based processing.
- Job Applicants
4. The details of transfers of personal data to any third countries or international organisations
Unless otherwise indicated, your information is processed in the UK and European Economic Area (EEA).
In those instances where your information is being processed outside of the UK or EEA, we work with our partners to do all we can to ensure your personal data is processed in line with the data protection requirements of GDPR and the DPA 2018. The CEH website is hosted by Pantheon in the USA and covered by the EU - US Privacy Shield. Some of our newsletters are hosted by Mailchimp, which is also certified by the EU-US Privacy Shield.
5. The retention periods for personal data
Personal data retention is guided by the UKRI retention schedule. Science Research project records may be kept for 10 and 20 years after the project is completed or in exceptional circumstances will be retained permanently.
6. The rights available to individuals in respect of the processing
The GDPR / DPA 2018 provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
For further details on individual rights, please visit the ICO guide to GDPR.
The lawful basis for CEH processing personal data can affect which rights are available to individuals. For example some rights will not apply.
Table: the X entries indicate where individual rights do not apply
An individual always has the right to object to processing for the purposes of direct marketing, whatever lawful basis applies. The remaining rights are not always absolute, and there are other rights which may be affected in other ways. If CEH is relying on legitimate interests more detail will be provided in the privacy notice to comply with the right to be informed. Further details on how the lawful basis for processing your data affect the rights available to you are outlined below:
If we are processing your data on the basis of contract, your right to object and your right not to be subject to a decision based solely on automated processing will not apply. However, you will have a right to data portability.
If your data is being processed on the basis of legal obligation, you have no right to erasure, right to data portability, or right to object.
Your rights to erasure and data portability do not apply if your data is processed on the basis of public task. However, you do have a right to object.
Where CEH is relying on legitimate interests, the right to data portability does not apply.
7. The right to withdraw consent (if applicable)
Where your personal data is processed using consent as the lawful basis, you have the right to withdraw consent at any time. You will be informed about the ways you can withdraw your consent.
8. The right to lodge a complaint with a supervisory authority
Initially please raise your concern with CEH: please contact the team who process your data. Any continuing concerns you may have can be raised with the CEH Data Protection Officer: Mark Hinder - UKRI NERC
If UKRI/ CEH has not resolved your information rights concern you can raise the matter with the Information Commissioner’s Office via live chat or by phoning 0303 123 1113.
9. Provision of Privacy Information
There are a variety of ways in which CEH provides privacy information, including:
- Providing individuals with privacy information at the time we collect their personal data from them.
- If we obtain personal data from a source other than the individual it relates to, we provide them with privacy information:
- within a reasonable of period of obtaining the personal data and no later than one month;
- if we plan to communicate with the individual, we will do this at the latest when the first communication takes place;
- if we plan to disclose the data to someone else, we will do this at the latest, when the data is disclosed.
10. How CEH provides privacy information
We aim to provide the information in a way that is:
- Easily accessible; and
- Uses clear and plain language.
11. Changes to the information
- We regularly review and, where necessary, update our privacy information.
- If we plan to use personal data for a new purpose, we update our privacy information and communicate the changes to individuals before starting any new processing.
12. Register of Processing Activities
- UKRI/ NERC/ CEH undertake an information audit to find out what personal data we hold and what we do with it.
- UKRI/ NERC/ CEH put ourselves in the position of the people we’re collecting information about.
- UKRI/ NERC/ CEH will carry out user testing to evaluate how effective our privacy information is.
13. Delivering Privacy Information
When providing our privacy information to individuals, we use a combination of appropriate techniques.
14. Affiliated and Hosted Websites
Where this privacy notice applies to hosted / affiliated websites, the site will provide a link to this privacy notice, along with any additional privacy information that is applicable.
15. Users of our website and affiliated websites
We use different methods to collect data from and about you on our CEH-hosted websites. Your information is used to deliver services you have requested and to contact you, including but not restricted to, software downloads, data licensing requests, publication orders, registration on training courses, subscription to our newsletter and general enquiries, as well as to improve the website experience for our users.
Automated technologies or interactions
When you use our websites (including but not restricted to, the CEH website and our affiliated websites) we may collect the following information about you:
- the IP address used to connect your computer to the Internet
- your time zone setting
- your Internet provider
- your name, address, email address, telephone number, organisation, where you have specifically provided this information on a web submission form.
We may also collect the following information about your visit:
- the full Uniform Resource Locators etc.
- the pages you viewed, including our products and software pages;
- page response times;
- length of visits to certain pages;
- page interaction information (such as clicks, downloads, web form submissions)
We will use this information to provide the best possible service to our web users. It allows us to administer our site, including our efforts to keep it safe and secure, and to carry out internal operations including troubleshooting, data analysis, testing, and statistical research. This means we can improve our websites to ensure that content is presented in the most effective manner for you.
17. Third party services
Some parts of CEH may use third party services including Twitter, Facebook, Microsoft O365, Outlook and Google+ as a method to allow you to share content. CEH uses Mailchimp for distributing some of its newsletters. See more details of our third party usage.
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites and any services that may be accessible through them have their own privacy notices and that we do not accept any responsibility or liability for these policies or for any personal data that may be collected through these websites or services. Please check these policies before you submit any personal data to these websites or use these services.