The General Data Protection Regulation (GDPR) is a Europe-wide law that is part of the wider package of reform to data protection that includes the Data Protection Act (DPA) 2018. The GDPR and DPA 2018 set out requirements for how organisations will need to process personal data from 25 May 2018.
The ERAMMP website is maintained and hosted by the UK Centre for Ecology & Hydrology (UKCEH). This privacy notice tells you what to expect when your personal information is collected. It will be revised as required and you are encouraged to revisit the privacy notice regularly to read the latest version. This version is dated 1st December 2019.
Please read the following carefully to understand our views and practices regarding your personal data and how we will process it. By visiting www.ceh.ac.uk and affliated websites you are accepting and consenting to the practices described in this policy.
Who we are
1. The name and contact details of our organisation:
UK Centre for Ecology & Hydrology
Maclean Building, Benson Lane
T: +44 (0)1491 838800
F: +44 (0)1491 692424
We are a not-for-profit company limited by guarantee with charitable status. We serve as a strategic delivery partner for the Natural Environment Research Council (NERC), part of UK Research and Innovation.
2. The name and contact details of our data protection representative:
The UKCEH Data Protection Officer is Quentin Tucker.
3. Why and how we process personal data
This section of the privacy notice provides information on: the purpose of the data processing; the lawful basis for the processing; further information where the lawful basis is legitimate interests for the processing; the categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
Visitors to our website and to affiliated and hosted websites: The relevant section of our privacy notice will depend on the purpose of your visit to our website.
The legal conditions we rely on to process personal information
The law on data protection sets out the reasons we may collect and process your personal data. We rely on the following legal conditions to process your personal data:
Contract: where it is necessary for the performance of an agreement, contract or licence to which you are a party or for processes related to entering into an agreement, contract or licence;
Legitimate interests: in specific situations, we require your data to undertake our legitimate business interests of running our business as a membership organisation, and professional body, and which does not materially impact your rights, freedom or interests.
Legal compliance: if the law requires us to, we may need to collect and process your data.
Consent: in specific situations, we can collect and process your data with your permission.
There are specific notices for:
- Contributors to NERC / UKCEH science research in the public interest
- Contributors to NERC / UKCEH science research: funded through competitively won income
- Users of our Products, Services, Websites and General enquiries
- Job applicants
4. The details of transfers of personal data to any third countries or international organisations
Unless otherwise indicated, your information is processed in the UK and European Economic Area (EEA).
In those instances where your information is being processed outside of the UK or EEA, we work with our partners to ensure your personal data is processed in line with the data protection requirements of GDPR and the DPA 2018. The UKCEH website is hosted by Pantheon in the USA and covered by the EU - US Privacy Shield.
5. The retention periods for personal data
Personal data retention is guided by the UKCEH retention schedule. Science Research project records may be kept for 10 and 20 years after the project is completed or in exceptional circumstances will be retained permanently.
6. The rights available to individuals in respect of the processing
The GDPR / DPA 2018 provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision-making and profiling
For further details on individual rights, please visit the ICO guide to GDPR.
The lawful basis for UKCEH processing personal data can affect which rights are available to individuals. For example some rights will not apply.
An individual always has the right to object to processing for the purposes of direct marketing, whatever lawful basis applies. The remaining rights are not always absolute, and there are other rights which may be affected in other ways. If UKCEH is relying on legitimate interests more detail will be provided in the privacy notice to comply with the right to be informed. Further details on how the lawful basis for processing your data affect the rights available to you are outlined below:
If we are processing your data on the basis of contract, your right to object and your right not to be subject to a decision based solely on automated processing will not apply. However, you will have a right to data portability.
If your data is being processed on the basis of legal obligation, you have no right to erasure, right to data portability, or right to object.
Your rights to erasure and data portability do not apply if your data is processed on the basis of public task. However, you do have a right to object.
Where UKCEH is relying on legitimate interests, the right to data portability does not apply.
7. The right to withdraw consent (if applicable)
Where your personal data is processed using consent as the lawful basis, you have the right to withdraw consent at any time. You will be informed about the ways you can withdraw your consent.
8. The right to lodge a complaint with a supervisory authority
Initially please raise your concern with UKCEH: please contact the team who process your data. Any continuing concerns you may have can be raised with the UKCEH Data Protection Officer: Quentin Tucker
If UKCEH has not resolved your information rights concern you can raise the matter with the Information Commissioner’s Office via live chat or by phoning 0303 123 1113.
9. Provision of privacy information
There are a variety of ways in which UKCEH provides privacy information, including:
Providing individuals with privacy information at the time we collect their personal data from them.
If we obtain personal data from a source other than the individual it relates to, we provide them with privacy information:
- within a reasonable of period of obtaining the personal data and no later than one month;
- if we plan to communicate with the individual, we will do this at the latest when the first communication takes place;
- if we plan to disclose the data to someone else, we will do this at the latest, when the data is disclosed.
10. How UKCEH provides privacy information
We aim to provide the information in a way that is:
- Easily accessible
- Uses clear and plain language
11. Changes to the information
We regularly review and, where necessary, update our privacy information. If we plan to use personal data for a new purpose, we update our privacy information and communicate the changes to individuals before starting any new processing.
12. Register of processing activities
UKCEH undertake an information audit to find out what personal data we hold and what we do with it.
UKCEH put ourselves in the position of the people we’re collecting information about.
UKCEH will carry out user testing to evaluate how effective our privacy information is.
13. Delivering privacy information
When providing our privacy information to individuals, we use a combination of appropriate techniques.
14. Affiliated and hosted websites
Where this privacy notice applies to hosted / affiliated websites, the site will provide a link to this privacy notice, along with any additional privacy information that is applicable.
15. Users of our website and affiliated websites
We use different methods to collect data from and about you on our UKCEH-hosted websites. Your information is used to deliver services you have requested and to contact you, including but not restricted to, software downloads, data licensing requests, publication orders, registration on training courses, subscription to our newsletter and general enquiries, as well as to improve the website experience for our users.
Automated technologies or interactions
When you use our websites (including but not restricted to, the UKCEH website and our affiliated websites) we may collect the following information about you:
- the IP address used to connect your computer to the Internet
- your time zone setting
- your Internet provider
- your name, address, email address, telephone number, organisation, where you have specifically provided this information on a web submission form.
We may also collect the following information about your visit:
- the full Uniform Resource Locators etc.
- the pages you viewed, including our products and software pages;
- page response times;
- length of visits to certain pages;
- page interaction information (such as clicks, downloads, web form submissions)
We will use this information to provide the best possible service to our web users. It allows us to administer our site, including our efforts to keep it safe and secure, and to carry out internal operations including troubleshooting, data analysis, testing, and statistical research. This means we can improve our websites to ensure that content is presented in the most effective manner for you.
17. Third party services
Some parts of UKCEH may use third party services including Twitter, Facebook, Microsoft O365, Outlook as a method to allow you to share content. UKCEH uses Mailchimp for distributing some of its newsletters. See more details of our third party usage. The ERAMMP project does not use MailChimp and has a separate newsletter privacy notice accessible here.
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites and any services that may be accessible through them have their own privacy notices and that we do not accept any responsibility or liability for these policies or for any personal data that may be collected through these websites or services. Please check these policies before you submit any personal data to these websites or use these services.