Privacy policy

Purpose of UKRIO’s Privacy Policy:

Your privacy is important to us. This policy sets out how and why UK Research Integrity Office (UKRIO) uses personal information, what information we collect and how we use it, how we go about protecting privacy, and how we ensure that individuals are aware of their rights and choices regarding this information. We will be clear about what data we collect, hold and what is done with it. UKRIO aims to protect the users of UKRIO’s services, particularly those using our Advisory Service and to protect UKRIO’s staff, volunteers, other individuals and subscribers.

A PDF version of this policy is available at: https://ukrio.org/wp-content/uploads/UKRIO-Privacy-Policy.pdf

Data protection principles

UKRIO needs to keep certain information about employees, volunteers, service users and suppliers to allow it to carry out the activities for which it was established. It also uses this information to monitor performance, achievements and for health and safety purposes. It is also necessary to process information so that staff can be recruited and paid, services supplied, events organised and legal obligations complied with.

To comply with the law, information must be used fairly, stored safely and not disclosed to any other person unlawfully. To do this, UKRIO must comply with the Data Protection Principles and user privacy which are set out in the Data Protection Act 2018 and from the 1^st January 2021, the General Data Protection Regulation (UK General Data Protection Regulation (UK GDPR).

UKRIO and all staff, volunteers or other associates who process or use any personal information must ensure that they follow these principles at all times.

Policy statement

UKRIO will:  

• Comply with both the law and good practice.
• Respect individuals’ rights.
• Be open and honest with individuals whose data is held.
• Provide training and support for staff and volunteers who handle personal data, so that they can act confidently and consistently.

In addition to being open and transparent, UKRIO will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used. This policy is effective from 25^th May 2018 and is subject to regular review (see above).

Who we are

In this Privacy Policy, “UK Research Integrity Office”, “UKRIO”, “we”, or “our” means UK Research Integrity Office, charitable company limited by guarantee and registered in England and Wales (registered charity number 1147061 and company number 07444269). UKRIO’s registered office is Impact Hub London Euston, 1 Triton Square NW1 3DX.

UKRIO is also registered as a data controller with the Information Commissioner’s Office (ICO) under The Data Protection Act 2018 (under registration number Z3554391).

UKRIO is a registered charity that provides independent impartial support on research integrity to the UK research community and the Public. We promote and support good research practice and related topics such as research culture, research ethics, research governance, integrity in research design and collaborative research, and good practice in publication and authorship. We provide advice to help direct individuals, organisations and the public to regulatory bodies when issues fall within their jurisdiction – and fill gaps where no overall regulation might apply. Click here to learn more about UKRIO’s role and remit.

How we collect information about individuals

We collect data from individuals from the following sources:

Directly from individuals

We may collect individual’s data when someone contacts us directly.  This may be when:

• they request information about us;
• they attend UKRIO events such as training workshops, webinars, consultations, or conferences;
• an individual becomes a UKRIO volunteer, is a member of staff, or is staff, a student or other individual associated with a subscribing institution; and/or,
• an individual contacts UKRIO for confidential advice.

Use of Cookies:

UKRIO uses cookies on its web pages. Further information can be found in Appendix 1 below.

Information provided to us indirectly

Information may be shared with us by a third party. An example of this maybe through a subscribing institution, or through an enquiry.

Information provided to us by other sources

Depending on the user settings or the privacy policies for social media such as LinkedIn and Bluesky, individuals may have given us permission to access personal information from those services.

What personal information may we collect

We collect, store and use the following kinds of personal information:

• names;
• contact details (including postal address, telephone number, e-mail address and/or social media identity);
• date of birth;
• gender;
• bank or credit card details that were provided to make a payment or make expenses claims;
• if an individual applies to be a volunteer or to work for UKRIO, where necessary personal information will be used to process these applications and assess suitability (which may include for example employment status, and previous experience);
• information about activities on our website and about the devices used to access these, for instance IP addresses and geographical location;
• information about training events, topics and activities which we consider to be of interest to individuals;
• audio and visual data collected through recordings of webinars or virtual events;
• any other personal information that is provided to us.

How we use personal information

UKRIO will use personal information to:

• provide information and services within the remit of UKRIO;
• keep a record of relationships between UKRIO and individuals;
• respond to the advisory service, to address complaints and queries made to UKRIO;
• understand how we can improve the remit of UKRIO by conducting surveys and analysis research;
• manage UKRIO training events, workshops and annual conference;
• further our charitable objectives;
• maintain and update records;
• register, administer and personalise subscriber online accounts;
• send correspondence and communications;
• administer our websites and to troubleshoot, perform data analysis, research, generate statistics and surveys related to our technical systems;
• test our technical systems to make sure they are working as expected;
• display UKRIO’s website in a way appropriate to an individual’s device;
• generate reports on the work of UKRIO, its work and events;
• safeguard our staff and volunteers;
• monitor UKRIO’s website use to identify visitor location, guard against disruptive use, monitor website traffic and/or personalise information which is presented to an individual;
• process an application for a job or volunteering position at UKRIO;
• conduct training and quality control;
• audit and administer our accounts; and/or
• meet our legal obligations, for instance to perform contracts between individuals and UKRIO, or our obligations to regulators, government and/or law enforcement bodies.

Data processing and Artificial Intelligence (AI)

Any personal data we collect is handled exclusively through the data processing practices described in this policy.

Sensitive personal information is never inputted into AI or used to train AI systems. We may use artificial intelligence tools to assist with internal content editing and formatting tasks, such as improving the clarity, structure, or presentation of text. These tools are used for editorial purposes and are not used to make decisions or generate ideas based on your personal information.

Our employees follow an internal AI Code of Conduct which ensures consistence with our approach to AI. All staff employees familiarise themselves with the ICO guidance on AI and data protection

Sensitive personal data, or business data must not to be entered into AI tools or systems

• We adopt ICO’s definition of personal data What is personal data? | ICO
• We define business data such as financial data, trade secrets, or commercially sensitive information

UKRIO Advisory Service  

UKRIO’s Advisory Service provides independent, expert and confidential advice on the conduct of research, from promoting good practice to addressing poor practice and misconduct. It covers all subject areas and any issues relating to research practice. Our Advisory Service is open to all, including members of the public, research participants, patients, individual researchers, research students and research organisations. UKRIO welcomes enquiries on general or hypothetical topics, as well as those on specific research projects, issues and cases.

The full Terms of use for accessing our Advisory Service can be found here: Get advice from UKRIO – UK Research Integrity Office.

Personal information that is given to us when ‘an individual’ contacts our advisory service may be part of a data set that UKRIO may publish using anonymised, aggregate data to illustrate the work of the Advisory Service. However, such information would not identify any individuals or organisations.

Similarly, UKRIO may publish or otherwise circulate case studies for use as training or educational material. Case studies will always be anonymised and published with the permission of the service user(s) who brought the matter to our attention.

In addition, UKRIO may create fictional scenarios for educational and training purposes. These illustrative ‘case study’ scenarios draw upon UKRIO’s experiences in assisting with issues of research integrity but are not based on any particular real-life situation. No individuals or organisations are named in these scenarios.

How we use personal information to tell individuals about UKRIO

When individuals have asked to be sent information about UKRIO (inclusive of a UKRIO events, information on our work programme or for recruiting volunteers), we will contact the individual via email or verbally with the relevant information. Occasionally, we may include information for other organisations who support us in this communication in alignment with UKRIO’s remit. We operate an ‘opt-in only’ communication policy, for example our newsletters will only be sent out to subscribers and individuals who have requested the newsletter.

Lawful basis for processing

Data protection laws mean that UKRIO must have a valid lawful basis to process personal data. The relevant legal bases are set out in current UK data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. At least one of the following must apply whenever UKRIO processes personal data:

1.      Consent

Consent will normally not be sought for most processing of information about staff and volunteers, with the following exceptions:

• Staff details will only be disclosed for purposes unrelated to their work for UKRIO (e.g. financial references) with their consent.
• Volunteers and staff working from home will not normally have any means of contact made public. All contact will be routed through the UKRIO office. Consent will be sought for any exceptions, which would be on a case-by-case basis, and generally only to a specific service user.
• Information about volunteers will be made public according to their role, and consent will be sought for any publication of information which is not essential for their role. In general, UKRIO publishes short biographies and a picture of its Trustees and volunteers on the UKRIO website. As a matter of transparency, UKRIO also publishes Trustees’ declaration of competing interests, with their consent. UKRIO also generally publishes names and pictures of its volunteer expert community on its website.

The consent of service users is sought in a variety of ways. For example, via emails acknowledging requests for assistance, the Terms for accessing UKRIO’s Advisory service, listed on the enquiry submission form page on UKRIO’s website, and the terms and conditions for accessing UKRIO’s events and training.

• Seeking advice from UKRIO: when a person seeks advice from UKRIO, they choose what information they send to us when they contact us. Our Terms for Seeking Advice from UKRIO can be found here: Get advice from UKRIO. Further information on how UKRIO addresses requests for assistance, including our role and remit, can be found in our UKRIO protocol for responding to requests for assistance.
• Events: when a person books a place at a UKRIO event, we ask them for their name and contact details. We use these to contact them in relation to the event, for invoicing them if relevant, and for pursuing any late payments. Their name, title and organisation may be included in the delegate list which will be provided to all delegates at the event, and which may be made available to them electronically in advance. The delegate list is also available to speakers and any exhibitors at the event. After the event (and when their payment has been received), their data is archived and can only be accessed by staff of UKRIO. When a person participates in one of our online webinars, consultations, or other virtual events, we may also collect video and audio recordings, and chat and QA logs.
• Training: When a subscribing organisation opts-in to access UKRIO’s training courses, they must accept the Terms & Conditions listed on our website, which include our overall terms of use, including examples of both permitted and prohibited uses of the training courses. In addition, they are advised that UKRIO will only hold data for the purposes of this policy and receive a link to this policy.

Consent may be given verbally. Records of enquiries made to UKRIO’s Advisory Service will note whether the role and remit of UKRIO etc. were explained to the enquirer.

2.     Legal Obligation

UKRIO may use personal information to comply with its legal or regulatory responsibilities. For example, it may be necessary to share personal information with the Charity Commission, the Information Commissioner, or government bodies such as law enforcement or HMRC.

3.     Vital Interest

Under specific circumstances of vital interest UKRIO may process personal information. The below gives an example of vital interest which may result in harm to an individual or research subject:

When an enquiry is received by UKRIO, it is assessed to determine whether:

• It concerns a situation that may require immediate action to prevent further risk or harm to research participants, patients or other persons, improper treatment of animal subjects of research, improper use or storage of human tissue, materials or personal data, or negative environmental consequences (a ‘Situation’).
• It may involve criminal activity.

If the enquiry fulfils any of the above criteria, the Data Protection Officer will report to the Chief Executive Officer, liaising with the Chair of Trustees to take appropriate action to address the issue(s) in question, informing the enquirer and record the immediate actions taken and the reasons for their decision(s) in writing.

• If an enquiry involved criminal activity or a Situation, we would first strongly encourage the enquirer to report the matter to appropriate organisation(s), which we would identify for them.
• If this did not take place in a timely manner, UKRIO, despite its role as a confidential advisory body, reserves the right in such circumstances to make disclosures, in confidence if necessary, to relevant external bodies. Such a decision would be taken by the Chief Executive Officer and the Chair of Trustees, consulting with UKRIO’s Board of Trustees, staff or volunteers with relevant expertise, and/or legal counsel, as appropriate. In some cases, UKRIO may be legally required to make such disclosures. We also reserve the right to disclose details of our advice and correspondence if that advice is later misrepresented by an enquirer.

If it would be beneficial for a third party to work alongside UKRIO to resolve an enquiry, or would be a more appropriate source of support, then UKRIO would approach that body only with the explicit permission from the person(s) making the enquiry. The exception to this, again, would be if there was clear evidence of criminal activity or a ‘Situation’, as described above.

4. Legitimate Interests 

UKRIO may use personal information if it is reasonably necessary to do so and in UKRIO/the individual’s “legitimate interests”. UKRIO ensures the information is used fairly and does not impact on the individual’s rights. For example, the use of personal information to administer, review and keep an internal record of the people we work with, including volunteers and institutional contacts.

How we keep data safe

Scope

This section of the policy only addresses security issues relating to personal data and other confidential data. UKRIO is based in a co-working office space, where access is secure and is monitored.

The premises are fitted with an alarm system. The building in which UKRIO’s office is based, the Impact Hub London Euston, follows standard security practices for office buildings (i.e. lockable, has an alarm system, etc.). A reception desk is staffed during office hours and access to the office areas of the building is via key card only.

• Paper records While paper records are rarely used, UKRIO uses a secure locker at the Impact Hub London Euston for proper storage.
• Electronic records and data are stored within Microsoft’s data centres and retained within their retention policies. UKRIO uses Microsoft SharePoint to securely access folders and files. The risk of loss of irrecoverable data is regarded as low-to-medium. Whether accessed via a desktop or mobile device, our security protocols remain mandatory. For the avoidance of doubt, access to electronic records on personal devices is permitted only though the encrypted Microsoft portal. Employees must not store sensitive records on the local storage of a personal device.
• Accessing systems where personal data is stored, is only allowed (wherever technically possible) through two-factor authentication (2FA), as an additional layer of security to protect personal information. Similarly, wherever technically possible, we also enforce automatic session and device logouts.
• UKRIO-owned devices, such as desktop computers, laptop computers and portable memory devices are also encrypted and require a password to decrypt the contents. UKRIO use Bitlocker for this, it is password protected encryption: (https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/)
• UKRIO-owned computers are further password-protected, with each user given a unique password. Users are given ‘administrator’ rights only when required by their duties.
• Files which contain information deemed to be particularly sensitive are password-protected. Files relating to UKRIO’s Advisory Service are anonymised wherever possible (see above).
• Security system testing is done by the anti-virus (AV) and Endpoint Detection and Response (EDR) software Datto, which are integrated solutions designed to enhance cybersecurity. More information on these services is listed here.
• Human resources, payroll and accounts payable information: these functions are carried out on behalf of UKRIO by a third-party accountancy and payroll provider, Sussex Innovation Centre (SINC, sinc.co.uk ).
• Payment processing is handled by Stripe ; data is retained in accordance with their Privacy Policy: Privacy Policy (stripe.com).

How long do we keep information for

UKRIO follows the guidance on retention of records given in the JISC online Records retention management guidance and retention schedules, available from: https://www.jisc.ac.uk/guides/records-retention-management.

Retention schedule

The retention schedule for records relating to UKRIO’s services, including subscriptions, Advisory Services, events and training, is given below:

* Note that retention for a longer period may be appropriate:

• If the enquiry/ request for assistance concerned a situation that may have required immediate action to prevent further risk or harm to research participants, patients or other persons, improper treatment of animal subjects of research, improper use or storage of human tissue, materials or personal data, or negative environmental consequences. For further information, see the UKRIO Protocol for responding to requests for assistance, available from: Protocol for responding to requests for assistance
• If the enquiry/ request for assistance involved, or was reported to (by any party), a statutory regulator, the Police or other body with a legal responsibility to address the matter in question.
• If the enquiry/ request for assistance was used as the basis of a case study for educational and training purposes. Case studies will always be anonymised and published with the permission of the service user(s) who brought the matter to our attention (this does not include fictional scenarios, as above).
• If the enquiry/ request for assistance, or the handling of the enquiry/ request for assistance, could be a basis for legal action against UKRIO.

Sharing information with other organisations

UKRIO will never sell or rent personal information to third parties. However, we may need to disclose information to third parties in connection with purposes set out in this policy, such as with organisations that fund, subscribe to or otherwise support UKRIO as well suppliers and sub-contractors who may process information on our behalf and IT/web based related support and services.

Where we are under a legal or regulatory duty to do so, we may disclose information to the police, regulatory bodies or legal advisors, and/or, where we consider it necessary to protect the rights, property or safety of UKRIO, its personnel, visitors, volunteers, advisory board, users or others.

UKRIO may use suppliers who operate partially or fully outside the European Economic Area (EEA) – potentially within a country that may have different data protection laws. In such examples, UKRIO will take steps to ensure all suppliers provide an adequate level of data protection, in accordance with the UK law and regulations.

Sharing contact lists

UKRIO has the policy of sharing contact lists (or carrying out joint or reciprocal mailings) only on an occasional and tightly controlled basis, with the appropriate consent from individuals. Details will only be used for any of these purposes where the Data Subject has been informed of this possibility, along with an option to opt in.

UKRIO undertakes to obtain external lists only where it can be guaranteed that the list is up to date and those on the list have been given an opportunity to opt in.

Electronic contact

UKRIO does not currently conduct marketing via telephone, and it is considered unlikely that it will do so in future. However, in this event, it will only do so where consent has been given in advance, or the number being called has been checked against the Telephone Preference Service.

Whenever email addresses are collected, any future use for marketing will be identified, and the provision of the address made optional (opt-in).

Keeping individual’s data up to date

Accuracy

UKRIO regularly reviews its procedures for ensuring that its records remain accurate and consistent and, in particular:

• ICT systems are be designed, where possible, to encourage and facilitate the entry of accurate data.
• Data on any individual is held in as few places as necessary, and all staff and volunteers are discouraged from establishing unnecessary additional data sets.
• Effective procedures are in place so that all relevant systems are updated when information about any individual changes.

Staff or volunteers who keep more detailed information about individuals will be given additional guidance on accuracy in record keeping.

Updating and rectification

Under Article 16 of the UK GDPR, individuals have the right to have inaccurate personal data rectified without undue delay, or have incomplete personal data completed. If personal data about an individual is inaccurate the individual may request a rectification, either verbally or in writing, UKRIO will facilitate this request within one month of receipt. All requests can be made to the Data Protection Officer. To recognise a verbal request, UKRIO will contact the requester in writing to ensure a log is kept and the data is rectified.

UKRIO appreciates if subscribers, volunteers and suppliers keep us up to date of any changes in contact details. UKRIO uses MailChimp ® (https://mailchimp.com/ as our marketing automation platform, SurveyMonkey ® (www.surveymonkey.com) for collecting feedback and insights, and Zoom (https://www.zoom.com/en/) to conduct online webinars, conferences, or consultations. UKRIO also uses Maximiser to store personal details for contact purposes. UKRIO will regularly inform contacts via email, SurveyMonkey) or Zoom, of any changes relating to policies and terms. The Privacy Notices or Statements for each respective provider can be accessed via their individual websites.

Individual Rights

UKRIO respects the rights of individuals in relation to their personal information as provided in the UK GDPR. If you want to exercise any of the below rights, please contact the Data Protection Officer (DPO) Sarah Grimm, Operations Manager , you can do so using the UKRIO contact form, via email to info@ukrio.org or by writing to:

Data Protection Officer
UK Research Integrity Office
Impact Hub London Euston
1 Triton Square
NW1 3DX

The DPO may ask for further information and/or evidence of identity. UKRIO will endeavour to respond fully to all requests within one month of receipt of your request, however if we are unable to do so we will contact you with reasons for the delay.

Please note that exceptions apply to a number of these rights, and not all rights will be applicable in all circumstances. For more details we recommend you consult the guidance published by the UK’s Information Commissioner’s Office (ICO).

Where an ‘individual’ requests their rights to any points in the list below, they must contact UKRIO either verbally or in writing. UKRIO will facilitate this request within one month of receipt. All requests can be made to the Data Protection Officer. To recognise a verbal request, UKRIO will contact the requester in writing to ensure a log is kept of the ‘right to be forgotten’.

1. The right of access 

Individuals have the right to request a copy of the personal data that UKRIO holds about them. This is called a ‘subject access request’. We will provide these unless legal exceptions apply.

Subject access requests must be in writing (email is acceptable).

All staff and volunteers are required to pass on anything which might be a subject access request to the Data Protection Officer without delay.

Where the individual making a ‘subject access’ request is not personally known to the Data Protection Officer their identity will be verified before providing any information.

In line with legislation and regulatory guidance, UKRIO will respond to a subject access request free of charge, in the vast majority of cases. We reserve the right to charge a reasonable fee to cover administrative costs where a request is considered manifestly unfounded or excessive, or in rare cases, we may refuse to act on the request. Where a fee applies, will inform notify you in writing of the amount and the reasons before proceeding.

In such cases, any fee charged will reflect the actual cost of handling the request (e.g. printing costs or operational resource), and will not exceed what is reasonable in the circumstances).

The required information will be provided in permanent form unless the applicant makes a specific request to be given supervised access in person.

2. The right to rectification 

Individuals have the right to have inaccurate or incomplete information we hold about them corrected. Please contact us if you feel we hold inaccurate or incomplete data about you and where applicable, UKRIO will correct any errors.

3. The right to erasure 

An individual may ask us to delete some or all of the personal information we have on record, where it is no longer necessary for UKRIO to use it, where the individual has withdrawn consent, or where we have no lawful basis to keep it.

When personal data or confidential data is no longer required, or has passed its retention date, paper records must be shredded. If there is a significant amount of material which cannot be dealt with by normal shredding machines, this should be disposed of securely, using a reputable disposal contractor.

Computerised records must be permanently deleted, with particular care taken that ‘hidden’ data cannot be recovered. UKRIO’s nominated IT contractor can assist with the permanent deletion of computerised records.

4. The right to restrict processing 

Individuals have the right to request that UKRIO restrict the processing of their personal data in the following events: if some of the data we hold is wrong; UKRIO is not legally allowed to use it; when and individual needs us to retain the data in order for them to use it in a legal capacity; or they believe their privacy rights conflict with our legitimate interests in the information for a specific task and they have made an objection to this.

5. The right to data portability 

An individual has the right to ask UKRIO to provide them or another service provider with some of the personal information that we hold about them to be presented in a readily available electronic form, to ensure that it can be transferred easily.

6. The right to object 

Article 21 of the UK GDPR gives individuals the right to object to UKRIO from processing their personal data. This effectively allows individuals to ask UKRIO to stop processing their personal data, even when we are processing personal information based on our legitimate interests, scientific/historical research or for statistics.

7. Rights related to automated decision-making including profiling 

UKRIO does not use automated individual decision-making (making a decision solely by automated means without any human involvement); nor profiling (automated processing of personal data to evaluate certain things about an individual).

How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us by contacting the Data Protection Officer at UKRIO.

You may contact the Data Protection Officer using the UKRIO contact form, via email to info@ukrio.org or by writing to:

Data Protection Officer

UK Research Integrity Office
Impact Hub London Euston
1 Triton Square
NW1 3DX

You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO’s address:

Information Commissioner’s Office

Wycliffe House
Water Lan
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

ICO website: www.ico.org.uk

Changes to this Policy

UKRIO may need change this Privacy Policy in the future, especially in response to changes in applicable data protection and privacy legislation. If significant changes are made, we will make it clear on the UKRIO website or by contacting individuals directly.

Contact Us

Please contact us if you have any queries, suggestions or comments regarding this policy, either using the UKRIO contact form, via email to info@ukrio.org or by writing to us at:

UK Research Integrity Office
Impact Hub London Euston
1 Triton Square
NW1 3DX

Appendix 1: Use of Cookies

Cookies

When an individual uses our website, it may use “cookies” – small text files – that are placed on the user’s device. These cookies are used to store information to help the site provide a better user experience and provide us with anonymised tracking and browser data to help us identify and improve how people use our website. For example, they may store information about whether you have visited our website before. We do not obtain any personally identifiable information from cookies. However, you may prefer to disable cookies on our website and on others. The most effective way to do this is to disable cookies in your browser.

We suggest consulting the Help section of your browser or visiting www.aboutcookies.org, which offers guidance for all modern browsers or YourOnlineChoices.

Cookies may be either, persistent or session cookies. A persistent cookie will remain valid until a set expiry date specified in the cookie itself, is reached. A session cookie, on the other hand, will expire once the web browser is closed.

Third party cookies set by UKRIO

UKRIO uses a number of third-party suppliers who set cookies on our website to allow them to provide us with services. We have outlined the third parties in the table below as appropriate.

This page was last updated on 28/04/2026.