The purpose of this policy is to describe how and why UK Research Integrity Office (UKRIO) uses personal information and how we go about protecting privacy, and to ensure that individuals are aware of their rights and choices regarding this information. We will be clear about what data we collect and hold, and what is done with it. UKRIO aims to protect the users of UKRIO’s services, in particular those using our Advisory Service, and to protect UKRIO’s staff, volunteers, other individuals and subscribers.
A PDF version of this policy is available at http://ukrio.org/wp-content/uploads/UKRIO-Privacy-Policy-May-2018.pdf
Data protection principles
UKRIO needs to keep certain information about employees, volunteers, service users and suppliers to allow it to monitor performance, achievements, and health and safety, for example. It is also necessary to process information so that staff can be recruited and paid, services supplied, events organised and legal obligations complied with. To comply with the law, information must be used fairly, stored safely and not disclosed to any other person unlawfully. To do this, UKRIO must comply with the Data Protection Principles and user privacy which are set out in the Data Protection Act 1998 (the 1998 DPA Act) and, from 25th May 2018, the EU General Data Protection Regulation 2016 (GDPR) (EU 2016/679).
UKRIO and all staff, volunteers or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, UKRIO has developed this policy.
- Comply with both the law and good practice.
- Respect individuals’ rights.
- Be open and honest with individuals whose data is held.
- Provide training and support for staff and volunteers who handle personal data, so that they can act confidently and consistently.
In addition to being open and transparent, UKRIO will seek to give individuals as much choice as is possible and reasonable over what data is held and how it is used.
This policy is effective from 25th May 2018.
Who we are
UKRIO is an independent charity, offering support to the public, researchers and organisations to further good practice in academic, scientific and medical research. We promote integrity and high ethical standards in research, as well as robust and fair methods to address poor practice and misconduct. We pursue these aims through our publications on research practice, in-depth support and services for research employers, our education and training activities, and by providing expert guidance in response to requests for assistance from individuals and organisations. Please visit our ‘About Us’ page to learn more about what we do.
UKRIO is registered as a data controller with the Information Commissioner’s Office (ICO) under the Data Protection Act 1998 – registration number Z3554391.
How we collect information about individuals
We collect individuals’ data from the following sources:
Directly from individuals
We may collect an individual’s data when someone contacts us directly. This may be when:
- they request information about us;
- they attend UKRIO events such as training workshops or our annual conference;
- an individual becomes a UKRIO volunteer, is a member of staff, or is staff, student or other individual associated with a subscribing institution; and/or,
- an individual contacts UKRIO for confidential advice.
When an individual uses our website, we collect personal information using “cookies”: small text files that are placed on your machine to help the site provide a better user experience. In general, cookies are used to retain user preferences, store information for things like shopping carts, and provide anonymised tracking data to third party applications like Google Analytics. However, you may prefer to disable cookies on this site and on others. The most effective way to do this is to disable cookies in your browser. We suggest consulting the Help section of your browser or taking a look at www.aboutcookies.org, which offers guidance for all modern browsers, or http://www.youronlinechoices.eu/. Common website practice also allows us to receive information about the type of device you are using to access UKRIO’s website, as well as information about the operating system, device settings and why a crash happened.
Cookies may be either persistent or session cookies. A persistent cookie will remain valid until a set expiry date, specified in the cookie itself, is reached. A session cookie, on the other hand, will expire once the web browser is closed.
Third party cookies set by UKRIO
|ShareThis||This cookie allows you to use the ‘Share’ buttons on each page across various social networks such as Twitter. The cookie monitors web pages viewed, navigation and time spent on each page. The ShareThis service only personally identifies you if you have separately signed up with ShareThis and given them your consent.|
|Google Analytics 360||These cookies are used to collect information about how visitors use the UKRIO website. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come from to the site and the pages they visited.|
|Wordfence||Wordfence WordPress Security plugin is used on the UKRIO website: 1. The plugin after it verifies the website visitor isn’t a Bot. 2. The cookie generated to confirm the user from Wordfence, Wordfence tracks a user’s duration so that the page views can be grouped together.|
UKRIO uses a number of third party suppliers who set cookies on our website to allow them to provide us with services. More information about these suppliers and their privacy policies is listed below:
Information provided to us indirectly
Information may be shared with us by a third party. An example of this may be through a subscribing institution, or through an enquiry.
Information provided to us by other sources
Depending on your settings or the privacy policies for social media such as LinkedIn and Twitter, you may have given us permission to access personal information from those services.
What personal information may we collect
We collect, store and use the following kinds of personal information:
- contact details (including postal address, telephone number, e-mail address and/or social media identity);
- date of birth;
- bank or credit card details that were provided to make a payment or make expenses claims;
- if an individual applies to be a volunteer or to work for UKRIO, where necessary personal information will be used to process these applications and assess suitability (which may include for example employment status, and previous experience);
- information about activities on our website and about the devices used to access these, for instance IP addresses and geographical location;
- information about training events, topics and activities which we consider to be of interest to individuals;
- any other personal information that is provided to us.
How we use personal information
UKRIO will use personal information to:
- provide information and services within the remit of UKRIO;
- keep a record of relationships between UKRIO and individuals;
- be able to respond to the advisory service, to address complaints and queries made to UKRIO;
- understand how we can improve the remit of UKRIO by conducting surveys and analysis research;
- manage UKRIO training events, workshops and annual conference;
- further our charitable objectives;
- maintain and update records;
- register, administer and personalise subscriber online accounts;
- send correspondence and communications;
- administer our websites and to troubleshoot, perform data analysis, research, generate statistics and surveys related to our technical systems;
- test our technical systems to make sure they are working as expected;
- display UKRIO’s website in a way appropriate to an individual’s device;
- generate reports on the work of UKRIO, its work and events;
- safeguard our staff and volunteers;
- monitor UKRIO’s website use to identify visitor location, guard against disruptive use, monitor website traffic and/or personalise information which is presented to an individual;
- process an application for a job or volunteering position at UKRIO;
- conduct training and quality control;
- audit and administer our accounts; and/or
- meet our legal obligations, for instance to perform contracts between individuals and UKRIO, or our obligations to regulators, government and/or law enforcement bodies.
UKRIO Advisory Service
UKRIO provides independent, expert and confidential advice on the conduct of academic, scientific and medical research, from promoting good practice to addressing poor practice and misconduct. We cover all subject areas and any issues relating to research practice. Our Advisory Service is open to all, including members of the public, research participants, patients, individual researchers, research students and research organisations. UKRIO welcomes enquiries on general or hypothetical topics, as well as those on specific research projects, issues and cases. Personal information that is given to us when an individual contacts our Advisory Service may be part of a data set from which UKRIO may publish anonymised, aggregate data to illustrate the work of the Advisory Service. However, such information would not identify any individuals or organisations.
Similarly, UKRIO may publish or otherwise circulate case studies for use as training or educational material. Case studies will always be anonymised and published with the permission of the service user(s) who brought the matter to our attention.
In addition, UKRIO may create fictional scenarios for educational and training purposes. These illustrative ‘case study’ scenarios draw upon UKRIO’s experiences in assisting with issues of research integrity but are not based on any particular real-life situation. No individuals or organisations are named in these scenarios.
For additional information on the confidentiality provisions which apply to UKRIO’s Advisory Service and related aspects of our work, including what we expect of our staff and volunteers, please see our Confidentiality Policy at http://ukrio.org/wp-content/uploads/UKRIO-Confidentiality-policy-May-2018.pdf.
How we use personal information to tell individuals about UKRIO
When individuals have asked to be sent information about UKRIO (including UKRIO events, information on our work programme or the recruitment of volunteers), we will contact the individual via email or verbally with the relevant information. Occasionally, we may include information for other organisations who support us in these communications, in alignment with UKRIO’s remit. We operate an ‘opt-in only’ communication policy. An example of this is our newsletters, which will be sent out to subscribers and individuals who have requested the newsletter.
Lawful basis for processing
Data protection laws mean that UKRIO must have a valid lawful basis in order to process personal data. The relevant legal bases are set out in the General Data Protection Regulation (EU Regulation 2016/679) and in current UK data protection legislation. At least one of the following must apply whenever UKRIO processes personal data:
- Consent
Consent will normally not be sought for most processing of information about staff and volunteers, with the following exceptions:
- Staff details will only be disclosed for purposes unrelated to their work for UKRIO (e.g. financial references) with their consent.
- Volunteers and staff working from home will not normally have any means of contact made public. All contact will be routed through the UKRIO office. Consent will be sought for any exceptions, which would be on a case-by-case basis, and generally only to a specific service user.
- Information about volunteers will be made public according to their role, and consent will be sought for any publication of information which is not essential for their role. In general, UKRIO publishes short biographies and a picture of its Trustees and the Members of its Advisory Board on the UKRIO website ukrio.org. Other information on volunteers is not normally made public.
The consent of service users is sought in a variety of ways. For example, via emails acknowledging requests for assistance, the enquiry submission form on UKRIO’s website (http://www.ukrio.org/get-advice-from-ukrio/), and the terms and conditions for booking a place on a UKRIO event.
- Seeking advice from UKRIO: when a person seeks advice from UKRIO, they choose what information they send to us when they contact us. Our Guidelines for Seeking Advice from UKRIO can be found here: Get advice from UKRIO. Further information on how UKRIO addresses requests for assistance, including our role and remit, can be found in our UKRIO Protocol for Responding to Requests for Assistance.
- Events: when a person books a place at a UKRIO event, we ask them for their name and contact details. We use these to contact them in relation to the event, on their invoice and in pursuing any late payments. Their name, title and organisation will be included in the delegate list which will be provided to all delegates at the event, and which may be made available to them electronically in advance. The delegate list is also available to speakers and any exhibitors at the event. After the event (and when their payment has been received), their data is archived and can only be accessed by staff of UKRIO.
Consent may be given verbally. Records of enquiries made to UKRIO’s Advisory Service will note whether the role and remit of UKRIO etc. were explained to the enquirer.
- Legal Obligation
UKRIO may use personal information to comply with its legal or regulatory responsibilities. For example, it may be necessary to share personal information with the Charity Commission or the Information Commissioner.
- Vital Interest
Under specific circumstances of vital interest, UKRIO may process personal information. The following is an example of vital interest, where a situation may result in harm to an individual or research subject:
When an enquiry is received by UKRIO, it is assessed to determine whether:
- It concerns a situation that may require immediate action to prevent further risk or harm to research participants, patients or other persons, improper treatment of animal subjects of research, improper use or storage of human tissue, materials or personal data, or negative environmental consequences (a ‘Situation’).
- It may involve criminal activity.
If the enquiry fulfils any of the above criteria, the Chief Executive, liaising with the Chair, takes appropriate action to address the issue(s) in question, informing the enquirer and recording the actions taken and the reasons for his/her decisions in writing.
- If an enquiry involved criminal activity or a Situation, we would first strongly encourage the enquirer to report the matter to appropriate organisation(s), which we would identify for them.
- If this did not take place in a timely manner, UKRIO, despite its role as a confidential advisory body, reserves the right in such circumstances to make disclosures, in confidence if necessary, to relevant external bodies. Such a decision would be taken by the Chief Executive and the Chair, consulting with UKRIO’s Board of Trustees, Advisory Board, staff or volunteers with relevant expertise, and/or legal counsel, as appropriate. In some cases, UKRIO may be legally required to make such disclosures. We also reserve the right to disclose details of our advice and correspondence if that advice is later misrepresented by an enquirer.
If a third party would be able to work alongside UKRIO to resolve an enquiry, or would be a more appropriate source of support, then UKRIO would approach that body only with permission from the person(s) making the enquiry. The exception to this, again, would be if there was clear evidence of criminal activity or a ‘Situation’, as described above.
- Legitimate Interests
UKRIO may use personal information if it is reasonably necessary to do so and in UKRIO’s or the individual’s “legitimate interests”. UKRIO ensures the information is used fairly and does not impact on the individual’s rights. For example, the use of personal information to administer, review and keep an internal record of the people we work with, including volunteers and institutional contacts.
How we keep data safe
This section of the policy only addresses security issues relating to personal data and other confidential data. UKRIO is based in its own office, lockable and with an alarm system. The building in which UKRIO’s office is based, No. 1 Croydon, follows standard security practices for office buildings (i.e. lockable, has an alarm system, etc.). A reception desk is staffed during office hours and access to the office areas of the building is via key card only. Regular exterior patrols are carried out each night by security and any incidents are investigated and recorded.
- Paper records are kept in lockable cabinets in the UKRIO office.
- Electronic records are stored in the UKRIO office:
- All UKRIO-owned desktop computers, laptop computers and portable memory devices are encrypted and require a password to decrypt the contents.
- UKRIO-owned computers are further password-protected, with each user given a unique password. Users are given ‘administrator’ rights only when required by their duties.
- Users are allowed access to folders and files which are relevant to their work.
- Files which contain information deemed to be particularly sensitive are password-protected.
- Files relating to UKRIO’s Advisory Service are anonymised wherever possible (see above).
- Security system testing is done by anti-virus software.
- Backed-up data is held securely off-site and in encrypted form. The risk of loss of irrecoverable data is regarded as low-to-medium.
Human resources, payroll and accounts payable information: these functions are carried out on behalf of UKRIO by staff of the Sussex Innovation Centre (SINC, www.sinc.co.uk). Information relating to these functions is held in the SINC office, to a similar standard as above.
How long do we keep information for
UKRIO’s records retention schedule is given below, including the retention schedule for records relating to UKRIO’s Advisory Service. UKRIO will follow the guidance on retention of records given in the JISC Infonet ‘HEI Records Retention Schedule’, available from: http://www.jiscinfonet.ac.uk/partnerships/records-retention-he/hei-rrs.
The retention schedule for records relating to UKRIO’s Advisory Service is given below:
|Description||Retention period||Examples of records|
|The management in summary form of enquiries and requests for assistance directed to UKRIO’s Advisory Service||Permanent||● Indexes|
|The management in detailed form of enquiries and requests for assistance directed to UKRIO’s Advisory Service||Last action on enquiry/ request for assistance + 6 years *||● Reports ● Supporting material submitted by enquirer ● Reference materials|
|The management in detailed form of informal enquiries directed to UKRIO’s Advisory Service||Last action on enquiry/ request for assistance + 3 years *||● Enquiry notes ● Form letters or emails|
* Note that retention for a longer period may be appropriate:
- If the enquiry/ request for assistance concerned a situation that may have required immediate action to prevent further risk or harm to research participants, patients or other persons, improper treatment of animal subjects of research, improper use or storage of human tissue, materials or personal data, or negative environmental consequences. For further information, see the UKRIO Protocol for Responding to Requests for Assistance, available from: http://ukrio.org/wp-content/uploads/UKRIO-Protocol-for-responding-to-requests-for-assistance-revised-May-2017.pdf
- If the enquiry/ request for assistance involved, or was reported to (by any party), a statutory regulator, the Police or other body with a legal responsibility to address the matter in question.
- If the enquiry/ request for assistance was used as the basis of a case study for educational and training purposes. Case studies will always be anonymised and published with the permission of the service user(s) who brought the matter to our attention (this does not include fictional scenarios, as above).
- If the enquiry/ request for assistance, or the handling of the enquiry/ request for assistance, could be a basis for legal action against UKRIO.
Sharing information with other organisations
UKRIO will never sell or rent personal information to third parties. However, we may need to disclose information to third parties in connection with purposes set out in this policy, such as organisations that fund, subscribe to or otherwise support UKRIO, as well as suppliers and sub-contractors who may process information on our behalf and providers of IT/web-based support and services.
Where we are under a legal or regulatory duty to do so, we may disclose information to the police, regulatory bodies or legal advisors, and/or, where we consider it necessary to protect the rights, property or safety of UKRIO, its personnel, visitors, volunteers, advisory board, users or others.
We may use suppliers who operate partially or fully outside the European Economic Area (EEA), potentially within a country that may have different data protection laws. In such cases, UKRIO will take steps to ensure they provide an adequate level of data protection in accordance with UK law.
UKRIO has the policy of sharing lists (or carrying out joint or reciprocal mailings) only on an occasional and tightly-controlled basis. Details will only be used for any of these purposes where the Data Subject has been informed of this possibility, along with an option to opt in.
UKRIO undertakes to obtain external lists only where it can be guaranteed that the list is up to date and those on the list have been given an opportunity to opt in.
It is considered unlikely that UKRIO will carry out telephone marketing. However, if it ever does, it will only do so where consent has been given in advance, or the number being called has been checked against the Telephone Preference Service.
Whenever email addresses are collected, any future use for marketing will be identified, and the provision of the address made optional (opt in).
Keeping individuals’ data up to date
UKRIO will regularly review its procedures for ensuring that its records remain accurate and consistent and, in particular:
- ICT systems will be designed, where possible, to encourage and facilitate the entry of accurate data.
- Data on any individual will be held in as few places as necessary, and all staff and volunteers will be discouraged from establishing unnecessary additional data sets.
- Effective procedures will be in place so that all relevant systems are updated when information about any individual changes.
Staff or volunteers who keep more detailed information about individuals will be given additional guidance on accuracy in record keeping.
Updating and rectification
Under Article 16 of the GDPR, individuals have the right to have inaccurate personal data rectified. If personal data about an individual is inaccurate, the individual may request a rectification, either verbally or in writing. UKRIO will facilitate this request within one month of receipt. All requests can be made to the Data Protection Officer. To recognise a verbal request, UKRIO will contact the requester in writing to ensure a log is kept and the data is rectified.
UKRIO appreciates it if subscribers, volunteers and suppliers keep us up to date with any changes in contact details. UKRIO will regularly inform contacts via email, SurveyMonkey® (www.surveymonkey.com) or MailChimp® (www.mailchimp.com) of any changes relating to policies and terms.
UKRIO respects the rights of individuals in relation to their personal information as provided in the GDPR. If you want to exercise any of the rights below, please contact the Data Protection Officer (DPO), James Parry, Chief Executive. You can do so using the UKRIO contact form, via email to email@example.com or by writing to:
UK Research Integrity Office
Sussex Innovation Croydon
No 1 Croydon
12-16 Addiscombe Road
Croydon CR0 0XT
The DPO may ask for further information and/or evidence of identity. UKRIO will endeavour to respond fully to all requests within one month of receipt of your request, however if we are unable to do so we will contact you with reasons for the delay.
Please note that exceptions apply to a number of these rights, and not all rights will be applicable in all circumstances. For more details we recommend you consult the guidance published by the UK’s Information Commissioner’s Office (ICO).
Where an individual wishes to exercise any of the rights in the list below, they must contact UKRIO either verbally or in writing. UKRIO will facilitate this request within one month of receipt. All requests can be made to the Data Protection Officer. To recognise a verbal request, UKRIO will contact the requester in writing to ensure a log is kept of the ‘right to be forgotten’.
1. The right of access
Individuals have the right to request a copy of the personal data that UKRIO holds about them. This is called a ‘subject access request’. We will provide these unless legal exceptions apply.
Subject access requests must be in writing (email is acceptable).
All staff and volunteers are required to pass on anything which might be a subject access request to the Data Protection Officer without delay.
Where the individual making a ‘subject access’ request is not personally known to the Data Protection Officer their identity will be verified before handing over any information.
UKRIO will not normally charge for processing a subject access request. If it does decide to charge for processing a subject access request, this will a) be no more than £10; and b) the fact that a charge will be made will be communicated to the person in question when they make a subject access request, along with the amount.
The required information will be provided in permanent form unless the applicant makes a specific request to be given supervised access in person.
2. The right to rectification
Individuals have the right to have inaccurate or incomplete information we hold about them corrected. Please contact us if you feel we hold inaccurate or incomplete data about you and where applicable, UKRIO will correct any errors.
3. The right to erasure
An individual may ask us to delete some or all of the personal information where it is no longer necessary for UKRIO to use it, where they have withdrawn consent, or where we have no lawful basis to keep it.
When personal data or confidential data is no longer required, or has passed its retention date, paper records must be shredded. If there is a significant amount of material which cannot be dealt with by normal shredding machines, this should be disposed of using a reputable disposal contractor.
Computerised records must be permanently deleted, with particular care taken that ‘hidden’ data cannot be recovered. UKRIO’s nominated IT contractor can advise on permanent deletion of computerised records.
4. The right to restrict processing
Individuals have the right to request that UKRIO restrict the processing of their personal data in the following events: if some of the data we hold is wrong; if UKRIO is not legally allowed to use it; when an individual needs us to retain the data in order for them to use it in a legal capacity; or when they believe their privacy rights override our legitimate interests in the information for a specific task and they have made an objection to this.
5. The right to data portability
An individual has the right to ask UKRIO to provide them or another service provider with some of the personal information that we hold about them to be presented in a readily available electronic form, to ensure that it can be transferred easily.
6. The right to object
Article 21 of the GDPR gives individuals the right to object to UKRIO processing their personal data. This effectively allows individuals to ask UKRIO to stop processing their personal data when we are processing their personal information based on our legitimate interests, scientific/historical research or for statistics.
7. Rights related to automated decision making including profiling
UKRIO does not use automated individual decision-making (making a decision solely by automated means without any human involvement); nor profiling (automated processing of personal data to evaluate certain things about an individual).
If an individual is unhappy with any aspect of how UKRIO is using their personal data, please inform UKRIO’s Data Protection Officer.
A person also has the right to lodge a complaint about any use of their information with the UK’s Information Commissioner’s Office (ICO).
Changes to this Policy
Please contact us if you have any queries, suggestions or comments regarding this policy, either by the
UK Research Integrity Office
Sussex Innovation Croydon
No 1 Croydon
12-16 Addiscombe Road
Croydon CR0 0XT
Policy operational date: December 2010
Date of last review: May 2018
Date of next review: March 2019