Privacy Notice Contents
- Introduction
- Who you are
- Lawful basis for processing personal data
- Special Category Data
- Retention of personal data
- Security of personal data
- Your individual rights
- Data transfers / third parties
- Cookies
- Right to complain
- Additional information
- Review of this notice
- Amendments
1. Introduction
We, The Babraham Institute, take the protection of all personal data very seriously and strictly adhere to the rules laid out by data protection laws and General Data Personal Regulation (GDPR). For the purpose of the GDPR, the data controller is The Babraham Institute, Babraham Research Campus, Cambridge, CB22 3AT. This privacy notice aims to give you information as to how we collect and process your personal data through your interaction with our websites under the domain www.babraham.ac.uk, our various programs, by entering into a relationship with us for the delivery of our services and to comply with our legal obligations. We have appointed a Data Protection Officer (DPO) who is responsible for monitoring compliance and providing guidance with our data protection status. If you have any questions about this privacy notice, including any requests to exercise your legal rights, please contact the DPO using the contact information in Section 11, Additional information.
2. Who you are
In the sections that follow, we have outlined the types of personal data we collect, how we collect it and the purposes for which we process personal data. Please select the relevant section for you from the list below, based on the relationship you have with us:
- Website Visitors
- Employees
- Students
- Vacancy Applicants
- Suppliers
- Visitors, contractors, and event participants
- External committee members
- Members of the public
A. Website Visitors
Why we collect your personal data
- For operational purposes such as operating our website and ensuring it is presented in the most effective manner for you and for your computer or device.
- For providing support services, handling complaints, notifying you of service changes, managing our relationships, and communicating with you by email, post, or telephone (excluding communicating for the purposes of direct marketing, see below).
- Where you have consented to be contacted for such purposes, for the purposes of creating, targeting and sending direct marketing communications by email and/or post, and making contact by telephone for marketing-related purposes. This includes sending our newsletter or providing you with information, resources or services that you request from us or which we feel may interest you.
- For researching and analysing the use and performance of our websites and services.
- For enabling you to participate in interactive features of our services when you choose to do so.
- For creating and maintaining our databases, back-up copies of our databases and our business records generally.
The data we collect, and where from
We collect personal data from you when you interact with our websites under the under the domain www.babraham.ac.uk
The categories of personal data that we may collect, store, and use about you may include: consent ID; consent date and time; HTTP agent; URL visited; user language; IP address; and geolocation.
For information on data collected by first party cookies, see: https://www.babraham.ac.uk/legal/cookies
For further information, please see here.
B. Employees
This section provides information about the use of personal data while you are employed by us. As an employee, you also have legal and contractual responsibilities to protect the personal data of other people and to handle it appropriately in accordance with our Data Protection Policy.
This section also applies to students hosted by us. Additional personal data is also processed specifically for students. See Section C, Students, for more information.
Why we collect your personal data
- To maintain your HR employment file.
- To assess your suitability for a particular role or task (including any relevant right to work checks).
- To support you in implementing any health-related adjustments to allow you to carry out a particular role or task.
- To administer remuneration, payroll, pension, employee benefits and other standard employment functions.
- To administer HR-related processes, including those relating to management of performance, absence, disciplinary issues, complaints, and grievances.
- To operate security, governance (including conflicts and declarations of interest), audits, and quality assurance processes and arrangements.
- To deliver IT services to you.
- To communicate effectively with you by post, email and phone, including the distribution of relevant newsletters.
- To facilitate your membership of committees, working groups or other staff networks.
- To support your training, health and safety, safeguarding, welfare, and religious requirements.
- To compile statistics, feedback, and conduct surveys and research for internal and statutory reporting purposes.
- To fulfil and monitor our responsibilities under equality, immigration, and public safety legislation.
- To enable us to contact others in the event of an emergency.
- To schedule meetings and capture discussions during meetings.
- For the fulfilment of contracts.
- To organise travel arrangements, accommodation, event bookings, and staff reimbursement.
- To apply for and support grant applications and meet funder requirements.
- To ensure all staff using Institute vehicles have valid driving licences.
- To promote the Institute and share recorded content, such as seminars or promotional videos.
- To aid administration internally and with external regulators and funders.
- For the protection of claims against the Institute.
The data we collect, and where from
We collect personal data throughout the duration of your employment with us.
The categories of personal data that we may collect, store and use about you may include: name; address; contact numbers; identification documents; date of birth; email address; national insurance number; next of kin and emergency contact details; social media handles; tenancy information; opinions; voice/visual media; signature; job title; employment history; qualifications and training records; driving license details; bank details; security screening details; meeting minutes and right to work documentation.
We may also process special category data where we have an Article 9 exception allowing us to do so (See Section 4, Special Category Data). In this case, it is in the interests of Employment, Social Security or Protection Law; Explicit consent; for the establishment and defence of legal claims, and if the processing is necessary for substantial public interest.
For further information, please see here.
C. Students
Also see Section B, Employees for additional purposes of personal data collection.
Why we collect your personal data
As a student, your personal data will be processed in accordance with the explicit purposes of your programme. Specifically:
- To make decisions about offering you a position, placement, studentship or funding.
- To administer your programme in partnership with the University of Cambridge.
- To supervise your learning and assess your progress.
- To provide notifications to aid administration.
- To centrally manage institute projects and capture institute committee meetings.
- To maintain our duty of care to you.
- In the interests of funding and to pay stipends.
- To provide short-term tenancies and manage council tax exemptions.
- To enable studentship placements with industry partners.
The data we collect, and where from
Your personal data is provided to us by the University of Cambridge in accordance with a University Partner Institute Agreement between us and the University of Cambridge. For more information, see D. Vacancy Applications: Studentships.
In addition to the categories of personal data listed in B. Employees, the categories of personal data that we may collect, store and use about you may include: study start and end dates; proof of studentship; fee and funding details; assessment reports; academic history; scholarships applied for; career goals; college preferences; current memberships; and funding applications.
We may also process special category data where we have an Article 9 exception allowing us to do so (See Section 4, Special Category Data). In this case, it is in the interests of Employment, Social Security or Protection Law and Substantial Public Interest.
For further information, please see here.
D. Vacancy applicants
Why we collect your personal data
- To process applications and verify information.
- To schedule interviews.
- To make decisions about offering you a position or funding. • To tell you the outcome and provide feedback if appropriate.
- To make reasonable adjustments during the recruitment process due to any disability or health requirements.
The data we collect, and where from
We collect and process personal data relating to job applications in a variety of ways, including through application forms, CVs, right to work documentation, interviews or other forms of assessment.
The categories of personal data that we may collect, store and use about you may include:
- Your name, address and contact details, including email address and telephone number.
- Details of your qualifications, skills, experience, and employment history.
- Information about your current level of remuneration.
- Whether or not you have a disability, or other requirements, for which the organisation needs to make reasonable adjustments during the recruitment process.
- Information about your entitlement to work in the UK.
We may also process special category data where we have an Article 9 exception allowing us to do so (See Section 4, Special Category Data). In this case, it is in the interests of Employment, Social Security or Protection Law, for the establishment and defence of legal claims and if the processing is necessary for substantial public interest. This equality data is anonymised and retained for up to five years after the relevant recruitment process and contributes significantly to our equality4success programme.
Applicant data retention
Your data will be stored in your application record and on other IT systems (including email) and, where necessary to process your application, will be shared with members of the HR team and the interview panel for the role you have applied for. For studentship recruitment, this may also include industry partners sponsoring your studentship programme (see Section C, Students).
If your application for employment is unsuccessful, we will hold your data for 365 days after the end of the relevant recruitment process. After this period, your data will be deleted or destroyed. We will not use your identifiable personal data for any purpose other than the recruitment exercise for which you have applied.
If your application for employment is successful, data gathered during the recruitment process will be transferred to your Human Resources file (electronic and paper-based) and retained during your employment.
You are under no statutory or contractual obligation to provide personal data as part of the application process. However, if you do not provide the information requested, we may be unable to process your application.
Studentships
When you applied to become a student of the University of Cambridge, you were told how the University of Cambridge and any relevant external organisation(s) would use your personal data to process your application and for related purposes. You were also provided with a statement about the use of personal data while you are a student at the University of Cambridge (see https://www.information-compliance.admin.cam.ac.uk/data-protection).
This statement detailed that your personal data would be shared with the providers of any external/collaborative learning and training placements or fieldwork opportunities which includes The Babraham Institute as the organisation responsible for administering the studentships.
Third-party application sharing
Where necessary, we will share your application form with third-parties involved in the recruitment process, such as external interview panel members. For studentships, this will be the Industry Partner sponsoring your studentship programme. A Data Processing Agreement is in place between us and the third-party representative to ensure sharing is lawful.
Electronic copies of your application form will be stored on our systems and securely shared with the Industry Partner or external panel member for recruitment purposes only. Access will be time-limited and will be withdrawn upon completion of the purpose.
For further information, please see here.
E. Suppliers
Why we collect your personal data
- For the maintenance of our services and facilities.
- To manage communications with you.
- To manage and maintain contracts and service agreements with you.
- For purchasing and procurement purposes, such as equipment, software, and consumables.
The data we collect, and where from
We collect and process your personal data during communication when establishing a relationship, contract initiation and negotiation, and purchasing and procurement activities.
The categories of personal data that we may collect, store and use about you may include:
- your contact information including name, email address and signatures.
- correspondence with you, such as for order placement or contract negotiation.
For further information, please see here.
F. Visitors, contractors and event participants
Why we collect your personal data
- For enabling access to Babraham Research Campus and to ensure accountability of site visitors, including communication, notification, and administration.
- To host seminars, conferences and events, including internal and external advertising and video recording.
- To secure bookings on your behalf to support your visit, such as transport, accommodation, and catering.
- To conform with Health and Safety regulations and maintain a duty of care to you.
- To provide and monitor any access you require to restricted areas.
- To maintain internal capability procedures.
The data we collect, and where from
We collect personal data from you when arranging your visit, when you register for an event, or when we arrange your access to specific areas of the site.
The categories of personal data that we may collect, store and use about you may include: Name; signature; contact details; affiliation; catering requirements; work and education history; purpose of visit; date/time of visit; car registration; parent/guardian contact details; employer/school details; still images (if visiting restricted areas); photos; and video recordings (if speaking at events or seminars).
We may also process special category data where we have an Article 9 exception allowing us to do so (See Section 4, Special Category Data). We may collect health data, such as injury details, if you have been involved in an accident whilst on campus. We may also collect details on smoker status, recent injuries, and general health information if you require access to restricted areas. For monitoring purposes, we collect data such as sex, religion, ethnicity, and race.
We will only process special category data where we have an Article 9 exception allowing us to do so, in this case, in the interests of Employment, Social Security or Protection Law, Explicit consent, Legal Claims and Substantial Public Interest.
For further information, please see here.
G. External committee members
External committee members are individuals who are not employed by us but are a representative or member of an Institute-managed committee or working group.
Why we collect your personal data
- To maintain distribution lists to circulate committee information.
- To capture discussions, decisions and actions during committee meetings.
- To record conflicts and declarations of interest.
The data we collect, and where from
Personal data is collected when you join a committee or working group, and during participation at committee meetings.
The categories of personal data that we may collect, store, and use about you may include: name; contact details; job role/position; meeting minutes; papers; action log items; and agenda documentation.
For further information, please see here.
H. Members of the public
Why we collect your personal data
- To maintain communication and engagement, and respond to your enquiries.
- To ensure equitable services and to evaluate activities.
- For the award and organisation of competitions and prizes.
- To provide consent forms, such as for media use or newsletter subscription.
- For outreach communication with schools.
- For internal communication campaigns.
The data we collect, and where from
We collect personal data when you contact and engage with us, or request participation in a service or activity.
The categories of personal data that we may collect, store and use about you may include: Contact information including name and email address; social media handles; opinions and enquiries; digital media; demographic information, including age, employment, and education information.
We may also process special category data where we have an Article 9 exception allowing us to do so (See Section 4, Special Category Data). In this case, we rely on Explicit Consent.
For further information, please see here.
3. Lawful basis for processing personal data
We only collect and use personal data about you when the law allows us to. Most commonly, we use it where:
- The data subject (you) has given consent to the processing activity taking place.
- If the processing is necessary for the performance of a contract.
- If the processing is necessary for compliance with a legal obligation to which The Babraham Institute is subject.
- If the processing is necessary for the purpose of the legitimate interest pursued by us or our partners.
Where legitimate interest is identified as a lawful basis, we will undertake a legitimate interest assessment which is a three-part test covering:
- The purpose test to identify the legitimate interest.
- The necessity test to consider if the processing is necessary for the performance for the purpose identified.
- The balancing test considering the individual’s interests, rights of freedoms and whether these override the legitimate interests identified.
4. Special Category Data
In addition to personal data, we may also process some information about you that is classed as ‘sensitive’ or ‘special category’ personal data, and which requires additional protections.
This includes disability, ethnicity, health, religious beliefs, and sexual orientation. For certain roles, other sensitive information may be processed, such as information about past criminal convictions, working with children or vulnerable adults, and your fitness to practise in certain regulated professions.
We will only process special category data where we have an Article 9 exception allowing us to do so.
For more information, see https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/special-category-data/what-are-the-conditions-for-processing/
5. Retention of personal data
Personal data that we process for any purpose or purposes, shall not be kept for longer than is necessary for that purpose or those purposes. We will review your personal data regularly to establish whether we are still entitled to process it. If we decide that we are not entitled to do so, we will stop processing your personal data to the extent that it is appropriate to do so and securely delete or anonymise it. To determine the appropriate retention period, we will consider the amount, nature, and sensitivity of that data, the potential risk of harm from unauthorised use or disclosure, and whether we can achieve the purposes for which we process that personal data through other means.
If you would like to find out how long your information is being retained, please see Section 11, Additional information.
6. Security of personal data
We take the responsibility for protecting your privacy very seriously and we will ensure your data is secured in accordance with our obligations under data protection laws.
We have in place technical and organisational measures to ensure personal data is secure and unauthorised access alterations, or disclosure is prevented. We use electronic safeguards such as firewalls and data encryption, enforce access controls to our files, and authorise access to personal data only to those employees who require it to fulfil their job responsibilities. We have policies and procedures to handle any potential data security breaches and data subjects, third parties, and relevant regulators will be notified where we are legally required to do so.
We provide all employees with cyber security and data protection awareness training. If you would like more details of the security we have in place, please see Section 11, Additional information.
7. Your individual rights
In this section, we have listed the rights that you have under data protection laws.
Your principal rights under data protection laws are:
- the right to access - you can ask for copies of your personal data. You, or any third party acting on your behalf with your authority, may request a copy of the personal data we hold about you without charge. We will ask you to verify your identity or request evidence from the third party that they are acting on your behalf before releasing any personal data we hold about you.
- the right to rectification - you can ask us to rectify inaccurate personal data and to complete any incomplete personal data.
- the right to erasure - you can ask us to erase your personal data.
- the right to restrict processing - you can ask us to restrict the processing of your personal data.
- the right to object to processing - you can object to the processing of your personal data if processing relies on legitimate interests, processing is for scientific or historical research, processing includes automated decision making and profiling, or processing is for direct marketing purposes.
- the right to data portability - you can ask that we transfer your personal data to another organisation or to you.
- the right to withdraw consent - to the extent that the legal basis of our processing of your personal data is consent, you can withdraw that consent.
- rights relating to complaints and remedies.
These rights are subject to certain limitations and exceptions. You can learn more about the rights of data subjects by visiting https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
You can ask any questions about these rights or exercise any of your rights in relation to your personal data by using the contact details set under Section 11, Additional information.
8. Data Transfers and Third Parties
We may disclose your personal data as listed under the relevant section to some third parties insofar as reasonably necessary for the purposes, and on the legal bases set out in this policy. Third parties that we use are listed below:
- Business partners, suppliers, contractors for the performance of any contract we enter into with them or you.
- Babraham Research Campus Ltd.
- Educational institutions and organisations we work with.
- External interview panel members (See D. Vacancy Applicants: Third-party application sharing)
- Third parties that support us to provide products and services e.g. IT support, cloud-based software services.
- Marketing services providers.
- Local authorities.
- Banks for the purposes of making payments.
- Professional advisors e.g. lawyers, auditors, DPO services.
- Web analytics and search engine provider to ensure the continued improvement and optimisation of our website.
- Website and social media for the purposes of promotion of The Babraham Institute.
If you want to find out in detail who your personal data is shared with, please see Section 11, Additional information.
Transfers outside of the UK
We may share personal data to third parties outside of the United Kingdom (UK). Likewise, the hosting facilities for our website and/or data centres may be located outside the UK. Any personal data transferred will only be processed on our instruction and we ensure that data security at the highest standard would be used to protect any personal data as required by data protection laws.
If personal data is transferred outside of the UK to a country without an adequacy decision, we will ensure appropriate safeguards are in place prior to the transfer. These could include:
- Standard Contractual Clauses with the published ICO Addendum
- International Data Transfer Agreement
- An exception as defined in Article 49 of the GDPR
For more information about transfers and safeguarding measures, please contact us using the information in Section 11, Additional information.
9. Cookies
Our website uses cookies. Please see our Cookie Policy here for full details of the cookies used.
10. Right to Complain
We take any complaints about our collection and use of personal data very seriously.
If you think that our collection or use of personal data is unfair, misleading or inappropriate, or have any other concern about our data processing, please raise this with us in the first instance.
To make a complaint, please contact us via email dpo@babraham.ac.uk
Alternatively, you can make a complaint to the Information Commissioner’s Office:
By Post: Information Commissioners Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
By Website: https://ico.org.uk/concerns/complaints-and-compliments-about-us/
By Email: casework@ico.org.uk
By Phone: 0303 123 1113 (Local rate) or 01625 545 745 (National rate)
11. Additional Information
Your trust is important to us. That is why we are available to answer any questions concerning how your data is processed.
If you have any questions that could not be answered by this privacy notice or if you wish to receive more in depth information about any topic within it, please contact our DPO via email on dpo@babraham.ac.uk
12. Review of this notice
We keep this Privacy Notice under regular review. This Privacy Notice was last updated on 08/09/2023.
13. Amendments
This privacy notice may change from time to time. We recommend that you review it periodically. We will place any updates on this webpage.
We may also notify you in other ways from time to time about the processing of your personal data.