This policy sets out how we deal with the personal information of our students, academic/non-academic partners, collaborators and visitors to our websites.
This notice may be updated from time to time to ensure continued compliance with current legislation and to reflect best practice.
Identity of the Data Controllers:
The Norwich Research Park (NRP) Biosciences Doctoral Training Partnership (NRPDTP) is a consortium training bioscientists across various scientific themes and strategies of the UKRI-BBSRC. It is a collaboration between University of East Anglia (“the University”), John Innes Centre, Quadram Institute Bioscience, Earlham Institute and The Sainsbury Laboratory, jointly known as the Norwich Bioscience Institutes (“NBI”).
As Joint Data controllers, the University and NBI are legally responsible for processing your personal data in accordance with current Data Protection legislation. In order to carry out its functions and obligation with respect to the operation of the NRPDTP it is necessary for the NBI to collect, store, analyse and sometimes disclose your personal data. This is in addition to data collected and processed primarily by the University as your chosen education institution for your postgraduate research degree study.
What personal information do we collect about you?
The following gives an indication of the types of information NBI collect and process:
For students and prospective students:
- details of your qualifications achieved and currently being undertaken,
- any student photographs, (for ID and student record management)
- your date of birth,
- your nationality,
- email address,
- equality of opportunity monitoring data which will include sensitive categories of data for (e.g. ethnicity, religion, sexual orientation) [SC]
- any special access requirement [SC]
- details of your academic record including qualifications, skills, experience.
For academic/non-academic partners, collaborators:
- your name
- Institute, company name, affiliation.
This personal data includes categories of data classed as ‘special categories’ [SC] such as that collected for equality of opportunity monitoring such as ethnicity, religious beliefs or sexual orientation.
We collect this information in a variety of ways. For example, data might be collected through the application process or through interviews, meetings or our forms on our website.
We will also hold information supplied by third parties such as references.
What are our legal bases for processing your personal data?
There are a number of legal ways in which NBI can process your data, the most relevant of which are set out below:
|(1)||When you apply to the NRPDTP for funding, an award, or to take part in any partnership training programs, we will be required to collect, store, use and otherwise process information about you for any purposes connected with teaching, support, research, administration, your health and safety and for other reasons deemed necessary for the purpose of entering into or for the performance of your contractual agreement. See GDPR Article 6(1)(b)|
|(2)||Processing of your personal data may also be necessary for the pursuit of our legitimate interests or by a third party’s legitimate interests – but only where the processing does not fall within our core functions, is not unwarranted and will not cause a prejudicial effect on your rights and freedoms, or legitimate interests. See GDPR Article 6(1)(f).|
|(3)||Processing of your personal data is necessary for the performance of a task carried out in the public interest (see GDPR Article 6(1)(e)) and for statistical and research purposes.|
|(4)||Processing is necessary for compliance with a legal obligation to which the Data Controller is subject.|
|(5)||Processing of Special Categories data is necessary for statistical and research purposes in accordance with Article 89(1) based on the duties in the Equality Act 2010 (see GDPR Article 9(2)(j))|
|(6)||We will obtain consent from you in order to use your information beyond any purposes described above GDPR Article 6(1)(a)|
For what purposes will your information be used?
The purposes and related legal basis (number in brackets) under which NBI may process your personal data, (although given the complexity of the relationships that the Institutes have with its students, this is not exhaustive):
- administration (1)
- to provide you with information and updates (1,2)
- the production and, as appropriate, distribution of research and educational materials (1,2,3)
- internal and external auditing purposes (2,5)
- meeting health and safety obligations and equality of opportunity monitoring obligations (4,5)
- carrying out statutory duties to provide information to external agencies [see ‘the sharing section of this policy’ for further details] (1,2)
- providing information for enquiries or general contact made via email, contact form, events. (6)
- bookings made to use NRP resources. (2)
- public engagement, promoting NRPDTP activities and knowledge exchange/commercialisation activities. (6)
- authenticate access to resources. (2)
- record your IP address when accessing our website and when using NBI resources, usernames stored in logs to be able to comply with law and protect NBI resources. (2,4)
- from time-to-time, other activities that fall within the pursuit of the Institutes legitimate business and do not infringe your rights and freedoms (2)
Sharing information with others:
We (NBI) may share your relevant personal data with external organisations.
|Other institutions within the NRPDTP||Where you are registered, project is jointly funded, or supervisors are based at one or more of the other institutions within the NRPDTP as per applicable terms and conditions of your studentship or appropriate contract.|
|University – Academic staff and Professional services.||Student record data relating to personal details, project status, progress reports, supervisor reports etc. in accordance with the terms and conditions of your studentship.|
|Funding bodies||To fulfil the terms of bodies providing the funding for awards, primarily the UKRI-BBSRC.|
|Sponsors where a contract exists with you.||In accordance with the terms of the contract (which could include, for example, industrial CASE studentship non-academic partners, professional internship hosts.)|
|Potential employers or providers of education whom you have approached.||To confirm your qualifications.|
|NBI’s wholly owned shared service.||For administrative activities such as Finance (studentship payments), IT (for computer, email accounts, manage/store student records), Contracts, CCTV for site, health and safety procedures.|
Any other disclosures that NBI makes will be in accordance with Data Protection law and your interests will always be considered.
We use a range of third-party service providers to manage our website, emails.
Emails are based in Microsoft O365 cloud offering, managed by NBI’s shared service provider. Microsoft’s privacy statement.
How long your information will be held:
In principle, the Institute will only hold the data it collects for the duration it is required after which it is either deleted or anonymised.
For most areas such as: administration, human resource records, communications with students, records are stored for, up to 6 years after the completion of your studies, in line with the university’s retention schedule.
Names of scientists and any collaborators that are linked to research data produced may be stored indefinitely as such is required to ensure the integrity of this data is not lost and is required for future scientific review processes.
General communication with prospective students, enquiries are deleted after 12 months.
Certain areas such as scientific or public engagement, grant awards, records will be anonymised to allow statistical analysis for reports to reports to funding bodies.
Please refer to the following for a comprehensive list of the University’s Postgraduate Research Service retention schedule: https://portal.uea.ac.uk/documents/6207125/7105351/RRS_PGR_Service+-+Updated+November+2018+%28002%29.pdf/063c8583-b3e6-73e8-885a-75fe2bb01919
Security of your information:
Data Protection legislation requires us to keep your information secure. This means that your confidentiality will be respected, and all appropriate measures will be taken to prevent unauthorised access and disclosure. Only members of staff who need access to relevant personal data will be authorised to do so. Information about you stored or shared electronically will be subject to additional security measures such as password and other restrictions, while paper files will be stored in secure areas with controlled access.
Some processing may be undertaken on the University’s behalf by an organisation contracted for that purpose. Organisations processing personal data on the University’s behalf will be bound by an obligation to process personal data in accordance with data protection legislation.
Your data protection rights:
Under Data Protection legislation you have a number of rights.
To request a copy of your personal data, please see contact details below:
a) For your personal data related to your Postgraduate Research studies or University life in general:
UEA Information compliance team: email@example.com. Further details on UEA privacy notices and legal statements please refer to: UEA’s Information compliance pages.
b) For your personal data related to the training programme via the one of the NRPDTP partners you are based at or data stored on resources provided as part of your NBI account:
John Innes Centre / Quadram Institute Bioscience: firstname.lastname@example.org
Earlham Institute: email@example.com
The Sainsbury Laboratory: firstname.lastname@example.org
To find out more about your rights and how you can exercise them, please see the University web page on your data protection rights.
Do we transfer information outside the European Economic Area (EEA)?
Generally, information you provide to us is stored on NBI’s secure servers, or on our cloud-based systems which are located within the EEA. However, there are times when we do need to store information outside the EEA. If we transfer your information outside the EEA, we will take steps to ensure that appropriate security measures are taken to protect your privacy rights. This could be by imposing contractual obligations on the recipient of your personal information or ensuring that the recipients are subscribed to ‘international frameworks’ that aim to ensure adequate protection. For example, we would ensure that a supplier based in the USA has signed up to “Privacy Shield”. Technical measures such as encryption will also be considered.
How to raise a query, concern or complaint:
If you still have queries, or concerns regarding the processing of your personal information, please contact us using details in the “Your data protection rights” section.
We will be more than happy to discuss these with you.
If you wish to raise a complaint with the Information Commissioner’s Office details on how to do so are available on the ICO’s website.
Revised: Oct 2019