GENERAL DATA PROTECTION REGULATIONS (GDPR)
RESEARCH OUTREACH POLICY
Introduction – This policy concerns the personal information (data) held by Research Outreach, its security and use.
The policy is written in response to the GDPR, in force from 25th May 2018. It defines the people involved, the data collected by Research Outreach, how it is stored and used internally and externally, and individuals’ rights over their data.
Research Outreach process personal information to enable us to produce and distribute printed material; promote our services; maintain our accounts and records; and support and manage our employees. At all times we aim to respect any personal information you share with us, or that we receive from others, and keep it safe.
This Notice contains important information about your personal rights to privacy. Please read it carefully to understand how we use your personal information. Please note that this notice applies to both our clients and our employees and as such may make reference to types of information only relevant to one or other of those
The Data Protection Officer for the purposes of the GDPR will be the Accounts and Office Administrator. They will be responsible for the implementation and review of this policy.
All employees will be responsible for the collection of the data, its security, ensuring that permission for the data to be held, used, and shared as described below is given, and updating of individuals’ records including deletion where required.
What Data is Collected and Why?
It is necessary for data to be collected for the effective running of Research Outreach, and the production of articles and animations. It is also necessary in order for Research Outreach to meet its lawful/contractual obligations to clients and employees.
We may collect, store and otherwise process the following kinds of personal information:
a. your name, job title and contact details including postal address, telephone number, email address, emergency contact details and, where applicable, social media identity;
b. your date of birth and gender;
c. your financial information, such as bank details and/or credit/debit card details. Where this is done, it is kept in a secure and limited way, or it is held for us by a regulated financial services provider (for example Worldpay);
d. personal descriptions, CVs, bios and photographs;
e. details of your qualifications/experience;
f. demographic information such as postcode, preferences, and interests;
g. other information relevant to customer surveys and/or offers.
Your personal information, however provided to us, will be used for the purposes specified in this Notice.
In particular, we may use your personal information:
a. to fulfil our contractual obligation to a client as stated on a client allocation/confirmation form;
b. to fulfil our contractual obligation to an employee as stated in their personal contract of employment;
c. to provide further information about our work, services or activities (where necessary, only where you have provided your consent to receive such information);
d. to otherwise provide you with services, products or information you have requested;
e. to answer your questions/requests and communicate with you in general;
f. to allow you to apply for a job or volunteer role with us;
g. to manage relationships with our partners and service providers;
h. to analyse and improve our work, services, products or information (including our website), or for our internal records;
i. to audit and/or administer our accounts;
j. to satisfy legal obligations which are binding on us, for example in relation to regulatory, government and/or law enforcement bodies with whom we may work (for example requirements relating to the payment of tax or anti-money laundering);
k. to use your emergency contact details in the event of an emergency or accident;
l. Occasionally and periodically subscribers may be sent promotional emails with offers, new products and developments, and other information that we believe you will find useful. This will be sent to the email address you provided, but you are able to opt out of receiving such information at any time.
The GDPR allows us to collect and process your personal information if it is reasonably necessary to achieve our or others’ legitimate interests (as long as that processing is fair, balanced and does not unduly impact your rights as an individual).
In broad terms, our “legitimate interests” means the interests of running Research Outreach ensuring the best possible user experience.
When we process your personal information to achieve such legitimate interests, we consider and balance any potential impact on you (both positive and negative), and on your rights under data protection laws. We will not use your personal information for activities where our interests are overridden by the impact on you, for example where use would be excessively intrusive (unless, for instance, we are otherwise required or permitted to by law).
When is the Data Collected and Reviewed?
This data is captured when a client first confirms their participation by signing the contractual confirmation form, when the client provides us with information as requested or when an employee begins their contract of employment with Research Outreach. The accuracy of the personal information will be reviewed regularly, and employees are responsible for communicating any changes in their personal information to Research Outreach.
Who Collects and Holds the Data?
The data is collected by the editorial team, the accounts manager and any other employees that may require additional information. Your personal information is only accessible by appropriately trained staff and contractors and stored on secure servers which have features to prevent unauthorised access. Any documents containing employee personal information are only available to the administration team and Company Directors.
What Data is Shared outside the Company?
We do not share, sell or rent your personal information to third parties for marketing purposes. However, in general we may disclose your personal information to selected third parties in order to achieve the purposes set out in this Notice.
Where information is shared, only the minimum amount of information required for that purpose will be disclosed.
These parties may include (but are not limited to):
a. professional service providers such as accountants and lawyers;
b. professional external sub-contractors;
c. local government agencies;
d. subscribers to our magazine and visitors to our website (e.g. your name in the masthead);
e. our insurers;
f. regulatory authorities, such as tax authorities.
Research Outreach will require that third party organisations do not further share the data or use it for any purpose except communications and publications as specified above. The data is not used in any form of automated decision making or profiling.
International Data Transfers
Countries in the European Economic Area (“EEA”) all have the same level of data protection law as under the GDPR and, where practical, we will endeavour to use contractors and/or suppliers that operate within the EEA.
We may sometimes have a business need to use contractors and/or suppliers to process personal information on our behalf that operate outside the EEA. It is possible that personal information we collect from you will be transferred to and stored in a location outside the EEA, most typically, the United States.
Please note that some countries outside of the EEA have a lower standard of protection for personal information, including lower security requirements and fewer rights for individuals. Where your personal information is transferred, stored and/or otherwise processed outside the EEA in a country that does not offer an equivalent standard of protection to the EEA, we will take all reasonable steps necessary to ensure that the recipient implements appropriate safeguards (such as by entering into standard contractual clauses which have been approved by the European Commission) designed to protect your personal information and to ensure that your personal information is treated securely and in accordance with this Notice. If you have any questions about the transfer of your personal information, please contact us using the details below.
Unfortunately, no transmission of your personal information over the internet can be guaranteed to be 100% secure – however, once we have received your personal information, we will use strict procedures and security features to try and prevent unauthorised access (please see Breaches of Data Security section below).
A cookie is a small text file that is downloaded onto ‘terminal equipment’ (e.g. a computer or smartphone) when the user accesses a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions. Cookies allow a website to respond to you as an individual, personalising your browsing experience. Using cookies, a website can act according to your personal needs and note your preferences and dislikes by gathering and remembering information about your preferences and browsing history.
Overall, our cookies are designed to help us provide you with a better and more functional website, by helping us monitor which pages you find useful and which you do not. A cookie in no way gives us any access to your computer, and it does not reveal any details or identifiable information about you, other than any data that you choose to share with us.
You can choose to accept or decline cookies from any website, including ours – we ask you to confirm your consent prior to using any cookies.
When you visit researchoutreach.org, Google Analytics is used to collect anonymised information about our users and their behaviour when using our website. We do this to find out the number of visitors to parts of our website. No information collected is used to identify individuals and we do not allow Google to use this information to identify users on our website.
Links to Other Websites
Our website often contains links to other websites that we believe our readers may find interesting. We would like to point out that, once you follow a link and leave our site, we have absolutely no control over the destination site. Accordingly, we cannot be responsible for your privacy and data security while visiting these other sites, and these other sites do not fall under the remit of our privacy protection policy. We advise caution and suggest that you assess the privacy statement of the destination website when you leave Research Outreach via a link.
Your Rights to your Personal Data
All clients and employees have the right to be provided with a copy of the data held on them by Research Outreach. Any request for this should be made in writing (including e-mail) to the Data Protection Officer. Research Outreach has one month to reply to any such request. There will be no charge for such access to data.
Breaches of Data Security
If at any point a breach of data security is suspected or identified, then that suspicion or fact must be reported immediately (verbally if necessary and confirmed in writing) to the Data Protection Officer who is responsible for investigating breaches of security, determining the resultant degree of risk and deciding on the action to be taken, reporting this at the first opportunity to the Managing Director.
Where a breach is likely to result in a serious risk to the rights and freedoms of individuals (say involving health or financial issues), the Managing Director has 72 hours to report the incident to the Information Commissioner’s Office (ICO).
Research Outreach recognises that the requirements of the GDPR apply as much to paper files and records as they do to digital ones and will ensure that any paper records are similarly securely treated. As security issues are much more problematic for paper records, Research Outreach will seek to reduce the use of paper files to the minimum possible. Specifically, paper files containing employee data will be stored in a locked filing cabinet.
Consent on the Holding and Use of the Data
Data Retention and Reviews
It is expected that an employee will update their personal information if it changes during the year.
In general, unless still required in connection with the purpose(s) for which it was collected and/or processed, we remove your personal information from our records six years after the date it was collected. However, if before that date your personal information is no longer required in connection with such purpose(s), we are no longer lawfully entitled to process it or you validly exercise your right of erasure, we will remove it from our records at the relevant time.
If you request to receive no further contact from us, we may keep some basic information about you on our suppression list in order to comply with your request and avoid sending you unwanted materials in the future.
How to Contact Us
Please let us know if you have any questions or concerns about this Notice or about the way in which Research Outreach process your personal information by contacting us at the channels below. Please ask for/mark messages for the attention of the Data Protection Officer.
Telephone: +44 (0) 1453 827934
Post: 25 Westend Office Suites, Westend, Stonehouse, GLOS, GL10 3FA
Changes to this Notice
We may update this Notice periodically. We will notify you of significant changes by contacting you directly where reasonably possible for us to do so and by placing an update notice on our website. This Notice was last updated on 16th May 2018.