EPI is committed to protecting your privacy and security. This policy explains how and why we use your personal data, to ensure you remain informed and in control of your information.
EPI complies with the six principles of the General Data Protection Regulation. Personal data is:
- processed fairly, lawfully and transparently
- only used for the specified, clearly explained purpose it was collected for
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- kept accurate and up-to-date
- only kept for as long as it is needed (usually until a project or activity is complete) and is then removed and securely deleted
- processed in a manner that ensures appropriate security of the personal data; it is stored in secure systems and only transferred by secure means.
We are also responsible for demonstrating compliance with data protection legislation. This accountability takes the form of adopting and implementing data protection policies, written contracts with organisations that process personal data on our behalf, documenting the data we hold, carrying out data protection impact assessments, and having an individual (the Head of Analysis) who carries out the tasks of a Data Protection Officer (DPO).
Any questions you have in relation to this policy or how we use your personal data should be sent to firstname.lastname@example.org for the attention of EPI’s Data Protection Officer.
2. THE INFORMATION WE COLLECT
Data for carrying out the research function of EPI
The primary function of the Education Policy Institute is to carry out research in relation to education and young people’s mental health to improve public policy making. Our work is usually quantitative in nature although we do undertake some small-scale qualitative studies.
Our research largely relies on secondary data analysis rather than primary data collection. This type of analysis draws on large scale administrative or survey datasets including (but not limited to):
- The National Pupil Database
- The School Workforce Census
- Longitudinal Survey of Young People in England
- Individual Learner Records
If we are carrying out a primary data collection (i.e. we are asking for data directly from you) then we may provide a separate privacy notice for that study.
Data for carrying out the administrative functions of EPI
Your personal data (i.e. any information which identifies you, or which can be identified as relating to you personally) will be collected and used by the Education Policy Institute (charity no: 1102186, company registration no: 4579498).
We collect data you provide to us. This includes information you give when joining as a member or signing up to our newsletter, placing an order or communicating with us. For example:
- personal details (name, job title, organisation and email) when you sign up to our newsletter. This also includes address and telephone when you join as a member or supporter;
- financial information (payment information such as credit/debit card or direct debit details, and whether memberships are gift-aided. Please see section 8 for more information on payment security); and
- details of EPI events you have attended.
Sensitive personal data for carrying out the administrative functions of EPI
We do not normally collect or store sensitive personal data (such as information relating to health, beliefs or political affiliation) about members and those signed up to EPI’s newsletter. However, there are some situations where this will occur (e.g. if you have an accident at one of our events). If this does occur, we’ll take extra care to ensure your privacy rights are protected.
Accidents or incidents
If an accident or incident occurs on our property, at one of our events or involving one of our staff then we’ll keep a record of this (which may include personal data and sensitive personal data).
3. HOW WE USE INFORMATION
We only ever use your personal data with your consent, or where it is necessary in order to:
- enter into, or perform, a contract with you;
- comply with a legal duty;
- protect your vital interests;
- for our own (or a third party’s) lawful legitimate interests, provided your rights don’t override these.
In any event, we’ll only use your information for the purpose or purposes it was collected for (or else for closely related purposes).
We process personal data for the purposes of research under a legitimate interest to promote high quality education outcomes for all children and young people, regardless of social background. We only do so where the interests and fundamental rights of individuals that require the protection of personal data do not override those interests.
If any special category data is processed as part of our analysis, our legal basis is UK GDPR Article 9 (2) (j) archiving, research and statistics (with a basis in law). To rely on this condition we must meet the associated condition in UK law. This is Schedule 1 (1)(4) of the Data Protection Act 2018. This condition applies if processing:
- is necessary for archiving purposes, scientific or historical research purposes or statistical purposes;
- is carried out in accordance with Article 89(1) of the GDPR (as supplemented by section 19 of the Act); and
- is in the public interest.
We use personal data for administrative purposes (i.e. on our research and events programmes). This includes:
- receiving membership subscriptions (e.g. direct debits or gift-aid instructions);
- maintaining databases of our members and those signed up to our newsletter;
- fulfilling orders for goods or services (whether placed online, over the phone or in person);
- helping us respect your choices and preferences (e.g. if you ask not to receive marketing material, we’ll keep a record of this).
4. COOKIES AND LINKS TO OTHER SITES
The only cookies in use on our site are for Google Analytics. Google Analytics is a tool employed by organisations to help them understand how visitors engage with their website, so improvements can be made. Google Analytics collects information anonymously – and reports overall trends, without disclosing information on individual visitors. By using our site you are consenting to saving and sending us this data. You can opt out of Google Analytics – which will not affect how you visit our site. Further information on this can be found here: https://tools.google.com/dlpage/gaoptout
Our website uses local storage strictly for system administration to provide you with the best possible experience – used in order to create reports relating to web traffic and user preferences. This includes: your IP address; details of which web browser or operating system was used; and information on how you use the site.
Links to other sites
Our website contains hyperlinks to many other websites. We are not responsible for the content or functionality of any of those external websites (but please let us know if a link is not working by using the ‘Contact’ link at the top of the page).
5. DISCLOSING AND SHARING DATA
Your personal data that has been collected for the purposes of EPI’s administrative functions – which include your name, organisation, and email address – are held by our mailing list provider. By signing up to our newsletter you are agreeing to the terms and conditions of MailChimp.com (http://mailchimp.com/legal/terms/). This information is not shared with any other organisation. If you wish to unsubscribe from our mailing list at any time, you can do so by clicking the ‘unsubscribe’ link, found at the bottom of any email we send you – or by sending your name and email address to email@example.com, stating ‘Unsubscribe’ in the subject line or body of the email.
Occasionally, where we partner with other organisations, we may also share information with them (for example, if you register to attend an event being jointly organised by us and another charity). We’ll only share information when necessary and we will never share your contact information (e.g. email or telephone).
Data from third parties that we hold for research purposes will never be disclosed or shared without the written agreement of the data controller.
Since 9 March 2018, EPI asks for individuals to “opt-in” for most communications. This includes all our marketing communications (the term marketing is broadly defined and covers information shared in our newsletter).
We use personal data to communicate with people, to promote EPI and to help with fundraising. This includes keeping you up to date with information from EPI on our research, events, news, job opportunities and other information relating to our work.
You can decide not to receive communications or change how we contact you at any time. If you wish to do so please contact us by emailing firstname.lastname@example.org, writing to 150 Buckingham Palace Road, London, SW1W 9TR or telephoning 020 7340 1160 (lines open 9am – 5pm, Mon – Fri).
What does ‘marketing’ mean?
Marketing does not just mean offering things for sale, but also includes news and information about:
- our research programme, including details of recent reports or blogs;
- our events and activities; and
- job opportunities.
When you receive a communication, we may collect information about how you respond to or interact with that communication, and this may affect how we communicate with you in future.
7. HOW WE PROTECT DATA
We employ a variety of physical and technical measures to keep your data safe and to prevent unauthorised access to, or use or disclosure of your personal information.
Electronic data and databases are stored on secure computer systems and we control who has access to information (using both physical and electronic means).
Our researchers are accredited by the Office for National Statistics as Safe Researchers. All staff receive data protection training and we have a set of detailed data protection procedures which personnel are required to follow when handling personal data set out in our policies on Information Security, Managing Personal Data and Ethical Research. Copies of these policies are available on request.
All electronic EPI forms that request financial data pass your details to our payment provider (Stripe Payments Europe: https://stripe.com/gb/privacy; https://stripe.com/privacy-shield-policy). EPI complies with the payment card industry data security standard (PCI-DSS) published by the PCI Security Standards Council, and will never store card details. If you would rather make a payment through BACS or by cheque please contact us by emailing email@example.com, writing to 150 Buckingham Palace Road, London, SW1W 9TR or telephoning 020 7340 1160 (lines open 9am – 5pm, Mon – Fri).
Of course, we cannot guarantee the security of your home computer or the internet, and any online communications (e.g. information provided by email or our website) are at the user’s own risk.
Where we store information
EPI’s operations are based in England and we store our data within the United Kingdom and the European Union.
How long we store information
We will only use and store information for so long as it is required for the purposes it was collected for. How long information will be stored for depends on the information in question and what it is being used for. For example, if you ask us not to send you marketing emails, we will stop storing your emails for marketing purposes (though we’ll keep a record of your preference not to be emailed).
We continually review what information we hold and delete what is no longer required. We never store payment card information.
9. KEEPING YOU IN CONTROL
We want to ensure you remain in control of your personal data. Part of this is making sure you understand your legal rights, which are as follows:
- the right to confirmation as to whether or not we have your personal data and, if we do, to obtain a copy of the personal information we hold (this is known as a subject access request);
- the right to have your data erased (though this will not apply where it is necessary for us to continue to use the data for a lawful reason);
- the right to have inaccurate data rectified;
- the right to object to your data being used for marketing or profiling; and
- where technically feasible, you have the right to personal data you have provided to us which we process automatically on the basis of your consent or the performance of a contract. This information will be provided in a common electronic format.
Please keep in mind that there are exceptions to the rights above and, though we will always try to respond to your satisfaction, there may be situations where we are unable to do so. This is particularly the case where we receive survey or administrative data from third parties for research purposes as this will nearly always be in de-identified or anonymised formats. This means that no directly identifying information is shared with us. In these situations, the data collector will have provided you with a privacy notice that informs you how your data will be used but because we do not know who you are, we are not able to directly provide you with a privacy notice ourselves.
In any situation, if you would like further information on your rights or wish to exercise them, please write to EPI’s Data Protection Officer at Lower Ground Floor, 150 Buckingham Palace Road, London, SW1W 9TR or email to firstname.lastname@example.org for the attention of EPI’s Data Protection Officer.
You can complain to EPI directly by contacting our Data Protection Officer using the details set out above.
If you are not happy with our response, or you believe that your data protection or privacy rights have been infringed, you can complain to the UK Information Commissioner’s Office which regulates and enforces data protection law in the UK. Details of how to do this can be found at www.ico.org.uk