Vitae-Rothamsted Research Training Privacy Notice

1.  Introduction

We are The Careers Research and Advisory Centre (CRAC) Ltd.  CRAC is the non-profit organisation that manages the Vitae programme. Vitae is the global leader in supporting the professional development of researchers, experienced in working with institutions as they strive for research excellence, innovation and impact. 

You can find more information about CRAC and the work that we do on our website: www.crac.org.uk.

CRAC is committed to protecting the personal information of all its contacts and being clear about what information we hold about them and how we use it. This privacy notice tells you what to expect when CRAC collects personal information. 

CRAC is registered as a data controller with the Information Commissioner’s Office (ICO). Our registration number is Z1030346.  You can check our registered details on the ICO’s website: https://ico.org.uk/about-the-ico/what-we-do/register-of-data-controllers/ 

2.  Data controller and Data Protection Officer

As the party contracting this training programme, Rothamsted Research is the Data Controller of any personal information collected within scope of this privacy notice. You can contact their Data Protection Officer by emailing Louise.Warren@Rothamsted.ac.uk or by writing to their Data Protection Officer, Rothamsted Research, West Common, Harpenden, Hertfordshire, AL5 2JQ

Vitae is the data processor, as we are processing your personal data in order to fulfil the contract. Our location and contact details are below:

Data Protection Officer
The Careers Research and Advisory Centre (CRAC) Limited
22 Signet Court
Cambridge
CB5 8LA
Email: data.protection@crac.org.uk
Tel: 01223 460277

Our Data Protection Officer (DPO) is the first point of contact for people whose information is processed. Contact details for our DPO are as follows:

Email: data.protection@crac.org.uk
Tel: 01223 460277

3.  How we use your information

We can only use your personal information where we have legitimate reasons for doing so and have told you what those reasons are. 

The specific uses that will be made of your personal information in relation to this project are listed below: 

  •  Your responses will be used to determine the appropriate type and level of content for the Training programme we are designing for Rothamsted Research.
  • Your responses may be used after the training programme, along with responses to a further survey to be run after the training, to determine the impact of the training and recommendations for future training activities.
  • Your responses will be kept confidential and not shared with any third parties other than the programme organisers at Rothamsted Research; and the latter only once anonymised.
  • Responses will be retained for one year after completion of the programme which is scheduled to be by May 2022.
  • If we want to use your personal information for a reason other than the purposes set out above, we will tell you before we start that use.

4. The legal basis for processing your information

Under data protection legislation, we require a legal basis to be able to process personal information for the purposes set out above. In this case, the legal basis is consent: we request your consent to process your personal data as outlined in this privacy notice, in order for us to identify and provide you and the University with the training and development support the University has contracted us to provide.

Withdrawal of consent

Consent can be withdrawn at any point if you no longer want your responses provided to this survey to be used for the purposes outlined above.  You can withdraw consent by emailing data.protection@vitae.ac.uk.

5. What personal information we will collect

The personal information we collect in this survey is:

  • Email Address
  • Name
  • Your discipline
  • Your role/role type/job title or equivalent 
  • Your training and experience relevant to the content of this programme

6. Personal information we obtain from another source 

The Institute may provide us with a list of names, email addresses and job titles of the people they wish to participate in the surveys/other elements of the programme. We do not expect to obtain any personal information from any other source.

7. Who we give your personal information to 

Your personal information may be shared with the programme organisers at the Institute. We will not routinely pass your information to any other organisation except where required to do so as part of our functions or by law. 

8. Where your personal information will be stored

Your personal information is stored on Microsoft Azure and Microsoft Office 365 business services.  Microsoft will have access to your personal information for the purposes of providing the business services to us. For more information about how Microsoft may process your personal information please see the information in the Microsoft Trust Centre: www.microsoft.com/en-us/trustcenter/privacy. 

Vitae uses Zoom to deliver our virtual events, and Surveymonkey to distribute surveys and collect responses. 

Any personal information that you share with Vitae through Zoom will only be used to facilitate the delivery of the programme as described in this policy; this includes providing an attendance list to the organiser of hosted events so they can effectively manage the post-event administration. Your personal information will not be shared with any other party or for any purpose not referenced in this privacy notice and will not be used for marketing purposes. 

Zoom complies with GDPR. For more information, please visit Zoom’s website (https://zoom.us/gdpr). As with other online tools, the use of Zoom generates data that may allow conclusions to be drawn about people. This data is treated confidentially and is neither passed on nor sold to third parties by Vitae or by Zoom, according to their privacy policy (https://zoom.us/privacy#_Toc44414842). Like many other webinar technology providers, Zoom is a US-based service provider. Like others, "Zoom" is certified under the EU-U.S. Privacy Shield, so that the legal requirements for an adequate level of data protection are met. 

Any personal information that you share with Vitae through Surveymonkey will only be used to facilitate the delivery and evaluation of the event and programme as described in this policy. Your personal information will not be shared with any other party or for any purpose not referenced in this privacy notice and will not be used for marketing purposes. For more information on how Surveymonkey handles data, please visit Privacy Notice | Momentive (surveymonkey.com) Like many other webinar technology providers, Surveymonkey is a US-based service provider. Like others, it is certified under the EU-U.S. Privacy Shield, so that the legal requirements for an adequate level of data protection are met. 

We do everything possible to protect your and our data and to ensure transparency. However, it is up to you to decide whether you want to or are allowed to participate in our events via Zoom and/or Surveymonkey. With your participation in a Zoom meeting or a surveymonkey survey you accept our data privacy policy and agree to the processing of the data necessary for the execution of the programme.

You should understand and agree that your personal information may be transferred to, and stored at, a destination outside the country and economic area in which you reside, and that it may also be processed by staff operating outside that country for the purposes set out in this Privacy Policy. 

9. How we protect your personal information

CRAC has a number of security measures in place to protect your personal information, listed below: 

  1. All staff are required to undertake training in data protection and information security on joining CRAC and then on an annual basis
  2. Formal information security policies that must be read and understood by all staff
  3. Personal information is only available to those members of staff who require access as part of their role.
  4. CRAC implements information security controls based on recommendations from the UK National Cyber Security Centre, the International Organisation for Standardisation, the Payments Security Standards Council and the UK Information Commissioner’s Office. We regularly review the risks to our systems and mitigating security controls.
  5. CRAC holds ISO27001 accreditation.

10. Your rights over your personal information

Once your personal information has been collected, you have certain rights in relation to that personal information that may be exercised. You have the right to: 

  1. Ask for a copy of your personal information
  2. Correct inaccurate personal information held about you
  3. Ask for your personal information to be deleted (within 30 days)
  4. Restrict processing of your personal information
  5. Ask for a copy of their information in a format that allows easy transfer (“data portability”)
  6. Object to automated decision making or profiling (if these take place)

11. How long we will hold your personal information

We are only able to retain a copy of your personal information as long as it is still needed for the purpose(s) for which it was collected. It will be retained for one year after completion of the programme which is scheduled to happen in May 2022.

12.  Complaints about the use of your personal information

If you are unhappy with the way in which your personal information has been handled by CRAC, you may contact us at: data.protection@crac.org.uk or via our Data Protection Officer (details in section 2) and we will try to resolve your issue informally.

If we are not able to resolve the issue to your satisfaction, you can also make a complaint to the data protection supervisory authority. In the UK, this is the Information Commissioner’s Office (ICO) and they can be contacted at: 

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Tel: 0303 123 1113
Email: casework@ico.org.uk 

13. Changes to this privacy notice

We keep our privacy notices under regular review and we will inform you of any changes to this notice by placing an update on the Vitae website.

This privacy notice was last updated on 20 January 2022.