We will only keep personal information for as long as it is needed to fulfil the purpose for which it was collected. Where you indicate to us you no longer wish for us to retain your information, we will delete your information.
We take the security of your information very seriously and have put physical, technical, operational, and administrative strategies, controls and measures in place to help protect your personal information from unauthorised access, use or disclosure as required by law and in accordance with accepted good industry practice. We will always keep these under review to make sure that the measures we have implemented remain appropriate.
We use Google Workspace & Google Cloud Platform for the secure storage of personal information processed by us. Through the use of Google services, the organisation is able to provide a high level of security around the storage of highly sensitive personal data which is captured within a high variety of our activities. You can find further security and compliance information in the Google Compliance Resource Centre, Privacy Resource Centre and the Google Cloud & the GDPR pages.
Your personal data may also be stored with specific third-party services for the minimum period necessary to perform activities with your personal information. Each third-party is subject to contractual and security reviews to ensure adequate and comparative levels of security, we’d expect for ourselves, is provided for the data they process on our behalf.
The types of third-party providers we use include, but are not limited to:
- Transcription services
- Mass email services
- Communications providers
- Survey platform services
- Client Relationship Management services
- Website services and platform providers
- IT services organisations
Where appropriate, we may share your personal information with our professional advisers including our lawyers and auditors, project partners, industry experts, peers (of a group you are involved in as a Sector Stakeholder), and local and central government departments where it is strictly necessary. It is also possible that we may be required to share your data to comply with applicable laws or with valid legal processes, such as in response to a court order.
Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded by implementing at least one of the following safeguards:
- Transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK (the UK also recognises the European Commission list of adequate countries. For further details, see European Commission: Adequacy of the protection of Personal Data in non-EU countries)
- Specific contracts/agreements approved by the UK which give personal data the same protection it has in the UK. For further details, see UK International Data Transfer Agreements. We will also assess in-country standards as part of this process.
We may share the information we gather with other organisations in these scenarios (where this has been outlined in the privacy notice). The following list is non-exclusive:
- Evaluators and Delivery Partner organisations and other organisations that are funded by us or collaborating with us on projects or pieces of research.
- Independent contractors or suppliers we hire to work on specific projects or pieces of research we conduct or commission.
Where there is a requirement or desire to archive your data for purposes of public interest which may mean the possibility of a secondary use, we carefully review all organisation’s research project proposals to maintain appropriate safeguarding of data when access is granted.