Privacy policy

Introduction

Research in Practice is part of the National Children’s Bureau, which is registered in England and Wales (company number 952717 and subsidiary NCB RiP 15336152) and a charity (258825). The registered office is located at National Children’s Bureau, 23 Mentmore Terrace, Hackney, London E8 3PN. A Company Limited by Guarantee.

Glossary

• Partner: an organisation with a contract with us permitting significant access to our services and content.
• Link Officer: an individual at a Partner organisation who acts as a primary point of contact (and a Data Controller under applicable law) during the paid contract.
• Record of Engagement: a Partner organisation's recorded activity, used for reporting to Link Officers to illustrate value for money during a paid contract.
• Individual Subscriber: an individual who subscribes to limited services and content.
• Public Account: a website profile created by an individual with no affiliation to a Partner organisation. This is a free use account with limited features.
• Data Controller: a person/organisation responsible for managing personal data under law.
• Data Processor: a person/organisation responsible for handling personal data under law.
• CRM: Customer Relationship Management software used to store customer information including personal data.
• Commission: A commissioned piece of work by a third party organisation under contract.
• CMS: Content Management System, software used to manage the content of our website.

Data privacy law scope

For Public Accounts and Individual Subscribers, we are the Data Controller and Data Processor.

For Partner Membership we are Data Processor only: the role of Data Controller lies with the Partner.

Data collection

If you are a Partner, your Link Officer is a Data Controller. They will administer users of our services at your organisation. Users with Partner membership should ensure they know the name of their Link Officer and contact them for advice as required about personal data.

We will collect basic personal data about you, including:

• name
• work address, phone number and email
• job title, department and company
• images (with additional consent)
• video (with additional consent)
• audio (with additional consent)
• email correspondence and CRM notes

On occasions or following a commission we may also need to collect and store special categories data that includes sensitive personal information about your health or medical conditions. We will collect this information from you to ensure we meet any statutory obligations and/or meet our duty of care to you or to fill a contractual agreement following a commission. We will only do this if it is necessary, and if we need your consent we will ask you for it, or via a data controller in your organisation.

Why we collect data

Partners and Individual Subscribers

If you are a member or employee of a Partner organisation, or you have been nominated by a member organisation to have an account, we need your personal data to fulfil our contractual relationship. Without this information, it will not be possible to provide our services. We will not collect personal data that we do not need.

Public accounts

If you have created a Public Account we will only collect and use data you provide with your consent. This will be used to send communications that you have consented to receive.

Commissions

For a commission we have a legitimate right to process your information in order to fulfil a contractual agreement, such as providing event attendance or research. We will not collect personal data that we do not need and will be explicit in how the data will be used and processed.

Metadata

We use Google Analytics to measure anonymous user activity that helps us understand our users' behaviour and to improve our services. No personal data is collected by us when we use Google Analytics and you should refer to the Google privacy policy for more information.

We use Matamo to monitor Partner account holders Record of Engagement. Matomo tells us which pages on our website you have used as an authenticated user, to fulfil our contractual commitments to Partners in providing usage data.

We use Hotjar in order to better understand our users’ needs and to optimise our service. Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices. This includes a device's IP address (processed during your session and stored in a de-identified form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), and the preferred language used to display our website. Hotjar stores this information on our behalf in a pseudonymised user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.

For further details, please see the ‘about Hotjar’ section of Hotjar’s support site.

HotJar Feedback & Consent: We may provide a voluntary feedback facility on some website pages from time to time, to gather user feedback for the purposes of improving our offering. In addition to submitting your feedback response, you can at the same time consent to provide additional data. Granting consent allows us to collect and combine the feedback responses with:

• Any other feedback previously submitted from the same device
• Location (limited to the country)
• Language used
• Device and Browser used
• Custom Attributes (e.g. products or services being using)
• Behaviour and Interactions on the page(s) visited

All Behaviour and Interaction data collected will be retained for no longer than one year. It will then be automatically deleted. All Feedback responses data submitted is stored in accordance with the HotJar Data Retention Policy. More information on the cookies employed by Hotjar is available on our cookies page.

Your right to withdraw this consent is present at any time. Requests to have your data removed can be actioned simply by contacting us - HotJar provide us with a Visitor Lookup tool. From the date when the withdraw of consent occurs, HotJar will no longer combine feedback responses with information about behaviour. Any data collected and combined from the date when consent was granted until the date of withdrawal would have been lawfully processed. The legal basis for processing this data, which might include personal data, if any provided, is Article 6(1)(a) EU General Data Protection Regulation.

Lawful basis for processing

Partners and Individual Subscribers

Where a paid membership or commission exists, we will process your personal data under the lawful basis of necessity for fulfilment of that contract, including identifying the nominated Link Officer to other individuals from the member organisation if requested.

Public Accounts

Public Accounts where no money is exchanged; the lawful basis of processing is consent.

Change of purpose

We will only use your personal data for the purposes for which it is collected, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal information for an unrelated purpose, we will notify you to explain the legal basis which allows us to do so or request your consent.

Photography, video and audio

We capture photography, video and audio to deliver and promote our services. This data can contain personal information. All photography, video and audio recordings seek explicit consent from participants at the point of capture, which is kept on record. This includes parental consent where children and/or young people are involved.

Our use of platforms for online events

This guidance provides an overview for delegates of Research in Practice’s online events of the platforms that we use and the implications for delegates’ personal data.

Why have we chosen these platforms?

These platforms are the easiest to access for our Partners, meet data protection requirements and have the functionality we need to provide you with the most effective learning experience.

The platforms we use

Research in Practice use several platforms so that we can offer a range of learning opportunities to our members. You may not be able to access all of them, depending on your organisation's ICT security, but you should be able to access at least one of them. We regularly review access availability with our Link Officers.

Research in Practice use Microsoft Teams with Partners who are able to access the platform through their own organisational subscription, or with delegates who have guest access. Microsoft Teams is secure, and should be accessible by most Partners. The platform will not require a submission of personal data for you to take part, but the name in which you have registered your account and your email address will be shared.

Research in Practice also use Zoom, which provides additional functionality that is not available on Microsoft Teams. Zoom can be accessed via a web browser, or by their app.

You will need to submit personal details such as your name and email address in order to sign in and access Zoom. We enable the maximum-security settings to reduce the risk of personal data being misused, and so that unauthorised people cannot access the webinar. We continually monitor the Zoom security protocols to check that they continue to meet our, and your, requirements. We understand that many of our members do not currently permit access to Zoom, and we will offer an alternative webinar platform where this is an issue.

We may also signpost you to other platforms such as YouTube where appropriate. The joining instructions for each webinar session will provide clear guidance on the platform being used, how it is accessed, and how delegates can troubleshoot any common issues.

At this time, no single platform has the functionality and accessibility that works for all of our Partners, however, we will regularly review platforms as they extend and improve their security and functionality. We may use an alternative platform in the future if it improves accessibility, functionality and security and will update this guide with details.

Recording online events

We will let you know when we are recording an online event by including a statement in the joining instructions. This statement will also include the implications for your personal data. Recorded events will be displayed on the Research in Practice website and/or microsites. The name that delegates submit to the platform will be displayed, as will any video feed or comments that you share during the webinar. By taking part in a recorded webinar, you are accepting that the information that is displayed will be recorded.

Sharing files

Additional material may be shared with the facilitator during the event. These materials may be included in the resource bundle available to participants after the webinar. We do not expect you to share any files during an online event, but should you do so, these will be able to be accessed by the facilitator and other attendees. By sharing a file, you are indicating that you are happy for it to be shared unless you expressly state otherwise.

We also engage with Link Officers or workshop organisers so that we can share follow-up resources with participants where that is appropriate.

General Data Protection Regulation

The detail of how each platform is complying with the General Data Protection Regulation (GDPR) for each platform can be found on their websites:

• Microsoft
• Zoom

Who processes my data?

All data we hold about you will be processed by our staff and approved third party contractors (sub-processors). Third party processors are required to take appropriate security measures to protect your personal data in line with our policies and act only under our instruction. They do not have permission to use your data for their own purpose without your prior consent. Details of third party processors can be found below.

Customer Relationship Management (CRM) system for Research in Practice website

The majority of customer personal data is held in our CRM. This contains basic personal data including:

• name
• address
• job title
• event attendance
• email address
• phone number
• record of engagement (for our website)
• your employer

This data is held and retrieved to allow us to:

• send non-marketing emails
• manage your login details for our website
• engage with you through our events (including understanding dietary requirements or special needs)
• administer any contract/s that exist between us
• understand your use of our website/s to fulfil a Record of Engagement.

Content Management System (CMS) for Research in Practice website

Our website holds a minimum amount of personal data that is designed to permit authentication (logging in). All other personal data is held securely in our CRM.

We retain no personal data on un-authenticated anonymous users.

Associate sub-processors

For many of our events, webinars and conferences we use Associates as facilitators. Associates are independent topic experts that help us to deliver our high quality learning events and we issue them with sub-contracts to deliver the learning event. In order to fulfil their delivery contract we provide them with a list of event attendees which includes the name, email address and organisation of the participant for the purpose of delivering the event.

Third party data processors

We work with third party data processors. These organisations help us to fulfil our obligations as a service provider and are themselves subject to their own policies as under law. These organisations include:

• Email services
  • MailChimp. The Rocket Science Group, LLC 675, Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 U.S.A.
• Online surveys
  • SmartSurvey Ltd. Basepoint Business Centre, Oakfield Close, Tewkesbury, Gloucestershire, GL20 8SD U.K.
  • Monday.com
  • TypeForm
• Print/mail
  • William Pollard & Co Ltd. Oak House, Falcon Road, Exeter, Devon, EX2 7NU U.K.
• Video conferencing, hosting and webinars
  • Microsoft Teams, Microsoft Corporation, One Microsoft Way,Redmond, Washington 98052
  • Vimeo, Inc. 555 West 18th Street, New York, New York 10011 U.S.A.
• Asset Bank
• Website development and hosting technology
  • AB Multimedia Limited. Registered Office: 9 Richmond Road, Exeter, EX4 4JA U.K.
  • Mentor Digital, 4 West End, Somerset St, Bristol, BS2 8NE
• Event Management (Commissions only).
  • Arlo: Registered Office: 7 Ward St, Level 2, Lower Hutt 5010 New Zealand
• Contract management
  • DocuSign
  • Monday.com
• Transcription and analysis
  • Verbitgo
  • Takenote
  • McGowan Transcriptions
  • Dovetail

 

Research in Practice reserves the right to change or add to any third-party processors used in providing our services. Changes will be noted in this policy.

Data retention

We will only retain your personal information for as long as necessary to fulfil the purpose/s it was collected for, including satisfying any legal, accounting, or reporting requirements.

Personal data is disposed of by Research in Practice:

• When an individual verbally exercises their right to erasure and that request is not refused by Research in Practice.
• Automatically, two year(s) after the last interaction by Research in Practice with an individual (including Public Accounts and non-activated accounts).
• If an individual or Partner organisation leaves Research in Practice, their data will no longer be processed, but may be retained for three year(s) following such date.

In some circumstances, we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you.

Data Security

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

In the physical world

Our paper records are minimal but can include printed contracts, printed event information and other small sources of data used in day-to-day office activity. Personal data held on paper is digitised and the paper is destroyed as soon as possible.

We operate a clear desk policy, have a secure building, use a standard cross-shredder and use a regular secure document disposal service.

Cloud servers

We use standard cloud servers for our technology, which can be in data centres in other locations apart from the UK. This will involve transferring your data outside the European Economic Area (EEA). Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries.
• Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.

Encryption

All websites (including CRM) are hosted on industry standard secure servers where access to personal data is encrypted behind authentication.

User connection when accessing the website and CRM is encrypted through the appropriate use of certificates.

Ensure ongoing confidentiality, integrity, availability and resilience

All websites (including CRM) are backed up daily on a four-week rolling cycle. This permits availability to restore with minimal risk of data loss. Data is stored in secure databases, spread across multiple data centres in the EU and UK for full redundancy.

Restore in a timely manner after an incident

We have a procedure in place allowing for disaster recovery which includes 'Major Critical Incident' which permits continuity of the business with minimal data loss risk.

Testing the effectiveness of the security

Our web applications are occasionally subject to Penetration Testing by a consultant and issues are addressed.

Adherence to code of conduct

Employees are required to adhere to a National Children's Bureau Acceptable Usage Policy in relation to electronic systems. Our Staff receive regular training in General Data Protection Regulations.

Ensuring strict adherence from our contractors (third-party data processors)

We use approved contractors to build our websites (including CRM). These contractors are subject to strict rules about data access and handling and have access to our servers.

Where possible and practical, third-party contractors (processors) are guided by our staff directly and are subject to Non-Disclosure Agreements where personal data protection is concerned. Contractors are expected to run their own physical and technical security to a high standard and have full insurances. We have visited the offices of our contractors and are satisfied that they meet good standards of data security.

Your rights of access, correction, erasure and restriction

Your duty to inform us of changes

It is important that the personal information we hold about you is accurate and up-to-date. Please keep us informed if your personal information changes during your working relationship with us.

Your rights in connection with personal information

Under certain circumstances, by law you have the right to:

• Request access to your personal information (commonly known as a 'data subject access request'). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
• Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected. You may also request for supplementary information to be added to your information where relevant and appropriate.
• Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
• Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
• Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
• Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact us. We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Right to withdraw consent

In circumstances where you may have provided your consent to the collection and use of your personal information for a specific purpose, you have the right to withdraw your consent for that processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose/s you originally agreed to, unless we have a legitimate basis for doing so in law.

Contact us

Questions, comments and information requests regarding this privacy policy and data processed by Research in Practice in accordance with the General Data Protection Regulation (GDPR) should be addressed to Research in Practice, National Children’s Bureau, 23 Mentmore Terrace, Hackney, London E8 3PN, or please email ask@researchinpractice.org.uk.

National Children’s Bureau have a Data Protection Officer to oversee data protection compliance. If you have any questions how NCB handles your personal information, please contact DataProtection@ncb.org.uk.

Changes to this privacy policy

We reserve the right to update this privacy policy at any time, and we will notify you if we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

National Children Bureau

You can also view the National Children’s Bureau privacy policy.