How we use your information as part of the “Unmasked: The Science of Superheroes” project
This privacy notice tells you what to expect us to do with your personal information when you contact the “Unmasked: The Science of Superheroes” project team. Personal information (or personal data) is any information which relates to and identifies you. Data protection legislation (the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA)) set out how we should handle your personal information.
Our contact details
The University of Central Lancashire Higher Education Corporation is the data controller for the personal information we process, unless otherwise stated. We are registered with the Information Commissioner’s Office and our registration number is Z5512420.
There are many ways you can contact us, including by phone, email, social media and post. See our main contact details.
Our Data Protection Officer
What personal information will we use?
Support for the “Unmasked: The Science of Superheroes” project arises from a collaboration between UCLan and the Science and Technology Facilities Council, although UCLan is the controller for any personal data processed as part of the project.
The project team will use information you provide directly to us when you contact us to make an enquiry, sign up to our mailing lists or arrange for an author to appear at your venue, as well as any information we generate as a result of providing our services.
The information we will collect about you includes your name, contact details, mailing preferences, enquiry details, and any other information we need to provide author support for events, if applicable.
Why do we use your personal data?
We will use your personal data to respond to enquiries you submit; keep records of our responses; maintain a mailing list and send out newsletters and other marketing communications; and arrange and manage any author visits or appearances at your venue, which includes processing personal data for insurance purposes.
What is the lawful basis for this processing?
The University can only process personal data about you if there is a lawful basis from the GDPR which allows us to do so.
From the point you initially contact the SUN team, information will be collected, and records will be created and maintained, for the purposes set out in this notice. The lawful bases on which we rely for processing information for those purposes are as follows:
Article 6(1)(b), which allows us to process personal data when it is necessary for the performance of a contract. You may enter into a contract with us when you use our services. We require you to provide any information we reasonably request for these purposes otherwise we cannot deliver your contract.
Article 6(1)(f), which allows us to process personal data where it is in our, or someone else’s, legitimate interests to do so and it does not unduly prejudice your rights and freedoms. We rely on this condition to, among other things:
- Respond to queries and enquiries and keep records of our interactions with enquirers.
- Send information about our services and events to you, unless you tell us not to. It is in the University’s legitimate interests to promote its services and events to those who may be interested.
- Produce some internal reports, research, market research, surveys and statistics. It is in our legitimate interests to use these to evaluate, plan and assess how the University’s educational events are operating and make any changes we think are appropriate and will benefit current and future students, and members of the public.
We may also process some information only if you provide your consent. In this case, Article 6(1)(a) applies, and Article 9(2)(a) applies where the information is special category data (special category data is information about your race, ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data used for ID purposes, health, sex life or sexual orientation). It will be clear where we are relying on your consent to collect and use your information because consent will be requested at the time you provide the information. When you are asked for consent, we will explain why we are asking for the information and how we will use it if you choose to provide it. Consent can be withdrawn at any time and we will explain how you can do this in each individual case.
Where we process special category data for the purposes set out in this notice, we rely on the following additional lawful bases from the GDPR and DPA:
Article 9(2)(g) GDPR, which allows us to process special category data if the processing is necessary in the substantial public interest and there is a basis to do so in law. The law which allows us to rely on Article 9(2)(g) is section 10 and Schedule 1 DPA. The specific conditions from Schedule 1 DPA on which we rely for this type of processing are as follows:
- Schedule 1(6), which allows us to process special category data to comply with a statutory or legal obligation. Such obligations include, but are not limited to, those set out in the Health and Safety at Work etc. Act 1974 and the Equality Act 2010.
- Schedule 1(8), which allows us to process special category data to monitor equality of opportunity or treatment.
- Schedule 1(20), which allows us to process special category data for insurance purposes without your consent, in certain circumstances.
When processing special category data in reliance on the above conditions from Schedule 1 DPA the University must have an appropriate policy document, which can be read here: Data Protection: Processing special category data and criminal convictions data.
Who will my personal information be shared with?
We share your information with some external organisations and bodies, some of which are processing personal data on our behalf. We only share your personal data with another person or organisation where the law allows us to and we consider it to be appropriate under the circumstances. The external parties we will share information with include the following:
- University insurers: information, including accident forms, is shared with our insurers to provide insurance cover and to enable us to make insurance claims.
- Government agencies and authorities, including the police for the prevention and detection of crime, apprehension and prosecution of offenders, the collection of tax or duty and safeguarding national security, among other things.
- Executive agencies or non-departmental public bodies such as the Health and Safety Executive.
- Internal and external auditors to provide assurance that the University is following its risk management, governance and internal control processes and to independently inspect our financial statements and records.
- Companies or organisations acting on our behalf: We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will hold it securely and retain it for the period we instruct.
Sending your information outside the EEA
Occasionally we may need to send your personal information outside the European Union/European Economic Area (EU/EEA) e.g. to obtain a service from a data processor. We only transfer personal data outside the EEA if there is a lawful basis to do so and appropriate safeguards are put in place to protect your information and ensure it remains secure.
How long will we keep your personal information?
All information will be retained and disposed of in line with the University’s retention schedule.
We will retain records of your enquiries and our replies for two years following the closure of your enquiry.
Records of events and all information associated with their design and delivery will be retained for three years following the end of the event then will be considered for permanent preservation in the University Archive.
Records of insurance claims will be retained for six years following the end of the investigation or settlement of claim.
Your data protection rights
Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information. Further information about each of these rights can be found on the Information Commissioner’s Office website here.
Your right of access
You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. For further information or to make a request, please see our website here.
Your right to rectification
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
Your right to erasure
You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing
You have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing
You have the right to object to any processing we carry out, if we carry it out on the basis that it forms part of our public task or is in our legitimate interests. You also have the right to object to your personal information being used for direct marketing purposes.
Your right to data portability
This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information because we have your consent or because it is necessary for a contract you are a party to, and the processing is automated.
Your right to complain
We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact Unmasked: The Science of Superheroes team and we will respond. Alternatively, you can contact the Information Governance Manager & Data Protection Officer.
If you remain dissatisfied, you can make a complaint about the way we process your personal information to the Information Commissioner’s Office, which is the UK supervisory authority for data protection. Further information can be found on the data protection pages of our website here.