Privacy Information for Research Participants

Introduction

Anglia Ruskin University Higher Education Corporation (ARU) is committed to protecting your personal information when you use our services. 

When saying “we”, “our” or “ARU”, we’re referring to Anglia Ruskin University.

This statement explains how we, specifically ARU handles and uses the personal data we collect about our research participants. ARU in this context means the central University (Cambridge, Chelmsford, Peterborough and London campuses as well as our Associate colleges and former institutions including Cambridgeshire College of Arts and Technology (CCAT) and the Essex Institute of Higher Education (formerly the Chelmer Institute – itself formed from the Mid-Essex Technical College and the Brentwood College of Education). At first, these colleges combined to become Anglia Polytechnic, and then Anglia Polytechnic University in 1992. We’ve been known as Anglia Ruskin University since 2005.

Please read the following privacy policy to understand how we use and protect the information obtained via the following online services:

This Privacy Policy explains the following:

  • who we are
  • what personal data we may collect about you
  • where get your personal data from
  • how we will use personal data we collect about you
  • who we share your personal data with
  • how long we hold your personal data
  • the legal basis for processing your personal data
  • your rights regarding the personal data you provide to us
  • the use of cookies on our websites and how you can reject them

By providing us with your personal data and using our services, you agree to the collection and use of this information in accordance with the purposes described above in this privacy notice or as otherwise explained to you.

If you have any requests concerning this Privacy Policy, your personal information, or any queries with regard to our processing please contact dpo@aru.ac.uk.

What personal data will ARU collect about me?

In most cases we will receive information from you directly e.g. from questionnaires, during face-to-face interviews or observations carried out by our staff or students, psychometric tests or results after exercises. This is not an exhaustive list. The specific information we ask for will vary depending on the subject of the research, but will be explained to you in writing before you provide any information to us. We may also ask for data that has already been collected from you for another purpose e.g. test results, but we will obtain your permission to do this.

Researchers may also obtain information about you which is held by another organisation (e.g. a school, an employer, other businesses etc). We will always make sure that the organisation has a legal right to share this data before we receive it and this is detailed on the permission letter we ask them for. Where we obtain information about children we will make sure that the parent/ guardian is aware.

ARU also collects data about how you use applications, websites or other university-related online content, and the device(s) you use to access these services which we may ask you to use in order to provide with research data. This includes collecting unique online identifiers such as IP addresses, which are numbers that can uniquely identify a specific computer or other network device on the web. For more information, please see the section on cookies within this privacy notice. We may also use third party applications for this purpose but will have reviewed their privacy assurances before deciding to use them. Please see the privacy policies of specific applications we may direct you to for details of how they may use your data.

How do we use your personal data?

Your data is used by us for the purposes of conducting research. This includes:

  • Research projects for which you are a willing participant who has received a participant information leaflet explaining in detail the use of your personal data
  • Published research findings, although all personal data is typically removed from a final report. You will be advised if this is not the case
  • Administrative purposes – including:
  • the arrangement of interviews and other appointments,
  • your contact details and the means to pay you where the research may involve a payment
  • internal record keeping, including consent forms and the management of any feedback or complaints

Communications to you may be sent by email, telephone or post, depending on the contact details we hold.

Who do we share your personal data with?

In the course of processing your personal data we may disclose where necessary to the following, but always ensuring that there is a legal requirement for them to be able to identify you from the information. Normal practice would be to anonymise or pseudonymise the data which can identify you. We will always advise you about this in advance:

  • An organisation that we work together with in conducting the research
  • An external body who is authorised to audit the quality of our research
  • Bodies who are responsible for compiling and maintaining research databases which authorised organisations and researchers can access.
  • A provider who may be able to deliver further services of interest to you, provided you have agreed to this
  • Where the law requires it, with law enforcement agencies
  • With support providers in the event of your data suggesting an urgent need for intervention in your vital interests.

How we protect your data

We ensure we have appropriate data sharing agreements in place before sharing your personal data with another organisation.

We do not sell your personal data to third parties under any circumstances, or permit third parties to sell on the data we have shared with them.

We will publish on our website any changes we make to this data protection statement and notify you by other communication channels where appropriate.

Should we transfer your personal information to other organisations outside of the European Economic Area (EEA), we take all necessary steps in line with data protection laws. These include contract terms approved by the EU Commission with the relevant organisations receiving your personal information and appropriate security controls.

How long do we keep your personal data?

We ask our researchers to de-identify information as soon as possible (anonymisation or pseudonymisation) wherever it is not crucial to the research. Information where you can be identified will be kept for a minimum amount of time and in accordance with the research objectives. We may, however, keep consent forms which contain personal information for a number of years after the research has been completed; this is sometimes a requirement from the research’s funder. They may require us to retain research records for a minimum period of time so that they can audit us and ensure the research was carried out according to their requirements. Some may insist that data is deleted after a specific period. We will advise you of this.

Typically research project data for under-graduate major dissertations, which does not become a published report, is not kept beyond the end of the academic year in which it was submitted.

For some research projects we cannot de-identify the information as it is necessary for achieving the outcome of the research and therefore some data which can identify you will be required. Where your personal data is provided for research purposes the law allows us to not have to state how long we will keep it for.

Some of the data supporting our published, post-graduate, doctoral or staff research will be held confidentially for as long as necessary to fulfil the purposes for which it was it collected, including for the purposes of satisfying any public interest, contractual, legal, accounting, or reporting requirements. The law allows us keep this data indefinitely as long as there are appropriate safeguards in place so that you are not disadvantaged by this.

You will be informed in your Participant Information Sheet with regards to how long your personal information will be kept for.

Please see our Retention Schedule for further details.

What is the legal basis for using your personal data?

In most cases, when we ask you for information about you to support our research projects, we won’t need to ask for your consent as it is defined in Data Protection Law. Where we ask for consent, we are referring to ‘ethical research’ consent, i.e. this is not a Data Protection ‘permission’, it is our practice to make sure that we do not allow people to participate in our research without them feeling comfortable in doing so. The Data Protection ‘legal basis’ we rely upon is usually:

  • ‘performance of a task carried out in the public interest’. Research conducted by our staff and postgraduate research students is always intended to make an original contribution to knowledge. Such research is published in order to share that knowledge. Research projects may also be conducted by undergraduate and taught postgraduate students to fulfill the requirements of their programme of study. These projects are not necessarily intended to make an original contribution to knowledge and are not usually published. However, this research is integral to the students’ education and is part of our ‘public task’ to support their learning and development in this way.
  • There may be rare instances where the research we undertake could not be said to be part of our services to students nor having a wider public benefit. In such cases we do this under our ‘legitimate interests’ in conducting research for the benefit of the University.
  • Where we may ask for ‘Special Category’ (sensitive personal) data, we will rely on the basis of ‘research purposes’ and make sure we have the necessary safeguards in place over your data.

If you have participated in research before the law changed on May 25th 2018 you would typically have given your personal data to ARU with your ‘consent’. The law states that if you give your data under ‘consent’ but then we change this to a different legal basis (as above) then we must explain this to you and why our use of your data is fair to you. Please therefore be aware of the following:

  • Our research standards have always tried to make sure that we explain to participants what we do with your data. We now provide more data to participants but this additional data is also given to you here on these pages. We are confident that we are being as open as possible with you about our use of your data.
  • The changes we have made to comply with the law improve the way we use your data and its security. This applies to all our research personal data whenever it was collected.
  • Our approach to requests from you to change your mind about wanting to participate in our research goes further than your data protection rights and has not changed as a result of the new law.
  • We therefore do not believe that having collected your data before 25th May 2018 has disadvantaged you compared to participants whose data we collected after this date.
  • Where we have successfully anonymised your data as part of a research project then the law change will have no effect as we are no longer processing data that can identify you and the law therefore does not apply.

We will always handle your personal data securely, we will only use personal data where necessary and as little as is needed. We will anonymise and pseudonymise data where relevant. There is no statutory or contractual requirement for you to provide us with any personal data for our research activities.

The situations in which we shall process the following categories of personal data are listed below:

Specific Purpose

Legal Basis

Obtaining information about your opinions or facts about you to inform our research projects. The following are examples of types of data we may ask you for, but this will vary across all of our research projects

  • Basic details such as name, address, other contact details
  • Age
  • Marital Status
  • Employment status
  • Economic data
  • Gender data
  • Ethnicity data
  • Health data
  • Biometric data
  • Your opinions

Where we do not need to identify you (i.e. the data will be anonymised), we do not need a legal basis. Where we do, the processing is necessary:

  • For the performance of a public task where the research is part of a student’s studies or is in the public interest where employee/ post-graduate research is undertaken
  • In rare occasions where the above does not apply processing is necessary under our legitimate interests for example where research generates income

Where we process Special Category data for these purposes, we do so because it is:

  • For scientific or historical research purposes or statistical purposes

Using your personal and contact information in order to communicate with you for the following example purposes:

  • Sending you questionnaires for you to provide us with your data
  • Sending you links to online resources and web forms where you may provide us with your data
  • Arranging dates and times for appointments for interviews where we may collect your data in person
  • Providing you with feedback or advice on the data you have provided if it is relevant to the research and you have agreed to this
  • Managing your concerns, queries and complaints
  • Sharing your contact details with other organisations with your consent

Where we do not need to identify you, we do not need a legal basis. Where we do, the processing is necessary:

  • for the performance of a task carried out in the public interest in the provision of higher education and for public benefit and/or
  • under our legitimate interests in generating income from such projects and/or
  • under contract with another organisation and/or
  • with your consent to share

Your rights under GDPR

Please read about your rights under Data Protection legislation. It is important to note that the ‘legal basis’ we rely on (above) to process your data determines which of your rights are available. You are not expected to know these details, it is our responsibility to understand how the law applies and to explain it to you when responding to a request from you. Our Rights guidance is an opportunity to provide you with information on how you can expect us to handle your requests.

The law provides for the following rights:

  • To be informed
  • To access your data
  • To rectify (change, update or correct) your data
  • To erase (remove, delete or destroy) your data
  • To restrict our use of your data
  • To data portability
  • To object
  • To not be subject to automated decision-making and profiling

To complain to the Information Commissioner’s Office (ICO): the ICO is the UK supervisory authority for data protection issues. For more information please visit the ICO website.

Information Security

ARU is committed to holding your data securely and uses information security best practice to transmit personal data. Data is held in accordance with the Corporate Information Security Policy . For example, your personal data is accessible only by those authorised and who have a business need for access. When shared with third parties, your personal data is shared with encryption or in password protected files.

Where we have given you (or where you have chosen) a password that enables you to access our systems, you are responsible for keeping this password confidential. You must not share passwords with anyone.

Although we maintain a number of safeguards, fraudulent email requests are occasionally delivered to staff and students. We will never ask for your username or password by email. Any message that does so should be treated as a potential breach of security, no matter how legitimate it may appear. If you are in any doubt, do nothing until you have spoken to a member of the IT Services Customer Support Team.

ARU have put in place procedures to deal with any suspected data security incident and will notify you and any applicable regulator where we are required to do so. If you have any concerns that personal data has been compromised please contact

Processing outside the European Economic Area (EEA)

The law requires us to let you know if we or our suppliers process your personal data outside the EEA (The European Union Member States plus Norway, Iceland & Lichtenstein) and what we have in place to make sure your rights in UK Data Protection law remain in place. We do use suppliers such as software providers, IT support providers and online learning module delivery providers as well as ad hoc IT project suppliers who either host our data or access data for support purposes in countries outside the EEA. We will at all times have in place, in our Agreements with these suppliers, features which protect your data rights as required by GDPR. These include: The relevant country has an ‘Adequacy decision’ in place (meaning UK law recognises its Data Protection laws as equivalent to our own), or the contract contains ‘EU Standard Contractual Clauses’ which are an approved mechanism to legally require suppliers to comply with UK law. We are monitoring the potential impact of Brexit on these EU arrangements and will take appropriate action if the law requires. At present our data processing outside the EEA meets the demands of UK law.