Anglia Ruskin University Higher Education Corporation (ARU) is committed to protecting your personal information when you use our services.
When saying “we”, “our” or “ARU”, we’re referring to Anglia Ruskin University.
This statement explains how ARU handles and uses the personal data we collect about our research participants. ARU in this context means the central University: the Cambridge, Chelmsford, Peterborough and London campuses, as well as our Associate colleges and former institutions including Cambridgeshire College of Arts and Technology (CCAT) and the Essex Institute of Higher Education (formerly the Chelmer Institute – itself formed from the Mid-Essex Technical College and the Brentwood College of Education). At first, these colleges combined to become Anglia Polytechnic, and then Anglia Polytechnic University in 1992. We’ve been known as Anglia Ruskin University since 2005.
By providing us with your personal data and using our services, you agree to the collection and use of this information in accordance with the purposes described above in this privacy notice or as otherwise explained to you.
In most cases we will receive information from you directly e.g. from questionnaires, during face-to-face interviews or observations carried out by our staff or students, psychometric tests or results after exercises. This is not an exhaustive list. The specific information we ask for will vary depending on the subject of the research, but will be explained to you in writing before you provide any information to us. We may also ask for data that has already been collected from you for another purpose e.g. test results, but we will obtain your permission to do this.
Researchers may also obtain information about you which is held by another organisation (e.g. a school, an employer, other businesses etc.). We will always make sure that the organisation has a legal right to share this data before we receive it, and this is detailed on the permission letter we ask them for. Where we obtain information about children we will make sure that the parent/guardian is aware.
ARU also collects data about how you use applications, websites or other university-related online content, and the device(s) you use to access these services, which we may ask you to use in order to provide us with research data. This includes collecting unique online identifiers such as IP addresses, which are numbers that can uniquely identify a specific computer or other network device on the web. For more information, please see the section on cookies within this privacy notice. We may also use third party applications for this purpose but will have reviewed their privacy assurances before deciding to use them. Please see the privacy policies of specific applications we may direct you to for details of how they may use your data.
Your data is used by us for the purposes of conducting research. This includes:
Communications to you may be sent by email, telephone or post, depending on the contact details we hold.
In the course of processing your personal data we may disclose it, where necessary, to the following, but always ensuring that there is a legal requirement for them to be able to identify you from the information. Normal practice would be to anonymise or pseudonymise the data which can identify you. We will always advise you about this in advance:
We ensure we have appropriate data sharing agreements in place before sharing your personal data with another organisation.
We do not sell your personal data to third parties under any circumstances, or permit third parties to sell on the data we have shared with them.
We will publish on our website any changes we make to this data protection statement and notify you by other communication channels where appropriate.
Should we transfer your personal information to other organisations outside of the European Economic Area (EEA), we take all necessary steps in line with data protection laws. These include contract terms approved by the EU Commission with the relevant organisations receiving your personal information and appropriate security controls.
We ask our researchers to de-identify information as soon as possible (anonymisation or pseudonymisation) wherever it is not crucial to the research. Information where you can be identified will be kept for a minimum amount of time and in accordance with the research objectives. We may, however, keep consent forms which contain personal information for a number of years after the research has been completed; this is sometimes a requirement from the research’s funder. They may require us to retain research records for a minimum period of time so that they can audit us and ensure the research was carried out according to their requirements. Some may insist that data is deleted after a specific period. We will advise you of this.
Typically research project data for under-graduate major dissertations, which does not become a published report, is not kept beyond the end of the academic year in which it was submitted.
For some research projects we cannot de-identify the information as it is necessary for achieving the outcome of the research and therefore some data which can identify you will be required. Where your personal data is provided for research purposes the law allows us to not have to state how long we will keep it for.
Some of the data supporting our published, post-graduate, doctoral or staff research will be held confidentially for as long as necessary to fulfil the purposes for which it was collected, including for the purposes of satisfying any public interest, contractual, legal, accounting, or reporting requirements. The law allows us to keep this data indefinitely as long as there are appropriate safeguards in place so that you are not disadvantaged by this.
You will be informed in your Participant Information Sheet with regards to how long your personal information will be kept for.
Please see our Retention Schedule for further details.
In most cases, when we ask you for information about you to support our research projects, we won’t need to ask for your consent as it is defined in Data Protection Law. Where we ask for consent, we are referring to ‘ethical research’ consent, i.e. this is not a Data Protection ‘permission’; it is our practice to make sure that we do not allow people to participate in our research without them feeling comfortable in doing so. The Data Protection ‘legal basis’ we rely upon is usually:
If you have participated in research before the law changed on May 25th 2018 you would typically have given your personal data to ARU with your ‘consent’. The law states that if you give your data under ‘consent’ but then we change this to a different legal basis (as above) then we must explain this to you and why our use of your data is fair to you. Please therefore be aware of the following:
We will always handle your personal data securely. We will only use personal data where necessary and as little as is needed. We will anonymise and pseudonymise data where relevant. There is no statutory or contractual requirement for you to provide us with any personal data for our research activities.
The situations in which we shall process the following categories of personal data are listed below:
Obtaining information about your opinions or facts about you to inform our research projects. The following are examples of types of data we may ask you for, but this will vary across all of our research projects
Where we do not need to identify you (i.e. the data will be anonymised), we do not need a legal basis. Where we do, the processing is necessary:
Where we process Special Category data for these purposes, we do so because it is:
Using your personal and contact information in order to communicate with you for the following example purposes:
Where we do not need to identify you, we do not need a legal basis. Where we do, the processing is necessary:
Please read about your rights under Data Protection legislation. It is important to note that the ‘legal basis’ we rely on (above) to process your data determines which of your rights are available. You are not expected to know these details; it is our responsibility to understand how the law applies and to explain it to you when responding to a request from you. Our Rights guidance is an opportunity to provide you with information on how you can expect us to handle your requests.
The law provides for the following rights:
However, in the case of research there are legal exemptions from our duties to provide some of these rights. As long as we are making sure that your data is protected, you are not suffering harm as a result of our use of your data and to the extent that exercising your rights may damage the success of our research, we may decide that we cannot provide for your rights of access, rectification, restriction and objection. The law allows us to do this; however, we will always fully consider how we can best manage any concerns you may have over our use of your data for research.
Usually we can accept requests for your data to be withdrawn from research up to the point that the data is presented in a final report form. Reports will typically not identify individuals and therefore there will be no personal data to remove, but if the intention is to identify you, you will be informed before you provide us with your data.
Please get in touch with your research contact initially to discuss your concerns or wishes, and email@example.com in the event that you have a complaint.
To complain to the Information Commissioner’s Office (ICO): the ICO is the UK ‘supervisory authority’ for data protection issues. For more information please visit the ICO website:
In order to protect your ‘rights and freedoms’ when using your personal information for research and to process special category data we must have special safeguards in place to help protect your information. We take the following steps:
In addition to the above University safeguards the GDPR and the DPA also require us to meet the following standards when we conduct research with your personal information:
ARU is committed to holding your data securely and uses information security best practice to transmit personal data. Data is held in accordance with the Corporate Information Security Policy.
Although we maintain a number of safeguards, fraudulent email requests are occasionally delivered from sources designed to look like they are sent by ARU. We will never ask for your username or password by email. Any message that does so should be treated as a potential breach of security, no matter how legitimate it may appear. If you are in any doubt about the validity of an email coming from ARU, do nothing until you have spoken to your research contact.
ARU have put in place procedures to deal with any suspected data security incident and will notify you and the regulator where we are required to do so. If you have any concerns that personal data has been compromised please contact firstname.lastname@example.org.
The law requires us to let you know if we or our suppliers process your personal data outside the EEA (the European Union Member States plus Norway, Iceland & Liechtenstein) and what we have in place to make sure your rights in UK Data Protection law remain in place. We do use suppliers such as software providers, online survey suppliers, ad hoc IT project suppliers who either host our data or access data for support purposes in countries outside the EEA and partner with other research institutes across the world. We will at all times have in place, in our Agreements with these suppliers, features which protect your data rights as required by GDPR. These include: the relevant country has an ‘Adequacy decision’ in place (meaning UK law recognises its Data Protection laws as equivalent to our own), or the contract contains ‘EU Standard Contractual Clauses’ which are an approved mechanism to legally require suppliers to comply with UK law. We are monitoring the potential impact of Brexit on these EU arrangements and will take appropriate action if the law requires. At present our data processing outside the EEA meets the demands of UK law.