Consumer Data Research Centre

Privacy Policy

This Privacy Policy is specific to the Consumer Data Research Centre (CDRC). The CDRC also complies with the policies of our partner institutions: University College London; University of Liverpool; University of Oxford; University of Leeds.

Consumer Data Research Centre (CDRC)
University College London (UCL)
Department of Geography
Gower Street
London
WC1E 6BT

UCL Centre Director: Professor Paul Longley
E: info@cdrc.ac.uk

1.0. Introduction
1.1. The Consumer Data Research Centre (CDRC) is a multi-institutional centre (University College London, Universities of Liverpool, Oxford and Leeds) providing access to consumer data through a three-tier data service – Open, Safeguarded and Secure data.cdrc.ac.uk. The Open tier is accessible by all and data can be downloaded for any purpose following a simple registration process. Access to data from the Safeguarded and Secure Tiers is restricted to the purpose of social science research for the benefit of society and follows a reviewed application process.

1.2. The CDRC is committed to safeguarding the privacy of our CDRC Service Users. This policy explains how we collect, safeguard and use your personal data.

1.3. This policy relates to the use of CDRC Service Users personal data and does not refer to the personal and/or commercially sensitive research data made available through our data service.

1.4. By using our website and services you are agreeing to this policy.

1.5. CDRC is comprised of four partner institutions – University College London; University of Liverpool; University of Oxford; University of Leeds – each of which has its own privacy policy and each is a joint data controller for the purposes of data protection legislation. Contact details for each controller can be found at the end of this notice.

2.0. What information will we collect about you
2.1. Open Tier: personal details including name and email that you provide when registering to download data. We also record which datasets you download and when.

2.2. Safeguarded and Secure Tier: personal details including contact details for you and your research team, information about your research, ethical approval and safe researcher training. We may also collect information about your IP address in the case of applications for specific products, and in the case of applicants to the UCL JDI Research Lab Baseline Personnel Security Standard (BPSS) checks.

2.3. On registering for all tiers of the service Users are asked whether they would like to receive the CDRC Newsletter and other information from the CDRC.

2.4. Contact information from those attending CDRC short courses and outreach events.

3.0. Cookies
3.1 We will also collect personal information about website usage through cookies.  Our website uses cookies to distinguish you from other users of the website. A cookie is a small file of letters and numbers that’s stored on your device. The CDRC adheres to the UCL Cookies Policy.

4.0. How will we use the information
4.1. Your personal data are collected to enable us to provide you with data through our three-tier service and to respond to queries. These data may be shared between the CDRC teams at our partner institutions.

4.2. The CDRC uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”) to understand how visitors engage with CDRC platforms and to provide statistics to our funder, the Economic and Social Research Council and CDRC Advisory Board (cdrc.ac.uk; data.cdrc.ac.uk; maps.cdrc.ac.uk; indicators.cdrc.ac.uk; nrdf.cdrc.ac.uk) and so we can improve it.

4.3. Safeguarded and Secure Tier applications will also be shared with the Data Partner(s) in question and with CDRC Research Approvals Group reviewers as well as the CDRC Research Approvals Group Chair as part of the CDRC Research Approvals Group process https://www.cdrc.ac.uk/data-services/using-our-data/

4.4. These data are also collected to enable us to provide information about our performance (KPIs) to our funder, the Economic and Social Research Council and to the CDRC Advisory Board to demonstrate our success and account for the investment into the Centre.

4.5. For those who have consented to receive the CDRC Newsletter and other information from the CDRC we will continue to send this information until we are notified otherwise.

4.6. Contact information from participants of CDRC short courses and outreach events will be used to enable us to deliver these events.

4.7. We will not share your personal details with third parties other than those already cited.

5.0. Lawful basis for processing
5.1. The lawful basis for processing your personal data will be for ‘the performance of a task in the public interest’ (GDPR 6(1)(e)), ‘public task’.

5.2. The lawful basis for processing your personal data may in specific instances be by consent as in the case of providing information about the CDRC Data Service and its activities.

5.3. The lawful basis for processing any special category personal data will be the processing is necessary ‘for scientific research purposes’ (GDPR 9(2)(j)).

6.0. How we will protect information about you
6.1. CDRC Open Service Users’ personal data are held on CDRC servers behind UCL or University of Liverpool firewalls and with restricted access to CDRC personnel on a ‘needs basis’ through password protected server user management systems.

6.2. CDRC Safeguarded and Secure Service Users’ personal data are held on managed networks and computers at CDRC partner institutions. Applications for data are shared between CDRC UCL and Liverpool staff through a private and secure GitHub repository. Hardcopies of applications are held in locked filing cabinets within a locked office environment.

6.3. All other personal contact data collected to deliver short courses and outreach events are held on managed networks and computers at CDRC partner institutions and UCL SharePoint.

7.0. Data Retention
7.1. We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

7.2. All CDRC Service Users’ personal data will be retained for 18 months following the closure of the CDRC.

8.0. Your Rights
Under certain circumstances, you may have the following rights in relation to your personal data:
8.1. A right to access personal data held by us about you.

8.2. A right to require us to rectify any inaccurate personal data held by us about you.

8.3. A right to require us to erase personal data held by us about you.  This right will only apply where, for example, we no longer need to use the personal data to achieve the purpose we collected it for; or where you withdraw your consent if we are using your personal data based on your consent; or where you object to the way we process your data (in line with Right 7.6. below).

8.4. A right to restrict our processing of personal data held by us about you.  This right will only apply where, for example, you dispute the accuracy of the personal data held by us; or where you would have the right to require us to erase the personal data but would prefer that our processing is restricted instead; or where we no longer need to use the personal data to achieve the purpose we collected it for, but we require the data for the purposes of dealing with legal claims.

8.5. A right to receive personal data, which you have provided to us, in a structured, commonly used and machine readable format. You also have the right to require us to transfer this personal data to another organisation.

8.6. A right to object to our processing of personal data held by us about you.

8.7. A right to withdraw your consent, where we are relying on it to use your personal data, as applies in the case with consent to send you the CDRC Newsletter and other information.

8.8. A right to ask us not to use information about you in a way that allows computers to make decisions about you and ask us to stop.

8.9. The right to lodge a complaint with the ICO.

8.10. If you wish to exercise any of these rights, please contact info@cdrc.ac.uk

9.0. Changes to our privacy notice
9.1. Our Privacy Notice may be updated from time to time. Any updates will appear on this webpage. This notice was last updated 25th May 2018.

10.0. Complaints and further contact details
10.1. If you have any questions about this privacy notice or the way your personal data is being processed, please contact data-protection@ucl.ac.uk

10.2. For queries about the CDRC, contact the UCL Centre Director, Professor Paul Longley on info@cdrc.ac.uk

10.3. The contact details for each University can be found below:

University Contact details
University of Oxford data.protection@admin.ox.ac.uk
University of Liverpool LegalServices@liverpool.ac.uk
University College London (UCL) data-protection@ucl.ac.uk
University of Leeds d.wardle@adm.leeds.ac.uk