Privacy notice: public engagement groups

This privacy notice tells you what to expect us to do with your personal data when you join a public engagement group run by a research team at the University of Central Lancashire. Personal data (or personal information) is any information which relates to, and identifies, you. Data protection legislation (the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA)) set out how we should handle your personal data.

The University of Central Lancashire Higher Education Corporation is the controller for the personal information we process, unless otherwise stated. We are registered with the Information Commissioner’s Office and our registration number is Z5512420.

There are many ways you can contact us, including by phone, email, social media and post. View our main contact details on our website.

You can also contact the research team running the public engagement group directly on the contact details they have provided to you.

The University’s Information Governance Manager & Data Protection Officer can be contacted by email through the DPFOIA inbox. Further information and contact details can be found on our data protection web pages.

We will use information that you give to us when you register to join the public engagement group. We will also use information that we collect during any engagement we have with you, such as in group sessions that we run, or any feedback or views you give us via any other method.

Administration and communication

We use your information to run and administer the public engagement group, which involves keeping records of your or your family member’s contact details and medical conditions (where applicable) so we can involve you in activities that are relevant to your circumstances and interests. We will ask you to participate in meetings and events; suggest research ideas; make suggestions about the language we use; help us to design plain language summaries; and work with us to design new research studies. We will keep records about your participation and contribution to these activities to help us run the public engagement group.

We also use your information to manage any medical or dietary requirements that you tell us about when you join any in-person activities or events that we run.

We will use your information to communicate with you about the public engagement group. If you agree, we will also use your information to send you information and newsletters about the work of the research team, events and activities relating to the public engagement group, and opportunities to participate in our research.

Security and crime prevention

The University operates a CCTV system for security and crime prevention purposes, which includes the use of body worn video devices. The CCTV system covers University buildings (inside and outside) and public areas across our campuses. If you attend any events on one of our campuses, your images are likely to be captured by the CCTV system while you are on, in, or near University premises. CCTV footage will be used to maintain the security of the University community, enhance public safety, prevent and detect crime and apprehend and prosecute offenders. CCTV footage may be used, where there is a lawful basis, in the investigation of complaints and allegations made under the University’s rules, regulations, procedures and codes of practice. Further information is available in our CCTV Privacy Notice.

Monitoring, compliance and research

We will use your information to ensure and monitor our compliance with legislation including laws relating to equality and health and safety. We will also use your information to monitor our compliance with regulatory requirements set by external agencies.

Your information will also be used for research purposes, including research by University staff for planning and development purposes, and University researchers for the purposes of academic research.

The University relies on the following lawful bases from the UK GDPR to process information about you for the purposes set out in this notice:

Article 6(1)(c), which allows us to process personal data when it is necessary to comply with a legal obligation. We are legally required to monitor compliance with laws relating to health and safety and equality, among other things.

Article 6(1)(e), which allows us to process personal data where it is necessary to perform a task in the public interest. Research; some monitoring and internal reporting; and auditing are carried out as part of our public tasks. We rely on this lawful basis to process the majority of the information about you that we use for our public engagement groups.

Article 6(1)(f), which allows us to process personal data where it is in our, or someone else’s, legitimate interests to do so and it does not unduly prejudice your rights and freedoms. We rely on this condition to, among other things:

• provide a security service and CCTV monitoring. It is in the interests of the University community and the general public to make the University a safe and secure place to live, work and study.
• produce some internal reports, research and statistics. It is in our legitimate interests to use these to evaluate, plan and assess how the University is operating and make any changes we think are appropriate and will benefit current and future students.

We also process some information only if you provide your consent. In this case, Article 6(1)(a) applies, and Article 9(2)(a) applies where the information is special category data (special category data is information about your race, ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data used for ID purposes, health, sex life or sexual orientation). It will be clear where we are relying on your consent to collect and use your information because consent will be requested at the time you provide the information. When you are asked for consent, we will explain why we are asking for the information and how we will use it if you choose to provide it. Consent can be withdrawn at any time and we will explain how you can do this in each individual case.

Where we process special category data for the purposes set out in this notice, we rely on the following additional lawful bases from the UK GDPR and DPA:

Article 9(2)(g) UK GDPR, which allows us to process special category data if the processing is necessary in the substantial public interest and there is a basis to do so in law. The law which allows us to rely on Article 9(2)(g) is section 10 DPA by virtue of Schedule 1 DPA, which also provides the lawful basis for processing data about criminal convictions. The specific conditions from Schedule 1 DPA on which we rely for this type of processing are as follows:

• Schedule 1(6), which allows us to process special category data to comply with a statutory or legal function. Such functions include the duties set out in the Equality Act 2010.
• Schedule 1(8), which allows us to process special category data to monitor equality of opportunity or treatment.

When processing special category data or data about criminal convictions in reliance on the above conditions from Schedule 1 DPA the University must have an appropriate policy document, which can be read here: Data Protection: Processing special category data and criminal convictions data.

Article 9(2)(j) UK GDPR, which allows us to process special category data for archiving, scientific or historical research purposes or statistical purposes, where there is a basis to do so in law. The law which allows us to rely on this basis is section 10 DPA by virtue of Schedule 1(4) DPA. Our public engagement groups are set up for research purposes and we rely on this lawful basis to process information about your health conditions (if applicable) for the purposes of participating in a public engagement group.

We share your information with a small number of external organisations and bodies, some of which are processing personal data on our behalf. We only share your personal data with another person or organisation where the law allows us to and we consider it to be appropriate under the circumstances. The external parties we will share information with include the following:

• University insurers: information, including accident forms, is shared with our insurers to provide insurance cover and to enable us to make insurance claims. This will only occur in certain circumstances e.g. if you have an accident on our premises.
• Internal and external auditors to provide assurance that the University is following its risk management, governance and internal control processes and to independently inspect our financial statements and records. Your information may be provided to auditors if you claim expenses from us for attending one of our events.
• Companies or organisations acting on our behalf: We use processors who are third parties who provide elements of services for us, such as those who provide IT services on our behalf. We have contracts in place with our processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They will hold it securely and retain it for the period we instruct.

Occasionally we may need to send your personal information outside the UK and/or the European Economic Area (EEA) e.g. to communicate with you if you are based in another country; or to obtain a service from a processor. These transfers are usually carried out with your consent or because they are necessary for a task in the public interest. All transfers are carried out with appropriate safeguards in place to protect your information and ensure it remains secure. For example, we share information on the basis of the UK International Data Transfer Agreement or UK International Data Transfer Addendum when we share information with processors based outside the EEA. A copy of these Agreements can be obtained from the University on request.

The research team that is running the public engagement group that you join maintains a members’ database. The team will keep information about you in the members’ database for as long as you are happy to remain a member of that group.

We will keep records of your input and feedback generated as a result of your participation in our activities for as long as it is useful to our ongoing research activities. This may mean it is retained indefinitely. Where possible, we will anonymise this information so that you cannot be identified from it.

Under data protection law, you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information. Further information about each of these rights can be found on the Information Commissioner’s Office website. To make a request to exercise any of these rights, please contact the Information Governance Manager & Data Protection Officer at the DPFOIA inbox.

Your right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. For further information or to make a request, please see the data protection pages of our website.

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances.

Your right to object to processing

You have the right to object to any processing we carry out, if we carry it out on the basis that it forms part of our public task or is in our legitimate interests. You also have the right to object to your personal information being used for direct marketing purposes.

Your right to data portability

This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information because we have your consent or because it is necessary for a contract you have signed up to, and the processing is automated.

We work to high standards when it comes to processing your personal information. If you have queries or concerns, please contact the relevant research team or the Information Governance Manager & Data Protection Officer and we will respond.

If you remain dissatisfied, you can make a complaint about the way we process your personal information to the Information Commissioner’s Office, which is the UK supervisory authority for data protection. Further information can be found on the data protection pages of our website.