Introduction
The goal of this research project is to develop and test whether a mobile application to support SME (small medium enterprise) business leaders with strategic planning, is effective.
Our research is being funded by The University of Manchester.
Contact details
For the purposes of this Project, Behavioural Insights Ltd (BIT), Be The Business and The University of Manchester are the data controllers. That means we are responsible for what data we collect about you during this project. Please see the separate privacy notices from Be The Business and The Productivity Institute for more information.
This notice applies to the personal data the Behavioural Insights Team collects directly from you.
If you have any questions about this privacy notice, including any requests to exercise your legal rights in relation to your personal data, please contact The Behavioural Insights Team at:
Post: Behavioural Insights Ltd, 58 Victoria Embankment, London, England, EC4Y 0DS
Email: [email protected].
You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
What information will we collect?
As part of this research project you will be asked to participate in qualitative research testing your engagement with a strategic planning app. As part of this research, we may collect the following information:
- Your name
- Your email address and/or contact telephone number
- Your age
- Your gender identity
- The name of the organisation you work for
- Your industry
- Your job title
- Your seniority (of your occupation)
- Your current employment status
- Your geographical location (region)
What do we do with the information we collect?
We are processing your personal data to conduct research to test whether a mobile application to support SME business leaders with strategic planning, is effective.
The Behavioural Insights Team may use the following information you provided during the data analysis process, to summarise the characteristics of those who participated in the research, and determine whether there are any meaningful differences in findings between subgroups of participants with shared characteristics: your age, gender identity, industry, job title, seniority (of your occupation) and geographical location (region).
We will produce a final report summarising the evidence we collect from our research. You will not be identifiable in these findings. This means that we will not use your name or any other identifiable information. Our findings may take the form of a published results report or deck, a blog post on our websites, and sharing summaries on Linkedin and Twitter. We may also share these findings with other relevant stakeholders.
What is our lawful basis for processing your personal data?
Data protection laws require us to meet certain conditions before we are allowed to use your data in the manner described in this notice, including having a lawful basis for the processing.
For all information collected:
The Behavioural Insights Team is relying on the lawful basis of:
LEGITIMATE INTERESTS: Our lawful basis for processing your personal data is legitimate interests (as per Article 6 (1) (f) of the GDPR) and we have considered that your interests and fundamental rights do not override those legitimate interests). It is necessary in the data controller’s ‘legitimate interests’ to process the personal data mentioned above so we can obtain rigorous evidence to inform our trial testing an intervention to encourage business leaders to adopt productivity-enhancing habits. This will achieve our overall aim of increasing productivity among UK SMEs.
We ensure that necessary safeguards are in place, including minimising our use of personal data, pseudonymising that data where possible, and ensuring the research does not cause substantial damage or distress, and is not used in order to take specific decisions or measures impacting you.
Who has access to your information?
Your information will be accessed by a limited number of researchers in our team working on this project.
We may disclose your information to third parties in connection with the purposes of processing your personal data set out in this notice. These third parties may include:
- other companies in our group;
- the other data controllers for this project: Be The Business and The University of Manchester;
- regulators, law enforcement bodies and the courts, in order to comply with applicable laws and regulations, assist with regulatory enquiries, and cooperate with court mandated processes, including the conduct of litigation;
- suppliers, research assistants and sub-contractors who may process information on our behalf, e.g.,transcription services. These third parties are known as data processors and when we use them we have contractual terms and policies and procedures in place to ensure that your personal data is protected. This does not always mean that they will have access to information that will directly identify you as we will share anonymised or pseudonymised data only wherever possible. We remain responsible for your personal information as the controller;
- any third party to whom we are proposing to sell or transfer some or all of our business or assets.
We may also disclose your personal information if required by law, or to protect or defend ourselves or others against illegal or harmful activities, or as part of a reorganisation or restructuring of our organisations.
International Transfers
Your personal information will not be transferred outside of the European Economic Area (“EEA”). References in this notice to the EEA include the UK, even where the UK is no longer a member of the European Union.
Security
We take reasonable steps to protect your personal information and follow procedures designed to minimise unauthorised access, alteration, loss or disclosure of your information.
We implement appropriate technical and organisational measures to protect your data. We ensure that all team members who will have access to your data are trained and informed about their responsibilities when processing your data. We limit access to your personal data to only those who are required, and have measures in place to remove that access when it is no longer needed. Our physical personal devices like laptops and computers are encrypted to protect your data, and any confidential hard copy data is kept in locked rooms or cabinets. We have procedures in place to deal with any suspected data breaches, and we will notify you and any appropriate regulator of a breach when we are legally required to do so.
Data Retention
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. When it is no longer necessary to retain your personal data, it will be securely deleted. We determine the appropriate retention period based on the amount, nature, and sensitivity of the data, the potential risk of harm from any unauthorised use or disclosure of your data, the purposes for which we are processing your data and where there are alternate ways we can achieve these purposes, and any other applicable legal requirements.
Taking the above factors into consideration, our anticipated date of deletion for your personal data is 31st March 2025.
In some circumstances, we will retain an anonymised dataset (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
Your legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data, including rights to:
- Request access to your personal data: this enables you to receive a copy of the personal data we hold about you and to check we are lawfully processing it.
- Request correction of your personal data: this enables you to have any incomplete or inaccurate data we hold about you corrected.
- Request erasure of your personal data: this enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it.
- Object to processing of your personal data: for example, you can object where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
- Request restriction of processing your personal data: This enables you to ask us to suspend the processing of your personal data.
- Data portability: Where the processing takes place on the basis of your consent or contract, and is carried out by automated means, you have the right to request that we provide your personal data to you in a machine-readable format, or transmit it to a third party data controller, where technically feasible.
- Right to withdraw consent to the processing of your personal data: This applies where we have relied on consent to process personal data. Please note that withdrawal of consent will not affect the lawfulness of any processing carried out before withdrawing your consent.
- Right not to be subject to decisions based purely on automated processing where it produces a legal or similarly significant effect on you. Please note that we do not engage in automated decision making without manual intervention in its research projects.
If you wish to exercise any of the rights set out above, please contact our Data Protection Officer with your specific request by email to: [email protected]
It is important to understand that the extent to which these rights apply to research will vary and that in some circumstances your rights may be restricted.
Ordinarily, you will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Please also note that we can only comply with a request to exercise your rights during the period for which we hold personal information that directly identifies you. If we have only collected pseudonymised information (e.g. where we have not collected any names or contact details) or personal data has been irreversibly anonymised and has become part of the research data set, it will not be possible for us to comply.
Changes to this Notice
We may change this Privacy Notice from time to time. If we make any significant changes in the way we treat your personal information we will make this clear by email or by contacting you directly.