Introduction
The Behavioural Insights Team (BIT) is an independent research company. We have been funded by The Department for Culture, Media and Sports (DCMS) to carry out research exploring the role of local media in shaping the public dialogue surrounding the 2024 Summer riots in specific communities.
This privacy notice sets out how BIT will collect and use your personal data on behalf of DCMS. Where DCMS or BIT collect personal data from you directly, please make sure that any personal details you provide are accurate and up to date, and let us know about any changes as soon as possible.
Contact details
DCMS is the controller and is responsible for your personal data collected in connection with this project. Behavioural Insights Ltd (the legal name of Behavioural Insights Team (BIT)) is the processor of your data on behalf of DCMS. This notice applies to the personal data DCMS or BIT collect directly from you and personal data collected by third parties on behalf of DCMS.
DCMS has a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights in relation to your personal data, please contact the DPO:
Email: [email protected]
Post: 100 Parliament Street, London SW1A 2BQ
The Department for Culture, Media & Sport’s personal information charter explains how your information will be dealt with.
If you have any questions about how BIT will be processing your personal data on behalf of DCMS please contact the DPO:
Email: [email protected].
Post: Behavioural Insights Ltd, 58 Victoria Embankment, London EC4Y 0DS.
You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). DCMS and BIT would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
What personal data will we process?
BIT will collect personal data from participants who agree to take part in the research, on behalf of DCMS. This may include the following:
- Name and contact details, including email address and/or telephone number
- Details of your employment, including place of employment and job title
- Demographic information, including age, gender, and ethnicity
- Qualitative data gathered through interviews
What do we do with information we process?
BIT is collecting your personal information on behalf of DCMS as part of a research project. At the end of the project BIT will write a report. The report will not include any personal information (such as names or contact information) that could be used to identify you.
What is our lawful basis for processing your personal data?
Data protection laws require DCMS and BIT to meet certain conditions before we are allowed to use your data in the manner described in this notice, including having a lawful basis for the processing.
For all information collected, DCMS is relying on the lawful basis of PUBLIC TASK. Our lawful basis for processing your personal data is public task (as per Article 6 (1) (e) of the GDPR).
DCMS will collect and process your special category personal data on the basis that such processing is necessary for scientific research purposes or statistical purposes (as per Article 9 (2) (j) of the GDPR). When DCMS rely on this basis, DCMS ensure that necessary safeguards are in place, including minimising its use of personal data, pseudonymising that data where possible, and ensuring the research does not cause substantial damage or distress, and is not used in order to take specific decisions or measures impacting you. BIT will also put the necessary safeguards in place.
Who has access to your information?
Your information will be accessed by a limited number of researchers and advisors in BIT’s project team.
DCMS and BIT may disclose your information to third parties in connection with the purposes of processing your personal data set out in this notice. These third parties may include:
- other companies in BIT’s group [that are based within the United Kingdom];
- regulators, law enforcement bodies and the courts, in order to comply with applicable laws and regulations, assist with regulatory enquiries, and cooperate with court mandated processes, including the conduct of litigation;
- suppliers, research assistants and sub-contractors who may process information on behalf of BIT (e.g. McGowan Transcriptions who will transcribe the interviews, and Criteria Fieldwork who will identify and contact participants to take part). These third parties are known as data processors and when we use them we have contractual terms and policies and procedures in place to ensure that your personal data is protected. This does not always mean that they will have access to information that will directly identify you as we will share anonymised or pseudonymised data only wherever possible. DCMS remains responsible for your personal information as the controller; and
- any third party to whom DCMS or BIT is proposing to sell or transfer some or all of our business or assets.
DCMS and BIT may also disclose your personal information if required by law, or to protect or defend ourselves or others against illegal or harmful activities, or as part of a reorganisation or restructuring of our organisations.
International Transfers
Your personal information will not be transferred outside of the European Economic Area (“EEA”). References in this notice to the EEA include the UK, even where the UK is no longer a member of the European Union / European Economic Area.
Security
DCMS and BIT take reasonable steps to protect your personal information and follow procedures designed to minimise unauthorised access, alteration, loss or disclosure of your information.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, DCMS and BIT implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing.
DCMS and BIT ensure that those who have permanent or regular access to personal data, or that are involved in the processing of personal data, are trained and informed of their rights and responsibilities when processing personal data. DCMS and BIT provide such access on a need-to-know basis, and have measures in place which are designed to remove that access once it is no longer required.
Physical personal devices used by BIT are encrypted to protect your data, and confidential hard copy data (including special category data) is kept in locked rooms or cabinets.
DCMS and BIT have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Data Retention
DCMS and BIT will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. When it is no longer necessary to retain your personal data, it will be securely deleted. Our anticipated date of deletion for your personal data is October 2025.
Your legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data, including rights to:
- Request access to your personal data: this enables you to receive a copy of the personal data we hold about you and to check we are lawfully processing it.
- Request correction of your personal data: this enables you to have any incomplete or inaccurate data we hold about you corrected.
- Request erasure of your personal data: this enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. This does not apply to personal data collected under the lawful basis of public task.
- Object to processing of your personal data: for example, you can object where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
- Request restriction of processing your personal data: This enables you to ask us to suspend the processing of your personal data.
- Data portability: Where the processing takes place on the basis of your consent or contract, and is carried out by automated means, you have the right to request that we provide your personal data to you in a machine-readable format, or transmit it to a third party data controller, where technically feasible. This does not apply to personal data collected under the lawful basis of public task.
- Right not to be subject to decisions based purely on automated processing where it produces a legal or similarly significant effect on you. Please note that BIT does not engage in automated decision making without manual intervention in its research projects.
If you wish to exercise any of the rights set out above, please contact the Data Protection Officer with your specific request by email to: [email protected]
It is important to understand that the extent to which these rights apply to research will vary and that in some circumstances your rights may be restricted.
Ordinarily, you will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, DCMS may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, DCMSmay refuse to comply with your request in these circumstances.
DCMS may need to request specific information from you to help DCMS confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. DCMS may also contact you to ask you for further information in relation to your request to speed up our response.
DCMS try to respond to all legitimate requests within one month. Occasionally it may take DCMS longer than a month if your request is particularly complex or you have made a number of requests. In this case, DCMS will notify you and keep you updated.
Please also note that DCMS can only comply with a request to exercise your rights during the period for which DCMS hold personal information that directly identifies you. If DCMS have only collected pseudonymised information (e.g. where DCMS have not collected any names or contact details) or personal data has been irreversibly anonymised and has become part of the research data set, it will not be possible for DCMS to comply.
Changes to this Notice
BIT or DCMS may change this Privacy Notice from time to time. If BIT or DCMS make any significant changes in the way BIT or DCMS treat your personal information BIT or DCMS will make this clear by contacting you directly.
Last reviewed: December 2024