The Behavioural Insights Team website
This notice is effective from 1 June 2022
This privacy notice is maintained by the Behavioural Insights Team (BIT). It sets out how and why we use your personal data – both on this website, and offline.
If you work for BIT, you should refer to your Employee Privacy Notice, and if you have applied for a job, you should refer to your Recruitment Privacy Notice.
If your personal data is processed by BIT because you are a participant in one of our research projects, you should refer to the privacy notice made available by us or by our client or partner prior to the research being undertaken. If you do not have a copy of the relevant privacy notice in relation to the research project you are involved in, please contact us at firstname.lastname@example.org.
If your personal data is processed by BIT in the context of using one of our products (including but not limited to Predictiv, Networky, Tig or Promptable), you should refer to the privacy notice made available by us on the relevant product’s app or website. In most cases, this would have been made available to you at the point of signing up to use the product.
This notice does not create any contractual rights or obligations. We may change this privacy notice from time to time, of which some changes may be required by applicable law. If we make any significant changes in the way we treat your personal information we will make this clear on the website or by contacting you directly.
BIT comprises a global group of companies which is headquartered in the United Kingdom. The main BIT entity – Behavioural Insights Ltd – is the controller of, and responsible for, most personal data collected by BIT, including on this website. However, if you interact with another BIT entity (see the list in Section 6 (International Transfers) of this privacy notice) that entity will be responsible for your personal data, and local data protection laws in that country will apply.
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights in relation to your personal data, please contact the DPO:
By post: Behavioural Insights Ltd, 4 Matthew Parker Street, London, SW1H 9NP
By email: email@example.com.
2. When do we collect information from you?
We may collect information about you if you:
- commission BIT to undertake research or other work for your organisation or company, or communicate with us about prospective or ongoing work;
- work for one of our partners (or a prospective partner) on a research project (e.g. at a school, college, GP surgery, NHS trust, social care service etc) that is helping us to deliver and/or evaluate a research intervention;
- use our website;
- sign up for events organised by us and may take photographs at events);
- subscribe to our newsletter;
- sign up to join our alumni network;
- contact us with any form of complaint or enquiry or in response to a request for feedback or a survey;
- consent to take part in an interview or focus group as part of a research project we are undertaking on our own behalf or on behalf of a client or partner;
- purchase products from us;
- work for or are one of our suppliers, or work for a prospective supplier; or
- visit our offices.
3. What kind of information do we collect from you?
This will depend on the context in which we interact with you:
a) When you scope working with BIT/commission BIT to undertake research for you/act as a supplier to BIT/work for a partner involved in a BIT research project:
|BIT is primarily engaged by government departments/corporate entities and as such those instructors are not data subjects.
Also, BIT generally contracts with corporate entities as suppliers to BIT and with partner organisations (rather than with individuals).
However, as part of such engagements or as part of business development with prospective clients, personal information may be provided to us (e.g. personal information relating to officers of clients, prospective clients, partners or suppliers) which may include the following:
b) When you use our website, subscribe to our newsletter, sign up to join our alumni network, or contact us with complaints, enquiries or feedback
|Website User Data
Further details about the technical data that is processed by us can be found in our Cookies Policy.
c) Visiting our offices or attending a BIT event (either in person or online, e.g. a webinar)
Please note that for larger events organised by BIT, such as BIT’s Behavioural Exchange conferences, there may be a separate event website and privacy notice applicable to that event. The privacy notice for that specific event will take precedence over this privacy notice.
d) Purchasing products from us (such as EAST cards)
e) When you are participating in interviews or focus groups in relation to a research project we are undertaking
|Research Participant Data||
Except as identified above in the context of collecting dietary requirements and responses to interviews, we do not collect any special categories of personal data (special category data includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data), or information about criminal convictions and offences for any of the activities covered by this privacy notice, and/or data defined as ‘sensitive personal information’ in the CCPA (please see section 10 below) (non-public information such as government identification numbers, consumer or financial account logins, precise geolocation information, racial or ethnic origin, religious or philosophical beliefs, or union membership, genetic data, contents of mail or electronic communications, biometric data, health data, or data concerning sex life or sexual orientation).
In the preceding twelve months, the aforementioned categories of information may have been collected, including from California residents.
4. How do we use the information we collect?
Your personal information will be used for the purposes listed in the table below. We will only use your personal data where we have a lawful basis for doing so. The basis we rely upon will impact which rights you have in relation to your personal information (see section below for more details):
|Purpose||Lawful Basis||Category of personal data|
|Do business with our prospective clients, clients, suppliers and partners (as well as prospective clients, suppliers and partners)||Legitimate interest in contacting our clients, prospective clients, partners and suppliers, and retaining records of our contacts
Compliance with a legal obligation
To perform our obligations in accordance with any contract that we may have a client, partner or supplier
|Operate our alumni network||Consent
Legitimate interest in maintaining relationships with former colleagues who have or may have an interest in our work.
|Send our newsletter and promote our products and services via direct marketing||Consent||Subscriber Data|
|To recruit partners such as schools, colleges, businesses, GPs and NHS Trusts (not an exhaustive list) to work with us on research projects||Consent
Legitimate interest in contacting potential partners to meet recruitment requirements for research projects (provided the partners are likely to have a mutual interest in the potential outcomes of the research project)
|Request feedback and conduct surveys and other research/analytics||Consent
Legitimate interests in understanding how to improve our products and services
|Website User Data
|Arrange events and interact with clients and contacts at events||Legitimate interest in generating interest in our services and products||Subscriber Data
|Resolve queries and complaints||Legitimate interest in resolving a query or complaint raised by or involving a data subject
Compliance with a legal obligation
Website User Data
|Provide you with access to all parts of our site, personalise your experience on our website, and ultimately improve the functionality of the website for the benefit of all users||Legitimate interest in providing an enhanced, user friendly website by understanding how our website is used||Website User Data|
|Protect the security of our website and detect and prevent dangerous or unlawful use||Legitimate interest in safeguarding BIT’s intellectual property and assets, and in protecting the security of users and their information||Website User Data|
|Protect the security of our offices, staff and guests by identifying visitors||Legitimate interest in safeguarding BIT’s assets and employees
Compliance with a legal obligation (health and safety)
|To process your order for a product, including taking your payment and arranging delivery||To perform our obligations in accordance with a contract||Payment Data
Website User Data
|To prevent or detect fraud and money laundering including fraudulent payments and fraudulent use of our services||Compliance with a legal obligation (fraud and anti-money laundering compliance)
Legitimate interest in safeguarding BIT’s assets and employees
Website User Data
|Establish, defend or enforce legal claims or regulatory investigations||Legitimate interest in protecting the commercial and legal interests of BIT||Client Data
Website User Data
|Conducting interviews and/or focus groups to collect qualitative data in connection with research projects and build a body of evidence of what works in behavioural science and public policy||Consent
Legitimate interests in undertaking robust research with social impact
Where we collect special category as part of research participants’ responses to interviews and we have relied on consent as the lawful basis, we will also seek explicit consent as a condition of processing. Where we have relied on legitimate interests as the lawful basis, our condition for processing special category data will be that it is necessary for scientific research purposes.
|Research Participant Data|
Where we rely upon a “legitimate interest” as our legal basis, we will ensure that our interest is not outweighed by any impact on your rights and freedoms as a data subject in the United Kingdom or the European Economic Area, by using your information in a way which is proportionate and respects your privacy.
Please make sure that any personal data you provide is accurate and up to date, and let us know about any changes in the information which you have provided as soon as possible.
If you have previously signed up to receive our newsletter or other promotional communications from us but you don’t want to receive any more communications, please click the unsubscribe link on any email from us. Alternatively, you can also email us at firstname.lastname@example.org at any time.
5. Who else may have access to your information?
We may disclose your information with third parties for the purposes described below:
- with other companies in our group, in order to utilise personnel or shared IT services based in other BIT offices, for any of the purposes described in this notice;
- with our regulators, which may include the Information Commissioner’s Office, and with courts and law enforcement to comply with all applicable laws, regulations and rules, and requests of law enforcement, regulatory and other governmental agencies;
- with a potential or actual third party purchaser of our business or assets if, in the future, we sell or transfer some or all of our business or assets to a third party, or invite investment in our company.
Comments and other information which you post on the website or our social media pages will be displayed publicly and to other users. Please be careful when disclosing personal information which may identify you or anyone else. We are not responsible for the protection or security of information which you disclose in public areas.
6. International Transfers
The global presence of BIT means that your personal data may be transferred outside of the UK and the European Economic Area (“EEA”) – where data protection laws may not be equivalent – for any of the purposes described in this notice. Whenever we make restricted international transfers of personal data, we take steps to ensure that your personal data receives an adequate level of protection (by putting in place appropriate safeguards, such as contractual clauses), or to ensure that we are able to rely on an appropriate derogation under data protection laws. You have a right to request access to any safeguard which we use to transfer your personal information outside of the UK and the EEA (although we may need to redact data transfer agreements for reasons of commercial confidentiality).
As noted above, we may share your data with one of our group companies. As of the date of last review of this notice, the group of companies comprise:
- Behavioural Insights Ltd – (UK)
- Behavioural Insights US (Inc) – (United States of America)
- Behavioural Insights (Australia) Pty Ltd – (Australia)
- Behavioural Insights (New Zealand) Ltd – (New Zealand)
- Behavioural Insights (Singapore) Pte Ltd – (Singapore)
- Behavioural Insights (Canada) Ltd (Canada)
- Behavioural Insights Trustee Company Limited
There is an adequacy decision from the European Commission in respect of transfers of personal data to New Zealand. This means that New Zealand is deemed to provide an adequate level of protection for your personal information if we transfer personal data to Behavioural Insights (New Zealand) Ltd. There is also an adequacy decision from the European Commission in respect of transfers of certain types of personal data to Canada, namely data that is subject to protection under Canada’s Personal Information Protection and Electronic Documents Act.
In relation to other group companies outside of the UK and EEA, we have put in place standard contractual clauses (as first set forth laid down in the European Commission Decision 2010/87/EU of 5 February 2010 and as updated from time to time) to ensure an adequate level of protection for your personal data.
Some of our data processors may transfer personal data outside of the UK or EEA and, as stated above, we will always ensure there are appropriate safeguards in place so that such transfers are lawful. For example, MailChimp’s and Hubspot’s servers are located in the United States so personal data will be transferred to the United States.
If you are concerned about us sharing your personal data with MailChimp, please do not sign up to receive information from us.
We take appropriate steps to protect your personal information and follow procedures designed to minimise unauthorised access, alteration, loss or disclosure of your information. Measures we take include placing confidentiality requirements on our staff members and service providers; limiting access to personal information and destroying personal information which is no longer required.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Any downloadable documents, files or media made available on this website are provided to users at their own risk. While appropriate precautions have been undertaken to ensure only genuine downloads are available, users are advised to verify their authenticity using third party anti-virus software or similar applications. You should also exercise caution when sharing personal data or confidential information on any website, and should use up-to-date web browsers and anti-virus software.
8. Data Retention
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for. When it is no longer necessary to retain your personal data, it will be deleted.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
9. Your legal rights
Subject to certain exemptions, and in some cases dependent upon our lawful basis (see “How do we use the information we collect?” above), you have certain rights in relation to your personal data:
- Request access to your personal data: this enables you to find out how and why we are using your personal data, and to receive a copy of the personal data we hold about you to check we are lawfully processing it.
- Request correction of your personal data: this enables you to have any incomplete or inaccurate data we hold about you corrected.
- Request erasure of your personal data: this enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it.
- Object to processing of your personal data: you can object where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes.
- Request restriction of processing your personal data: this enables you to ask us to suspend the processing of your personal data if you contest its accuracy; our processing is unlawful (but you do not want your data erased); your personal data is no longer needed for the original purposes but is needed for legal claims; or you have objected to processing which is based on legitimate interest grounds.
- Data portability: Where the processing takes place on the basis of your consent or contract, and is carried out by automated means, you have the right to request that we provide your personal data to you or to another controller (where technically feasible) in a machine-readable format. Based on our use or personal data and the lawful bases relied on, this right is unlikely to be relevant.
- Right to withdraw consent to the processing of your personal data: This applies where we have relied on consent to process personal data. Please note that withdrawal of consent will not affect the lawfulness of any processing carried out before withdrawing your consent.
You also have the right to make a complaint at any time to the applicable data authority or government agency in your jurisdiction; in the UK that is the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach a data authority or government agency, so please contact us in the first instance.
If you wish to exercise any of the rights set out above, please contact the Data Protection Officer with your specific request by email to: email@example.com.
Our representative in the EEA is BIT France, 26 Rue Henri Monnier, 75009 Paris, France. If you are located in the EEA, you can contact them by post or by sending an email to firstname.lastname@example.org.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded or excessive (which may include repetitive requests). Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
10. California residents
If you reside in California, in addition to the foregoing legal rights, you have the following additional rights:
- Right to Know request: Under California law, you have a right to request information about our collection, use, and disclosure of your personal information over the prior 12 months, and ask that we provide you with the following information without charge:
- Categories or specific pieces of personal information we have collected about you.
- Categories of sources from which we collect personal information.
- Purposes for collecting personal information.
- Categories of third parties with which we share personal information.
- Categories of personal information disclosed about you for a business purpose
- Household Requests: We currently do not collect household data. If all the members of a household makes a Right to Know or deletion request, we will respond as if the requests are individual requests.
How to Exercise Your California Rights
You can exercise your rights, or raise privacy questions or concerns, by emailing email@example.com.
We may need to request specific information from you to help us confirm your identity, which may include, but is not limited to, verifying your name and email address. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. You may make a request related to your personal information twice per 12-month period.
We aim to confirm receipt of requests within 10 business days (if we have not already granted or denied the request by then), and aim to respond substantively within 45 calendar days of the date you made your request. Occasionally, it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
You may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized it to act on your behalf, and we may need you to verify your identity directly with us.
We will not discriminate against you for exercising any of your rights under applicable California privacy laws.
No Sale of Personal Information
We do not ‘sell’ personal information of California consumers (as defined in the California Consumer Privacy Act (CCPA) or the California Privacy Rights Act (CPRA), as applicable), have not done so in the past 12 months, and we will not do so without offering you the right to opt out of any ‘sale’.
No Use By Minors
We do not knowingly permit children (under the age of 13 in the US or 16 in the EEA) to use our services or participate in our surveys. If we discover someone who is underage has engaged our services, we will take reasonable steps to promptly remove that person’s personal information from our records.
Shine the Light Disclosure
The California “Shine the Light” law gives residents of California the right under certain circumstances to request information from us regarding the manner in which we share certain categories of personal information (as defined in the Shine the Light law) with third parties for their direct marketing purposes. We do not share your personal information with third parties for their own direct marketing purposes.
Notice Concerning Tracking Signals
Do Not Track is a privacy preference that users can set in certain web browsers. We do not currently respond to Do-Not-Track signals. You can learn more about Do Not Track here.
11. Company details
Behavioural Insights Ltd is a limited company registered in England and Wales. Registration number: 08567792
Registered office: 4 Matthew Parker Street, London SW1H 9NP