TASO privacy notice

1. Introduction

The Centre for Transforming Access and Student Outcomes in Higher Education (TASO) is committed to protecting your personal information.

This Privacy Notice is to inform you of how we use your personal data when you interact with us. We have identified the following areas of work where we will process your personal data:

1. When you are a participant in a research project or being consulted as a stakeholder for a project (Research Participants)
2. When we are reviewing the sector and project ideas, including areas for potential research, and making decisions on the allocation of projects and funding (Discovery, Review & Allocation)
3. When you are part of the Project Team, either alongside or funded by TASO to conduct a project which may or may not be research related. This also includes individuals who assist in the project set up processes where they may not collect, receive or analyse any data within the project itself (Project Team)
4. Within our organisational communications and sectoral outreach work (Communications)
5. When you are visiting our offices or attending an event run by TASO (Visitors)
6. When you apply for a job with us (Recruitment)
7. When you use our website (Website)
8. When you submit an intervention, research or evaluation case study for inclusion in a toolkit we have developed (Submissions)

Please review the sections that are relevant to yourself within each part of this this Privacy Notice within which we outline what personal information we collect, why we collect it, how we collect it, where we get it from, what we do with it, our lawful basis for using it, how we store it, who we share it with, how long we keep it, what rights you have, how to complain and how to contact us.

This Privacy Notice does not create any contractual rights or obligations. We may change this privacy notice from time to time. If we make any significant changes in the way we treat your personal information we will make this clear on the website or by contacting you directly.

If you have any questions about this Privacy Notice or any Data Protection related matters relevant to TASO you can send an email to our Data Protection Officer: dpo@theevidencequarter.com

2. Our contact details

Name: The Centre for Transforming Access and Student Outcomes in Higher Education

Address: TASO, Evidence Quarter, 4th Floor, Albany House, Petty France, London, SW1H 9EA

E-mail: info@taso.org.uk

3. What personal information we collect

Research Participants

If your personal information is used by TASO because you are a participant in one of our research projects, you should also refer to the Privacy Notice for the project you are involved in which will be provided to you by us, the project delivery team(s) or independent research evaluator organisation(s) at the time they are collecting your personal information. Information provided below is to provide you with non-specific information about how personal information is used within TASO’s research projects.

For participants in our research projects, we typically collect and process information in the following categories:

• Personal identifiers: for example, names (normally only used for matching datasets and often replaced by anonymous identifiers)
• Characteristics: for example, age, gender
  Education outcomes: for example, whether an individual enters higher education
• Information recorded in interviews we have with you
• Information on the education pathways and detailed characteristics of participants

If you think you have not received a relevant Privacy Notice for the project in which you are participating, please make contact with our Data Protection Officer: dpo@theevidencequarter.com

Discovery, Review & Allocation

We work to review the Higher Education sector and engage with sector stakeholders, decision makers, panels, advisory groups, and people directly employed in the sector. From this work we discover, review, and generate ideas for potential programmes of work we may like to fund and/or study as a project or piece of research. To achieve this, we will typically collect and process the following personal information:

• Name, Email Address, Phone number
• Job Title, occupation, place of work, employer
• Your CV, qualifications and relevant experience including any previously published work
• Information captured in emails, surveys, and communications
• Information recorded in interviews we have with you
• Personal information published by and associated with an establishment or organisation undertaking a programme of work that might benefit from the type of project or research we fund
• Personal information submitted by an organisation to us
• Personal information we require to process communications and applications
• Personal information held within previous academic research journals and papers
• Personal information made publicly available on websites and social media
• Personal information you provide to us whilst we are working with you

Some or all of the list above may be collected when you are:

• Engaging with us during our reviews of the Higher Education sector (“Sector Stakeholder or Evaluator”)
• Working with us to review potential new project or areas of research and/or helping us to make decisions on whom to allocate resources (“Sector Stakeholder”)
• Working on, or part of, a programme of work we think could benefit from a project or piece of research we might fund (“Delivery Partner”)
• Part of an organisation applying to have a project or piece of research conducted and/or funded by us based upon a programme of work you have conceived, or are involved with, or wish to be involved with (“Delivery Partner”)
• Part of an organisation applying to win a contract from us to undertake a project or piece of research with us, or be funded by us to undertake a project or piece of research according to a brief we have written (“Evaluator”)

Where you are working on a programme of work that is to benefit from a project or piece of research, we refer to the organisation(s) delivering the programme of work as a ‘Delivery Partner’. A Delivery Partner organisation may also receive funding from us to continue the programme of work. A Delivery Partner organisation may also be introducing a new programme of work as part of our project or piece of research so that we might conduct our project or piece of research based on the new programme of work. You may be referred to as an ‘Delivery Partner’ further through this document.

Where you are working within an organisation expressing an interest or applying to undertake a project or piece of research, we refer to the organisation as an ‘Evaluator’.

You may also be part of an advisory group, industry panel, or an industry expert or stakeholder (‘Sector Stakeholder’) providing us with opinion and/or further information as part of our work to discover and review new projects and their allocation.

We will never process any personal information which you would not expect us to process when we are working with you.

Project Team

As an individual (data subject) working on a project in collaboration with TASO or on a project that is funded by TASO we will typically collect the following categories of your personal data (we work to only collect the minimum amount outlined):

• Name(s), Email Address, Phone number
• Job Title, occupation, place of work, employer
• Your CV, qualifications and relevant experience including any previously published work
• Information held in past successful or unsuccessful funding applications
• Information held on documentation created within a past project in which you were a member of the Project Team
• Information captured in emails, surveys and communications
• Information recorded in interviews we have with you

This information is also relevant to employees of organisations acting within the framework of being part of TASO’s ‘Panel of Evaluators’ (a set of organisations TASO partner with to conduct projects) and ‘Theme Working Groups’ (groups of industry specific relevant stakeholders who advise TASO in various capacities on projects TASO are undertaking – either directly related to a project or informing the development of a project).

Communications

There are a variety of ways and reasons we communicate with you which are outlined in sections 2 & 3 of this Privacy Notice. In order to achieve our objectives, we will collect one or more of the following categories of your personal data within the communications work we conduct:

• Name(s), Email Address, Phone number
• Job Title, occupation, place of work, employer
• Information captured in emails, surveys and communications
• Opinions you have expressed to us which are relevant to a project objective
• Publicly available personal information (e.g. from websites and social media platforms)
• Social media handles and publicly expressed content
• Videos of you where you are in the background when you attend an in-person event we are recording
• Videos of you where you are acting as a speaker for our work or being interviewed on camera as an attendee of an event TASO is holding
• Accessibility and/or dietary needs/preferences (in relation to events management)
• Payment details managed by a third party payment provider

Visitors

To accommodate your visit to our offices we will process the following categories of personal data:

• Name(s), Email Address, Phone number
• Job Title, occupation, place of work, employer
• Information that may aid accessibility needs including any relevant special categories of information (“Health Data”)
• Reason for visiting
• Information recorded in interviews we may have with you
• Time of entry and exit, and duration of visit
• Quotations you give about an event of ours you have attended (either at the event or after the event) – we will anonymise any reference to yourself or gain your permission to reference you against your quotation
• Recorded footage of you (where we are video recording a live event)
• CCTV footage of you

Recruitment

Where you have applied for a job, work experience or internship with us we will collect:

• Contact details such as name, title, addresses, telephone numbers, and personal email addresses
• Copies of driving licence, passport, birth certificates and proof of current address, such as bank statements and council tax bills
• Evidence of how you meet the requirements of the job, work experience or internship, including CVs and references
  evidence of your right to work in the UK and immigration status
• Doversity and equal opportunities monitoring information – this can include information about your race or ethnicity, religious beliefs, sexual orientation, disability and other ‘special category data’ information about your health, including any medical needs or conditions
• Other information required for some applications
• If you contact us regarding your application, a record of that correspondence
• Details of your use of our recruitment tools and services, such as your candidate profile and alerts for vacancies the status of your application and updates on how it moves forward
• Most of the personal information we process for our communications work is provided to us directly by you

We may also collect, store and use the “special categories” of more sensitive personal information including:

• Information about your physical or mental health, or disability status.
• Information about your health and medical conditions for health and safety reporting purposes.
• Criminal records information.

Website

When you visit our website, we will collect the following information about you:

• Information about the device used to access our website, your visits and use of the website including your IP address, internet log information, location, browser type and version, referrer and activity, and details of visitor behaviour patterns
• We record your activity and preferences when visiting our website through the use of cookies (see “Cookies”, below)
• IP address, operating system and browser information

Submissions

When you submit an intervention, research or evaluation case study for review for potential inclusion in a toolkit we have developed that may be accessed within or from our website, we will collect the following information about you:

• Name, telephone number, email address, regional location, position/job title, and University or organisation you’re from and any relevant qualifications
• Details about the intervention, research or evaluation, which may include information such as the course you’re on or involved with, the course subject(s) that you’re related to or taking

Other non-personal data collected as part of a Submission:

• How the intervention was developed, how long the project ran for, the target population, who is involved, methods used, impact of the intervention

4. Why we collect your information and what we use it for

Research Participants

We collect your personal information for two distinct reasons when you are a research participant. Not all reasons will be relevant to you within this Privacy Notice, and you should always refer to the Privacy Notice provided to you which will be specific to the research you’re involved in.

The first reason for collecting your personal information will be to analyse it in the context of the research. This means the personal information collected from you is needed so we can conduct research on your personal information.

It is highly unlikely we will analyse one participant’s personal information in isolation. Most research we conduct is the bringing together of multiple people’s information to make discoveries to inform results to be published in a research report. Your personal information is never published unless we have gained permission from you to do so.

The second reason for collecting your personal information is so we might gather the information needed for the research project from you. There are a variety of reasons we use your personal data to do this (not all reasons listed below will be relevant to you and you should refer to the purposes for use as listed in the project Privacy Notice):

• The aim of our projects will normally be to test the impact of an activity designed to improve equality in education, or to understand existing patterns of inequality in education
• To conduct an interview, workshop or focus group with you as a participant, which may or may not be recorded
  To contact you to participate in an interview, and/or a workshop, and/or a focus group session as part of a project or piece of research
• To gain your permission for participation in the research
• To match your data with your data held in the government data sources, including the Higher Education Statistics Agency (HESA), the National Pupil Database (NPD) and the Individualised Learner Record (ILR).
• To transcribe the audio captured from any recorded interviews, workshops or focus groups we have with you as a participant
• To identify your data, which would be deleted where possible, should you no longer agree to have your data processed for the purpose of conducting the evaluation
• To associate your answers with yourself where we would like to make confidential contact with you based upon the answers you have provided which we have identified as useful in our development of the research area
• To make confidential contact with you where you have indicated interest in being contacted about the research area or to participate in any research projects associated with this area of research (you are able to opt out at any time and are under no obligation to participate in any subsequent research projects)

We will also use your personal information to respond to and identify your personal information when you submit a data subject rights request.

Discovery, Review & Allocation

There are many uses of personal information in our work for Discovery, Review and Allocation. The following uses of your information, unless specified further below are relevant to all individuals involved:

• To identify you as a relevant individual
• To invite you to meet with us or attend an event we are holding either virtually or in person
• To invite you to attend an industry event with us with the option of liaising with you to speak at an event either with us or on our behalf (this may also include speaking to the media for the purpose of publication including print, radio, and television)
• To invite you to participate in a survey, panel, or poll we are conducting
• To request and capture your opinions which will be used to inform our decisions in this area of work
• To discuss thoughts and ideas around sectoral challenges and initiatives
• To identify and review programmes of work undertaken in the children’s social care sector
• To allocate you to a project or piece of research where you will be become a member of the Project Team
• To record a podcast, webinar and/or video with us for purposes of creating promotional or sectoral awareness content which we will publish for public consumption (non-profit)
• If applicable, for reference within an academic paper, journal or sectoral publication including print, radio, or television
• To monitor your level of engagement with us
• If applicable, to book and arrange transport and accommodation for you
• To inform and discuss with you our intentions for archiving research generated data for future use
• To associate you to a piece of work you have conducted
• To interact about and for the development of a project idea, a call for projects, evaluators and research partners, an Expression of Interest (EOI) submission, an invitation to tender (ITT) document or submission, and/or a funding application or funding process
• To maintain legal and ethical compliance measures

Sector Stakeholders

• To request your permission for involvement in an advisory group, committee, panel or industry ambassador programme including ad hoc discussion groups we have created.
• Sharing of your personal information for the encouragement of networking, idea generation and healthy debate, with other individuals in the same Sector Stakeholder group/committee/panel as yourself (we will never share your information with anyone you would not expect).
• If applicable, to pay you for your time or services.

Delivery Partner

• To review applicability and eligibility for the implementation of a programme of work we have proposed that will be part of a project or piece of research we wish to conduct.
• To review applicability and eligibility of a programme of work already implemented (without our influence) for a project or piece of research we wish to conduct.
• To make decisions regarding allocation of resources, applicable evaluators, funding and timing for a project or piece of research based on information you have provided.
• To make our funder aware of a project and where applicable the individuals involved in the project (this may be the Office for Students).

Evaluator

• To make decisions on your eligibility and applicability as an individual, collective or organisation, to conduct a project or a piece of research work in respect of a brief we have written.
• For the review of documents you have submitted to us.

Project Team

Within a Project Team, which includes all individuals (data subjects) involved in the life cycle of a project from idea inception to funding, conducting the project, writing, and printing the report through to completion and data deletion, we collect personal information for different purposes throughout.

There are members of the Project Team that will be involved in activities around a project but not involved in the delivery or activity of the project itself. These Project Team member’s personal information will be used for the following reasons:

• To interact for the development of a project idea, funding application and acceptance or rejection
• To maintain legal and ethical compliance measures for a project
• To communicate between stakeholders to assist and support the project technically, organisationally, or contractually
• To liaise for the creation of documentation and reports including but not limited to any interim or final project reports as required
• For setting up and conducting of individual or group conversations which are held digitally or in person
• To make contact with individuals to address any challenges faced
• To identify you in past project documentation if helpful to a live project

Where you are part of the Project Team that will deliver the aims of the project and are involved in conducting the activities associated in the delivery of a project, we use your personal information for the following reasons:

• To review your applicability for being part of the Project Team that will deliver a project
• To set up meetings, events, and communication activities relevant to the work within the project
• To send you information and set up desired and possibly automated lines of communication to yourself for the duration of the project
• To identify yourself as a relevant project stakeholder for project or research participants which may mean we share your direct contact details to relevant participants for the purpose of the smooth running of a project or to address any challenges faced
• Where relevant and agreed, to make you identifiable on published documentation so you receive the required accreditation for the work you have conducted
• To add credibility to project documents where you are a recognised authority in a particular field or subject which may in turn attract investment or good will for participation in the project
• If relevant to the project, to conduct interviews, send and receive surveys and set up the ability to gain access to datasets in external locations and databases
• To set up visits and access requirements to organisations, buildings or protected individuals
• To run a Disclosure and Baring Service (DBS) application and processes if required for the project and share the outcome as required
• To send or receive instructions from you in the pursuit of the objective of the project
• To identify you in past project documentation if helpful to a live project

Communications

To complete the objectives of TASO, communications is fundamental to its success. Communications work comprises of gathering and dispensing information for a variety of purposes. Using personal information is important to deliver on TASO’s communications strategy.

The reasons we use your personal data for communications work, which will depend on how we capture your personal information, includes:

• To send you information about online and offline events
• To invite you to attend and/or register you for an online or offline event
• To manage your data in context of an event which may mean taking payment, alerting you to issues, reviewing your application to the event and sending you updates about the event
• To add you to the TASO list of sector related stakeholders once you have registered for an event, to receive communication from us or registered an interest from another source
• To send you our newsletter and relevant ad hoc updates including latest news, blogs, programme updates, research projects, research publications, event details, recruitment and funding opportunities
• To gather and use survey answers which you have completed
• To identify if you are a relevant sector stakeholder from publicly available information on websites and social media accounts
• Where you have been identified as a sector stakeholder, to invite you and to allow you to participate in interviews, forums, panels, focus groups, research reviews and research projects as a Research Participant or industry expert
• To transcribe audio captured from any recorded interviews, workshops or focus groups we have with you as a participant
• Quoting you in documentation where we have found your information from publicly available sources
  Gaining permission from you to use a quote you have provided in communication with us
• To gather opinion from on on the work and activities we are conducting
• To request referral to other sector relevant stakeholders you may have awareness of
• To make contact with you where we have identified a match to your skillset and/or opinion to a particular project and invite further consultation
• To identify you in our data lists and take any required actions where we have received a data subject rights request from you
• To understand and if appropriate take action where TASO is under any legal or regulatory obligations regarding the uses of your data
• To use in promotional collateral and material as still images or videos where we have either sought your permission to do so or you have verbally agreed have an ad hoc photo taken or to participate in an on-camera interview at a
• TASO event you are attending (you may appear in the background and be recognisable)
• To allow for accessibility and dietary needs/requirements at our events
• To improve upon previous communications work and activities, to develop capacity and the ability for TASO to perform its service to society

If you no longer want to receive marketing communications from us, you can unsubscribe from our mailing list at any time by please clicking the unsubscribe link, at the bottom of our emails or by emailing info@taso-he.org detailing your name and email address, and indicating that this is in relation to the unsubscribing.

Visitors

When you visit the TASO offices we will use your personal information to register you at the reception of our building who will log entry and exit times as part of building security measures.

You may be asked to write your name and further details into a visitors’ book by building entrance staff and you will be captured on CCTV cameras during your visit which is also for security and monitoring purposes.

Your personal information will be limited to those who you would expect to know of your visit and where you voluntarily interact with other employees of TASO whom you meet, or other event attendees.

Your personal information will also be stored in an electronic calendar application and used as a lookup to understand arrival and departure times and to identify when you last visited.

Should you be visiting for an event at our offices we may produce name badges for ease of identification by ourselves and others in attendance, and we may make a video recording (filming) of the event where you may be in the background. We may ask you to be in the foreground of a video recording of an event i.e. conduct an ad hoc interview with you or record you asking a question to a panel member.

You are under no obligation to be in the foreground of any filming we do at an event, and we will inform you of recording taking place so you are able to move to a location where you do not appear in the background of any filming should you not wish.

Please do let us know either before, during or after a filmed event if you no longer wish to be recognised within a recording and we shall endeavour to remove or obscure the image so you would not be identifiable on any recordings we have made.

Recruitment

We use you information in the recruitment process for employment, work experience or internship at TASO in the following ways:

• To reply to you about the position you have applied for or inquired about
• To approach you as a good fit for employment, work experience or internship
• To check you are the right candidate for the role
• To move your application forward including making changes in applicant tracking systems or dedicated recruitment-based software and websites
• To receive a reference from a sectoral relevant individual where they have gained permission from you to be introduced to us
• To send you notifications for other job, work experience or internship vacancies
• To inform you about the status of your application
• To invite you to participate in relevant surveys, questionnaires, research projects and events where your profile has been identified relevant to research work, we are conducting (we will never share or sell your personal data and we will never include you in research participation where we have not gained your permission to do so)
• With permission, retain your personal information for longer statutory requirements where you have not been successful but would like the opportunity to invite you to apply again in the future

We maintain a reserve list of candidates who met our requirements but were not successful in securing the specific post they applied for. We’ll ask for your permission to be added to this list. We will refer to the list when other roles are advertised and will contact you if you match the role. We will ask for your permission before putting you forward for the role.

If you are successfully recruited, we will upload your details to our HR system. We will also share your data for statistical analysis (it will be anonymised first) if we are required to do so by law – for example, by court order, or to prevent fraud or other crime.

Website

The personal information we collect when you visit our website goes toward helping us:

• To monitor the website and keep it secure, it helps us understand how we might improve the website through numbers of visits, visitor patterns and behavior
• Promote and develop services and grow our organisation
  Run our organisation, provide administration and IT services, ensure network security, and prevent fraud
• Collect information to understand more about our stakeholders’ interests and preferences and to inform our marketing strategy.
• To keep our website updated and relevant, to develop our organisation, and to inform our marketing strategies
• To add you to Communications activities lists where you have indicated your consent for us to do so
• Answer any enquiries you submit to us via the website inclusive of information submitted via the TASO Speaker Request Form

Cookies we use tell us how you use the site and what pages you have visited.

Submissions

When you submit an intervention, research or evaluation case study for review we use your personal information to:

• Communicate with you about your submission
• Inform you that you have been successful or not
• Understand the reasons for your submission and why you think it is relevant to a toolkit
• If you are successful, we will ask you if you want to have your personal data (contact details) to be displayed on our website (within the toolkit) for anyone accessing the toolkit to make contact with you
• To invite you to speak or engage with an audience interested in the toolkit or generally related topics pursued by TASO
• Invite you to participate in developing your case study into further research we think may be relevant to TASO in the future

5.     Collecting your personal information

Research Participants

As a Research Participant we will collect your data in a variety of ways and at a variety of times throughout any given project.

Not all methods of collection listed below will be relevant to you and you should rely on the project specific Privacy Notice to keep you informed. Below is a list of all possible way we, or a Project Team may collect your personal information.

We refer to “primary data collection” when data is collected directly from you, and we refer to “secondary data collection” when the data is not collected directly from you.

• From yourself within online/telephone interviews (primary data collection)
• From yourself within online workshop or focus group interviews (primary data collection)
• From yourself via an online survey we have sent you or you have voluntarily answered (primary data collection)
• From yourself when you communicate directly with us (primary data collection)
• From your place of work to make initial contact with you (secondary data collection)
• From publicly available websites and sources including Social Media (secondary data collection)
• From a reference passed to TASO or the Project Team by an individual or organisation within TASO’s or the Project Team’s network of previously established contacts database (secondary data collection)
• From a database held by TASO or the Project Team where your data has been held with your permission for a secondary use within a TASO (including a Project Team) project (secondary data collection)
• From a parent, guardian, relative, educator, education establishment or other relevant allied professional (secondary data collection)

We also receive personal information indirectly (secondary data collection), from other sources in the following scenarios:

• We may receive information from higher education providers and other organisations that are funded by us or collaborating with us on research projects.
• We may match research participant information with information held by the Higher Education Access Tracker (HEAT) (or other similar tracking services) on whether they have participated in outreach programmes and your long-term outcomes (e.g. whether and where they have progressed to higher education).
• We may also directly match research participant data information with government data sources, including the Higher Education Statistics Agency (HESA), the National Pupil Database (NPD) and the Individualised Learner Record (ILR).

Discovery, Review & Allocation

There are many ways we collect your personal information during our Discovery, Review and Allocation work.

These include:

• From publicly available sources including websites, social media, broadcast media, publications in print, radio and television, and academic or scientific publications
• From sector related referrals (employees, Sector Stakeholders, Delivery Partners, Evaluators, current and past Project Team members, local or central government sources, our funders, our board of directors, sector related charities, schools, social workers, Higher Education Providers, Professors, researchers, data scientists, academics)
• From yourself within online/telephone meetings and/or interviews
• From yourself within online or in person forums, panels, workshops, focus groups or sectoral relevant meetings or interviews
• From yourself via online polling requests or surveys we have sent you which you have answered
• From yourself when you communicate directly with us
• From your place of work to make initial contact with you
• Within documentation you or a relevant organisation has submitted or provided to us

Project Team

We collect personal information from Project Team members from yourself and from a variety of indirect locations (i.e. we don’t always initially obtain your personal data from yourself).

Initial applications to TASO where TASO has advertised for applications from researchers and research organisations to conduct TASO supported and/or funded research projects or other related projects. There are a variety of documents with personal data capture fields in which Project Team applicants must complete as part of the application and subsequent approval processes.

Once an application is successful, we will collect further Project Team member personal information from the individuals named in the initial application materials and communications, this is most likely collected over email. There may be times TASO captures further personal information of Project Team members from publicly available websites and social media platforms.

Throughout the duration of a project there may be a further capture of personal information via documentation submitted, Certification Services, Disclosure & Baring Service (DBS) (if applicable), and any subsequent requirements by external websites and software which require further personal information as part of their functional processes. TASO may or may not be responsible for collecting your personal information for requirements throughout a given project although it is likely TASO will collect this personal information so it may assist any required processes that become required.

TASO also retains a list of sector relevant stakeholders which has been created from publicly available locations, websites and social media, and made up of stakeholders TASO has interacted with on a previous project or on an individual basis with a current TASO employee.

Individual TASO employees may also maintain a professional relationship with you as a relevant industry stakeholder where there is a previously established relationship. TASO will always confirm you are comfortable with your personal information being processed by TASO where there is a previous relationship with a TASO employee where they have made contact with you directly – in this scenario TASO has collected your personal indirectly via its employee.

You may volunteer personal information to TASO which may or may not be related to a project in which you are involved which TASO will record for awareness of future opportunities to work with you. Other ways TASO will collect your personal information include:

• From yourself within online/telephone interviews
• From yourself within online workshop or focus group interviews
• From yourself via an online survey we have sent you or you have voluntarily answered
• From yourself when you communicate directly with us
• From your place of work to make initial contact with you

Communications

Collection of your personal information within communications work will be via one or more of the following:

• When you register or sign up for the TASO mailing list, events, newsletters or publications on our website or via direct contact from yourself
• When you complete a TASO survey which may be on the TASO website, a link we have sent you in an email or direct message, a link to a survey that has been sent on our behalf via an email or other industry newsletter or forum, or a link to the survey from an external website or social media platform
• When we communicate with you to required direct feedback from you which may be via email, direct message, unified communications or social media platform
• From your posts and communications posted on our website or on social media platforms either directly to TASO or separate to TASO where publicly available
• During our work to monitor content and communications with us via each of the platforms and technologies we employ in our communications work
• We collect information from publicly available sources and from individuals who have made us aware of yourself where we have identified you as a relevant stakeholder in the pursuit of public good and societal benefit in alignment with the work conducted and produced by TASO
• From events location/space service providers to accommodate for any needs or requirements
• When we record you at an event either foreground or background depending on the circumstances of the recording taking place (we will also provide a Privacy Notice at the events location)
• External event registration locations
• Where relevant, when we take payment from you

We use third party providers to deliver our e-newsletters, manage event registrations and sign-ups, edit and possibly transcribe recorded footage and to take payments where required. These third parties gather further personal information on behalf of TASO in conjunction with their services to TASO.

We also gather statistics around email opening, clicks, event attendance, engagement levels and events management using industry standard technologies to help us monitor and improve our communications work.

TASO maintains Data Processing Agreements with all third-party providers where personal data is being collected and processed on TASO’s behalf.

Visitors

Office visitor information will be collected via email from yourself or the individual that has arranged your visit on your behalf or via a third party which we will pass on to building management so they can communicate your arrival to us. Your personal information will also be collected from you when you add your details to a building management visitors book.

If you are visiting the TASO offices to attend an event you may be asked to write your personal information on a name badge/sticker and you may be filmed, should we be recording the event as part of our Communications work (see the Communications section above).

Recruitment

We have gathered your information in one or more of the following ways:

• Via publicly available sources such as social media where we have identified you as an individual we would like to approach as a good fit for employment, work experience or internship at TASO
• From a reference of a sectoral relevant individual where they have gained permission from you to be introduced to us
• From a Higher Education Provider (HEP) such as a college or University who has recommended you to us
• From a current or former employee where they hold a previously established relationship with you and sharing your personal information with TASO would not be unexpected
• From yourself via a recruitment web advert we have developed which may also mean we have received your personal data via a recruitment platform or website
• From a recruiter, recruitment agency or other applicant tracking system or recruitment website
• From yourself when you have participated in a survey or questionnaire as a research participant and we have identified you as a potential candidate for employment, work experience or internship at TASO
• From yourself where you have responded to an advert on our website, completed our contact us page on our website or sent an unsolicited prospective email to us
• We also use platforms such as LinkedIn, Indeed, CV Library and others where we may have identified you as a potential candidate for employment, work experience or internship at TASO
• From publicly available websites and social media platforms
• From former employers and people named by candidates as references
• Where relevant, the Disclosure and Baring Service (DBS)
• If relevant to the role, Government departments or other relevant and related institutions.

Website

We collect data about you from your device and via third-party website analytics services such as Google Analytics and cookies (see below) when you visit our website. We do not make, and do not allow our Google Analytics settings to make, any attempt to find out the identities of those visiting our website.

This website includes embedded content (e.g. videos, images, articles, etc.) from other websites and links to external websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow other parties to collect or share data about you. Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website. We do not control these external websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

Cookies

As you interact with our website, we automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies to enhance your experience of our website.

Our website uses cookies for collecting user information which may include IP address, operating system and browser information. We use persistent cookies to track returning visitors. They expire after 12 months and enable us to compare website traffic from month to month.

Cookies are text files, which identify a user’s computer to our servers. Cookies in themselves do not identify the individual user, just the computer used. You can learn more about cookies by visiting http://www.allaboutcookies.org/.

You can manage and delete cookies through your web browser. Each browser manages cookies differently, but you can learn more about cookie settings in the most common browsers using the links below:

• Chrome
• Firefox
• Safari for Mac
• Safari for iOS
• Edge
• Internet Explorer

You can also prevent your data from being used by Google Analytics by using the Google Opt-out Browser Add-on, available at this link.

Submissions

When you submit an intervention, research or evaluation case study for review we will collect your personal information in the following ways:

• A digital form on the TASO website
• Via email to a TASO employee or generic TASO email address
• Personal information contained within case study documents submitted
• Within subsequent information you provide to us about the submission
• Information you volunteer to us within any communications we have with you

6.     Our lawful basis for using your data

Research Participants

We process the personal data of research participants in a variety of ways. As a research participant we will only use your personal data when the law allows us to.

We will always inform you of our lawful basis for processing within either the Research Participant Data Privacy Notice and/or the Participant Information Sheet and/or a Consent Form you are presented with at the point of collection of your personal data.

Most commonly, the lawful basis for using your personal information may be one or more of the following within a project:

• Legitimate Interest for societal benefit within a research project
• Public Task when we work in the public interest
• Legal Obligation when we must comply with the laws of the country in which we are working in or where you have provided information where we have a statutory requirement to inform relevant authorities

For the collection of your sensitive personal information, also known as GDPR special categories of personal information, in general we rely on GDPR Article 9.2(j) for research purposes with a basis in law. This is also relevant to any personal information known as “protected characteristics” under the UK Equality Act 2010. Confirmation of this will be found in the project specific Data Privacy Notice.

A note on Consent: Research projects will often ask you for your consent to participate in a project. Unless it is clearly stated in relevant Privacy Notice provided to you, in general, this will not be data protection consent as the lawful basis we use to process your personal information.

A lot of research we do is dependent on gathering “informed consent” for your participation as part of ethical considerations required by either a research ethics committee who’ve reviewed the project proposal or to follow best practice in accordance with the Helsinki Declaration.

Should you withdraw your consent for participation when the data being analysed, we would not be able to immediately remove your data until the analysis is complete. Where possible we would endeavour to remove all association to your personal information from the point of withdrawal and inform you where this may not be possible depending on the stage of analysis and project as a whole.

Discovery, Review & Allocation

Most frequently we will process your personal information on the basis of our legitimate interest as a Data Controller within our work for the benefit of society. There may be occasions where we have entered into a contract with you and therefore the lawful basis shall be upon the obligations of a contract in which you have agreed. There may also be occasions where our funder(s), or other public bodies shall instruct us in this work which will more likely be a task within the public interest, also known as “Public Task”.

Project Team

In the lifecycle of a project one the following lawful basis for processing your personal information will apply and is dependent on how you interact with us:

• Contract: Processing your personal information in accordance with a contract we have with you or the organisation you work for.
• Legal: Complying with applicable law with regard to personal data necessary to satisfy our legal and regulatory obligations, including with regard to public health and workplace safety, entitlement to work and when applicable to conduct security checks for a project.
• Legitimate Interest: In the processing of your personal information in relation to a project application, to set up project related activities and in the overall organisational, monitoring and management activities during a project. This includes moving your data to an internal stakeholder list for possible future collaboration and notifications.

Communications

We process personal information for our communications work based on different legal bases:

• Legitimate Interest: We may rely on our legitimate interests to process your personal data, provided that such interests are not overridden by your interests, fundamental rights, or freedoms. In particular, we may process your personal data with reliance on a legitimate interest where we have identified you as a relevant stakeholder in the Higher Education sector and in the effective and lawful operation of our businesses, maintenance of our relationships with collaborative organisations, and the effective delivery of information and services we may provide to you. We may have other legitimate interests and, if so, we will make clear what those interests are at the relevant point in time.
• Consent: We may rely on the consent that you provide us at the point of collection of your personal data to use such information for the purposes outlined herein. For example, you may have agreed to receive marketing materials such as our electronic newsletters (you are able to opt-out or unsubscribe at any time).
• Public Task: From time-to-time when we carry out communications activities, we may have to process personal data to perform a task that’s in the public interest or in the exercise of a TASO funder’s (such as the Office for Students) official authority.
• Legal: We may process your personal data if necessary for us to comply with a legal obligation arising under an applicable law to which we are subject.

Visitors

We process the personal information of visitors to our offices based on the legitimate interest of the data controller (TASO).

Recruitment

We process personal data throughout the recruitment application process based on different legal bases:

• Contract: Processing your data is necessary to move your application forward before signing a contract of work. This concerns employment or pre-employment checks.
• Legal: Complying with applicable law with regard to personal data necessary to satisfy our legal and regulatory obligations, including with regard to public health and workplace safety, entitlement to work and when applicable security checks.
• Legitimate Interest: Evaluating your application and to manage our relationship with you, to ensure that we recruit appropriate employees, and to evaluate and maintain the efficacy of our recruiting process more generally. We will also process your personal data to invite you to participate in projects which may be, or similar to, surveys, questionnaires, events, interviews or other research projects where the work we are conducting is for societal benefit.
• Public Task: When we carry out National Security vetting for some roles, we have to process personal data to perform a task that’s in the public interest or in the exercise of a TASO funder’s (such as the Office for Students) official authority.
• Consent: If we offer you the opportunity to participate in our optional recruiting programs or if we collect sensitive personal data for legally permitted purposes other than compliance with our legal obligations regarding public health and workplace safety. We will ask for consent from you where you are not successful, and we want to retain your personal information for longer than 6 months. Also, for us to send you surveys, questionnaires, information about events, interviews or other research project opportunities where the work we are conducting is for societal benefit.

Website

We process the personal information of visitors to our website based on our legitimate interest as the data controller.

We request your consent for adding your personal information to our Communications activity lists where you have provided your information via a form on our website. You are able to opt-out of receiving communications from us by emailing us on info@taso.org.uk or by selecting the ‘unsubscribe’ preference we include on each marketing email we send.

We also request for consent for the use of cookies when you first visit our website. You can opt to refuse cookies that are not necessary, and you are able to update cookie collection preferences through browser settings (see Cookies in Section 5).

Submissions

The lawful basis we use for processing your personal information when you submit an intervention, research or evaluation case study for review is within the legitimate interest of TASO (the Data Controller) in the pursuit of its goals of improving outcomes in higher education.

7.     Security, Storage and Sharing of your data

We take the security of your information very seriously and have put physical, technical, operational, and administrative strategies, controls and measures in place to help protect your personal information from unauthorised access, use or disclosure as required by law and in accordance with accepted good industry practice. We will always keep these under review to make sure that the measures we have implemented remain appropriate.

We use Google Workspace & Google Cloud Platform for the secure storage of personal information processed by us. Through the use of Google services the organisation is able to provide a high level of security around the storage of highly sensitive personal data which is captured within a high variety of our activities. You can find further security and compliance information in the Google Compliance Resource Centre, Privacy Resource Centre and the Google Cloud & the GDPR pages.

Your personal data may also be stored with specific third-party services for the minimum period necessary to perform activities with your personal information. Each third-party is subject to contractual and security reviews to ensure adequate and comparative levels of security, we’d expect for ourselves, is provided for the data they process on our behalf.

The types of third-party providers we use include:

• Transcription services
• Mass email services
• Communications providers
• Survey platform services
• Client Relationship Management services
• Website services and platform providers
• IT services organisations

We may also share your personal information with our professional advisers including our lawyers and auditors where it is strictly necessary. It is possible that we may be required to share your data to comply with applicable laws or with valid legal processes, such as in response to a court order.

Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded by implementing at least one of the following safeguards:

• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK (the UK also recognises the European Commission list of adequate countries. For further details, see European Commission: Adequacy of the protection of Personal Data in non-EU countries)
• Where we use certain service providers, we may use specific contracts approved by the UK which give personal data the same protection it has in the UK. For further details, see UK International Data Transfer Agreements. We will also assess in-country standards as part of this process.

Where data is likely to be shared outside the UK to a country without appropriate safeguards comparative to those offered by the UK GDPR and UK Data Protection Act 2018 we shall inform you of the reasons for this requirements and the supplementary measures to maintain the security around your data we have implemented.

Research Participants may have specific differences (outlined below) to how personal information is secured, stored and shared compared to our activities with other data subject’s personal information.

Research Participants

We may share the information we gather with other organisations in the following scenarios (where this has been outlined in the privacy notice):

• We may share information with higher education providers and other organisations that are funded by us or collaborating with us on research projects.
• We may share information with independent evaluators that we hire to work on specific projects.
• We may also share information with HEAT, HESA, the NPD and ILR for the purpose of matching as outlined above.

Where there is a requirement or desire to archive your data for purposes of public interest which may mean the possibility of a secondary use of your personal data we shall inform you of our intention to do so maintaining appropriate safeguards in line with UK GDPR Article 89.1. Supplementary security safeguards may include, but are not limited to:

• Pseudonymisation
• Anonymisation
• Functional Anonymisation
• Data Coarsening

Always refer to the research project Privacy Notice to confirm how your data will be stored, shared, and kept secure.

8.     How long we keep your data

We will only keep personal information for as long as it is needed to fulfil the purpose for which it was collected.

Research Participants

The length of time which we plan to keep any information for will be outlined on the privacy notice for each individual project. Wherever possible, personal data will be anonymised or pseudonymised, as long as this does not impair the aims of the project.

When data is no longer needed, unless there is another legal reason for us to retain your personal information, we will securely destroy any paper or digital records (as specified in the privacy notice for any particular project).

Discovery, Review & Allocation

We will only keep personal information for as long as it is needed to fulfil the purpose for which it was collected.

Where it has been indicated to us that an individual is no longer relevant, has changed role or organisation, or has requested to be forgotten, unless there is no other legal reason for retaining the personal information, we will update or delete the personal information as required. We review all lists at least on an annual basis.

Personal information may be moved into Communications activities lists and therefore retained longer than may be anticipated – this is within our legitimate interest to do so, and all individuals have the ability to opt-out of such further communications at any time.

Project Team

Where it has been indicated to us that an individual in a Project Team is no longer relevant, has changed role or organisation, or has requested to be forgotten, unless there is no other legal reason for retaining the personal information, we will update or delete the personal information as required.

Personal information of Project Team members may be moved into Communications activities lists and therefore retained longer than may be anticipated for an individual project – this is within our legitimate interest to do so, and all Project Team members have the ability to opt-out of such further communications at any time.

Communications

If you have provided consent for us to use your information for our communications work, we will retain your information until you withdraw that consent. Where we have not relied on consent for the processing of your information, where you indicate to us you no longer wish for us to retain your information, we will delete you information.

If you attend one of our events, we will use your information for the purpose of the event and will only contact you for any other purpose if you have said we can. We will retain your personal information collected for the purpose of the event for 3 years for evaluation and organisation development purposes to help us understand our audience and reach, and to improve future events.

We review all Communication’s activities lists on an annual basis and delete, update or request confirmation of accuracy of data and/or preferences where appropriate or required.

Visitors

Your personal information shall be retained within digital email calendars and subject to archiving processes conducted on an ad hoc basis. Name badges will be destroyed when you leave the premises. ID that is requested to be shown at the building front desk is for verification purposes only and we don’t record this information.

Closed-circuit television (CCTV) operates inside and outside the building for security purposes. The information is viewed by the building security company on a live feed and may be recorded at the discretion of the provision of security services supplied by the building we occupy.

When we provide you Wi-Fi on site for the use of visitors. We’ll provide you with the login details. We record the device address and will automatically allocate you an IP address whilst on site. We also log traffic information in the form of sites visited, duration and date sent/received. This information is retained for a reasonable period of time to monitor the security of Wi-Fi use when onsite.

We sometimes record audio and video of training sessions delivered by external training providers. We don’t do this without the prior agreement of the training provider and no recordings are shared outside of the TASO. Training recordings will be deleted when they are of no subsequent use to TASO and its staff.

Recruitment

We will store your information for the duration of the recruitment process. Where you have not been successful, we shall retain your personal data for up to 6 months in accordance with the UK Limitation Act 1980. We will only retain your personal data longer than 6 months where we have gained your permission to do so.

If you have been successful in the recruitment process, we will provide you with an Employee Privacy Notice outlining the retention period of your personal information.

Website

Depending on your reason for visiting the website and how you decide to interact with our website will determine the amount of time we retain your personal information outlined above. You are able to delete Cookies (please see section 5).

Submissions

When you submit an intervention, research or evaluation case study for review, unless you have expressed to us to be included in any further communications outside of a submission, we will keep your personal data:

• For 6 months after we have notified you that your submission has not been been successful
• Indefinitely or until your case study is not longer part of any toolkit on the TASO website – your personal data will be deleted 6 months after the case study has been removed

9.     Your data protection rights

You have the following rights in respect of your personal data:

• Your right of access – You have the right to ask us for copies of your personal information
• Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
• Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
• Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
• Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances including where we are processing your data based on consent.
• Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at info@taso.org.uk if you wish to make a request.

10.     How to Complain

We kindly request you allow us the opportunity to address your complaints when they arise.

If you have any concerns about our use of your personal information, you can make a complaint to us by contacting dpo@theevidencequarter.com or info@taso.org.uk

You can also complain to the UK Information Commissioner’s Office (ICO) using the details below if you are unhappy with how we have used your data. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

The ICO’s address:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

11.     Last update to this Privacy Notice

This Privacy Notice was last updated in March 2024.