how have we got your information
- You may have given us your personal data yourself. For example, you may have given us your business card at an event, emailed us requesting information, or filled in an online form so that you could download a report, document or some other information.
- We may have found your contact details at some publicly available source but in this case we wouldn’t use them without your consent.
- The organisation you work for may have given us your personal data or asked you to give us it because your role is key to the Chest services or resources that they want from us.
what information do we collect
- We only ask for your name, your role or job title, your department, the name of your organisation and your business contact details (phone numbers and email address). We’ll only keep personal email addresses or personal phone numbers if you have specifically asked us to use them.
- Occasionally we might ask you for other personal information when we run an event or an online survey. But we’ll always make it clear why we’re collecting that information and how long we’ll keep it and of course it will be up to you whether you want to participate in the event or survey.
what will we do with your information
We only use your information in connection with the Chest service and resources.
- We may contact you with news about Chest including changes and improvements to service, new resources that will become available and others that will be retired, and to tell you about any events or surveys that we’ll be running.
- If you’re the nominated contact for your organisation, we also need to use your personal data to deliver the Chest service and resources to you on behalf of your organisation and we may need to use it to process your purchase orders, licences, invoices and payments.
- Contact us for if you’d like details about any specific third party that we’re using.
how we protect your information
- We adopt best industry practice to protect your information by aligning with the international standards for information security such as ISO27017 and ISO27018 and we hold our own ISO27001 certification. We keep your personal information behind firewalls to prevent unauthorised access.
- We keep most personal data in Azure (Microsoft’s public cloud). Microsoft adopts leading security measures and is certified to all the standards we’ve listed above and also CISPE, which specifically addresses information security in the cloud. You can read more about their security measures here: https://www.microsoft.com/en-us/trustcenter/privacy/.
- If you’re the nominated contact for your organisation your information may also be kept in public or private clouds used by the service providers we’ve selected for our finance systems. We only use service providers where we are happy with the security measures they implement to protect the data we entrust them with.
- All other third parties, wherever they are located, who have to use your information to provide you with Chest services or resources have to give us contractual commitments to adopt practices consistent with the requirements of the General Data Protection Regulation.
how long do we keep your information
- We’ll keep your personal information until you tell us not to. All our communications will ask you if you want to continue receiving Chest news. Every couple of years we’ll also contact you to check that you’re still happy to hear from us.
- However, by law we must keep financial records such as purchase orders and invoices for six years. If you’re the nominated contact for your organisation, your details might appear on these records. But apart from this, we keep your information until your organisation tells us not to – for example when you stop working for them or because your job role has changed. In any case, we contact your organisation every two years to check that your details are still valid. One year after any of your organisation’s Chest contracts ends, we’ll contact you to ask if you want us to delete your contact details linked to it or whether you’d like to continue to receive Chest news relating to it.
how can you check your information
- We’re happy for you to check the information we have about you at any time. You can ask us to tell you what information we have, why we have it, how we protect it etc. You can also check that your information’s accurate and we’ll make any corrections promptly. Similarly we’ll delete your information if you ask us to.
- Please note that if you’re the nominated contact for your organisation, we’re obliged to check with them before we delete your information. This is because they are the data controller for your information and, for example, your organisation might need us to substitute someone else’s contact details before we delete yours.
- If you want to know about your information, please use the contact details shown at the top of this notice.
The Chest website contains links to other websites. Your visit to those other websites will be governed by their own published privacy policies.
changes to our information security practices
We review our information security practices frequently, so this privacy notice will be updated periodically, therefore we suggest you check it from time to time. The version that appears here was published in January 2019.
Update to Chest data controller
Effective from 2 January 2019 the data controller for Chest has changed from Eduserv to Jisc. This reflects the merger between Eduserv and Jisc.