Chest Privacy Notice

Chest is a Jisc enterprise. Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86.

We want to explain how we respect your privacy. If you have any questions about this privacy notice or about your personal information, then please call 0300 121 0878 or email help@chest.ac.uk.

Our overall policy is to collect the minimum personal data that we need to provide you with the Chest service and to keep you updated about it. We keep personal data for as short a period as possible and take good measures to protect it. We’re always happy for you to check the data we have about you and we’ll delete it if you want us to – unless this would mean we wouldn’t be able to provide your organisation (whether that’s an institution or company) with the Chest service.

how have we got your information

• You may have given us your personal data yourself. For example, you may have given us your business card at an event, emailed us requesting information, or filled in an online form so that you could download a report, document or some other information.
   
• We may have found your contact details at some publicly available source but in this case we wouldn’t use them without your consent.
   
• The organisation you work for may have given us your personal data or asked you to give us it because your role is key to the Chest services or resources that they want from us.
   
• If you visit this website (www.chest.ac.uk), we might use cookies and analytical tools to collect anonymous information about your visit. Cookies are small text files placed on your computer to collect standard internet log and visitor behaviour information. Tracking and analysing visitor activity enables us to improve the website. Find out more about which cookies are used on this site. For further information visit www.aboutcookies.org or www.allaboutcookies.org. You can set your browser not to accept cookies and the above-mentioned websites tell you how to remove cookies from your browser. However this might disable some of the key website features. 

what information do we collect

• We only ask for your name, your role or job title, your department, the name of your organisation and your business contact details (phone numbers and email address). We’ll only keep personal email addresses or personal phone numbers if you have specifically asked us to use them. 
• Occasionally we might ask you for other personal information when we run an event or an online survey. But we’ll always make it clear why we’re collecting that information and how long we’ll keep it and of course it will be up to you whether you want to participate in the event or survey.
  
  

what will we do with your information 

We only use your information in connection with the Chest service and resources. 

• We may contact you with news about Chest including changes and improvements to service, new resources that will become available and others that will be retired, and to tell you about any events or surveys that we’ll be running.
   
• If you’re the nominated contact for your organisation, we also need to use your personal data to deliver the Chest service and resources to you on behalf of your organisation and we may need to use it to process your purchase orders, licences, invoices and payments.
   
• We’ll never sell or share your personal data with any third party except for third parties who provide part of the Chest service or resources – for example Chest publishers and software suppliers may need your personal data to ensure that nobody else accesses or downloads the Chest resources that your organisation has purchased. Sometimes we’ll run communication campaigns using carefully selected marketing agencies to contact you on our behalf and so we’d have to give them your contact details. All of these third parties have to give us contractual commitments to only use your information in connection with Chest. If any of them want to put you on their own mailing lists they need your specific agreement and they should let you review their own privacy policy.
   
• Contact us for if you’d like details about any specific third party that we’re using. 
  
  

how we protect your information

• We adopt best industry practice to protect your information by aligning with the international standards for information security such as ISO27017 and ISO27018 and we hold our own ISO27001 certification. We keep your personal information behind firewalls to prevent unauthorised access.
   
• We keep most personal data in Azure (Microsoft’s public cloud). Microsoft adopts leading security measures and is certified to all the standards we’ve listed above and also CISPE, which specifically addresses information security in the cloud. You can read more about their security measures here: https://www.microsoft.com/en-us/trustcenter/privacy/.
   
• If you’re the nominated contact for your organisation your information may also be kept in public or private clouds used by the service providers we’ve selected for our finance systems. We only use service providers where we are happy with the security measures they implement to protect the data we entrust them with.
   
• All other third parties, wherever they are located, who have to use your information to provide you with Chest services or resources have to give us contractual commitments to adopt practices consistent with the requirements of the General Data Protection Regulation.
   

how long do we keep your information

• We’ll keep your personal information until you tell us not to. All our communications will ask you if you want to continue receiving Chest news. Every couple of years we’ll also contact you to check that you’re still happy to hear from us.
   
• However, by law we must keep financial records such as purchase orders and invoices for six years. If you’re the nominated contact for your organisation, your details might appear on these records. But apart from this, we keep your information until your organisation tells us not to – for example when you stop working for them or because your job role has changed. In any case, we contact your organisation every two years to check that your details are still valid. One year after any of your organisation’s Chest contracts ends, we’ll contact you to ask if you want us to delete your contact details linked to it or whether you’d like to continue to receive Chest news relating to it. 
  
  

how can you check your information 

• We’re happy for you to check the information we have about you at any time. You can ask us to tell you what information we have, why we have it, how we protect it etc. You can also check that your information’s accurate and we’ll make any corrections promptly. Similarly we’ll delete your information if you ask us to.
   
• Please note that if you’re the nominated contact for your organisation, we’re obliged to check with them before we delete your information. This is because they are the data controller for your information and, for example, your organisation might need us to substitute someone else’s contact details before we delete yours.
   
• If you want to know about your information, please use the contact details shown at the top of this notice. 
  
  

other websites

The Chest website contains links to other websites. Your visit to those other websites will be governed by their own published privacy policies. 

changes to our information security practices

We review our information security practices frequently, so this privacy notice will be updated periodically, therefore we suggest you check it from time to time. The version that appears here was published in January 2019. 

Update to Chest data controller
Effective from 2 January 2019 the data controller for Chest has changed from Eduserv to Jisc. This reflects the merger between Eduserv and Jisc.