Data Privacy Policy¶
Background¶
The United Kingdom's (UK's) current Data Protection Act ("the Act") came into force on 25th May 2018, alongside the General Data Protection Regulation (GDPR). The Act is derived from Article 8 of the European Convention on Human Rights 1950 that provides a "right to respect for one's private and family life, his home and his correspondence", essentially personal privacy. The University of Bristol is a registered data controller under the Act and its registration number with the Information Commissioner's Office is Z6650067.
The Act gives individuals rights over their personal data and protects them from the erroneous use of their personal data. The Act also imposes responsibilities and requirements on any organisation that handles personal data, obligating them to comply with a number of important principles and legal obligations. The Data Protection Principles state that personal data shall:
-
be collected and processed fairly, lawfully and transparently The purpose for which personal data is collected and processed should be made clear to the data subject. Data subjects should not be deceived or misled as to the purpose for which their personal data is held or used, and must be given full information about how it will be used. Personal data should only be obtained from a person who is legally authorised to supply it.
-
be obtained only for specified, explicit and legitimate purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes Personal data held for one purpose should not be used for another, e.g. research data should not be used for direct marketing. All personal data held must be within terms of a register entry or be specifically exempt from registration.
Personal data must not be disclosed to any person not connected to the purpose it was obtained for. Details of persons to whom data may be disclosed and by whom are contained in the registration.
-
be adequate, relevant, and limited to what is necessary for the purpose or purposes for which they are held All personal data held must be clear in meaning, and convey sufficient information for others to understand them. Only information that is strictly necessary should be collected and held. Records should be unambiguous, accurate and professionally worded. Any abbreviations should be widely agreed. Opinions should be clearly distinguishable from matters of fact. Sensitive personal data must only be held if really necessary.
-
be accurate and, where necessary, be kept up to date Personal data must not be inaccurate or misleading to any matter of fact. This is equally applicable to information received from a third party. The source of information should always be included on records.
-
held in a form which permits identification of data subjects for no longer than is necessary for the purpose it was collected for Personal must not be retained longer than is necessary for the purpose it was initially collected.
-
be held securely, incorporating appropriate technical and organisational measures to prevent unauthorised or unlawful processing of personal data and protect against accidental loss or destruction of, or damage to, personal data Access to personal data must be permitted only for the purposes necessary for the fulfilment of legitimate purposes pursued by the University (in line with its notification with the Information Commissioner's Office).
Privacy Notice¶
This privacy notice includes information for the data subject (natural person) in accordance with Articles 13 and 14 of the EU General Data Protection Regulation (2016/679). This notice is provided to the data subject during the collection of personal data.
The BriCS Controllers (referred later as "we")¶
BriCS Services are provided by the Bristol Centre for Supercomputing (BriCS), as part of the University of Bristol. The University of Bristol is the registered data controller. Its registration number with the Information Commissioner's Office is Z6650067.
Data protection and privacy are important to BriCS. We ensure that your personal information is processed appropriately, fairly and in a transparent manner. We only collect personal information for a specific purpose and we will only collect the personal information that is necessary for the purpose of processing the data. We will ensure that the personal information we collect is accurate and we will update them as needed.
If you have any concerns or requests about how we process your personal data, you may contact us using the following email address: [email protected]
When we process your data¶
When you log in to a BriCS service, including registration portals, or the system itself, we handle your person data related to your account. Additionally, collection of the resource allocation decisions, usage accounting, support, and user data on the BriCS services is in scope of this document.
Categories of personal data, purposes of processing and legal basis for the processing of personal data¶
This privacy notice applies to information collected in connection with your access to and use of BriCS Services. "You" refers to any data subjects who register for use or uses BriCS Servicess. The "BriCS Services" refers to any services or products that are provided to you by the University of Bristol via BriCS, including platform, software, web solutions, tools and related support services, regardless of how you access or use these services.
Sources of Personal Data¶
We acquire data primarily from the following sources:
- data provided by you (data subject)
- MyAccessID registration and authentication service
- your home organisation's identity provider
- other identity provider or virtual community you have chosen to use
- organisations that have allocated BriCS resources for you
Collected Personal Data¶
The following data may be registered:
A. Profile Information¶
- contact information such as name and email address
- credentials for authentication or other purposes
- identifiers provided by your Identity Providers (home organisation or 3rd party)
- affiliation information about users such as home organisation,the data subject's role as a member of his/her organisation
B. Project Allocation information such as project name, project membership, project description, resource allocator of the project, user roles in project¶
C. Data access permissions¶
D. Information of your other possible memberships and roles in scientific communities¶
- group and memberships you may have in the context of your scientific community
- roles and rights you may have in the context of your scientific community
Additionally, we keep service use data, such as logs, consisting of the following data:
- Your identifier (user account, identifier, name)
- Accounting data
- System, service and central logs and databases which contain traces on your activities on the system
- Your IP address with timestamps
- The Identity Provider you used and any other data collected with specific agreement from the data subject
Purpose of the processing of personal data¶
You will need to register before you apply for BriCS resources from a Resource Allocator (e.g. UKRI), or to be added to existing BriCS projects. Resource allocation is handled separately by Resource Allocators who are allowed to grant resources to BriCS services. If you register to their allocation services, they will provide to us profile information, created at the time of your registration, to identify you as a user.
Until you have been allocated access to BriCS services or been added to projects with access to BriCS services, we process your data only to determine if you have access to the system. Once you have access to the BriCS services, your information will be processed to provide access to the system, including the local account creation. Accounting information will be stored and transferred to other parties as specified below. Once your access to the system has ended, we will still store your account, log, and accounting information according to what is described in the data retention section.
We process your personal data for the following purposes:¶
- identify authorized users, administer user accounts and credentials, manage access to our services, process and track transactions and manage licenses
- deliver, maintain and develop our services
- provide help and support for the services
- send you information relating to the services, such as to notify you about changes to our service and products
- track and analyse services used for accounting, auditing and other internal functions
- protect against, identify and prevent fraud and other criminal activity, claims and other liabilities; and
- comply with and enforce applicable legal requirements, relevant international agreements due to the nature of the provided services, relevant industry standard practices, and our policies, including this privacy note and the applicable terms of use for the BriCS services.
- to operate our business, which includes analysing our performance and meeting our legal and contractual obligations. It also includes processing personal data for reporting purposes for BriCS infrastructure funders and for BriCS user organisations (your affiliation).
Legal basis for processing Personal Data¶
When you apply the right to use the BriCS Services, the legal basis for data processing is to take steps prior to entering into a contract at the request of you or performance of the contract where you are a party (Art. 6 (1)(b) General Data Protection Regulation, GDPR). When your data is processed for any other purposes listed above, the legal basis is our or third party's legitimate interests (Art. 6 (1)(f) GDPR). The processing is necessary for client management, fraud prevention, misuse prevention, IT and network security, and to fill our contractual obligations (including providing information on the use of the BriCS Services to those who have funded it or to your home organisation). In some cases, we may ask if you consent to the relevant use of your personal data. In such cases, the legal basis for us processing that data about you may (in addition or instead) be that you have consented (Art. 6 (1) (a) GDPR).
Processing of personal information by other service providers and processors¶
Except as described above, your personal information will not be shared with third-parties outside of BriCS / the University of Bristol.
Data Transfer outside the United Kingdom¶
Your data is processed entirely in the United Kingdom (UK).
Your profile information will not be transferred outside of the UK.
How do we protect the data and how long do we hold it for?¶
The data is collected into databases that are protected by firewalls, encryption, passwords, and other technical measures. The databases and backups of these databases are located in secure facilities.
Information disclosure to other Controllers¶
Accounting and reporting, as well as other necessary information (e.g., to handle possible security incidents), including your profile information, will be transferred to resource allocators and funders, cybersecurity partners and home organisations.
Resource allocation is done on external portals, not in the scope of this Privacy Notice. There may be other external services not in the scope of this Privacy Notice connected to the central allocation and authentication services. If you choose to use these services, your profile data, and possibly applicable allocation data, will be transferred to these services. Those services are responsible for informing you of your rights before using the services.
Data Retention¶
The retention period of user and project information (general information, roles, persons, resource allocation, project logs, accounting information and accompanying reporting information) is 2 years after the end of the operation of the BriCS service for which the data was collected, for the purpose of accounting and statistics unless otherwise required by applicable legislation.
The retention period of other system logs is a maximum of 5 years after the relevant information has been collected.
How do we protect the data and how long do we hold it for?¶
The data is collected into databases that are protected by firewalls, encryption, passwords, and other technical measures. The databases and backups of these databases are located in secure facilities.
Data subject rights¶
You have the following rights as a data subject:
- To request confirmation as to whether we are processing personal data concerning you
- To request a copy of the personal data
- To demand the rectification or completion of inaccurate or incomplete data
- To withdraw your consent, if processing is based on your consent
- To request the erasure of data in certain cases
- To request the restriction of processing, provided that the processing is based on our or third party's legitimate interests.
- Right to object processing of your personal data, provided that the processing is based on our or third party's legitimate interests.
- Right to have your data transferred from one system to another in certain situations
You have the right to request the deletion of your personal data at any time, either via the links provided via BriCS services, or by emailing [email protected]. We will comply as much as we can with the request, subject to retention policies need to ensure compliance with cybersecurity and auditing.
We will always use our best efforts to address and settle any requests or complaints you bring to our attention. Besides contacting us, you always have the right to approach the competent data protection authority with your request or complaint.
University of Bristol Data Protection Officer¶
The University's Data Protection Officer (DPO) is Henry Stuart:
Henry Stuart
Information Governance Manager & Data Protection Officer
University Secretary's Office
University of Bristol
Beacon House
Queens Road
Bristol, BS8 1QU
Tel: 0117 45 56325
[email protected]