Impacting Business by Design Privacy Notice
Last updated: 17 June 2020
Our contact details
Impacting Business by Design (IBbD) is a business support programme offered by a consortium of 3 universities, led by De Montfort University, Leicester, including Brunel University London and Nottingham Trent University, part-financed by Research England’s Connecting Capabilities Fund.
When we refer to IBbD we mean the HEI staff contracted to deliver the programme, including contractors and other third parties working for on or behalf of De Montfort University, Nottingham Trent University and Brunel University (“us”).
Each university in the partnership is individually responsible for the data it controls according to terms set out in the collaboration agreement.
This privacy notice interprets the data privacy and protection policies of the universities, including their research data management policies, for the purposes of IBbD. These policies are available here:
De Montfort University
Brunel University London
Nottingham Trent University
In case of any queries or complaints, the initial point of contact concerning IBbD’s data protection and privacy issues for the project overall and for IBbD activities at De Montfort University is:
Emily Hancock, Project Manager
Impacting Business by Design, c/o. The Design Unit, De Montfort University, Vijay Patel Building POD 3.13, The Gateway, Leicester, LE1 9BH
Tel: 0116 257 7429
For IBbD at Brunel University London, please contact:
Vanja Garaj , Co – Investigator
Impacting Business by Design (Brunel), Michael Sterling 257, Brunel University London, Kingston Lane, Uxbridge, Middlesex, UB8 3PH
Tel: 01895 266 964
For IBbD at Nottingham Trent University, please contact:
Peter Ford, Co-Investigator
Impacting Business by Design (Nottingham Trent) c/o Design Matter, Nottingham Trent University, 50 Shakespeare Street, Nottingham, NG1 4FQ.
Tel: 0115 848 5662
What type of information we have
Impacting Business by Design collects information, through its staff and suppliers, that could be used to identify people and businesses, including:
- Names, contact details and characteristics of people and businesses.
- Information about their potential or actual interest in or need for our support, or their relationship to someone interested in or in need of our support, i.e. third parties.
- Information about people and businesses that allows us to evaluate the appropriateness of entering into contracts with them, the impact of our support, or opportunities to improve the effectiveness and efficiency of our support activities, e.g. based on their characteristics, motivations…
- Information generated by our support activities that could be considered personal or confidential, e.g. support project appraisals, proposals, outputs and impact-evaluations.
- Records of our engagement with people and businesses, including our employees and suppliers, that allows us to evidence and justify our use of public funds in line with: EU and UK laws governing competition and state aid; our contractual obligations to Research England and; our legal obligations as universities to undertake research and education for the public good. This can include correspondence, contracts, financial transactions, advice, prototype designs and associated technical and business information, audio and visual recordings, and any other information required and shared with us for the purposes of the project.
How we get the information and why we have it
Most of the personal information we process is provided to us directly by you for one of the following reasons:
- To form and perform our grant-funded collaborative design research projects based on repayable grant agreements (contracts).
- To meet our constitutional obligations (public task), as universities, to develop and share project-related learning for the public good in line with Research England’s terms and conditions of our funding, i.e.:
- Product design (technical): what design solutions (including science and engineering as well as functional and aesthetic) are effective for resolving the product design challenges (manufactured goods and any associated services) faced by UK-based businesses during the Experimental Development phase of R&D?
- Product design (practice): what design innovation practices are effective for businesses with different circumstances and characteristics?
- University-industry knowledge exchange (collaboration): which research collaboration practices are most effective at transforming the ability of UK-based businesses to successfully commercialise design innovations?
- To ensure and demonstrate that our activities are carried out fairly, without discrimination, and in accordance with the law (legal obligation).
- This may include collection and processing, with your consent, of Special Category Data concerning ethnicity, disability and sexuality.
- Because you have volunteered to participate in research related to the above activities but that is not essential achievement of them (public task).
We may also receive your personal information indirectly from the following sources and scenarios:
- From other organisations offering business support that are, with your consent, referring you to us for possible IBbD support.
- From organisations offering lists, databases or marketing services that are lawfully holding your details for this purpose and have your consent to share that data with us.
- From any information published by you that allows us to market, deliver and evaluate and improve our business support offer.
Our activities may also result in the creation of personal data based on our analysis and interpretation of your data, e.g. our appraisals of the case for offering support to your business and priority needs and opportunities for improving it.
What we do with the information we have
As indicated above, we will process your data for the following purposes:
- To identify businesses that are interested and eligible for support by our programme.
- To deliver the support.
- To evaluate the effectiveness of the support and improve it.
- To create and disseminate knowledge, in line with the charitable purposes of the university and the terms and conditions of our grant funding by Research England and our contract with you.
We will do this in the following ways:
Advertising and marketing:
We will only contact you following your use of our website if you ask us for more information about the programme. You can do so by registering with us via the website, or by phoning or emailing a representative of the programme or one of our partners that passes your details to us with your consent.
When you register, you will be asked to accept our privacy and data protection policies. Your details will then be entered to the secure ZOHO CRM system which we use for customer relationship management. These details will be kept up to date and used to manage our relationship and communications with you. Details of the nature and progress of contracts we have with you may be included in these records.
When you request information about the programme, we will ask for your consent to send advertising and marketing communications. If you sign up to receive these, you will be reminded of the right to withdraw that consent. We may periodically ask you to confirm your continued interest in the programme and consent for us to send you these communications.
We may use and analyse personal data to identify people and organisations we believe may be more likely to take up or benefit from our research collaborations, training and other offers in which an interest has been shown. We will not use your information to advertise to you offers that are not aligned with your original interest. If you have contracted with us or negotiated contracts with us, we may make similar offers of support to you in future. If not, we will only contact you for administrative purposes, e.g. to let you know we have been given your details by a partner, or – with your explicit consent – to receive marketing communications. Any data processing will be done only by us.
Forming and delivering contracts for research and training
The terms and conditions and laws governing the funding of IBbD, notably state aid legislation and competition law, requires us to gather and analyse details of your requirement and market failure case for support to confirm project eligibility, feasibility, and priority for support.
When you register for support, your details are saved on the secure ZOHO CRM server. This provides you with a unique registration number that permits you to submit your application to the same portal. Application data is saved by ZOHO to a document file, or uploaded by you as a document file. The registration number cannot be used to view data that has been submitted, and any requests to view or amend information provided must be made through the IBbD project manager. We will transfer the application document file as soon as possible after submission to a password protected encrypted file and folder on the university server by secure encrypted connection. Your contact details and records of the types of service and marketing information you are interested in, as well as our contacts with you will be stored on ZOHO; ZOHO will be used mainly to facilitate our communications with you and to maintain a record of those for customer relationship management (CRM). Access to the data on ZOHO is restricted to our staff. Application/appraisal data will be viewed only by the IBbD primary/co-investigators and project managers or our employees directly engaged in developing proposals, contracts and implementing and evaluating projects.
Applicants for support in the form of research partnerships will be asked to consent to a due diligence process that may include checks for: economic stability, via a CreditSafe credit-check; inclusion on government lists of proscribed organisations; legal status, e.g. company registration; track record with similar activities, e.g. via references; compliance with essential policies and procedures, e.g. health and safety, anti-bribery, anti-slavery… These checks are a necessary basis for us to be able to offer you support. If your CreditSafe score is low or does not have data for you, you may be required to provide additional financial data to allow us to complete the appraisal of your application and terms on which we might be able to offer support. Individuals registering for participation in marketing and training events will not be subject to due diligence.
Additional data collection and transfer for application, due diligence or other project purposes may take place via phone calls, email, meetings, letters or (for large documents) secure electronic document transfer via DMU’s ZEND server, NTU’s ZendTo server, or BUL’s Dropoff server. Any personal or confidential data shared by email or secure ZEND, ZendTo or DROPOFF will be encrypted and password protected. If appropriate, and with your consent, data collection may also take place via password-locked encrypted portable digital devices, e.g. digital voice recorders…
Data collected by means other than the website will be stored on the relevant University’s secure server in a password protected folder accessible only to staff that have an immediate duty to perform with regard to that data. In addition to IBbD staff, IT administrator access to the data is possible for the purpose of system maintenance but is governed by the university data privacy and protection policies. As far as possible, files, folders and data will be de-identified, e.g. by the use of pseudonyms for which the key will be stored in a separate secure file and folder.
Personal data collected or generated in regard to any support we agree to provide you, e.g. new product design or training, or any related research, e.g. programme evaluation, will be accessible in identifiable format (pre-anonymisation) only to our staff responsible for your support or for the programme management or internal or external auditors. Access to these files and folders will be on a needs-only basis and restricted by passwords. Folders are accessible to authorised persons using their secure login. Encrypted files stored in these folders are accessible only via password. The same password will not be used for both folder and file. Data will be stored only on the secure university servers or secure supplier servers, but may be processed by staff remotely via secure encrypted connection. Data may be transferred and processed on other devices as long as these and the files are encrypted and password locked. However, no personal data will be stored on such devices overnight.
Non-electronic media containing personal/confidential data – designs, prototypes, etc. – will be stored in locked rooms/cabinets accessible only to our staff.
From time to time, details of employees and their salaries may be required to evidence the costs associated with our activities, along with other eligible costs – for the purpose of contract management. We are mindful that this data could be used to re-identify people and could impact on their economic interests. We will therefore pseudonymise employee data and store the data separately from the pseudonym key, and only use aggregated employment data for reporting and publication.
Outputs of our research and training activities may include data that could be considered personal or confidential data, e.g. new product designs, business improvement proposals. This data will be treated the same as any personal data you share with us, subject to our requirement to use anonymised data for teaching and publication.
Reports and publications
Privacy of individuals and employees can potentially be affected by publications, therefore only anonymised data (de-identified data, and data that does not permit the data subjects’ reidentification) will be published in our reports and publications. By exception, we may wish to identify data subjects (people or organisations) in publications, e.g. for publication of news and case study information for marketing and dissemination. In these cases, we will ask your consent to publish.
Where we intend to use information about a specific project (rather than aggregated data) for teaching or publication, you may request a delay in publication for a period of up to 2 years – if you feel that this is important for commercial or other significant considerations. We will provide you with at least 30 days’ notice of any intention to publish results of research partnership projects, following which you have up to 15 days to issue a confidentiality notice – based on your review of the proposed publication.
Data held by one of the university partners may be used by the other university partners for research and publication purposes. Each university shares an equal obligation with the others to ensure that the data is used in line with their data protection and research data management policies. The use of programme data for research and publication will therefore be subject to review and agreement by the respective data controller(s) and, overall, by the programme Principal Investigator (PI) at De Montfort University, as detailed in the IBbD collaboration agreement.
Anonymised data will be used by the programme management for management reporting purposes. Programme data will be collected and processed by the programme management for the purposes of delivering and improving the programme. All such information will be treated as confidential and will be stored and transferred with similar constraints to the data mentioned above.
Anonymised data may be shared with other academic researchers for the purposes of validation of our published research, or to inform other academic studies aligned with our purpose. The relevant data controllers and the PI will jointly agree the sharing of such data for academic research purposes. Where data is requested that we believe could potentially be used to re-identify you, e.g. product designs, we will request your consent to share the data. If you object, your data will not be shared. Project information and the availability of research data for sharing will be made available via the relevant university portals:
For De Montfort University:
Project information is made available through https://www.dmu.ac.uk/research/research.aspx.
Research data outputs are available through DORA and Figshare.
For Brunel University London:
Project information is made available via: https://www.brunel.ac.uk/research/Projects.
Research data is available from Brunel Figshare.
For Nottingham Trent University:
Project information is made available through https://www.ntu.ac.uk/research/ .
Research data is available from IRep.
Employees, partners and Suppliers
Some of our functions are performed by central university departments according to standard university policies and procedures, e.g. Human resources, procurement, finance.
Except as otherwise mentioned elsewhere in this privacy notice, the use of personal data from potential and actual employees, partners and suppliers is governed by the universities’ recruitment, procurement, data protection, and other relevant policies and subject to separate notice. You will be informed of these policies and procedures in relation to any recruitment, etc, activity with which you engage.
How we store your information
We will keep your data for the minimum period required for our legal purposes. Due to the use of public funding to provide allowable aid to enterprises for Experimental Development (R&D), this will be a minimum of 10 years after the closure of the scheme.
Any data we do not need to retain for this purpose will be destroyed or returned to you (if this has been agreed with you) as soon as possible.
Your information is securely stored, as follows:
The CreditSafe economic risk assessment is provided by CreditSafe Business Solutions Limited, Bryn House Caerphilly Business Park, Van Road, Caerphilly, CF83 3GG.
University servers are located on university campuses. Data transferred via ZEND is hosted on the De Montfort University servers, located in Leicester (UK). Data transferred by BUL Dropoff is hosted on Brunel University servers, located in Uxbridge and Slough (UK). Data transferred by NTU ZendTo is hosted on Nottingham Trent University servers, located in Nottingham (UK).
Any laptops, personal computers, or other mobile digital devices used for collecting, transferring or processing data will be fully encrypted and password protected. Up to date security software will be installed and transfer to IBbD’s data servers (as above) will be made via secure encrypted connection. As far as possible, we will avoid storing your personal data on this equipment except for the temporary (daily) processes of collection, processing or transfer, and processing will be based on deidentified data.
Any information to be archived will be de-identified and stored securely on the university servers. In case of closure of the programme, it will be managed on behalf of the universities by the responsible research data curator according to a data management plan and metadata to be provided for this purpose:
For DMU, please contact: firstname.lastname@example.org
For NTU, please contact: LIBResearchTeam@ntu.ac.uk
For BUL, please contact: email@example.com
Your data protection rights
Under data protection law, you have rights including:
Your right of access – You have the right to ask us for copies of your personal information.
Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing – You have the the right to object to the processing of your personal data in certain circumstances.
Your right to data portability – You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please contact us at using the contact details we provided, above, if you wish to make a request.
How to complain
If you wish to find out what personal data we hold or to update it, or if you have any concerns about how we collect, use, store or share data, or if you wish to report a breach, please contact us using the contact details provided above, at the start of this Privacy Notice.
For concerns, you can also contact the relevant University Data Protection Officers, as follows:
Brunel University London: firstname.lastname@example.org
Nottingham Trent University: email@example.com
De Montfort University, and IBbD as a whole: DPO@dmu.ac.uk
Each university will inform the others in case of complaints in order that the issue can be managed across the programme. The Primary Investigator, Professor Guy Bingham, at De Montfort University is responsible for managing complaints about the programme.
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Helpline number: 0303 123 1113