The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK. It is part of the wider package of reform to data protection that includes the Data Protection Bill. The GDPR sets out requirements for how organisations will need to handle personal data from 25 May 2018.
This privacy notice tells you what to expect when the Natural Environment Research Council (NERC) Environmental Information Data Centre (EIDC) collects personal information from people who are in direct correspondence with us or who are visiting and/or using tools in the following websites http://eidc.ceh.ac.uk or https://catalogue.ceh.ac.uk/eidc/documents. It sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.
By visiting http://eidc.ceh.ac.uk or https://catalogue.ceh.ac.uk/eidc/documents you are accepting and consenting to the practices described in this notice and related policies. This privacy notice will be revised as required and you are encouraged to revisit the privacy notice regularly to read the latest version.
1. The name and contact details of our organisation
UK Centre for Ecology & Hydrology
Maclean Building, Benson Lane
The NERC Environmental Information Data Centre is hosted at the UK Centre for Ecology & Hydrology (UKCEH).
2. The name and contact details of our data protection representative
3. Personal data
This section of the privacy notice provides information on: the purpose of the data processing; the lawful basis for the processing; further information where the lawful basis is legitimate interests for the processing; the categories of personal data obtained (if the personal data is not obtained from the individual it relates to).
Visitors to our website:
The relevant section of our privacy notice will depend on the purpose of your visit to our website.
We use the following lawful grounds for processing personal information to support our work when we carry out processing in pursuit of our purposes laid out in Article 93 of the Higher Education and Research Act 2017, in the most part, our lawful basis for processing your personal information falls under:
Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law, but we also make use of: contractual, legitimate and consent based processing.
Contributors to NERC science in the public interest - EIDC data centre functions and personal data:
Purpose of the processing: Your personal data are processed as part of long-term data archiving services for scientific research and development undertaken for NERC and hosted at UKCEH.
The lawful basis for the processing personal data: EIDC is providing long-term data archive services for scientific research and development in the public interest.
For more information on our use of personal data see the EIDC Policy on Retention and Use of Personal Data.
In addition to the personal data provided by you in some instances there may be some categories of personal data that are not obtained from you personally this may include information received such as:
- the Internet protocol (IP) address used to connect your computer to the Internet
- your login information
- browser type and version
- time zone setting
- browser plug-in types and versions
- operating system
Further information is available in our cookies policy
The recipients of the personal data:
- NERC Environmental Information Data Centre staff
- UKCEH Data Licensing Team
- UKCEH Enquiries Team
- NERC Grant Administration Team
- Other NERC data centre grant support staff
- DataCite (for personal data agreed with you to include in a Digital Object Identifier)
- Data.gov.uk (for personal data agreed with you to include in a public data catalogue record)
- Science and Technology Facilities Council
4. The details of transfers of the personal data to any third countries or international organisations (if applicable)
Your information is processed in the UK and European Economic Area (EEA).
5 The retention periods for the personal data
Personal data retention is outlined in the EIDC Policy on Retention and Use of Personal Data
6. The rights available to individuals in respect of the processing
The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
The lawful basis for EIDC processing personal data can also affect which rights are available to individuals. For example, some rights will not apply.
An individual always has the right to object to processing for the purposes of direct marketing, whatever lawful basis applies. The remaining rights are not always absolute, and there are other rights which may be affected in other ways. Further details on how the lawful basis for processing your data affect the rights available to you are outlined below:
Processing on the basis of contract, the individual's right to object and right not to be subject to a decision based solely on automated processing will not apply. However, the individual will have a right to data portability.
Individuals' rights to erasure and data portability do not apply if processing on the basis of public task. However, individuals do have a right to object.
Please contact the EIDC (firstname.lastname@example.org).
7. The right to withdraw consent (if applicable)
Where any data processed using consent as the lawful basis you have the right to withdraw consent at any time.
8. The right to lodge a complaint with a supervisory authority
Initially please raise your concern with the EIDC (email@example.com).
Any continuing concerns you may have can be raised with UKCEH's data protection representative:
If the EIDC (UKCEH) has not resolved your information rights concern you can raise the matter with the Information Commissioner's Office via live chat or by phoning 0303 123 1113.
9. Provision of privacy information
There are a variety of ways in which EIDC provide privacy information including:
- Providing individuals with privacy information at the time we collect their personal data from them.
- If we obtain personal data from a source other than the individual it relates to, we provide them with privacy information.
- Within a reasonable period of obtaining the personal data and no later than one month.
- If we plan to communicate with the individual, at the latest, when the first communication takes place
- If we plan to disclose the data to someone else, at the latest, when the data is disclosed.
10. How the EIDC provide privacy information
We provide the information in a way that is:
- Easily accessible
- Uses clear and plain language.
11. Changes to the information
The EIDC regularly reviews and, where necessary, updates our privacy information.
If the EIDC plans to use personal data for a new purpose, we update our privacy information and communicate the changes to individuals before starting any new processing.
12. Register of processing activities
UKCEH undertakes an information audit to find out what personal data we hold and what we do with it.
UKCEH puts itself in the position of the people we're collecting information about.
UKCEH will be carrying out user testing to evaluate how effective our privacy information is.
13. Delivering Privacy Information
We provide our privacy information to individuals through our website and in documents relevant to our communication with you.
14. Affiliated Websites
The EIDC has no affiliated websites
16. Third party services
We may use third party services as a method to allow website metrics. These set cookies to help us accurately estimate the number of visitors to the website and volumes of usage. This allows us to ensure that the service is available when you want it and fast. See more details of our third party usage.
Our site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites and any services that may be accessible through them have their own privacy notices and that we do not accept any responsibility or liability for these policies or for any personal data that may be collected through these websites or services. Please check these policies before you submit any personal data to these websites or use these services.