Who we are
“We” are ‘Smart Data Foundry’, a part of the University of Edinburgh which is a charitable body, registered in Scotland, with registration number SC005336, VAT Registration Number GB 592 9507. We are based in Bayes centre, 47 Potterrow, Edinburgh, EH8 9BT. The University of Edinburgh is registered with the Information Commissioner’s Office (ICO); its registration number is Z6426984 and the Data Protection Officer (DPO) is Rena Gertz.
“EPCC” is part of the University of Edinburgh and provides the data infrastructure that Smart Data Foundry uses to host data used for research purposes.
What personal data do we collect and how do we use it?
Your Privacy and Security, by Design
We will always protect and respect your privacy, and we are committed to security when it comes to your information. We promise that when we collect, process, store and share personal data we will do so safely and securely and on the basis of a Privacy by Design-driven approach. If we ever share your de-identified data with third parties, such as with government bodies for the purposes of research, this data will be statistically aggregated and effectively anonymised.
When we refer to ‘de-identified data’, we mean data shared with us that has had personal data (sometimes referred to as ‘personal identifiable information’ or ‘PII’) removed before we receive it, so we are unable to identify an individual from that data. This type of data is also referred to as ‘pseudonymised data’. It is not accurate to refer to it as ‘anonymised data’, as although Smart Data Foundry is unable to link the data back to an individual, the organisation that shared the data with us in de-identified form has the ability to match it back to an individual, and it is therefore not truly anonymised.
Retention and storage
We only store your data for as long as is necessary for the purposes of processing that are set out in this policy and according to our retention schedules, after which it is deleted according to our data management processes. We have taken appropriate safeguards to require that the personal information we process will remain protected in accordance with this Privacy Notice when transferred internationally, including when processed internationally by our third-party service providers and partners.
You have certain rights in relation to personal information we hold about you; details of these rights and how to exercise them are set out below. We will require evidence of your identity before we are able to act on your request.
Right of Access: You have the right at any time to ask us for a copy of the Information about you that we hold, and to confirm the nature of the Information and how it is used.
- Right of Correction or Completion: If Information we hold about you is not accurate, or is out of date or incomplete, and requires amendment or correction you have a right to have the data rectified, updated or completed.
- Right of Erasure In certain circumstances, you have the right to request that Information we hold about you is erased e.g. if the Information is no longer necessary for the purposes for which it was collected or processed, or our processing of the Information is based on your consent and there are no other legal grounds on which we may process the Information.
- Right to Object to or Restrict Processing: In certain circumstances, you have the right to object to our processing of your Information by contacting us at the address or email address set out below. For example, if we are processing your Information on the basis of our legitimate interests and there are no compelling legitimate grounds for our processing which override your rights and interests. You also have the right to object to use of your Information for direct marketing purposes.
- Right of Data Portability: In certain instances, you have a right to receive any Information that we hold about you in a structured, commonly used and machine-readable format.
If the request is regarding de-identified data used for research, we cannot act on this request as we receive the data in a pseudonymised form and we, therefore, cannot identify you within the data. If you get in touch with us, we will be able to put you in touch with the Data Protection Officer at the relevant organisation that may have shared your pseudonymised data with us and they will be able to help you.
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), who are the UK’s supervisory authority; their address is: Wycliffe House, Water Lane, Wilmslow SK9 5AF. Helpline number: 0303 123 1113. ICO website: https://www.ico.org.uk
We are also unable to comply with requests that relate to information of others without their consent. You can exercise any of the above rights by contacting us at the address or email address set out below. Most of the above rights are subject to limitations and exceptions; we will provide reasons if we are unable to comply with any request for the exercise of your rights.
How to get in touch
If you want to know what information we collect and hold about you, or to exercise any of your rights as set out in section, please write to us at our company address or via email at firstname.lastname@example.org (please mark your correspondence ‘For the Attention Of the Privacy team’).