Smart Data Foundry – External Privacy Policy
Every hour of every day, we create data about ourselves – from websites we visit and products and services we buy online, through to taxis we hail and photos we share on social networks.
Companies and organisations ask permission to gather data about us, usually in long and complicated privacy statements. They invite us to click a button to allow them to use tracking cookies, small pieces of computer code that record our online activities.
We exist to unlock the positive power of financial data to improve people’s lives – whether that’s to tackle climate change, create fairer economic policies, fast-track the progress of financial technology, or improve access to finance for people who struggle to. We cannot do so without the trust and goodwill of the people whose lives we want to improve.
We have a responsibility to do the right thing with the data we hold. We’ll always be 100% clear with you on how we use your data to further improve people’s lives. That’s why we’re setting out our privacy policy in plain language, so everyone can understand it.
Who we are
“We” are ‘Smart Data Foundry’, a not-for-profit private limited company by guarantee, registered in Scotland and a wholly owned subsidiary of the University of Edinburgh, with company number SC709914 and VAT Registration Number GB 592 9507 00. We are based in Bayes centre, 47 Potterrow, Edinburgh, EH8 9BT. We are registered with the Information Commissioner’s Office (ICO) with registration number ZB326175, and the Data Protection Officer (DPO) is Adarsh Peruvamba.
The University of Edinburgh is a charitable body registered in Scotland, with registration number SC005336, VAT Registration Number GB 592 9507.
“EPCC” is part of the University of Edinburgh and provides the data infrastructure that Smart Data Foundry uses to host data used for research purposes.
What personal data do we collect and how do we use it?
We use the data shared with us to perform our functions – enable research on deidentified financial data, and provide synthetic data to technology users.
Cookies
Cookies are small pieces of computer code placed onto your computer, laptop, tablet, or phone by the websites that you visit. They are used widely to make websites work, or work more efficiently, as well as providing information to the owners of the site. You can disable basic ‘functional’ cookies by changing your browser settings, but this might affect your access to the website.
When you first visited SDF’s website, we asked if we could place a cookie on your device to help us improve our website by collecting and reporting information on how you use it. We would like to set Google Analytics cookies to help us to improve our website by collecting and reporting information on how you use it. The cookies collect information in a way that does not directly identify anyone.
How private and secure is my data?
SDF was set up with privacy at its heart. We will always protect and respect your privacy, and we are committed to security when it comes to your information.
We promise that when we collect, process, store and share personal data we will do so safely and securely and on the basis of a Privacy by Design-driven approach. If we ever share your de-identified data with third parties, such as with government bodies for the purposes of research, this data will be statistically aggregated and effectively anonymised. We implement security guidelines on our research data in line with Turing Institute guidance – a summary of which can be found here.
When we refer to ‘de-identified data’, we mean data shared with us that has had personal data (sometimes referred to as ‘personal identifiable information’ or ‘PII’) removed before we receive it, so we are unable to identify an individual from that data. This type of data is also referred to as ‘pseudonymised data’ or ‘adequately anonymised data’. It is not accurate to refer to it as ‘fully anonymised data’, as although Smart Data Foundry is unable to link the data back to an individual, the organisation that shared the data with us in de-identified form has the ability to match it back to an individual, and it is therefore not truly anonymised.
Do you share my data?
We share aggregated data – such as tables and graphs – with our partners for research, such as government bodies and financial services companies, like banks and insurers.
We do not sell personal data and if we ever share insights about your data with third parties, such as with government bodies for the purposes of research, we will anonymize data.
How do you store data about me and for how long do you keep it?
We will only store your data for as long as we need it, and the maximum times are set out in the table above.
Your rights
You have certain rights in relation to personal information we hold about you as established by the GDPR and the Data Protection Act within the UK. Here are some details as to how you will be able to enact these rights;
Right of access: You can ask us at any time for a copy of the information that we hold about you, and for details about how this information is used.
Right of correction or completion: If the information we hold about you is inaccurate, incomplete, or out of date then you can tell us to correct it, complete it, or update it.
Right of erasure: In certain circumstances, you can ask us to delete the data we hold about you; for example, if it’s no longer necessary for us to hold the information or if there are no legal grounds for us to hold the information.
Right to restrict or object to processing: In certain circumstances, you can tell us to stop using your information, including for direct marketing.
Right of data portability: In certain circumstances, you can tell us to send you any information that we hold about you in a structured, commonly-used format that can be read by a computer or other digital device.
Right to complain: If you want to complain about the way we handle your data then you can contact the UK’s data regulator, the Information Commissioner’s Office (ICO), by calling 0303 123 1113, visiting www.ico.org.uk, or writing to: The Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.
Most of the rights given to you by the GDPR have limits and exceptions, so if we can’t handle your request then we’ll explain our reasons to you. A common one may be on de-identified data used for research – we likely cannot act on this request as we receive the data in a pseudonymised form where we cannot identify individuals within the data already.
We will need you to prove your identity before we can handle your request, and we cannot handle requests that relate to other people without their consent.
You can exercise any of the above rights by contacting us at the address or email address set out below.
How to get in touch
If you want to find out what information we collect and hold about you – or to exercise any of your rights set out in the section above – then please email smartdatafoundry@ed.ac.uk with “FAO: Privacy team” in your subject line, or please write to us at: Privacy team, Smart Data Foundry, Bayes Centre, 47 Potterrow, Edinburgh, EH8 9BT.
