Privacy Notice

  • Introduction

    This website belongs to Nesta - you can find our full details below. This privacy notice explains how Nesta uses personal information we collect via this site. We are committed to protecting your privacy and we take all reasonable precautions to safeguard personal information. This website contains links to other websites. We encourage you to read the privacy statements on the other websites you visit.

  • Contact details

    Nesta is the data controller and is responsible for your personal data collected in connection with this project. This means that we will be responsible for keeping your information safe and only using it for the purposes set out in this notice.

    We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights in relation to your personal data, please contact the DPO and provide enough information to identify yourself (e.g. your name and address):

    Email: dpo@nesta.org.uk

    Post: 58 Victoria Embankment London UK EC4Y 0DS

    If you are unhappy about how we use your personal data or have a complaint, you have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please do contact us in the first instance.

  • What personal data will we collect?

    We will collect directly from you the following personal data:

    • Email address

    In addition the following personal data will be collected by us from the directory of Directors of Children's Services on the Association of Directors of Children's Services website https://www.adcs.org.uk:

    • Email address

  • What do we do with information we collect and what is our legal basis for this?

    The purpose for which we are processing your personal data is to provide you with access to the PASCAL website and platform, and for the purposes of contacting you at a later date about participating in follow-up research to measure the impact of your use of the PASCAL platform.

    Legal basis

    Data protection law requires us to have a specific legal basis for processing your personal data. For this project, our lawful basis will be:

    • Legitimate business interest: We have a legitimate business interest in delivering the PASCAL platform and conducting follow-up research to measure impact. The project fulfils our organisation’s aims including undertaking innovative research, evaluation and information activities that will deliver social impact.

  • Who has access to your information?

    Your information will be accessed by a limited number of researchers and advisors in our project team working on this project.

    In addition, we may disclose your information to third parties in connection with the purposes of processing your personal data set out in this notice. These third parties may include:

    • other companies in our group;
    • regulators, law enforcement bodies and the courts, in order to comply with applicable laws and regulations, assist with regulatory enquiries, and cooperate with court mandated processes, including the conduct of litigation;
    • suppliers, research assistants and sub-contractors who may process information on our behalf e.g. cloud services to store data, SMS providers to send text messages. We are using Heroku for database and analytics, and AWS SES for access authentication emails delivery. These third parties are known as data processors and when we use them we have contractual terms and policies and procedures in place to ensure that your personal data is protected. This does not always mean that they will have access to information that will directly identify you as we will share anonymised or pseudonymised data only wherever possible. We remain responsible for your personal information as the controller; and
    • any third party to whom we are proposing to sell or transfer some or all of our business or assets.

    We may also disclose your personal information if required by law, or to protect or defend ourselves or others against illegal or harmful activities, or as part of a reorganisation or restructuring of our organisations.

  • International Transfers

    Your personal information will not be transferred outside of the UK and the European Economic Area.

  • Security

    We take reasonable steps to protect your personal information and follow procedures designed to minimise unauthorised access, alteration, loss or disclosure of your information.

  • Data Retention

    General principle: We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. When it is no longer necessary to retain your personal data, it will be securely deleted.

    To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

    Taking the above factors into consideration, our anticipated date of deletion for your personal data is 12 months from the date of collecting your personal data.

    In some circumstances, we will retain an anonymised dataset (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

  • Your legal rights

    Under certain circumstances, you have rights under data protection laws in relation to your personal data, including rights to:

    • Request access to your personal data: this enables you to receive a copy of the personal data we hold about you and to check we are lawfully processing it.
    • Request correction of your personal data: this enables you to have any incomplete or inaccurate data we hold about you corrected.
    • Request erasure of your personal data: this enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it.
    • Object to processing of your personal data: for example, you can object where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
    • Request restriction of processing your personal data: This enables you to ask us to suspend the processing of your personal data.
    • Data portability: Where the processing takes place on the basis of your consent or contract, and is carried out by automated means, you have the right to request that we provide your personal data to you in a machine-readable format, or transmit it to a third party data controller, where technically feasible.
    • Right to withdraw consent to the processing of your personal data: This applies where we have relied on consent to process personal data. Please note that withdrawal of consent will not affect the lawfulness of any processing carried out before withdrawing your consent.

    If you wish to exercise any of the rights set out above, please send your specific request to the Data Protection Officer using the contact details provided at section 2.

    It is important to understand that the extent to which these rights apply to research will vary and that in some circumstances your rights may be restricted. Please also note that we can only comply with a request to exercise your rights during the period for which we hold personal information that identifies you. If personal data has been irreversibly anonymised and has become part of the research data set, it will not be possible for us to comply.

  • Changes to this Notice

    We may change this Privacy Notice from time to time. If we make any significant changes in the way we treat your personal information we will contact you directly.

  • Website improvement and analytics

    To understand how our website is used and to continually improve your experience, we use Ahoy, a data collection framework that runs directly on our application servers.

    Crucially, we do not use traditional cookies for this purpose. Instead, Ahoy collects non-personally identifiable information about your visit (such as your referrer type, browser type, device type, operating system and the pages you view). We also record a temporary, anonymized record of your visit. This data is used solely for aggregated statistical analysis.

    This data is stored securely on our own servers and is not shared with third-party advertising or data-brokering networks.

  • Security

    We take steps to protect your personal information and follow procedures designed to minimise unauthorised access or disclosure of your information. If you have a password for an account on this site, please keep this safe and do not share it with anyone else. You should also not allow anyone else to log in using your details. You are responsible for all activity on your account and must contact us immediately if you are aware of any unauthorised use of your password or other security breach.

    In the event that whilst using our site(s) you become aware of any potential vulnerabilities, please let us know. Please see our vulnerability disclosure policy for guidance on how to report a vulnerability.