Catapults

Privacy Policy

INNOVATE UK

PRIVACY NOTICE AND INFORMATION MANAGEMENT POLICY

 

  1. Innovate UK is part of the wider UK Research and Innovation (UKRI). UKRI’s Privacy Notice can be found at ukri.org/privacy-notice/. This Privacy Notice and Information Policy set out below provides a simple framework to explain Innovate UK’s specific arrangements for collecting, storing, using and sharing your information, which may contain personal data or confidential or commercially sensitive information across all areas of the organisation. It provides details on how we utilise the information we obtain to enhance our ability to fund, support and connect innovative businesses to accelerate sustainable economic growth for the UK.

 

  1. Any information we obtain from you, whether it is through our online platforms, our grant applications and administration, through events or elsewhere, will be managed pursuant to this policy. As a public sector body where we collect information that is personal data, we are subject to the Data Protection Legislation and we will explain how we will comply with this as part of this policy.

 

New legislation

  1. From 25th May 2018 we are subject to the General Data Protection Regulation (EU 2016/679) the “GDPR” and this policy is written to also be compliant with that legislation.

 

  1. The UK Data Protection Bill is also due to be in force on 25th May 2018. It imposes some further data protection obligations on public sector organisations such as Innovate UK. At the time of writing this policy, the Data Protection Bill could still be updated and modified which might result in changes or clarifications to this policy. We may also need to change this policy if guidance is produced by, for example, the Information Commissioner’s Office, which clarifies a particular aspect of the new Data Protection Act or the GDPR.

 

Policy Principles

  1. This policy will:
  • identify the information we may collect from you;
  • explain where we store your information, for how long and how we keep it safe;
  • explain the rules for our use of your information;
  • explain how we will use the different types of information we collect from you and why we are allowed to use it;
  • explain how we may share your information; and
  • explain your rights in relation to your personal information including how you can request a copy of your information.

Information we may collect from you

  1. Personal data: We will only collect personal data to the extent that it is required and we will tell you the specific purpose for the collection. When you participate in, access or sign-up to any of our services (including our events, newsletters, competitions, social media, message boards and telephone discussions), create an account using the Innovation Funding Service online platform or otherwise correspond with us, we will receive information about you. This may consist of information, such as your name, email address, postal address, landline or mobile number. Depending on the activity (for example, applying for a grant from us), we will also obtain information about the name and type of your business, and its address. We also use cookies and collect IP addresses from visitors to our websites.

 

  1. In some circumstances we may collect special category data which is information about an individual’s race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life or sexual orientation. This will be limited to information collected as part of surveys we may send out from time to time and this information will only be collected and used with your consent to do so.

 

  1. Confidential information: For grant applications we will also collect the detailed information from a proposal you submit that is likely to contain commercially sensitive and confidential information. This information is not personal data and so is not subject to the Data Protection Act or the GDPR but as it is commercially sensitive and confidential, we will treat it as such.

 

Storage and security of your information and personal data

  1. All information including personal data and any applications uploaded to us will be held and stored on secure servers which are operated in accordance with the UK Information Commissioner’s guidelines on the storage of personal data from the point of collection to the point of destruction. We use strict procedures and security features to try and prevent unauthorised access to your information.

 

  1. We will maintain the security of your information by protecting the confidentiality, accuracy and availability of your information.

 

  1. We will ensure confidentiality so that only people who are authorised to use your information can access it. We will ensure that any of your personal data we hold is accurate and kept up to date. We will check the accuracy of your personal data at the point of collection and at regular intervals afterwards. We will take all reasonable steps to destroy or amend inaccurate or out-of-date data.

 

  1. Our Security procedures include:
  • Entry controls. Only employees or authorised contractors have access to our buildings and all visitors are accompanied.
  • Secure lockable desks and cupboards. Desks and cupboards are kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
  • Methods of disposal. Paper documents that require destruction are shredded. Digital storage devices are physically destroyed when they are no longer required.
  • Our employees ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.

 

  1. We will not keep your personal data any longer than is required for the purpose or purposes for which your personal data was collected. We will take all reasonable steps to destroy, or erase from our systems, all personal data which is no longer required.

 

Transfer of information outside of the EEA

  1. We will comply with all specific requirements under the GDPR and the new Data Protection Act for the transfer of any of your personal data outside of the EEA including ensuring that appropriate safeguards are in place. This means that we will enter legally binding agreements between us and any third party outside of the EEA to protect the transfer of your data unless that country or organisation is already certified as having appropriate safeguards in place. We may also transfer your personal data with your consent or if the transfer is necessary for a contract or for public interest reasons or in relation to legal claims. In all other circumstances we will not transfer your data outside of the EEA. It is specifically noted that where data is stored in the USA, then we will ensure that we only work with organisations that comply with the EU-US Privacy Shield to meet the requirements of the GDPR and the new Data Protection Act. Specific arrangements for international competitions are set out below.

Rules that apply for your information and personal data

  1. We will hold all information and personal data received from you in compliance with the Data Protection Act 1998, the GDPR and the new Data Protection Bill, once it is in force. This means that when we use or process your information that contains personal data we must comply with the eight enforceable principles of good practice. These provide that personal data must be:
  • Processed fairly and lawfully.
  • Processed for limited purposes and in an appropriate way.
  • Adequate, relevant and not excessive for the purpose.
  • Not kept longer than necessary for the purpose.
  • Processed in line with data subjects’ rights.
  • Not transferred to people or organisations situated in countries without adequate protection.

 

  1. We are a public authority as defined in the Data Protection Act and the draft Data Protection Bill and this gives us certain rights to use your information and process your data because it is necessary for the performance of a task carried out in the public interest or in relation to our official tasks set out in law such as running our competitions to support businesses, promote innovation and improve the quality of life in the UK.

 

  1. If we are not processing your data for an official public task or function we may still be able to process your data because it is necessary for a contract with you or it is necessary for our legitimate interests. If we cannot process your data for another reason and consent is required, we will obtain your consent to use the information that you provide to us including where we request to share your information.

 

  1. We will ask for your consent specifically and separately from any other terms and conditions and we will not use or share your information without your consent if your consent is required.

 

  1. In some circumstances we may collect and hold your data as manual records which are not a part of a filing system that is readily accessible. This may include personal data in emails, videos, pictures, or social media posts. In this case some of the rules for the protection of your personal information will not apply and your rights to receive this information may be limited.

 

How we will use your information and why we can use it

  1. We will use your information, including personal data, for the purpose that it was collected. In most cases we are allowed to use this information as it is necessary to undertake our official tasks and perform our public function and tasks. If we need your consent to use your information, we will ask for it at the time the information is collected.

 

  1. We are allowed by law to use your information to undertake our official tasks and perform our public functions and tasks in the following categories for:
  • grant/contract support, administration, evaluation and reporting;
  • research into the impact and effectiveness of grants/contracts and its administration;
  • our internal administration, reporting and compliance, including for external audit purposes; and
  • contacting you with information about other support available or provision of assistance to you from us.

 

  1. We can use your information for compliance with our legal obligations for:
  • detection of fraud; and
  • anti-money laundering requirements.

 

  1. We can use your information if it is necessary for a contract we have entered into for:
  • your attendance at an event.

 

  1. We can use your information after obtaining your consent for the purposes of:
  • contacting you with promotional or marketing material; or
  • providing you with information relating to any of our events.

 

  1. Where we propose using your data for any purpose other than those contained within this policy, we will ensure that we notify you in advance and inform you of why we can use it and obtain your consent, if required.

 

  1. If you sign up to receive a newsletter or updates we will use the information you give us to provide the service(s) you have requested. We may occasionally contact subscribers to help us evaluate and improve the service that we offer if you have consented to being contacted for this purpose.

 

  1. We may use your information to send promotional and marketing communications by various communication channels. In all cases, these types of communications will only be sent to an individual if you have consented to our use of your personal data for such purposes.

How we will share your information

  1. We will not share your information without obtaining your consent unless one of the reasons below applies. This will mean that we can share your information without your consent:
  • if we are allowed by law to share it to carry out a task in the public interest or to undertake our official tasks; or
  • if we have to disclose or share it in order to comply with our legal obligations; or
  • if we need to share it for a legal contract with you; or
  • to protect our rights, property, or safety of our employees, or others.

 

Fraud protection

  1. If you provide false or inaccurate information and fraud is identified, your details will be passed to fraud prevention agencies. This can be done without the need for your consent. Law enforcement agencies may also access and use this information. We and other organisations may also access and use this information to prevent fraud and money laundering, for example, when checking details on applications for credit and credit related or other facilities, managing credit and credit related accounts or facilities, recovering debt, checking details on proposals and claims for all types of insurance, checking details of job applicants and employees.

 

  1. Please contact us if you want to receive details of the relevant fraud prevention agencies. We and other organisations may also access and use from other countries the information recorded by fraud prevention agencies. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

 

Competitions

  1. In order to assess your submission for one of our competitions, we will need to share your information with our assessors for the purposes of considering your application to the competition. The support of UK businesses and the promotion of innovation is part of our public tasks and functions. By submitting a bid to us in accordance with the guidance for competitions that we publish, you are providing your information for us to exercise this public function and this is the basis on which we can share your information.
  2. The assessors will use your information only for the purposes of the assessment of your bid into the competition. We enter into contracts with all of our external assessors to ensure that they will hold your information both confidentially and securely.

 

Joint Competitions

  1. Where we are collaborating with another organisation for a competition and/or grant, we will identify that other organisation within the competition guidance and/or contract as a “Joint-Sponsor”. In this case, we will share your information in respect of the competition and/or grant with the Joint-Sponsor in addition to the assessors as it is necessary for us to exercise our public function to promote innovation by providing support to businesses. The Joint-Sponsor will use your information for the same purposes as we will use it and as described above. An example of a Joint-Sponsor is another UK based organisation that operates or funds grant awards or other similar contracts, such as a department within the UK government.

 

Consultant/Sub-Contractor for internal activity

  1. We may need to disclose your information to a consultant/sub-contractor in order to undertake an internal activity, for example to an IT consultant working on upgrading our IT system. Where this is the case, we will only disclose the information reasonably necessary for the purpose, and will ensure that appropriate provisions are put in place to secure your information.

 

Affinity Partners

  1. As part of our objective to stimulate and support UK innovation, we have established a close relationship with organisations that we call our Affinity Partners and which are identified in the list attached to this policy.

 

  1. In some cases it will be necessary for us to share your information with Affinity Partners as part of our public tasks and function which include knowledge exchange and the promotion of innovation. In this case we will not need your consent to share your information.

 

  1. However, if the sharing of your information is not necessary as part of our public tasks, we will obtain your consent to share your information with our Affinity Partners when we collect your information to share it for that purpose. If that is not possible, and we have collected your information through, for example, an event, we will contact you specifically to obtain your consent before sharing your information with an Affinity Partner.

 

  1. We will share limited, relevant and specific information with an Affinity Partner that is necessary to assist with an application made to us or your project. With your consent we will share information which may help you in developing and/or exploiting your specific idea, product or service which was the basis of your live or recent application or grant. You are free to refuse your consent to sharing with an Affinity Partner if it is not necessary for us to share it.

 

  1. Each Affinity Partner will have its own privacy policy which will determine how it deals with your information once it is received.

 

  1. Where we share information with Affinity Partners, we will ensure that there is a formal data sharing/non-disclosure agreement in place with the partner organisations.

Other organisations

  1. In some circumstances we will ask that some of the information we collect is shared with other organisations that are not Affinity Partners. Where this is not part of our Public Task, we will obtain your consent to sharing your information either when you initially provide the information or, if that is not possible, after we have received your information. We will obtain your consent before we share your information if it is not necessary for us to share your information to undertake our public functions. If your consent is required, you are free to refuse your consent.

Audit by third parties

  1. We may be audited by an independent third party to ensure that we are conducting our activities efficiently or to audit the impact of the funding that we provide. In this case we may share your information with the auditors as this is required for our public tasks and functions. If we consider that consent is required, we will ask for consent in advance of the sharing of personal information.
  2. We will ensure that any external auditors or assessors hold your information and personal data both confidentially and securely.

International competitions

  1. For competitions such as the Newton Fund, which involve collaborative work between UK organisations and their partners in non EEA countries, we recognise that the protection of your information including your personal data and your confidential information is vitally important. We will comply with all specific requirements for the transfer of any personal data outside of the EEA as detailed earlier in this policy and will minimise the risks to your information as set out in this section of the policy.

 

  1. We will conduct the assessment of your application separately from and independent of our counter-part organisation. We will not share any application or any personal information directly with our counter-part organisation unless this is necessary for our public function.

 

  1. Once the selection process is completed and a project is selected, we will limit any exchange of information with our counter-part organisation funding the project in the other country to non-personal and non-confidential information where possible. For example, we may only refer to named organisations in our discussions with our counter-part. If we would like to share personal data which is not necessary for us to share, we will request a specific consent from you at that time. We will not disclose your commercially sensitive and confidential project details. We will only discuss the technical details of the project at a high level with our counter-part organisation.

 

  1. You should note that it may be necessary for you to share personal data and confidential information with the organisations in non EEA countries that you will collaborate with on these projects, but you will be in control of that sharing and we will not share that type of information on your behalf.

 

  1. In some limited circumstances, we may agree to run a competition on behalf of a counter-part funding organisation in a non EEA country. In this case we may need to share certain information from an application form or in some cases the whole application form to allow that funding organisation to select a project to fund. In this case we will ensure that the rules for those competitions make it clear that certain project information will be shared and where the information that is requested contains personal data we will be sharing that data only as is necessary for us to undertake our public task and function to run a competition.

 

  1. If there are circumstances where we need to obtain specific consent from you, we will request that consent forms are submitted along with the application form.

 

Your rights in relation to your personal information:

  1. You have rights in relation to the personal data you give us, or which we collect about you. Please see a list of your rights below.
  • You have a right to ask us to send the information we have about you free-of-charge, together with various information about why and how we are using your information, to whom we may have disclosed that information, from where we originally obtained the information and for how long we will use your information. This is called a data subject access request. However, if we hold manual records that are not within a filing system and it will cost us more than a prescribed amount to provide you with those manual records (at the moment this is between £450-£600), we will not have to provide all of this information to you as part of our response to your data subject access request.
  • You have the right to ask us to correct any mistakes in any information we hold about you.
  • You have the right to ask us to erase the information we hold about you (the ‘right to be forgotten’). Please note that this right does not apply in all circumstances but, if you ask us to erase your information and we cannot erase it, we will explain why not.
  • You have the right to ask us to stop using your information where the information we hold about you is not correct, we are not allowed to use your information, or we no longer need to use your information. However, there are a few reasons why we may be allowed to continue to store your information because of our public functions or tasks. If we can do this, we will explain why we can still use your information.
  • You have the right to ask us to send the information we hold about you to another person or company in a structured, commonly-used and machine-readable format. We will only be able to do this in certain limited circumstances and, if you ask us to send your information and we cannot do it, we will explain why not.
  • If we are allowed to use or store your information you can object to this and we will stop using or storing your information unless we can explain why we believe that we can still use or store it.
  • Where we use/store your data because you have agreed to it through giving your consent, such as ticking a box to receive a newsletter, you have the right to withdraw your consent at any time and we will stop using or storing your information for that purpose.
  • You have the right to object to us using/storing your information for marketing purposes.
  1. If you wish to exercise any of your legal rights, please contact our data protection officer by email or in writing to the address at the end of this policy, or via our contact form on our website.

Automated decision-making

  1. We do not use automated decision-making processes in relation to your personal information.

Changes to this policy

  1. Any changes we make to our information management policy in the future will be posted on this page. Please check back frequently to see any updates or changes to our information management policy.

Contact Information:

  1. For any communication in relation to your rights under this policy, please send an email to our Data Protection Officer (DPO) at: dataprotection@ukri.org
  2. Or write to us at:

David Hyett, Head of Information Governance,
UK Research & Innovation,
Polaris House,
North Star Avenue,
Swindon
SN2 1FL.

Your right to complain

  1. You also have the right, at any time, to lodge a complaint with the Information Commissioner’s Office if you believe we are not complying with the laws and regulations relating to the use or storage of the information you give us, or that we collect about you. If you would like further information on your right to complain please see the Information Commissioner’s website at https://ico.org.uk/.

    Affinity Partners List

    This list is made up of organisations that can help Innovate UK fund and support innovative businesses to accelerate sustainable economic growth for the UK. It will be updated as we extend our engagements with organisations.

    Delivery partners:
    • Catapults
    • KTN – Knowledge Transfer Network
    • EEN – Enterprise Europe Network

    Public-funded partners:
    • BEIS – Department for Business Energy and Industrial Strategy
    • DH – Department of Health
    • DTI – Department for Trade and Industry
    • DFID – Department for International Development
    • Foreign and Commonwealth Office
    • DCLG – Department for Communities and Local Government
    • DEFRA – Department for Environment, Food & Rural Affairs
    • MOD – Ministry of Defence
    • Growth Accelerator
    • IPO – Intellectual Property Office
    • Design Council
    • AMSCI – Advanced Manufacturing Supply Chain Initiative
    • APC – Advanced Propulsion Centre
    • ATI – Aerospace Technology Institute

    UK Administration:
    • Devolved administrations
