Information We May Collect About You
Personal information provided by you
The information you give us may include personal information like your name, titles, address, email address, telephone number, date of birth and bank details. You may give us your personal information by filling in forms, including those on our website (www.era.org.uk) or by corresponding with us in writing, by telephone, email or otherwise. This includes information you provide when you correspond with us regarding the ERA Licence and when you report a problem with the website. Further information on the information we may collect and the purpose for its processing are below.
For more information on which cookies we use and how we use them see ERA’s Cookies Policy.
Personal information provided by third parties
We may receive personal information about you from third parties, which may include parties who provide this information in fulfilment of a legal obligation or representatives you have authorised to act on your behalf. Any information we receive about you from these third parties will only be processed for the purposes described under “How will we use the information about you?” section below.
How we will use the information about you
We may process the information we collect about you:
- for the purposes of issuing, administering and recording ERA Licences; administering and recording declarations from educational establishments stating they do not require an ERA Licence; and generally for managing the ERA Licensing scheme (“Licence Data”). This includes contacting you to request information from you (such as pupil or student numbers), to provide you with information you have requested about ERA and the ERA Licence, to respond to your queries and to keep a record of communications with you. The information we may process for these purposes includes your name, title, employer, email address, office address and phone number. The Licence Data may be provided by you, your employer or, in rare cases, by third parties. The lawful basis for processing an ERA Licence is the performance of a contract between you or the organisation by whom you are employed and ERA and/or taking steps to enter into such a contract. The lawful basis for processing a declaration and/or taking steps to enter into such a declaration is the legitimate interests of our business;
- for the purposes of managing the provision of goods and services supplied to ERA and communicating with suppliers (“Supplier Data”). The Supplier Data may include your name, title, employer, email address, office address, phone number and bank details. The source of the Supplier Data is you or your employer. The lawful basis for this processing is the performance of a contract between you or the organisation by whom you are employed and ERA;
- for the purposes of recruiting, managing, remunerating and communicating with employees and potential employees (“Employee Data”). The Employee Data may include your name, title, email address, home address, phone number, qualifications, education and employment history, references, national insurance number, tax code, bank details and passport or visa details. The source of the Employee Data is you or a third party such as recruitment agencies, former employers and establishments from which you have received your qualifications. The lawful basis for this processing is the performance of a contract between you and us and/or taking steps, at your request, to enter into such a contract;
- for the purposes of meeting our statutory obligations and governance obligations, specifically relating to our Members and Directors (“Member Data”). The Member Data may include your name, title, employer, email address, office address, phone number, data of birth, home address and other interests for purposes of recording any conflicts of interest. The source of the Member Data is you or your employer. The lawful basis for this processing is compliance with the law;
- for the purposes of verifying that those individuals granted access to streamed content on ERA’s Video Streaming Platform are students studying at or employees of educational institutions that hold a current ERA Licence (“Registered User Data”). The Registered User Data may include your name, email address, role, teaching level, subject or specialisation, key stage taught and name and post code of your institution. The source of the Registered User Data is provided by you. The lawful basis for this processing is the legitimate interest of our business and the right holders we represent; and
- for the purposes of emailing news and insights about ERA and our services to those users who have explicitly signed up for these communications (“User Correspondence Data”). The User Correspondence Data may include your name, email address, role, teaching level, subject or specialisation, key stage taught and name and post code of your institution. The source of the User Correspondence Data is provided by you. The lawful basis for this processing is consent.
Sensitive Personal Information (Special Category Data)
We generally do not ask you to provide us with information regarding your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data, health, sex life or sexual orientation. However, if it is necessary to obtain this information from you in relation to our business activities or to perform a contract with you, we will only collect and process the information with your explicit consent and only for the purpose specified by you when giving your consent.
Who your information might be shared with
As far as is reasonably necessary, we may disclose your personal data to:
- Our business partners, suppliers, agents and sub-contractors for the purposes described under “How we will use the information about you?” section above. These parties may be engaged for the fulfilment of contracts we have with you and the provision of support services to us; and
- Law enforcement agencies, regulatory bodies, auditors and professional advisors to comply with any legal obligation; or for the purposes of fraud prevention; or in order to enforce any agreements; or protect the rights, property, or safety of ERA, its licensees, or others; or obtain any related professional advice.
Transfers of your information out of the EEA
We may need to transfer your personal data to countries that are located outside the European Economic Area (“EEA”) for the purposes of processing by parties that work for ERA or one of its suppliers. By way of example, this may happen if any of the computer services used to host the website are located in a country outside of the EEA.
Keeping your data secure
We will use technical and organisational measures to safeguard your personal data. All information you provide to us is stored securely.
Unfortunately, the transfer of information via the internet is not entirely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our website or email server; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
Retention of your data
We will not retain your personal data for longer than is necessary in relation to the purposes for which the data was collected or otherwise processed. The criteria we use for determining the retention periods for personal data processed in the performance of a contract will be any regulatory requirements, statutory retention periods or guidance provided by regulatory bodies such as HMRC or the Information Commissioners Office. The statutory limitation period for legal claims related to most contracts is generally 6 years.
Member Data will be retained in perpetuity to ensure a full record of the historic governance of ERA.
What rights do you have?
Right to request a copy of your information
You can request confirmation that your data is being processed and a copy of the information we hold for you (this is known as a subject access request).
Should you wish for confirmation that your data is being processed or wish to access the personal data we may hold about you then you can request this from us in writing. Upon written request, we will provide you with a readable copy of the personal data which we keep about you. We will respond to you within the time frame specified within the applicable data protection law, which is generally within one month of receipt of the written request. We will provide the information without charge, but if requests are manifestly unfounded or excessive, in particular because they are repetitive, we retain the right to refuse or to charge a reasonable fee based on the administrative costs of providing the information. To request a copy of the personal data we hold about you please address your written request to the CEO at the address given in the “How can you contact us?” section below.
Right to correct any mistakes in your information
You can require us to rectify the personal data we hold about you if it is inaccurate or incomplete.
Should you require us to rectify the personal data we hold about you, please send a written request to the CEO at the address given in the “How can you contact us?” section below. We will respond to you within the time frame specified within the applicable data protection law, which is generally within one month of receipt of the request.
If we have disclosed your personal data to any third parties, we will also inform those third parties of any correction to your personal data where possible.
General Data Protection Regulation
In addition to the above, you will also have the following rights that are applicable to the way we use your data under the General Data Protection Regulation that came into force on 25th May 2018.
Right to erasure
You can require us to erase personal information we hold about you without undue delay in the following circumstances:
- The personal data is no longer necessary in relation to the purposes for which is was collected or otherwise processed;
- You object to the processing and there is no overriding legitimate interest for us to continue the processing of the data;
- Your personal data was unlawfully processed; or
- Your personal data must be erased in order to comply with a legal obligation.
ERA can refuse to comply with a request to erase personal information we hold about you for the following reasons:
- To exercise the right of freedom of expression and information;
- To comply with a legal obligation for the performance of a public interest task or exercise of official authority;
- For public health purposes in the public interest;
- Archiving purposes in the public interest, scientific research, historical research or statistical purposes; or
- The exercise or defence of legal claims.
If we have disclosed your personal data to any third parties, we will inform those third parties of any erasure of your personal data, unless it is impossible or involves disproportionate effort to do so.
Right to restrict processing of your personal data
You have the right to restrict the processing of your personal data in the following circumstances:
- You contest the accuracy of the personal data;
- The processing is unlawful and you do not wish for the data to be erased but require restricted processing of the data instead; or
- We no longer require your personal data but you require the data to establish, exercise or defend a legal claim.
When processing of your data has been restricted, we will be permitted to store your data but will not perform the processing of it, unless you consent to further processing or processing is necessary for the establishment of a legal claim; for the protection of rights of another person; or for reasons of important public interest.
If we have disclosed your personal data to any third parties, we will inform those third parties about the restriction on the processing of your personal data, unless it is impossible or involves disproportionate effort to do so.
How to contact us
We take your privacy very seriously and try to adhere to the highest standards when collecting and processing your data. However, if you think there is a problem with the way we are processing your personal data, then we encourage you to contact us directly to see if your concerns can be addressed. Please see our Code of Conduct for further details on our complaints process.
If you are not satisfied with the outcome of our internal complaints procedure, or if you consider that your complaint has not been handled correctly, you may lodge a complaint with the Information Commissioners Office.