Research Project Privacy Notice
BIT Barrier Identification Tool
BIT Barrier Identification Tool Website
This notice is effective from 29 April 2020
This privacy notice is maintained by the Behavioural Insights Team (BIT). It sets out how and why we use your personal data – both on this website, and offline.
Behavioural Insights Ltd (the legal name of Behavioural Insights Team (BIT)) is the controller and is responsible for your personal data collected in connection with this tool. This notice applies to the personal data we collect directly from you when you sign up to our website Please make sure that any personal details you provide are accurate and up to date, and let us know about any changes as soon as possible.
We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights in relation to your personal data, please contact the DPO:
Post: Behavioural Insights Ltd, 58 Victoria Embankment, London EC4Y 0DS
You also have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
What personal data will we collect?
If you use our tool and decide to send yourself a summary of the findings at the end, you will be asked to provide your name, job title, organisation name and business email address. We will also receive the summary of the the data you inputted into the tool surrounding the problem you are trying to solve, the behavioural barriers you identify as relevant to this problem and cookie and browser generated information collected through use of the website plus your marketing preferences if you choose to receive newsletters and other marketing materials from us.
Further details about the technical data that is processed by us can be found in our Cookies Policy.
What do we do with information we collect?
The purpose for which BIT is processing your personal data is to:
Give you access to our tool
Give you the option to subscribe to our newsletter (if you choose to sign up this can be opted out of at anytime)
Assess the types of challenges that the tool is being used to support
Contact you with further suggestions as to how behavioural insights can help you to solve your challenge
Make further improvements to the tool and the functionality of the website
Protect the security of our website
What is our lawful basis for processing your personal data?
Data protection laws require us to meet certain conditions before we are allowed to use your data in the manner described in this notice, including having a lawful basis for the processing.
BIT is relying on the lawful basis of:
Our lawful basis for processing your personal data is legitimate interests (as per Article 6 (1) (f) of the GDPR) in relation to assessing the types of challenges the tool is being used to address, understanding how to improve our products and services and in relation to improving the functionality and security of our website. We have considered that your interests and fundamental rights do not override those legitimate interests.
Our lawful basis for processing your personal data is consent (as per Article 6 (1) (a) of the GDPR) in order to send you a summary report of the behavioural barriers identified as applying to your situation, send you our newsletter and provide updates on our products and services, and request feedback (e.g. by sending you surveys).
We may also process your personal data as necessary to comply with our legal obligations.
Who has access to your information?
Your information will be accessed by a limited number of researchers and advisors in BIT’s team working on this tool.
BIT may disclose your information to third parties in connection with the purposes of processing your personal data set out in this notice. These third parties may include:
other companies in BIT’s group;
regulators, law enforcement bodies and the courts, in order to comply with applicable laws and regulations, assist with regulatory enquiries, and cooperate with court mandated processes, including the conduct of litigation;
suppliers, research assistants and sub-contractors who may process information on behalf of BIT such as MailChimp which we use as our marketing automation platform. These third parties are known as data processors and when we use them we have contractual terms and policies and procedures in place to ensure that your personal data is protected. This does not always mean that they will have access to information that will directly identify you as we will share anonymised or pseudonymised data only wherever possible. We remain responsible for your personal information as the controller; and
any third party to whom we are proposing to sell or transfer some or all of our business or assets.
We may also disclose your personal information if required by law, or to protect or defend ourselves or others against illegal or harmful activities, or as part of a reorganisation or restructuring of our organisations.
We may share your date with one of our group companies. As of the date of last review of this notice, the group of companies comprise:
Behavioural Insights Ltd
Behavioural Insights (France) SAS
Behavioural Insights US (Inc)
Behavioural Insights (Australia) Pty. Ltd
Behavioural Insights (New Zealand) Ltd
Behavioural Insights (Singapore) Pte Ltd
Behavioural Insights (Canada) Ltd
In sharing this personal information with other group entities, your information may be transferred outside of the EEA. In this case, we have put in place standard contractual clauses (as laid down in the European Commission Decision 2010/87/EU of 5 February 2010 or as updated from time to time) to ensure an adequate level of protection for your personal information if we transfer personal data to any of those entities. If you require further information about this, you can request it from the Data Protection Officer.
There is an adequacy decision from the European Commission in respect of transfers of personal data to New Zealand. This means that New Zealand is deemed to provide an adequate level of protection for your personal information if we transfer personal data to Behavioural Insights (New Zealand) Ltd.
Some of our data processors may transfer personal data outside of the UK or EEA and, as stated above, we will always ensure there are appropriate safeguards in place so that such transfers are lawful. For example, MailChimp’s servers are located in the United States so personal data will be transferred to the United States. MailChimp has certified to the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework.
We take reasonable steps to protect your personal information and follow procedures designed to minimise unauthorised access, alteration, loss or disclosure of your information.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing.
We ensure that those who have permanent or regular access to personal data, or that are involved in the processing of personal data, are trained and informed of their rights and responsibilities when processing personal data. We provide such access on a need-to-know basis, and have measures in place which are designed to remove that access once it is no longer required.
Physical personal devices used by BIT are encrypted to protect your data, and confidential hard copy data (including special category data) is kept in locked rooms or cabinets.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. When it is no longer necessary to retain your personal data, it will be securely deleted.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
We will delete the data you input into the tool after 12 months. We may contact you up to 12 months after using the tool.
In some circumstances, we will retain an anonymised dataset (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
If you sign up to receive our newsletter or other promotional communications from us but you don’t want to receive any more communications, please click the unsubscribe link on any email from us. Alternatively, you can also email us at email@example.com at any time.
Your legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data, including rights to:
Request access to your personal data: this enables you to receive a copy of the personal data we hold about you and to check we are lawfully processing it.
Request correction of your personal data: this enables you to have any incomplete or inaccurate data we hold about you corrected.
Request erasure of your personal data: this enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it.
Object to processing of your personal data: for example, you can object where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
Request restriction of processing your personal data: This enables you to ask us to suspend the processing of your personal data.
Data portability: Where the processing takes place on the basis of your consent or contract, and is carried out by automated means, you have the right to request that we provide your personal data to you in a machine-readable format, or transmit it to a third party data controller, where technically feasible.
Right to withdraw consent to the processing of your personal data: This applies where we have relied on consent to process personal data. Please note that withdrawal of consent will not affect the lawfulness of any processing carried out before withdrawing your consent.
Right not to be subject to decisions based purely on automated processing where it produces a legal or similarly significant effect on you. Please note that BIT does not engage in automated decision making without manual intervention in its research projects.
If you wish to exercise any of the rights set out above, please contact the Data Protection Officer with your specific request by email to: firstname.lastname@example.org
It is important to understand that the extent to which these rights apply to research will vary and that in some circumstances your rights may be restricted.
Ordinarily, you will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Please also note that we can only comply with a request to exercise your rights during the period for which we hold personal information that directly identifies you. If we have only collected pseudonymised information (e.g. where we have not collected any names or contact details) or personal data has been irreversibly anonymised and has become part of the research data set, it will not be possible for us to comply.
Changes to this Notice
We may change this Privacy Notice from time to time. If we make any significant changes in the way we treat your personal information we will make this clear by amending this notice or by contacting you directly.