Privacy Policy

1         Introduction.

Compound Semiconductor Applications (CSA) Catapult is part of the Catapult network of world leading centres of excellence designed to transform the UK’s capabilities for innovation, specifically in the field of compound semiconductor applications, and is committed to safeguarding the privacy and security of the personal information provided to us.

This policy sets out how we collect your personal information, what we do with it, how we keep it secure and explains your rights in relation to any personal information that we hold about you.

If you require more information, please contact us by sending an email to Compliance@csa.catapult.org.uk.

1.1        Who we are.

We operate in a growing market where silicon cannot operate, or where compound semiconductors outperform silicon.  Providing world class research facilities with access to independent, trusted expertise to develop capabilities and accelerate the commercialisation of compound semiconductor in key applications areas.

It is our goal to grow the UK’s commercial compound semiconductor capability with a view to improving productivity in areas such as power electronics, Radio Frequency (RF) / Microwave and Photonics.  It is our aim to make the UK the leading place worldwide to develop and launch new products and services in this space.

The Catapult is a ‘not for profit’ organisation and is registered with the Information Commissioners Office (ICO). Our registration number is ZA499638 and we have aligned with the legal obligations of the General Data Protection Regulations (GDPR) and the Data Protection Bill 2018 (DPA 2018).  Therefore, as a data controller of the personal information that we process we are responsible for ensuring that our systems, processes, suppliers, employees and partners comply with the data protection laws in relation to the information we process.

The Information Compliance Manager oversees compliance with data protection laws and this policy and provides guidance and advice to the company, our employees and partners as and when required.

1.2        Statement scope.

We are committed to being transparent about how we collect and use personal data and this policy applies to personal data for all individuals that we interact with on a corporate basis including users of the website, job applicants, employees, individuals on work experience, contractors, partners and suppliers.

Although in most cases the interaction between us will be with, or addressed to, a named individual, this one to one interaction should not be assumed.  We reserve the right to transfer all past, current and further interactions and communications to other individuals, teams, partners or suppliers subject to business requirements.

1.3        Changes to this policy.

In the interest of being transparent we may amend this Privacy Policy from time to time. Any significant changes to this Policy or to the way we treat your data will be communicated via our website.

This privacy notice was last updated on 12 March 2019

2         Data Processing.

2.1        Why do we process your personal information?

CSA Catapult is committed to being transparent about how it collects and uses personal data and shall process your personal information where:

  • It is necessary for the performance of a contract with you.
  • You have provided us with consent to use your personal information.
  • We are required to or authorised by law to do so; or
  • It is necessary to pursue our legitimate interests in a way which is reasonably expected as part of running our business, which is not detrimental to you and would have minimal impact on your privacy.

Examples of where our use of personal information is necessary to pursue our legitimate interests include:

  • monitoring and recording information relating to your browsing behaviour on our website to make personalised content available to you;
  • monitoring and recording information relating to web-based services including how and when the system is accessed and how data is uploaded for the purposes of analysing the performance of and improving the quality of the products and services we provide to you;
  • processing information relating to our business contacts to send them information about our products and services. This helps to facilitate our business development activities including building relationships with current and prospective businesses; and
  • using our CRM system to analyse how our contacts interact with the company which helps to inform our business development activities and determine how we grow our business.

2.2        Collection, use and disclosure of your personal information.

We collect and process personal information which is:

  • obtained or created in relation to the services we provide;
  • relating to individuals who apply for a job or work placement with us;
  • relating to our employees and partners
  • relating to contractors, suppliers and other third parties.

The personal data we collect will include the types of data as shown in the following tables, which also identifies how it is collected and how we process it.

2.3        Online service users.

Types of Contact Information Identification Information: Title, name and the name of your organisation

Contact Information: Your postal address and or your Email address.

Technical Information: IP address, browsing preferences, and details of visits made.

Other: Any other information relating to you which you may provide to us.

Collection Data will be collected from the website and from the web form and maybe stored within our Customer Relationship Management (CRM) System.
Use To complete any request, you may make to us through our website.

To provide and improve our services and website experiences and to facilitate our internal business operations.

Disclosure Your personal information:

·       which is shared with service providers will be limited to the minimum required for providing the service and will be adequately protected and

·       will not be given to other third parties, apart from limited circumstances.

Basis for processing We capture and process personal information for the following reason using, article 6(1)(f) of the GDPR –  legitimate interest as our lawful basis.

 

2.4        Job applicants who apply for a job, and work placement with us.

Types of Personal Data Identification Information:  Title, full name, date of birth.

Contact Information: Your postal and Email address with contact telephone number – home and mobile and next of kin details.

Other: Special category data (gender, ethnic origin, religion, sexual orientation, disability) education and employment history; background checks (Financial and Criminal), Identity checks (i.e. Passport / Driving Licence) and right to work status; financial information including bank details and identifiers (e.g. National Insurance Numbers) and if appropriate student loan details.

Collection Personal data will be collected from several sources including your application form / CV; recruitment agencies and providers of background checks and referees.

To assist with the recruitment process information from a personal profile analysis will be reviewed.

Use Human Resources administration and to discharge our legal obligations under an employment contract, to assess suitability, eligibility to work in the UK and / or fitness to work, and promote staff benefits.

Automated Decision Making: Pre-screening questions.

Disclosure Your personal information may be:

·       Transferred outside the European Economic Area (EEA) to service providers who support the operation of our business; and

·       Stored within CSA Catapult’s information systems and within third party software applications and services which have been procured to support the operation of the HR function. When information is shared with service providers it is limited to what is required for providing the service and will be adequately protected.

Basis for processing We capture and process personal information for the following reasons using, article 6 (b) contractual, (c) legal obligation and (f) legitimate interest of the GDPR as our lawful basis.

 

 

2.5        Business partners and customers.

Types of Personal Data Identification Information: Title, name, job title / position, name of your organisation

Contact Information: Postal address, email address and phone number.

Financial Information: e.g. payment-related information.

Collection Personal data, collected from you directly, will be processed as part of the relationship management function and will be stored within internal systems, CRM and CCTV Systems.
Use For the administration and management of contracts and projects with business partners and customers.
Disclosure Your personal information may be:

·       May be transferred outside the EEA to other service providers who support the operation of our business.

·       If shared will be limited to that which is required to enable us to facilitate our internal business operations and will be adequately protected; and

·       Transferred to other third parties such as our insurers, legal and other professional advisors, regulators, administrators and government departments, who may be acting as data controller.

Basis for processing We capture and process personal information for the following reasons using, article 6 (b) contractual and (f) legitimate interest of the GDPR as a lawful basis.

2.6        Third parties, including suppliers, experts and other service providers.

Types of Personal Data Identification Information: Title, name, job title / position, name of your organisation

Contact Information: Postal address, email address and phone number.

Financial Information: e.g. payment-related information.

Collection Relationship management information collected from you directly, and information that is publicly available.
Use To manage, monitor and administer our supplier relationship and to meet our commercial requirements e.g. creditworthiness.

As required by law and to comply with our statutory / regulatory obligations.

Disclosure Personal Information:

·       May be transferred outside the EEA to other service providers who support the operation of our business.

·       If shared will be limited to that which is required to enable us to facilitate our internal business operations and will be adequately protected; and

·       Transferred to other third parties such as our insurers, legal and other professional advisors, regulators, administrators and government departments, who may be acting as data controller.

Basis for processing We capture and process personal information for the following reasons using, article 6 (b) contractual and (f) legitimate interest of the GDPR as a lawful basis.

 

Telephone and Conferencing.

All telephone and conferencing calls received within our offices are hosted by a third party, Microsoft, who collect technical information such as IP and email address and details regarding telephone and conference calls.  The information collected will be used by us, to enable your call to be connected to the correct person and or conference room, and to improve the telephony / conferencing services that we offer both internal and external parties.

Voicemails may be recorded and distributed using various communication applications and stored in accordance with our retention schedule.

Where we have an existing business relationship we may additionally match and store this information within our CRM system.

Email and Messaging.

Our email and messaging applications, referred to as communications, used for our business is hosted by Microsoft, who will collect contact and technical information contained within, and related to, the messages received by us.  The information collected will be used by us to monitor all communications, including file attachments, for the detection of viruses or malicious software.

We engage the services of a third-party supplier, Eclaimer, to add individual email signatures to all of our outgoing Email messages.

All communications will be delivered to the individual or group named within the message, however, in certain circumstances these may be delivered or forwarded to other groups or individuals within the business. In some circumstances, communications can be linked to our CRM system.

We can deliver secure communication to receiving systems that support Transport Layer Security (TLS), which will ensure that the same level of security has been applied. This may however not be the final destination of intended communication, in which case, we will be unable to guarantee the method of transfer from that point forward.  Emails will be retained in accordance to our retention schedule.

3         Your Data Protection Rights.

CSA Catapult will process personal information that it holds about you in line with your rights under data protection law and will respond to your requests as soon as possible, but no later than one calendar month, starting from the day after we receive your request.

If the request is complex, or you make more than one request, our response may be extended to a maximum of three calendar months, starting from the day after we receive your request, and you will be advised of this if that is the case.

You are not required to pay any charge for exercising your rights, but it may be necessary for us to charge a fee if the request that has been received is “manifestly unfounded” or excessive. The fee will cover the administrative costs associated with dealing with such requests.

If you choose to engage any of these rights, please email Compliance@csa.catapult.org.uk.

3.1        Right of access.

You can ask for copies of your personal information, more commonly known as making a ‘subject access request’ which will be provided electronically unless you state otherwise.  It may be necessary to apply exemptions where necessary, which means you may not always receive all the information we process.

When making a subject access request we will verify your identity to information that we hold but, in some cases, we may require further information to validate your identity. We will provide you with information regarding the data that is being processed, the source of that data, if the data is being disclosed, how the data is being stored and any automated decision making with the logic involved to support decisions making.

3.2        Right to rectification.

You can ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information that you think is incomplete.  To assist us to deal with this request you will need to state clearly what you believe is inaccurate or incomplete and explain how this should be corrected and where available provide evidence of the inaccuracies.

3.3        Right to erasure.

You can ask us to erase your personal information which is also known as the ‘right to be forgotten’.  To assist us to deal with this request you will need to state clearly what you want erased. The right to erasure is not absolute, and we can refuse to erase your data in certain circumstances.

3.4       Right to restriction of processing.

In some circumstances you can object to the processing of your personal data and limit the way your personal data is being used by us, if you are concerned about the accuracy of the data, or how it is being used. To assist us to deal with this type of request you will need to explain your concern, providing evidence and stating your desired outcome.

3.5        Right to object to processing.

In certain circumstances you can object to the processing of your personal data. You do however have an absolute right to object to your data being used for direct marketing.

3.6        Right to data portability

The right of data portability only applies to information that you have given to us. You can ask for this information to be transferred to another organisation, or we can provide it to you direct, providing that this is technically feasible.  This right only applies if we are processing information based on your consent or under, or in talks about entering into a contract, and the processing is automated.

 

Further details about your rights are available on the Information Commissioners Office (ICO) website https://ico.org.uk/for-the-public/.

3.7        How do we protect your data?

We are committed to processing your personal data in a manner that ensures appropriate security ensuring confidentiality, integrity and availably at all time.

This includes protecting against unauthorised or unlawful processing, accidental loss, destruction or damage, by using technical or organisational measures, and working to and aligning with, good industry security practices.

When it is necessary to engage with third parties to process personal data on our behalf, they do so on the basis of written instruction under a duty of confidence and are obliged to implement appropriate technical and organisational measures to ensure the security of that data.

Where processing of data is outside the EEA we will ensure that further safeguards are implemented to protect the transfer of your data such as the US Privacy Shield and standard contractual clauses approved by the European Commission or other contracts which provide equivalent protection.

3.8        How long do we keep your information for?

We will retain your personal information in accordance with applicable laws, regulation and in accordance with our data retention schedule.  We will not retain your information for longer than is necessary, taking account of factors such as:

  • guidance from official bodies such as the ICO and Government funding departments;
  • how long we need to keep the data to fulfil the original purpose for which it was collected;
  • the nature and sensitivity of personal data;

Once the retention period has passed the data will be disposed of securely in line with our Data Protection Policy.

If you require further information regarding our retention schedule, please contact us at Compliance@csa.catapult.org.uk.

 

3.9   Marketing.

We may use your information, to notify you about goods or services which may be of interest to you.  We will contact you by electronic means only if you have consented to such communication or where we have a lawful, legitimate interest in doing so.

3.10   How to make a complaint.

If you wish to make a complaint or you have any concerns regarding how we are processing your personal information, then please contact Compliance@csa.catapult.org.uk and we will respond to your request.

If we are unable to resolve your complaint, then you have the right to contact the supervisory authority, by, post, phone, live chat or via their website:

Information Commissioners Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Helpline number: 0303 123 1113

Ico.org.uk/livechat

http://ico.org.uk.

4       Visitors to our Website

CSA Catapult’s website is hosted by UKRI and managed by Affinity who use cookies and other information gathering technologies for a variety of purposes.

The purpose for implementing all of the below is to maintain and monitor the performance of our website and to constantly look to improve the site and the services it offers to our users. The legal basis we rely on to process your personal data is article 6(1)(f) of the GDPR, which allows us to process personal data when it is necessary for the purposes of our legitimate interests.

4.1        Analytics.

We may collect analytic information on Websites usage to help us improve them. We may also share anonymous data about individual’s actions on our Websites with third-party service providers of analytics services.

4.2        Cookies.

Cookies which are text files containing small amounts of information are downloaded to your device when you visit a website.  Cookies are useful because they allow a website to recognise your device, preferences and can be used to improve your online experience.

4.3        Functional.

These cookies are used to ensure you can correctly navigate our website and or share pages via social media.

4.4        Performance.

These cookies are used to analyse trends, administer the website, track visitor movements and gather board demographic information for aggregate use.  The information is used to compile reports and to help us improve our website.  These cookies are not linked to Personally Identifiable Information (PII).

4.5        Targeting and Advertising.

The social media sharing functionality on certain web pages is provided by a third party. As you navigate these pages or if you use the sharing buttons the third party will automatically set the cookies.  We have no controls over these cookies being collected.

For detailed information about the use of cookies in the Websites, please read and review the Cookie Policy found here.

4.6        Other Technologies.

If you register to receive updates by email, you will receive emails which will contain a web beacon. This will take the form of a small, transparent image, which is embedded in each email.  It will be used to send information such as your IP address, when each email was viewed, from what device and which geo-location.  We use information about email usage to compile reports and to help us improve our communications.

Our websites may also collect your IP address which is routinely stored as part of web server log files for 14 days.

We may use Local Storage Objects (“LSOs”) such as HTML5 to store content information and preferences. Various browsers may offer their own management tools for removing HTML5 LSOs. Third parties with whom we partner provide certain features on our Websites or to display advertising based upon individuals Web browsing activity using LSOs such as HTML5 and Flash to collect and store information. For further information on how to manage Flash LSOs please click here.

4.7        Logs.

As is true with most websites and services delivered over the Internet, we gather certain information and store it in log files when individuals interact with our Websites and Services. This information includes internet protocol (IP) addresses as well as browser type, internet service provider, URLs of referring/exit pages, operating system, date/time stamp, search information, locale and language preferences, identification numbers associated with devices, mobile carrier, and system configuration information. Occasionally, we connect personal information to information gathered in our log files as necessary to improve our Websites and Services. In such a case, we would treat the combined information in accordance with this Policy.

4.8        Links to other websites.

We will sometimes make available, via our website, links to other third-party websites which are not under our control. We will not be liable for any issues arising in connection with the use of your information, the website content or the services being offered to you by these individual third-party websites.  We would recommend that you check the privacy policy and terms and conditions on each website to see how each third party will process your information.

4.9        Social media.

When you contact us using private or direct messages via social media, i.e. Twitter and LinkedIn, your contact details and the contents of the message will be stored by the service provider and we may store the content of the message within our internal systems, including our CRM System, either in part or in full.

We may also analysis messages and monitor social media sites for sentiment and engagement analysis.

5         Visitors to our office.

When visiting us at our Newport Office you will be greeted in reception by a member of our staff who will contact the intended host of your arrival.

We will share your name and name of your organisation, and in some cases your car registration number before you arrive, which will allow us to manage your visit to the building and our office space.

We operate CCTV within our designated office space, and visitors must be aware that we have parameter surveillance in operation and that images maybe captured when visiting the building.

5.1        Access to Wi-Fi on site.

When visiting us at Regus there will be Wi-Fi available on site for all visitors to access. If you decide to connect to the CSA Catapult guest Wi-Fi service, you will be prompted for a password which will be provided to you from our IT Department or by the intended host.

When you have connected to our guest Wi-Fi we will record the device address and we will automatically allocate you an IP address whilst you are on site, and we may record applications used and log traffic information in the form of sites visited, duration and date sent/received.