Privacy & Cookies

In compliance with UK Data Protection Act 2018, often referred to as GDPR, this Privacy Notice explains what personally identifiable information we collect from you:

  • when you visit our website;
  • when you apply for a position with us or join us;
  • or are a recipient of our services;
  • or enter into contractual arrangements with us;
  • or visit our site.

The Pirbright Institute is a research institution for the purposes of preventing and controlling viral diseases and is committed to processing all personal information about our clients, collaborative partners and stakeholders, students, staff, contractors or visitors in ways that comply with its legal and regulatory obligations, and to being clear about what it does with personally identifiable data.

This notice applies to clients, collaborative partners & stakeholders, students, staff, or visitors. This notice does not form part of any contract of employment or other contract to provide services. We may update this notice at any time.

Data collection

The data we collect to fulfil our research, training, employment, and our postgraduate services is taken as a data controller. This means that we are responsible for deciding how we hold and use personal information about you. We are required under data protection legislation to notify you of the information contained in this Privacy Notice.

We may collect personal information when:

  • when you apply for a job or student placement;
  • you are a member of our personnel (staff or student)
  • you use our website;
  • you work with us on academic or medical research;
  • you are screened as an approved visitor or contractor to work with us and enter our site;
  • you use our services;
  • you are contracted to provide us with services or materials;
  • you are a recipient of our training or events we provide.

We may collect the following types of information:

  • Name, address, email, contact phone numbers, date of birth.
  • Next of kin or emergency point of contact
  • Registration of vehicles used on business or entering our site
  • Nationality
  • Qualifications
  • Referee details (name/address/phone/email)
  • Employment status / details
  • CCTV, body worn video (BWV) and automatic number plate recognition (ANPR) camera footage
  • Information obtained through electronic means such as IP address or cookies
  • Information about your use of our information and communications systems
  • Photographs

Special Categories of data

We also collect special category data, necessary for legal requirements and reporting but also to help us eliminate gender bias and developing an inclusive culture that values all staff, as governed by the Athena Swan standards to which we are certified.

Special categories of particularly sensitive personal information require higher levels of protection. We need to have further justification for collecting, storing, and using this type of personal information and we do this with either your consent or as permitted by UK data protection legislation

The special category information we collect includes:

  • Ethnicity
  • Religion
  • Sexual Orientation
  • Disability
  • Details of any Criminal convictions

Why do we collect this information?

The personal data collected is needed to:

  • undertake our scientific research;
  • issue our publications;
  • provide specialist training and events;
  • for necessary funding and administrative purposes;
  • to meet our legal and regulatory obligations;
  • to safely manage the work-related activities of personnel such as travel;
  • to run our post graduate schemes.

We also collect personal contacts from our Business, Corporate and Trustee stakeholders, and collaborative partners for our legitimate interests.  Almost entirely, these contacts are corporate or business individuals and while this is still categorised under UK legislation as personal data we are aware that it can be used for business-to-business purposes, as stipulated by UK and European data protection regulations and the Privacy of Electronic Communications Regulation (PECR) with which we also comply.

Website

Information we may collect through our website is needed:

  • to help identify your computer;
  • analyse data about web page traffic and to help us tailor our website for your needs;
  • to allow students, staff and guests to access information they may require.

Our website is hosted by a third-party provider.

All traffic (transferral of files) between our website and the users web browser is encrypted and delivered over HTTPS.

We capture data using cookies; a cookie consists of a piece of text sent by a web server to a web browser and stored by the browser. The information is then sent back to the server each time the browser requests a page from the server. This enables the web server to identify and track the web browser.

See our Cookies Notice for more information of the information gathering associated with our website.

Our site may, from time to time, contain links to and from the websites of our stakeholders, partner organisations and affiliates.  Those sites have their own privacy policies, and The Pirbright Institute does not accept any responsibility or liability for those policies.  Please check those policies before you submit any personal data to those websites.

Email links via our website do not store the data that is input, the data will be collated into an email and sent to us.

The contact form collates the data you input into an email and sent to us. We only store this data temporarily in the website database and it is deleted once we have replied to you.

How do we collect this information?

We collect personal information:

  • directly from our customers;
  • directly from our stakeholders;
  • directly from our partners, e.g. grant or commercial funding;
  • directly from students, e.g. when a student applies to join us;
  • from publicly available sources, e.g. networking, social media, internet services, exhibitions, direct referrals, other Corporate bodies;
  • from guests, contractors, or visitors;
  • from CCTV, body worn video (BWV) and ANPR images.

We are committed to keeping your information up to date as far as is reasonably possible. However, any person who believes that we have made an error, can contact us as outlined below, and we will use reasonable endeavours to correct any established error.

How do we use the data we collect?

Most of our data is held within our databases, accessible to only to those staff who need access.

Any processing activities undertaken are fully compliant with UK data protection regulations and Privacy and Electronic Communications Regulations (PECR) where needed for the marketing or promotional approaches we undertake.

Our main processing activities include:

  • providing services requested from us;
  • to meet our legal and regulatory obligations;
  • processing for funding and administrative purposes;
  • promotional material about the Institute, our research or other relevant information in the areas of work undertaken;
  • sending statements, invoices, and payment reminders, and collecting payments;
  • sending non-marketing commercial communications; 
  • sending our email newsletter or notifications to those requesting them;
  • the use of cameras (CCTV, body worn and ANPR) for security, crime prevention and safeguarding purposes.

Keeping your information safe and secure

The Pirbright Institute is committed to keeping customers’ personal information secure to protect it from being inappropriately or accidentally accessed, used, shared or destroyed, and against it being lost.  

In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.

To prevent unauthorised access or disclosure, we have put in place suitable physical, electronic, and managerial procedures to safeguard and secure the information we collect online.

We currently share very limited data outside the European Economic Area (EEA) and in very specific and limited circumstances. These mainly only relating to staff who are visiting or working outside the EEA. Where it is necessary to transfer personal information to third parties located outside the UK, we will ensure that information is protected to a level which meets the requirements of UK data protection regulations.

Third party access

Access to your personal information is only allowed when required by law or is required as part our fulfilling our service obligations.

We do make use of third-party service providers to help us fulfil our services and where we do the third party is required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes and we only permit them to process your personal data for specified purposes and in accordance with our instructions.

We use third party providers to:

  • administer our staff and student records;
  • for screening and security checks;
  • to help us manage and host events;
  • host and administer of our website;
  • allow us to receive funding for the research we undertake;
  • to help us promote the Institute or advertise forthcoming events;
  • provide safe travel advice to overseas travellers;
  • to achieve and renew our certified awards.

Third party providers are carefully chosen and, to the best of our belief and understanding, comply with current UK legislation. If the third party’s data handling or storage is located outside of the UK, then guarantees are required that the activities they are undertaking on our behalf are fully compliant with local laws and do not breach UK law.

If you would like to know more about the third party providers we use please contact our Data Protection Officer at dataprotection@pirbright.ac.uk.

Links to other websites

Our website and email newsletters and bulletins may contain links to other websites of interest.

However, you should note that we do not have any control over these other websites. Once you have used any of these links to leave our site, therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting these sites and such sites are not governed by this privacy statement.

How long do we keep personal information?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Details of retention periods for other aspects of your personal information are available from  our Data Protection Officer at dataprotection@pirbright.ac.uk.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

In some circumstances we may anonymise your personal information so that it can no longer be associated with you, in which case we may use such information without further notice to you. Once you are no longer an employee, worker, or contractor of the Institute we will retain and securely destroy your personal information in accordance with our data retention policy or applicable laws and regulations.

Marketing

The Pirbright Institute undertakes limited marketing activity and only that which is necessary to promote the Institute to other institutions, scientists, and stakeholders. This is completed for our legitimate interests or where you have given your consent and will include:

  • Publications
  • Events
  • Training Courses
  • Research Services
  • Product and reagent sales

Any marketing we undertake is made in a fully complaint manner as governed by UK data protection regulations and PECR, with the contacts being given the option to opt out from such contact.

Controlling your personal information

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your working relationship with us.

If you want to review, verify, correct or question anything detailed in this policy or anything about your personal information, please contact the Data Protection Officer at dataprotection@pirbright.ac.uk.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances to the extent permitted by law.

Under certain circumstances, by law you have the right to:

  • request details of personal information which we hold about you;
  • restrict the collection or use of your personal data;
  • to withdraw any permission, you have given us to use your data;
  • or even to delete any records that we may hold.
     

You also have the right to complain or object to the way we use your personally identifiable information. If you have any issues or worries about what we do please write to our Data Protection Officer at dataprotection@pirbright.ac.uk.

You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues. You can contact the Information Commissioner’s Office by telephone on 0303 123 1113, or by using the live chat service which is available through the Information Commissioner’s website www.ico.org.uk.

We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

Data breaches

The Pirbright Institute will report any unlawful data breach of information it controls, or any unlawful data breach of information held by any of our third party data processors, to any and all relevant persons and authorities within 72 hours of the breach if it is apparent that personal data stored in an identifiable manner has been stolen.

Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee compliance with this Privacy Notice. If you have any questions about this Privacy Notice or how handle your personal information, please contact the DPO by email at dataprotection@pirbright.ac.uk.

If you would like to know more specific details about how we collect and use the data, or how long we keep it, in our main areas of business please click the relevant link below.

Applying for a job

The Pirbright Institute is committed to protecting and respecting privacy of anyone who applies for a role at the Institute and will ensure that the information you provide as part of recruitment/internal move is only used for the purposes set out in this notice.

What information we require

When you apply for a job through our recruitment portal, or other means, we will use the relevant information to assist in the recruitment and selection process.

We will gather and process personal information about you from your CV and our registration process. This includes, but is not limited to:

  • your name, address, and contact details, including email address and telephone number;
  • your qualifications, skills, experience, and employment history, including start and end dates, with previous and current employer(s);
  • your nationality and evidence of your entitlement to work in the UK;
  • information about any criminal record;
  • equal opportunities information, which is used for the purposes of monitoring only, including information about your gender, age, ethnic origin, sexual orientation, and religion or belief.  This information is anonymised for the purposes of reporting. 

How we will use information

We hold and use this information in order to:

  • administer our recruitment services to you;
  • communicate with you regarding job opportunities that are relevant to your fields of interest and the progress of any applications you make;
  • provide your details to appropriate Hiring Manager and those involved in the recruitment process (excluding any equal opportunities information you have provided which is not on your CV);
  • provide you with job alerts relating to roles you might be interested in;
  • comply with our legal requirement – to check to see if you have the right to work in UK and to carry out criminal records checks to ensure that individuals are permitted to undertake the role in question;
  • seek your feedback on our services to conduct research and development for the improvement of our service and the user experience;
  • fulfil our obligations when you are offered employment e.g. your address/email for the purposes of issuing you a contract of employment and undertaking our pre-employment vetting processes; your bank details for the purposes of paying you once employed 
  • to ensure we are complaint with our Equality, Diversity and Inclusion policy and practices;
  • undertake our vetting process prior to employment and periodically during employment.

The Pirbright Institute is an equal opportunities employer and a company committed to diversity and so we will collect special category personal information such as ethnic origin and information during the application process for monitoring and recording purposes and to meet our requirements under Athena Swan accreditation. All special category and sensitive information will be used on an anonymised basis. This information is not shared with the recruitment panel.  All job applicants and members of staff will receive equal treatment and that we will not discriminate on grounds of gender, marital status, race, ethnic origin, colour, nationality, national origin, disability, sexual orientation, religion, or age.

Who will have access to the data?

We currently do not share any data outside the EEA for our candidates or employees, but should we need to transfer personal information to third parties located outside the UK, we will ensure that information is protected to a level which meets the requirements of the UK and the receiving countries data protection laws or regulations.

We may share your personal information on the basis that it is necessary to do so to perform the contract you enter into with us as follows:

  • Restricted members of the HR and recruitment team including recruitment panel.
  • Trusted third parties who provide functions on our behalf, such as payroll, pension, benefits qualification and screening and criminal record checking services, these third parties are required to process your data and comply with similar stringent undertakings of privacy and confidentiality as The Pirbright Institute; in accordance with UK Legislation.
  • Regulatory or law enforcement agencies, when required by law to do so.
  • To answer your enquiries.
  • We may also seek your consent to collect, hold, use and disclose your personal information for any other purpose not listed above for auditing purposes.

We do not share your personal information with third parties who wish to use it for marketing purposes.

As an applicant, you have control of your personal data through our recruitment portal.  If you decide to upload a CV, cover letter, personal statement or other similar document or information we will keep your data for a maximum of 12 months as part of our talent pool, and for any other potential recruitment positions, unless you request that it is deleted before that time.  We may contact you for future opportunities which we feel may be of interest to you.

You can update your CV at any time, simply by following the same procedure to submit a new CV through your online registration account.

You can also amend your communications preferences at any time through your online account and ask us to restrict the processing of your personal information at any time. You will do this by closing your account on the online portal (using the delete option in your account).

If you have deleted your account and subsequently apply for another job at The Pirbright Institute, we will ask you to reregister as a new applicant.

How do we protect data?

Pirbright takes the security of your personal information seriously. To prevent unauthorised access or disclosure, we have put in place suitable physical, electronic, and managerial procedures to safeguard and secure the information we collect.

Pirbright engages with third parties to process personal data or sensitive personal data on its behalf, they do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

Please note that clicking on links from job boards’ data privacy practices may be different to that of Pirbright. Visitors should consult the other websites' privacy policies as we are not responsible for, and have no control over, information that is submitted to or collected by these third parties.

How long will we keep information?

We will hold your personal data for twelve months or all the time your account remains active on our portal.

You can request us to delete your data and can do so by closing your account on the online portal (using the delete option in your account).

For any further information you can contact our Data Protection Officer at dataprotection@pirbright.ac.uk.

Training

With leading research into areas such as foot-and-mouth disease, African swine fever and avian immunology, Pirbright offers a variety of external training courses to upskill the industry and demonstrate new scientific techniques.

Training courses may be self-funded, although others are sponsored as part of grant funded projects undertaken by researchers at Pirbright. The training extends worldwide, upskilling personnel at all levels.

What information we require

The data collected is necessary for anyone attending the courses; these vary from 1-day courses to residential courses of up to 2 weeks, with trainees offered accommodation on site at the Institute for the latter.

Personal data to facilitate this will include:

  • Name, address, email, Contact phone numbers.
  • Gender
  • Nationality
  • Visa details
  • Referee details (name, email telephone, address, position in organisation)
  • Payment details

How we will collect information

We will collect your data on a training course registration form available to download from our website. All applications are submitted to us by email.

How we will use information

Your information is used to confirm your attendance at the course you booked and secure payment for our services.

Who will have access to the data?

Only Pirbright employees involved in arranging or delivering the training, will have access to customer information.

All course attendees will be issued with certification of course attendance.

How long will we keep information?

Data for each training course is sourced up to 2-3 months ahead of the training to help us make all the necessary arrangements. Data will be held during this period and for 2 months after training delivery to help us administer payments or any remaining questions or actions. Records in hard copy will be securely shredded once our need to retain them has passed. Electronic copies are deleted.

Training records of training for external parties are retained for 1 year.

Training records for Pirbright personnel, held on their personnel files training records, are retained for 6 years after employment or student placement has finished.

For any further information you can contact our Data Protection Officer at dataprotection@pirbright.ac.uk.

Research and scientific

The Pirbright Institute is a centre of excellence for research and surveillance of viral diseases of livestock and those that spread from animals to humans. To that end we have extensive facilities for performing studies with the primary host animals, i.e. livestock, and the disease agents that we study.
We offer services such as arthropod genetics, avian immunology, bioimaging, diagnostics & surveillance, cell cytometry and sorting and contract research.

Data for research purposes is mainly non-personal (other than recognising the need for contact names, addresses) but where this is processed in a personal capacity it will be under exemption for purposes in the public interest, scientific or historical research purposes.

What information we require

We need personal data from our stakeholders, partners, from the scientists involved with the research or project, on the funders who sponsor the research plus other stakeholders who are involved e.g. farmers and Industrial producers of veterinary vaccines and antivirals.

The personal data involved is limited to the personal contact details (names, business address, business telephone and email) with all processing undertaken in a commercial and contractual capacity.

In some cases, we may need to take special category data limited to Union membership as required by the funding or contractual obligations so as not to compromise the research.

How we will collect information

Information will be collected directly from the commercial contact or as provided by stakeholders, partners, funders, or grant sponsor.

How we will use information

We may use the information in the following ways:

  • to contact you in respect of the research / project
  • to promote events, publications, or conferences
  • to offer specialised training
  • to meet the requirements of the funder / sponsor of the research / project
  • to share reports or findings with key partners and stakeholders
  • with the press or media where external publication is necessary

Who will have access to the data?

Data will only be accessible by selected Pirbright employees, Agencies or Bodies who are stakeholders in the research, trusted data processors and only with people who need to see or use the data.

We do not, and will never, sell or share your personal information with other third parties.

From time to time, we may make use of external expertise who can analyse the research data. Rest assured we do not disclose any names in this data and only where it is necessary for the benefit of the research / project.

How long will we keep information?

For the duration set out in the research project or as directed by the commercial requirements of sponsorship or funding.

For any further information you can contact our Data Protection Officer at dataprotection@pirbright.ac.uk.

Communications and events

What information we require

The Pirbright Institute has been in existence for over 100 years and over the years to become one of the UK's leading virus diagnostics and surveillance centres and is now also at the forefront of virus research. Pirbright’s achievements continue to play a pivotal role in controlling and preventing some of the world's most devastating diseases with the development of new and improved diagnostics and vaccines.

Our research and work are of interest to other medical institutes, stakeholders within the sector, for academic studies and network contacts and partners; for this reason, we like to share news, updates on medical research, about what we do.

We host regular annual events, conferences for celebratory and / or promotional sessions for these key stakeholders or with scientists, researchers or other contacts who have expressed an interest. To do these we need to use personal data such as your name email address, telephone number, address, and potentially dietary information.

We may also collect with your consent photographic images for the purposes of promoting via social media or other channels the events that you have attended.

How we will collect information

Data has been accumulated over several years from various sources and retained within a secured database record. The data is collected:

  • directly form you having enquired about or attended previous events or information we have shared;
  • from publicly available sources;
  • from our social media channels;
  • though out networking contacts.

How we will use information

Your details are held on database for the purposes of promoting and inviting you to our events which we believe will be a matter of interest to you in relation to the Institute or the research or work we are completing.

Who will have access to the data?

Data and our database are only available to Pirbright staff who need access to the data with the bulk of this processing and administrative completed internally by our Communications and Engagement Team.

Occasionally, we do make use of third-party service providers to help us fulfil our services and where we do the third party is required to take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes and we only permit them to process your personal data for specified purposes and in accordance with our instructions.

How long will we keep information?

We will only retain your personal information for as long as necessary to fulfil the purposes of sharing information or event we believe are of interest to you. With each invite or cascade we will give you the option to tell us you no longer wish to be included or to receive this material.

Data for events is held during the advertising of the event which can be up to 3 months. Post event your details will be uploaded to our database for up to 6 years or removed as requested by you.

Photographic images are retained indefinitely unless a request is made for us to delete that image.

For any further information you can contact our Data Protection Officer at dataprotection@pirbright.ac.uk.

Security

The Pirbright Institute is a business that undertakes confidential research but also research that involve hazardous chemicals, bacteria and viruses. For this reason, visitors to the site are needed to be monitored and screened to check for the legitimacy of access but also where necessary to check their background and experience.

What information we require

The data needed for our personnel screening and security monitoring processing activities include:

  • Name, address and address history, email, contact telephone number(s)
  • Vehicle registration number
  • Photographs (for identity pass cards)
  • Career history
  • Date of birth
  • Disclosure and Barring Service Check
  • National Insurance Number
  • Financial Check
  • Animal Rights Connection
  • CCTV and video imaging

How we will collect information

We will collect the information when we know that you want to visit the site as a visitor, an approved visitor or contractor, or as a member of staff. All access to the site must be approved by a member of Pirbright staff.

Where we need to complete screening checks, we will ask you to complete a Screening Processing Form which captures your name, email, telephone and signature and enables us to share your details with a third party who will complete the checks for us.

We have CCTV cameras across our whole site monitoring the perimeter and internal buildings; we also have ANPR cameras monitoring traffic in and out. Images from these cameras is automatically running and available within the gatehouse and to security personnel.

For more details on our use of CCTVs and cameras you can contact our Data Protection Officer at dataprotection@pirbright.ac.uk.

How we will use information

The information collected as part of our screening process is shared with an approved and trusted third party who will securely and confidentially complete the level of screening check we require. The third party processes the data in accordance with UK Data Privacy legislation and will not use the data for their own purposes and only as instructed and allowed by The Pirbright Institute.

The data collected from images on CCTV, body worn cameras and ANPR cameras is used to:

  • assist in the prevention or detection of crime or equivalent malpractice;
  • assist in the identification and prosecution of offenders;
  • monitor the security of the premises;
  • ensure that health and safety rules and procedures are being complied with;
  • assist with the identification of unauthorised actions or unsafe working practices that might result in disciplinary proceedings being instituted against employees and to assist in providing relevant evidence;
  • promote productivity and efficiency.

Who will have access to the data?

Data is available only on a restricted basis and only to staff or employees who need access which includes our HR team, Security, third party processor(s) and the host of your visit or line manager.

How long will we keep information?

Data captured by our cameras is automatically overwritten every 30 days.

No personnel information submitted to the third parting screening service provider is handled or held by Pirbright. The third-party processor will delete all data they have processed after 12 months or sooner should you request it.

For any further information you can contact our Data Protection Officer at dataprotection@pirbright.ac.uk.

Contractual arrangements

The Pirbright Institute is a centre of excellence for research and surveillance of viral diseases of livestock and those that spread from animals to humans. To that end we have extensive facilities for performing studies with the primary host animals, i.e. livestock, and the disease agents that we study.

Pirbright enters into a number of contractual arrangements with organisations or companies for the provision of services or materials.

What information we require

Pirbright will request personally identifying information from companies and organisations we enter into commercial arrangements with that may include, but is not limited to:

  • Names of company officers.
  • Names and contact details of contract holders.
  • References in support of bids or tenders.

The personal data involved is limited to the personal contact details (names, business address, business telephone and email) with all processing undertaken in a commercial and contractual capacity.

How we will collect information

Information will be collected directly from the commercial contact or as provided by contract winner or holder.

How we will use information

We may use the information to:

  • to evaluate commercial tenders or bids;
  • to validate a company or organisations in accordance with good governance procedures.

Who will have access to the data?

Data will only be accessible by selected Pirbright employees involved in the contracting process.

We may share information on activities with partners and stakeholders that could include personnel information in the form of contact details.

We do not, and will never, sell or share your personal information with other third parties

We do utilise third-party providers with subject matter expertise to audit our business practices. We do not disclose any names in this data and only where it is necessary for the benefit of the research / project.

How long will we keep information?

We currently retain all commercial information relating to contracts for 7 years.

For any further information you can contact our Data Protection Officer at dataprotection@pirbright.ac.uk.

Changes to our Privacy Notice

We reserve the right to update this Privacy Notice at any time, and we will provide you with a new Privacy Notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

This Privacy Notice was last updated in November 2020.

Trim content

® The Pirbright Institute 2021 | A company limited by guarantee, registered in England no. 559784. The Institute is also a registered charity.