1. Overview
Innovate UK is part of UK Research and Innovation (UKRI). UKRI’s privacy notice can be found on the website. Innovate UK’s privacy notice and information management policy should be read in addition to UKRI’s privacy notice.
This policy explains Innovate UK’s specific arrangements for collecting, storing, using and sharing information for users (‘you’, ‘your’), which may include personal data or confidential or commercially sensitive information.
It provides details on how we use this information to enhance our ability to fund, support and connect innovative businesses and accelerate sustainable economic growth for the UK.
Any information we obtain from you – through our online platforms, competition applications and administration, events or elsewhere – will be managed according to this policy. This includes where we collect information that is personal data, and subject to data protection legislation.
This policy is written to comply with the General Data Protection Regulation (EU 2016/679), or GDPR, introduced on 25 May 2018.
As a public sector organisation we are also subject to some further data protection obligations under the UK Data Protection Act 2018.
2. Policy principles
This policy will:
- identify the information we may collect from you
- explain how we store your information, the length of time we hold it and how we keep it safe
- outline the rules we comply with when we use your information
- explain the different types of information we collect from you, how we use it and why we are allowed to do so
- explain how we may share your information
- explain the rights you have in relation to your personal information, including how you can request a copy of your information.
3. Information we may collect about you
3.1 Personal data
Personal data may consist of information such as your name, email address, postal address, landline or mobile number.
We may collect personal data when:
- you participate in, access or sign-up to any of our services, including events, newsletters, competitions, social media, message boards and telephone calls
- you create an account using the Innovation Funding Service
- you otherwise correspond with us.
Where we collect personal data we will:
- only do so to the extent that it is required
- tell you the specific purpose for the collection.
Depending on the activity, we may also obtain information about your business. For example, when applying for a grant from us, this includes the name and type of your business and its address.
We also use cookies and collect IP addresses from visitors to our websites.
3.2 Special category data
In some circumstances, we may collect special category data about you.
Special category data may consist of information about race, ethnic origin, politics, religion, trade union membership, genetics, biometrics, health, sex life or sexual orientation.
The collection of special category data will be limited to surveys, which we may ask for you to complete from time to time. Any special category information provided in this process will only be collected and used with your consent to do so.
3.3 Confidential information
For grant and other funding applications, we may collect information from your submitted proposal including potentially commercially sensitive and confidential information. Although this information is not subject to the Data Protection Act or the GPDR, we will treat it appropriately.
4. How we store and secure your information
4.1 Storage of data
We will maintain the security of your information by protecting the confidentiality, accuracy and availability of that information.
All information, including personal data and funding applications, will be held on secure servers operated by Innovate UK. These are operated in accordance with the UK Information Commissioner’s guidance on the storage of personal data, from the point of collection to the point of destruction.
We will employ strict procedures and security measures to prevent unauthorised access to your information. Only people who are authorised to use your information can access it.
We will ensure that any personal data we hold is accurate and up-to-date. We do this through checks at the point of collection and at regular intervals thereafter.
4.2 Security procedures
Our security procedures include:
- entry controls, whereby only employees or authorised contractors have access to buildings where we hold information. Any visitor must accompanied by a member of staff
- lockable desks and cupboards. Desks and cupboards that hold confidential information including personal data are kept locked at all times
- secure methods of disposal when information is no longer needed, for example, paper documents are shredded and digital storage devices are physically destroyed
- appropriate equipment and IT policies, for example, shielding display monitors from passers-by and locking personal computers when left unattended.
We will not keep personal data for any longer than is required for the purpose or purposes for which it was collected.
We will take all reasonable steps to destroy or erase from our systems all personal data that is no longer required, inaccurate or out-of-date.
4.3 Transfer of information outside of the European Economic Area (EEA)
With your consent, we may transfer your personal data outside of the EEA:
- if the transfer is necessary for a contract
- for public interest reasons
- if it relates to legal claims.
Where there is a requirement for transfer, we will do so in compliance with the GDPR and Data Protection Act. This includes entering legally binding agreements with any third party outside of the EEA to protect the transfer of your data, unless that country or organisation is already certified as having appropriate safeguards in place.
In all other circumstances we will not transfer your data outside of the EEA.
Where data is required to be transferred and stored in the USA, we will ensure that we only work with organisations that comply with the EU-US Privacy Shield to meet the requirements of the GDPR and the Data Protection Act.
We have specific arrangements for sharing information with partners as part of our international competitions.
5. Rules we apply to your information
We will hold all information and personal data in compliance with the Data Protection Act, the GDPR and the Data Protection Bill.
When we use or process any of your information that contains personal data, we will comply with the eight principles of good practice. Personal data must be:
- processed fairly and lawfully
- processed for limited purposes and in an appropriate way
- adequate, relevant and not excessive for the purpose
- accurate
- not kept longer than necessary
- processed in line with your rights
- secure
- not transferred to people or organisations located in countries without adequate protection.
As a public authority we have certain rights to use and process the information we collect because it is either:
- necessary for the performance of a task carried out in the public interest
- in relation to our official tasks set out in law, such as running funding competitions to support businesses and promote UK innovation for the public benefit
- In addition to these circumstances, we may still be required to process your data because it is necessary for a contract with you or it is necessary for legitimate Innovate UK interests.
If we cannot process your data for any of the above reasons, we may ask for your consent to use the information that you provide to us.
You will be asked for consent specifically and separately to any other terms and conditions to which you need to agree, including requests to share your information with other parties. Where consent is required, we will not use or share your information without gaining this.
In some circumstances, we may collect and hold data as manual records, which may not be within a filing system that is readily accessible. This may include personal data in emails, videos, images or social media posts.
Should this be the case some of the rules for the protection of your personal information may not apply. Your rights to receive information held in this way may be limited.
6. How we will use your information and why we can use it
We will only use your information, including personal data, for the purpose that it was collected.
We are allowed to use your information to undertake our official tasks and perform our public function. If we need your consent to use your information, we will ask for it at the time the information is collected.
We are allowed by law to use your information for:
- grant or contract support, administration, evaluation and reporting
- research into the impact and effectiveness of grants or other contracts and their administration
- internal administration, reporting and compliance, including for external audit purposes
- informing you about other support available or provision of assistance to you from Innovate UK.
We can use your information to comply with our legal obligations for:
- detection of fraud
- anti-money laundering.
We can also use your information if it is necessary to do so for a contract we have entered into, for example, to support your attendance at an event.
With your consent, we can use your information to:
- contact you with promotional or marketing material
- provide you with information relating to our events.
Where we propose using your data for any purpose other than those within this policy, we will notify you in advance and inform you of how we intend to use it and our legal requirements to do so. If necessary we will obtain your consent.
If you sign up to receive newsletter or updates from us, you will need to provide information that we can use to deliver the service or services you have requested.
We may occasionally contact you to help us evaluate and improve the services that we offer if you have consented to being contacted for this purpose.
We may use your information to send you other promotional and marketing communications. These types of communications will only be sent to you if you have consented to our use of your personal data for such purposes.
We do not use automated decision-making processes in relation to your personal information.
7. How and when we will share your information
7.1 General use
We will not share your information without obtaining your consent unless:
- we are allowed by law to share it to carry out a task in the public interest or to undertake our official tasks
- we have to disclose or share it in order to comply with our legal obligations
- we need to share it for a legal contract with you
- it is necessary to protect our rights, property, or safety of our employees or others.
7.2 Innovate UK competitions
For applications to Innovate UK competitions, we will share your information with our independent assessors for the purposes of considering your application for funding.
We do this in accordance with our public tasks and functions. By submitting an application, you are providing your information for us to exercise this public function and agreeing to this basis on which we can share your information.
Assessors will use your information only for the purposes of assessing your application into a competition. We enter into contracts with all of our external assessors to ensure that they will hold your information both confidentially and securely.
7.3 Joint competitions
Where we are collaborating with another organisation on a competition, we will identify that other organisation within the competition guidance or contract as a joint sponsor.
An example of a joint sponsor is another UK-based organisation that operates or funds grant awards or other similar contracts, such as a department within the UK government.
In addition to the independent assessors, we will share your information in respect of the competition with the joint sponsor. The joint sponsor will use your information for the same purposes as Innovate UK.
7.4 International competitions
International competitions such as the Newton Fund involve collaborative work between UK organisations and their partners in non-EEA countries.
We will comply with all specific requirements for the transfer of any personal data outside of the EEA as per our rules that apply to your information and personal data.
We will conduct the assessment of your application separately from and independent to our partner organisations in other countries. We will not share any application or any personal information directly with our partner organisation unless this is necessary for our public function.
For funded projects, we will limit any exchange of information with the partner organisation to non-personal and non-confidential information where possible. For example, we may only refer to named organisations in an application in discussions with a partner organisation.
If we feel it is beneficial to share personal data where it is not necessary for us to do so, we will request your specific consent at that time.
We will not disclose your commercially-sensitive and confidential project details. We will only discuss the technical details of the project at a high level with our partner organisation.
You should note that it may be necessary for you to share personal data and confidential information with the organisations in non-EEA countries that you collaborate with on a funded project. You will be in control of that sharing and we will not share that type of information on your behalf.
In limited circumstances, we may agree to run a competition on behalf of a partner funding organisation in a non-EEA country. We may need to share certain or all information from your application to allow that partner organisation to make an assessment of the projects it wishes to fund.
In this case we will ensure that the rules for those competitions make it clear that certain project information will be shared. Where this information contains personal data, we will only share that data as is necessary for us to undertake our public task and function.
If there are circumstances where we need to obtain specific consent from you, we will request that consent forms are submitted along with the application form.
7.5 Consultant or sub-contractor
We may need to disclose your information to a consultant or sub-contractor in order to undertake an internal activity, for example, an IT consultant working on upgrading our IT system.
Where this is the case, we will only disclose the information reasonably necessary for the purpose. We will put in place appropriate provisions to secure that information.
7.6 Affinity partners
As part of our objective to stimulate and support UK innovation, we have established a close relationship with organisations that we call our affinity partners.
In some circumstances, it will be necessary for us to share your information with affinity partners as part of our public tasks and function. This includes knowledge exchange and the promotion of innovation. We will not need your consent to share information for this purpose. As part of our public task we may share information on both successful and unsuccessful competition applications.
In other circumstances that are not within our public tasks, we will obtain your consent to share your information with affinity partners. We will do this at the point it is collected for the purpose it is required.
If this is not possible, for example, if we have collected your information from an event, we will contact you specifically to obtain your consent.
We will share limited, relevant and specific information with affinity partners where this assists with an application made to us or a funded project.
With your consent, we will share information with an affinity partner that may help you in developing or exploiting the idea, product or service that was the basis of your application. You may refuse to consent to sharing information where it is not necessary for us to share it.
Please note, each affinity partner will have its own privacy policy, which will determine how it deals with your information once it has received it.
Where we share information with affinity partners, we will ensure that there is a formal data sharing or non-disclosure agreement in place.
7.7 Other organisations
In some circumstances, we will ask that certain information that we collect from you can be shared with other organisations that are not an affinity partner.
We will obtain your consent in instances where it is not necessary for us to share your information to undertake our public tasks or functions. We will do this either when you initially provide the information or, if that is not possible, after we have received your information.
If consent is required, you are free to refuse your consent.
7.8 Audit by third parties
We may be subject to auditing by an independent third party to ensure that we are conducting our activities efficiently and the impact of the funding that we provide.
Should this be the case, we may need to share your information with auditors as part of our public tasks and functions.
If we consider that consent is required, we will ask for this in advance of sharing personal information.
We will ensure that any external auditors or assessors hold your information and personal data both confidentially and securely.
7.9 Fraud protection
If you provide false or inaccurate information and fraud is identified, your details will be passed to fraud prevention agencies.
This can be done without your consent. Law enforcement agencies may also access and use this information.
We and other relevant organisations may also access and use this information to prevent fraud and money laundering. Examples include:
- when checking details on applications for credit and credit-related or other facilities
- managing credit and credit-related accounts or facilities
- recovering debt
- checking details on proposals and claims for all types of insurance
- checking details of job applicants and employees.
We and other organisations may also access and use the information recorded by fraud prevention agencies outside of the UK. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
8. Your rights
You have rights in relation to the personal data you give us or that we collect about you.
These include:
- a data subject access request, which is the right to ask us to send the information we have about you free-of-charge, including:
- why and how we are using your information
- other parties to which we may have disclosed that information
- where we originally obtained the information
- for how long we will use it (in a data subject access request, if any of your information is held in manual records that are not within a filing system and it will cost more than the prescribed amount of £450 to £600 to provide you with those records, we will not have to provide all of this information to you.)
- the right to ask us to correct any mistakes in any information we hold about you
- the right to ask us to erase the information we hold about you, known as the ‘right to be forgotten’. Please note that this right does not apply in all circumstances. If you ask us to erase your information and there is a legal reason or otherwise why we cannot do so, we will explain this to you
- the right to ask us to stop using your information, where this information is not correct, where we are not allowed to use your information, or you believe we no longer need to do so. Please note, we may be allowed to continue to store your information because of our public functions or tasks. We will explain to you if this is the case
- the right to ask us to send the information we hold about you to another person or company in a structured, commonly-used and machine-readable format. If you ask us to send your information and we cannot do it, we will explain why not if we are allowed to use or store your information, you have the right to object to this, and for us to stop using or storing it, unless we can explain why we believe we need to keep it
- the right to withdraw your consent at any time where we use or store your data because you have agreed to it, such as ticking a box to receive a newsletter
- the right to object to us using or storing your information for marketing purposes.
If you wish to exercise any of your legal rights, please contact our Data Protection Officer by email or in writing.
9. Changes to this policy
Any changes we make to our information management will be reflected in this policy.
We may update this policy if additional guidance is introduced, for example, by the Information Commissioner’s Office, which clarifies a particular aspect of the Data Protection Act or the GDPR.
Please ensure you are referring to the most up-to-date version.
10. How to contact us
For any questions or enquiries about your rights under this policy, please contact our Data Protection Officer.
Data Protection Officer
Head of Information Governance
UK Research and Innovation
Polaris House
North Star Avenue
Swindon
SN2 1FL
Email: dataprotection@ukri.org
11. How to contact the Information Commissioner’s Office
You have the right to complain to the Information Commissioner’s Office if you believe we are not complying with the laws and regulations relating to the use or storage of the information you give us or that we collect about you.
For further information please see the Information Commissioner’s Office website.