Data Protection Policy

The Ceres Agri-tech Knowledge Exchange Partnership project as funded by Research England is managed and run by Cambridge Enterprise on behalf of the University of Cambridge and its collaborators.

Cambridge Enterprise Data Protection Policy

1. Purpose and scope

1.1 The purpose of this policy is to ensure compliance with the General Data Protection Regulation (‘GDPR’) and related EU and national legislation (‘data protection law’ [1]). Data protection law applies to the storing or handling (‘processing’) of information (‘personal data’) about living identifiable individuals (‘data subjects’).

1.2 This policy applies to Cambridge Enterprise Ltd (‘Cambridge Enterprise’), as a single organisation (‘data controller’).

1.3 This policy applies to all staff except when acting in a private capacity. In this policy, the term ‘staff’ means anyone working in any context within Cambridge Enterprise at whatever level or grade and whether permanent, fixed term or temporary, including but not limited to employees, workers, trainees, interns, seconded staff, agency staff, agents, volunteers, and external members of committees.

1.4 This policy is not, and should not be confused with, a privacy notice [2] (a statement informing data subjects how their personal data is used by Cambridge Enterprise).

1.5 This policy should be read in conjunction with the obligations in the following documents, which supplement this policy where applicable:

1.5.1  staff employment contracts and comparable documents (e.g. worker agreements), which impose confidentiality obligations in respect of information held by Cambridge Enterprise;

1.5.2  information security policies, procedures and terms and conditions, which concern the confidentiality, integrity and availability of Cambridge Enterprise information, and which include rules about acceptable use, breach reporting, IT monitoring, and the use of personal mobile devices [3];

1.5.3  The University of Cambridge’s (the University) record management policies and guidance, which govern the appropriate retention and destruction of Cambridge Enterprise information [4];

1.5.4  any other contractual obligations on Cambridge Enterprise or individual staff which impose confidentiality or data management obligations in respect of information held by Cambridge Enterprise, which may at times exceed the obligations of this and/or other policies in specific ways.

1.5.5  the Data Protection Policy of the University; as a wholly owned subsidiary of the University, Cambridge Enterprise staff will use specific services and facilities offered by the University.

2. Policy statement

2.1 Cambridge Enterprise is committed to complying with data protection law as part of everyday working practices.

2.2 All personal data collected and/or stored by Cambridge Enterprise is done so for the sole purposes of Cambridge Enterprise’s service provision or business (including its legitimate interests), and a data subject’s relationship with Cambridge Enterprise. Cambridge Enterprise ensures that it is transparent about its data processing activities and tells data subjects the reasons for processing their personal data, how it uses such data and the legal basis for processing, in its privacy notices. It will not process personal data of data subjects for other reasons. Where Cambridge Enterprise relies on its legitimate interests as the basis for processing data, it carries out an assessment to ensure that those interests are not overridden by the rights and freedoms of individual data subjects.

2.3 Where Cambridge Enterprise processes special categories of personal data [5] to perform obligations or to exercise rights in employment law, this is done in accordance with a policy on special categories of data and criminal records data.<

2.4 Complying with data protection law may be summarised as but is not limited to:

2.4.1  understanding, and applying as necessary, the principles relating to processing of personal data as set out in the GDPR when processing personal data: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; security, integrity and confidentiality.

2.4.2  understanding, and fulfilling as necessary, the rights given to data subjects under data protection law: to be informed; access; rectification; erasure; restriction; data portability; and objection (including in relation to automated decision-making).;

2.4.3  understanding, and implementing as necessary, Cambridge Enterprise’s accountability obligations under data protection law, including implementing appropriate data protection policies such as this data protection policy;

2.4.4  implementing data protection by design and default in projects, procurement and systems;

2.4.5  using appropriate contracts with third party data controllers and data processors;

2.4.6  holding relevant records about personal data processing; implementing appropriate technical and organisational security measures to protect personal data;

2.4.7  reporting certain personal data breaches to the Information Commissioner’s Office;

2.4.8  conducting Data Protection Impact Assessments where required; and

2.4.9  ensuring adequate levels of protection when transferring personal data outside the European Economic Area (‘EEA’).

3. Roles and responsibilities

3.1 Cambridge Enterprise has a corporate responsibility as a data controller (or when acting as a joint data controller or a data processor) for:

3.1.1  complying with data protection law and holding records demonstrating this;

3.1.2  cooperating with the Information Commissioner’s Office (‘ICO’) as the UK regulator of data protection law; and

3.1.3  responding to regulatory/court action and paying administrative levies and fines issued by the ICO.

3.2 The Cambridge Enterprise Senior Management Team is responsible for:

3.2.1  reviewing at least once every five years and approving this policy;

3.2.2  assessing the overall risk profile and ensuring appropriate resources and processes are in place and implemented to enable compliance with data protection law.

3.3 The Deputy Director, as the named person within Cambridge Enterprise with responsibility for data protection compliance, is responsible for:

3.3.1  monitoring and auditing Cambridge Enterprise’s compliance with data protection law, especially its overall risk profile, and reporting when necessary to the Senior Management Team;

3.3.2  advising on all aspects of Cambridge Enterprise’s compliance with data protection law (including its use of Data Protection Impact Assessments), seeking advice from the University Information Compliance Office where necessary;

3.3.3  acting as Cambridge Enterprise’s standard point of contact with the ICO with regard to data protection law, including in the case of personal data breaches;

3.3.4  acting as an available point of contact for any complaints from data subjects;

3.3.5  handling data subject rights requests;

3.3.6  publishing and maintaining core privacy notices and other Cambridge Enterprise data protection documents;

3.3.7  managing and/or handling Data Protection Impact Assessments; and

3.3.8  ensuring all Cambridge Enterprise staff are aware of this policy as necessary;

3.3.9  ensuring that appropriate processes and training are implemented to enable compliance with data protection law; and

3.3.10  ensuring that appropriate processes are implemented to enable information assets containing personal data within Cambridge Enterprise to be included in the University’s Information Asset Register where appropriate.

3.4 Individual staff, in order to enable Cambridge Enterprise to comply with data protection law, are responsible for:

3.4.1  completing relevant data protection training;

3.4.2  following relevant advice, guidance and tools/methods provided to staff, regardless of whether access to and processing of personal data is through Cambridge Enterprise-owned and managed systems, University-owned and managed systems, or through their own or a third party’s systems and devices;

3.4.3  when processing personal data on behalf of Cambridge Enterprise, only using it as necessary for their contractual duties and/or other Cambridge Enterprise roles and not disclosing it unnecessarily or inappropriately;

3.4.4  recognising, reporting internally, and cooperating with any remedial work arising from personal data breaches, including following the procedure set out in the Personal Data Breach Policy;

3.4.5  recognising, reporting internally, and cooperating with the fulfilment of data subject rights requests, including following the procedure set out in the Subject Access Request Policy;

3.4.6  ensuring compliance with Cambridge Enterprise’s Data Retention policy, deleting and removing data in accordance with the policy; and

3.4.7  on leaving Cambridge Enterprise ensuring that all data housekeeping requirements are fulfilled, only deleting, copying or removing personal data as agreed with their Head of Team and as appropriate.

3.5 Non-observance of the responsibilities in paragraph 3.4 may result in disciplinary action.

3.6 The roles and responsibilities in paragraphs 3.1 to 3.5 do not waive any personal liability for individual criminal offences for the wilful misuse of personal data under data protection law.[6]

4. Personal Data Breach

4.1 The GDPR requires data controllers like Cambridge Enterprise to notify any personal data breach to the applicable regulator and, in certain instances, the data subject.

4.2 We have put in place procedures to deal with any suspected breach of personal data and will notify data subjects or any applicable regulator where we are legally required to do so.

4.3 If you know or suspect that a personal data breach has occurred, do not attempt to investigate the matter yourself. Following the Personal Data Breach Policy, immediately contact the Deputy Director designated as the key point of contact for personal data breaches (as set out at paragraph 3 of this data protection policy). You should preserve all evidence relating to the potential breach of personal data breach.

5. Data subject’s rights and requests

5.1 Data subjects have rights when it comes to how we handle their personal data. These include rights to:

a) withdraw consent to processing at any time (provided that consent is the lawful basis on which processing is being carried out);

b) receive certain information about the data controller’s processing activities;

c) request access to their personal data that we hold;

d) prevent our use of their personal data for direct marketing purposes;

e) ask us to erase personal data if it is no longer necessary in relation to the purposes for which it was collected or processed or to rectify inaccurate data or to complete incomplete data;

f) restrict processing in specific circumstances;

g) challenge processing which has been justified on the basis of our legitimate interests or in the public interest;

h) request a copy of an agreement under which personal data is transferred outside of the EEA;

i) object to decisions based solely on automated processing, including profiling;

j) prevent processing that is likely to cause damage or distress to the data subject or anyone else;

k) be notified of a personal data breach which is likely to result in high risk to their rights and freedoms;

l) make a complaint to the supervisory authority;

m) in limited circumstances, receive or ask for their personal data to be transferred to a third party in a structured, commonly used and machine-readable format; and

n) You must verify the identity of an individual requesting data under any of the rights listed above (do not allow third parties to persuade you into disclosing personal data without proper authorisation).

5.2 All employees must immediately forward any Data Subject request received to the Deputy Director designated as the key point of contact for data subject access requests (as set out at paragraph 3 of this data protection policy) and comply with the company’s Data Subject Access Request Policy.

6. Sharing personal data

6.1 Generally we do not share personal data with third parties unless certain safeguards and contractual arrangements have been put in place.

6.2 You should only share the personal data we hold with third parties, such as our service providers, if:

6.3 they have a need to know the information for the purposes of providing the contracted services;

6.4 sharing the personal data complies with the privacy notice provided to the data subject and, if required, the data subject’s valid consent has been obtained;

6.5 the third party has agreed to comply with the required data security standards, policies and procedures and put adequate security measures in place;

6.6 the transfer complies with any applicable cross-border transfer restrictions; and

6.7 a fully executed written contract that contains GDPR-approved third party clauses has been obtained.

7. Contact

Contact details for data protection purposes are published on the Cambridge Enterprise website [7].

This Data Protection Policy was approved by the Cambridge Enterprise Senior Management Team on 16 May 2018 and last reviewed on 21 May 2020. 

Appendix One

Data Protection – Definitions

‘Personal data’ is any information that relates to a living individual who can be identified from that information, in particular by reference to:

  • an identifier such as a name, an identification number, location data or an online identifier (such as an IP address); or
  • factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.

‘Special categories of personal data’ means information about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation and biometric data.  GDPR specifies that special categories of personal data should be treated with particular care due to its sensitive nature.

‘Processing personal data’ refers to any operations performed on personal data (whether those operations are automated or not). Common types of personal data processing include (but are not limited to) collecting, recording, organising, structuring, storing, modifying, consulting, using, publishing, combining, erasing, disseminating and destroying data.

‘Data Subject’ refers to a person who lives in the EU, who GDPR defines as ‘identified or identifiable natural person[s]’.

‘Data Controller’ is a company/organisation that collects people’s personal data and makes decisions about what to do with it.  Data Controllers must comply with applicable data privacy legislation.

[1] See http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN.

[2] For which see https://www.enterprise.cam.ac.uk/about-us/information-compliance/data-protection/core-privacy-notices/

[3] See https://help.uis.cam.ac.uk/about-us/governance and related web pages as Cambridge Enterprise is a service user of the University Information Services.

[4] See https://www.information-compliance.admin.cam.ac.uk/records-management and contact enquiries@enterprise.cam.ac.uk to request a copy of the Cambridge Enterprise Retention Guidelines

[5] See Appendix One for definition

[6] These criminal offences include: unlawfully obtaining, disclosing or retaining personal data; recklessly re-identifying de-identified personal data without the data controller’s consent; deliberately altering or deleting personal data to prevent disclosure in accordance with data subject access rights; forcing a data subject to exercise their access rights; and knowingly giving false statements to the ICO.

[7] https://www.enterprise.cam.ac.uk/about-us/information-compliance/

Making a Subject Access Request

The Ceres Agri-tech Knowledge Exchange Partnership project as funded by Research England is managed and run by Cambridge Enterprise on behalf of the University of Cambridge and its collaborators.

Under the General Data Protection Regulation (GDPR) an individual has the right, subject to certain exemptions, to access information from organisations that process their personal data. The process for obtaining this information is known as a subject access request. (Subject access requests are different to requests submitted under FOI legislation [7], which relate to information about the organisation itself.)

If you wish to make a subject access request to Cambridge Enterprise, your request must be made in writing (this may be in electronic form).

Before we can act on your request, we must be sure of your identity.

You are entitled:

  • to be informed whether your personal data is being processed by Cambridge Enterprise;
  • to have the information constituting the personal data communicated to you in a permanent form.  If your subject access request is made electronically, the information will be provided in a commonly used electronic format, unless you agree to receive it in some other way;
  • to be given the purposes of the processing and the categories of personal data concerned;
  • to be given details of the recipients to whom the data has been or will be disclosed, including recipients in countries outside the European Economic Area and the appropriate safeguards relating to such data transfers;
  • to be informed about the length of time the data will be stored, or how that period is determined;
  • to be informed about any third-party sources of the data, and where this information is available; and
  • to request the rectification or erasure of data, the restriction of processing and to object to processing.

You may apply to access your data in writing in any way you choose. A Subject Access Request Form is made available for your convenience. The form sets out where you should send your request.

Under the GDPR, the time limit for responding to a subject access request is one month from the date of receipt. However, if a request is complex, we have the right to extend the time period for response by a further two months.

If you have any reason to believe that Cambridge Enterprise has not dealt correctly with your request, please contact enquiries@enterprise.cam.ac.uk and mark your email ‘Data Protection Matter’. If you are still not satisfied, you should contact the Information Commissioner’s Office.

Key privacy notice for website users

The Ceres Agri-tech Knowledge Exchange Partnership project as funded by Research England is managed and run by Cambridge Enterprise on behalf of the University of Cambridge and its collaborators.

How we use your personal information

  1. Introduction

This page explains what personal information we gather when you visit the Ceres website http://www.ceresagritech.org and details how that information is used.

  1. Who will process my personal information?

The information published here applies to the use of your personal information (also known as ‘personal data’) by Cambridge Enterprise Ltd through the viewing or use of this site.

  1. General personal information collected on our website

The use of your personal information is necessary for the legitimate interests of the Ceres Agri-Tech Knowledge Exchange Partnership (‘Ceres’) and Cambridge Enterprise in operating and improving its website, analysing its use, and ensuring its security.

When you visit the Ceres website domain we hold certain information about you for service and security reasons. We use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. For information about how Google Analytics uses your personal information, please see http://www.google.com/intl/en/policies/privacy/ and https://support.google.com/analytics/answer/6004245.

We also collect the request made by your browser to the server hosting the website which includes the IP address, the date and time of connection and the page you ask for. We use this information to ensure the security of our websites and we delete it after a maximum of 3 months. We may use and disclose it as necessary in the event of a security concern or incident.

For information about how we use cookies on our websites, please see our Cookie Policy.

  1. Links to other websites

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control those third-party websites and we are not responsible for their privacy policies or statements.

This Privacy Notice does not apply to any website operated by a third party. If you visit a third party website, please read its Privacy Notice or privacy statement to find out how it uses your personal data.

  1. Further information

For more information about how we handle your personal information, and your rights under data protection legislation, please see www.enterprise.cam.ac.uk/about-us/information-compliance/data-protection/data-protection-policy/

This page was last updated on 12th August 2020.