Privacy Notice – BSI Convened Communities (Bridge AI)

Introduction

The Innovate UK Bridge AI programme aims to drive growth and competitiveness in the UK economy through the adoption of artificial intelligence (AI) and machine learning (ML).  The programme was launched by HMG/UKRI on 6 March 2023, and will bring together businesses from priority sectors with AI experts and developers, to foster an AI innovation network in the UK.

BSI are involved in managing the programme in conjunction with other parties, who are explained in section 4.

This Privacy notice relates specifically to your personal data that BSI process in relation to the Innovate UK Bridge AI programme.

BSI

BSI Standards Limited (ICO registration ZA342039) (“BSI”) takes its data protection obligations seriously and is committed to protecting the personal data we process and respecting the privacy of all individuals who provide us with their personal data. This Privacy notice is intended to set out your rights and answer any queries you may have about your personal data. If you need more information, please contact: PrivacyTeam@bsigroup.com

Our personal data handling policy and procedures have been developed in line with the data protection laws that apply to us in the countries in which we offer our good and services, in particular the EU General Data Protection Regulation ((EU) 2016/679) (the “EU GDPR”) and the UK General Data Protection Regulation which reflects the retained and amended provisions of the EU GDPR that are incorporated into UK law under the UK European Union (Withdrawal) Act 2018 as amended (the “UK GDPR”), as these laws establish the most expansive data protection obligations.

It is important that you read this privacy notice so that you are fully aware of how and why we are using your data. This privacy notice supplements other notices and privacy policies and is not intended to override them.

 

 

 

1. What personal data do we collect?

BSI is the controller and responsible for your personal data (also referred to as "we", "us" or "our" in this privacy notice).

 

 

 

We collect and process personal data about you when you interact with us and our services. We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

Identity Data including name and title, username, job title and employer

Contact data including email address and telephone numbers

Technical Data including internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website

Profile Data including your username and password, your professional interests, preferences, feedback and survey responses

Usage Data including information about how you use our website and services.

Marketing and Communications Data including your preferences in receiving marketing from us and our third parties and your communication preferences.

 

 

 

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

We do not collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

 

 

 

2. How do we use this personal data and what is the legal basis of this use?

We will only use your personal data for a specific and lawful purpose. Most commonly, we will use your personal data in the following circumstances:

·         Where we need to perform the contract we are about to enter into or have entered into with you.

·         Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

·         Where we need to comply with a legal obligation.

Generally, we do not rely on consent as a legal basis for processing your personal data although we will get your consent before sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.

Purposes for which we will use your personal data

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

Purpose/ activity	Type of data	Lawful basis for processing including basis of legitimate interest
To create, manage and administer your user account	(a) Identity (b) Contact	Necessary for our legitimate interests
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)	(a) Identity (b) Contact (c) Technical	Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
To manage our relationship with you which (including newletters, feedback, complaints, personalised digests)	(a) Identity (b) Contact (c) Profile (d) Marketing and Communications	Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you	(a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Technical	Your explicit consent
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences	(a) Technical (b) Usage	Your explicit consent
To send you a personalised email digest of community activity of interest to you, if you have opted in to receive such information	(a) Identity (b) Contact (c) Profile (d) Marketing and Communications	Your explicit consent

 

 

 

 

 

 

We process the personal data listed in paragraph 1 above for the following purposes:

·         To create and maintain a user account on the BSI Convened Communities Hub and enable you to participate more fully in discussions, events, and access materials available only to community members;

·         To enable contact with other community members through public and private messages within the BSI Convened Communities Hub;

·         to comply with applicable law and regulation;

·         in accordance with our legitimate interests in protecting BSI's legitimate business interests, role as the National Standards Body, and legal rights, including but not limited to, use in connection with legal claims, compliance, regulatory and investigative purposes (including disclosure of such information in connection with legal process or litigation);

·         to respond to any comments or complaints we may receive from you, or to investigate any complaints received from you or from others, about our website or our products or services;

·         based on your explicit consent to you provide to personalise (i) our communications to you; (ii) our website; and (iii) products or services for you;

·         based on your explicit consent to monitor use of our websites and online services. We may use your information to help us check, improve and protect our products, content, services and websites, both online and offline;

·         when deemed necessary to monitor any customer account to prevent, investigate and/or report fraud, terrorism, misrepresentation, security incidents or crime, in accordance with applicable law and our legitimate interests;

·         we may use your information to invite you to take part in community events, market research or surveys.

 

 

 

Marketing

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We will get your explicit opt-in consent prior to sending you emails regarding personalised content.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you to obtain your consent or where necessary to meet a legal obligation which permits us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

3. How is your personal data collected?

We use different methods to collect data from and about you including through:

Direct interactions. You may give us your Identity and Contact Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you:

·         create an account on our website;

·         subscribe to our service or publications;

·         request marketing to be sent to you; or

·         give us feedback or contact us.

Automated technologies or interactions. As you interact with our website and based on your explicit consentwe will automatically collect Technical Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy [LINK] for further details.

4. How will we share your personal data?

We may share your personal data with BSI Group companies to process it for the purposes of inter-group administration and to deliver products or services where elements of these are provided by BSI group companies other than those with which you have directly contracted. The British Standards Institution (ICO registration Z7888292) is the parent company of BSI Group. BSI Group is made up of different legal entities, including BSI Standards Limited (ICO registration ZA342039), BSI Assurance UK Limited (ICO registration ZA341951) and/or BSI Digital Trust (ICO registration Z1767162).

The following companies are partners for this BSI Convened Communities Hub and will be acting as independent controllers of your personal data associated with the Innovate UK BridgeAI programme:

·         UK Research and Innovation (“UKRI”) The Alan Turing Institute Digital Catapult

·         Knowledge Transfer Network Ltd

We may also share your personal data with the below third parties:

·         The sponsor of the BSI Convened Communities Hub, where the name of the sponsor is clearly shown on the Hub website.

·         Service providers acting as processors who provide IT and system administration services.

·         our professional advisors such as our auditors and external legal and financial advisors;

·         marketing and communications agencies where they have agreed to process your personal data in line with this Privacy notice;

·         market research companies;

·         our suppliers, business partners and sub-contractors; and/or

·         search engine and web analytics.
 

Personal data may be shared with government authorities and/or law enforcement officials if required for the purposes above, if mandated by law or if needed for the legal protection of our legitimate interests in compliance with applicable laws. Personal data may also be shared with third party service providers who will process it on behalf of BSI for the purposes above. Such third parties include, but are not limited to, providers of website hosting, maintenance, call centre operation and identity checking.

In the event that our business or any part of it is sold or integrated with another business, your details will be disclosed to our advisers and those of any prospective purchaser and will be passed to the new owners of the business.

Third-party links

This website may include links to third-party websites, plug-ins and applications, such as the parties involved in the programme. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

5. For how long will you keep my personal data?

We will not keep your personal data for any purpose longer than necessary to fulfil the original or a compatible purpose. In some instances, we are required to retain certain information by law or due to our role as the National Standards Body, and for as long as reasonably necessary to meet regulatory or accreditation requirements, resolve disputes, prevent fraud and abuse, or enforce our terms and conditions. Where this is the case, your personal data will only be processed for the relevant legitimate purpose and not used for marketing.

Where you are a community member, we will keep your personal data for the length of time you are actively using the community, until such point that you (a) choose to close your user account and associated personal data; or, if you have not chosen to delete your account (b) for 2 years from when you last interacted with the BSI Convened Communities Hub.

We may retain your personal data for a time beyond the specified retention period, to allow for information to be reviewed and any deletion to take place. After it is no longer necessary for us to retain your personal data, we dispose of it securely according to our Document & Information Retention Policy.

 

 

 

6. Where is my data stored?

The personal data that we collect from you is stored inside, the United Kingdom or the European Economic Area (“EEA”). It may be processed by staff operating outside the United Kingdom or EEA who work for us or for one of our suppliers, in which case the third country's data protection laws will have been approved as adequate by the European Commission, the UK’s Information Commissioner's Office, or other applicable safeguards will be in place. Further information may be obtained from our Privacy Team.  

7. What are my rights in relation to my personal data?

What we may need from you

To protect your confidentiality, it is important that we validate your identity before fulfilling your request. Where it is not possible to verify your identity by technical means, we will request specific information or documentation from you, for the sole purpose of verifying your identity, which will be securely deleted once your identity check is complete.     We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Your legal rights

The UK data protection laws grant you the following rights, which you can exercise by contacting our Privacy Team:

·         Right of access – you have the right to request a copy of the information that we hold about you.

·         Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.

·         Right to be erasure – in certain circumstances you can ask for the data we hold about you to be erased from our records. This right is subject to mandatory retention periods and it is not a guaranteed or absolute right.

·         Right to restriction of processing – where certain conditions apply you have a right to restrict the processing.

·         Right of portability – you have the right to have the data we hold about you transferred to another organisation.

·         Right to object – you have the right to object to certain types of processing such as direct marketing.

·         Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.

You have the right to ask us not to process your personal data for marketing purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data, clicking the unsubscribe button on any communication we have sent to you or by contacting us. privacyteam@bsigroup.com

Where you have consented to us using your personal data, you can withdraw that consent at any time.

If you have a complaint about how we have handled your personal data, you may be able to ask us to restrict how we use your personal data while your complaint is resolved. In some circumstances you can ask us to erase your personal data (a) by withdrawing your consent for us to use it; (b) if it is no longer necessary for us to use your personal data; (c) if you object to the use of your personal data and we don't have a good reason to continue to use it; or (d) if we haven't handled your personal data in accordance with our obligations.

7. Where can I find more information about BSI’s handling of my data?

Should you have any queries regarding this Privacy notice, about BSI's processing of your personal data or wish to exercise your rights you can contact BSI’s Privacy Team using this email address: PrivacyTeam@bsigroup.com.

If you are not happy with our response, if you are based:

·         in the United Kingdom, you can contact the Information Commissioner's Office https://ico.org.uk/;

·         in the EEA, you can contact the Dutch Data Protection authority, which is our lead supervisory authority in the European Union https://autoriteitpersoonsgegevens.nl/en;

·         anywhere else, you have the right to lodge your complaint with the relevant data protection regulator in the country where you are located.