Privacy Notice
We ask that you read this privacy notice carefully as it contains important information on who we are, how and why we collect, store, use and share personal data, your rights in relation to your personal data and on how to contact us in the event that you have a query or complaint.
The University of Warwick ("UoW") and The Department for Education ("DfE") are committed to protecting the privacy and security of personal data. The purpose of this notice is to promote transparency in the use of personal data, and to outline how the SSC Explorer collects and uses personal data when you access our website, in accordance with the UK General Data Protection Regulation 2016 ("UK GDPR") and the Data Protection Act 2018 ("DPA 2018").
UoW and DfE determine the purpose(s) and means of the processing of certain personal data about you. When we do so we are regulated under the UK GDPR and DPA 2018 and we are responsible as "joint data controllers" of that personal data for the purposes of those laws. UoW and its third-party services (see below) also collect, use and are responsible for certain personal data about you. This is known as "processing" and UoW's third-party services are regulated by the same laws in this role.
Throughout this notice, "we", "our", and "us" refer to UoW and DfE; "you" and "your" refer to those accessing our website.
The personal data we collect and use
The following personal data may be collected, stored and used:
Website usage data
- IP address
- Browser details
- Pages accessed on the website
- Time and date of visit
Authentication data (when you create an account)
- Email address
- User ID (generated automatically)
- Authentication tokens (stored in cookies)
User profile data
- Name
- Email address
- Organisation (optional)
- Role (optional)
- Contact consent (whether you consent to be contacted regarding your feedback)
- Feedback content (relevance votes and freetext comments)
- Entity type and ID (the item you provided feedback on)
- Timestamp of feedback submission
Skill lists (when you create custom skill lists)
- Skill list name and description
- Skills selected
- User ID (to associate lists with your account)
- Creation and modification timestamps
API usage data
- API key (hashed)
- Organisation name
- Contact email
- Last used timestamp
How we obtain your personal data
We collect your personal data as follows:
- Automatically when you visit our website
- When you create an account
- When you submit feedback through our feedback forms
- When you create and save skill lists
- When you request API access
- Through the use of cookies (see our Cookies Notice)
Purpose and lawful basis for processing
We process your personal data for the following purposes under the following lawful bases:
Legitimate interests
- To provide you with information about skills, occupations, qualifications and knowledge from the Standardised Skills Classification
- To improve the functionality and usability of our website
- To maintain web server logs for security purposes
- To conduct statistical analysis of website usage to improve our service
- For system diagnostic and problem-solving purposes
Consent
- To contact you regarding feedback you have provided (only if you have given explicit consent)
Public task
- The lawful basis the Department for Education (DfE) relies on for this processing of your personal data is public task, under article 6(1)(e) of the UK GDPR. This allows us to process personal data when this is necessary to do our work as a government department. Additional information on how we gather evidence for policy development, evaluation and delivery can be seen here: Privacy information: stakeholders - GOV.UK.
Contractual necessity
- To enable you to create an account and use authenticated features
- To provide API access to authorised users
Please note that we may be required to disclose information for law enforcement purposes.
Retention of your personal data
The UK GDPR and DPA 2018 require that personal data should be kept for no longer than is necessary for the purposes for which the personal data are processed.
Personal data retention periods:
- Authentication cookies: 7 days or when you sign out
- User accounts: Until you request deletion or close your account
- User feedback: Retained for the lifetime of the service to inform ongoing development
- Skill lists: Until you delete them or close your account
- API keys: 90 days from creation (automatically expire)
- Web server logs: 90 days
Transfers outside the United Kingdom
Our service uses Supabase for authentication and data storage. Supabase stores data within the European Economic Area. If we transfer any of your personal data outside of the UK, we will ensure appropriate safeguards are in place in accordance with UK GDPR requirements.
Data subject rights
Under the UK GDPR and DPA 2018 you have a number of important rights free of charge.
You have the right to:
- Be informed of how we collect and use your personal data
- Access your personal data
- Require us to correct any mistakes in the data we hold on you
- Require the erasure of personal data concerning you in certain situations
- Restrict our processing of your personal data in certain circumstances
- Receive your personal data in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations
- Object in certain situations to our continued processing of your personal data or at any time to processing of your personal data for direct marketing
- Object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you
- Withdraw consent at any time (where processing is based on consent)
To exercise any of these rights, please contact us using the details below. If a subject access request is made and the request for access is clearly unfounded or excessive, we reserve the right to refuse to comply with the request in these circumstances.
Keeping your personal data secure
We keep your personal data secure at all times using organisational, physical and technical measures.
Where appropriate, we take measures such as:
- Anonymisation to ensure data cannot be used to identify you where identification is not necessary
- Encryption to ensure that data cannot be accessed without the right security credentials
- Use of industry-standard authentication providers (Supabase) with enterprise-grade security
- Regular security testing and updates
Where we engage a third party to process personal data, we do so on the basis of written contracts which conform to the security requirements of the UK GDPR.
Third-party services
We use the following third-party services that process personal data:
- Supabase: For authentication and database storage. Supabase maintains its own privacy policy at supabase.com/privacy
- Hetzner: For cloud infrastructure & web hosting. Hetzner provides more information about the data protections they use at hetzner.com/european-cloud
- Cloudflare: For directing encrypted web traffic. Cloudflare provides more information about its data privacy and protection at cloudflare.com/en-gb/trust-hub/privacy-and-data-protection/
- Founders & Coders: For application design, development and testing. Founders and coders maintains its own privacy policy at foundersandcoders.com/footerinfo/privacy-policy
How to contact us
We hope that our Data Protection Officer (DPO) can resolve any query, concern or complaint you may raise about our use of your personal data on the contact details below:
The DPO can be contacted via email at [email protected] or by post at:
The Data Protection Officer
Legal and Compliance Services
University of Warwick
University House
Kirby Corner Road
CV4 8UW
Making a complaint
The UK GDPR and DPA 2018 give you the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe that we have not complied with the requirements of the UK GDPR or DPA 2018 with regard to your personal data.
The ICO can be contacted at: ico.org.uk/make-a-complaint or by telephone on 0303 123 1113.
Changes to this privacy notice
This privacy notice was published on 21 November.
We may change this privacy notice from time to time. When we do, we will inform you by putting a message on the website.