Data protection and Privacy
Data Storage and Privacy
The EDA Website and the EDA application are operated by the National Centre for the Replacement, Refinement and Reduction of Animals in Research (“NC3Rs”) (“we”, “us” or “our”). Our registered office is at Gibbs Building 215 Euston Road, London NW1 2BE.
The NC3Rs takes your privacy seriously and recognises the importance of honest and responsible use of your “personal information” (being information which identifies and relates to you, either on its own or when combined with other information held by us. Your name, address and contact details are all examples of your personal information, if they identify you (also known as “personal data”)). The term “process” means any activity relating to personal information, including, by way of example, collection, storage, use, consultation and transmission. We are a “controller” of your personal information. This is a legal term - it means that we make decisions about how and why we process your personal information and, because of this, we are responsible for making sure it is used in accordance with data protection laws.
Should we ask you to provide, or should you choose to volunteer certain personal information about yourself to us when using this EDA Website, then you can be assured that it will only be used in accordance with this Policy.
The NC3Rs may change this policy from time to time by updating this page. You should check this page to ensure that you are happy with any changes or information. This policy is effective from April 2021.
What personal information we collect
We may collect the following information:
- Service information: if you create an account with us, your username, password and contact information including email address (we will only collect your name if you choose to give it to us e.g. you include it as part of your username), any internal communications within the EDA application (e.g. commands) and anything you create or share as part of your account;
- Correspondence information: details of each request or enquiry you submit to us, whether this is through the EDA application or to an NC3RS e-mail address/other contact method;
- IP address information: the IP address(es) you use to access the EDA Website and the EDA application (this information cannot be correlated with identifying information without directly accessing the EDA database, which is heavily secured in a different system);
- Recipient information: the e-mail address and/or other contact details you provide us with if you use the EDA application to send information (e.g. an EDA-generated spreadsheet) to a third party recipient; and
- Project information: means any personal information and/or experimental design information you choose to submit through the EDA application, all relevant details relating to each project you choose to submit to us using that application, as set out in more detail in the “EDA Application” paragraph below.
Most of this information will be collected primarily from you as information voluntarily provided to us, but we may also collect it where lawful to do so from (and combine it with information from) other individuals that you have agreed may provide your personal information to us (for example, as part of their request, enquiry or project details) and government, tax or law enforcement agencies. We may also collect personal information about you from your use of other websites run by the NC3Rs.
If any of the personal information you have given to us changes, such as your contact details, please update your account details within the EDA application without delay. If you do not use the EDA application this is not necessary, as the only personal information we collect when you visit the EDA Website is your IP address.
Use of your Personal Information
We use your personal information for particular purposes in connection with your use of the EDA Website or EDA application and the management and administration of our organisation.
We are required by law to always have a permitted reason or justification (called a “lawful basis”) for processing your personal information. There are six such permitted lawful bases for processing personal information. We have set out the different purposes for which we process your personal information and the relevant lawful basis on which we rely for that processing below.
Please note that where we have indicated below that our processing of your personal information is either:
- necessary for us to comply with a legal obligation; or
- necessary for us to take steps, at your request, to potentially enter into a contract with you, or to perform it
and you choose not to provide the relevant personal information to us, we may not be able to enter into or continue the contract or interaction with you.
We may use information about you for purposes described in this Policy. For example, we will use information about you for the following purposes:
Public interests: This is where us processing your personal information is necessary for the performance of a task in the public interest or in the exercise of official authority vested in us:
- to respond and/or deal with your request or enquiry – Service information, Correspondence information, Project information;
- to evaluate the information you provide to us through the EDA application, through our automated assessment procedure – Service information, Project information;
- to improve the EDA application, including diagnosis of technical problems, and to ensure that content from the EDA Website is presented in the most effective manner for you and for your computer (or other electronic Internet-enabled device) – Technical information, IP address information;
- to administer the EDA Website and the EDA application – Technical information;
- for internal record keeping – Service information, Correspondence information, Project information, IP address information;
- where necessary as part of any restructuring – Service information, Correspondence information, Technical information, Project information;
- to monitor access to and use of the EDA application and the EDA Website and to identify any abuse of the EDA application or the EDA Website (such as a denial of service attack) – IP address information.
Legal obligation: This is where us processing your personal information is necessary for compliance with one of our binding legal obligations
- for compliance with legal, regulatory and other good governance obligations – Service information, Correspondence information, Technical information, Project information.
- to enable secure management of account – Service information, IP address information.
Contract: This is where us processing your personal information is necessary for the performance of a contract with you (or to take steps at your request prior to entering into a contract with you)
- see the “EDA Application” paragraph below;
- to provide the services requested by you in accordance with our terms and conditions – Service information;
- to enable users to register an anonymised form of authentication in the EDA application – Service information;
- used in communication to assure users that it is a legitimate communication (e.g. password reset, account disabled) – Service information
- to enable users to create an account in the EDA application – Service information
- to ensure legitimate registration – Service information
- to allow users to control and maintain access to their account – Service information
- legitimate EDA application functionality to allow users to develop their experimental plan and obtain feedback on it – Service information
- legitimate EDA application functionality that allows users to share their experimental plans with other researchers who might not currently have EDA accounts – Service information, Recipient information
Legitimate interests: This is where us processing your personal information is necessary for the purposes of the legitimate interests pursued by a third party (the EDA application user)
- to allow EDA application users to send information (e.g. an EDA-generated spreadsheet) to a third party recipient – Recipient information
This list may be updated from time to time as business needs and legal requirements dictate. Some of the personal information that we hold will be kept in paper files, while other personal information will be included in computerised files and electronic databases.
In most cases, the information we process about you is required to deal with your request, enquiry, submission(s) through the EDA application, is required by law or is necessary for the exercise of our legitimate business interests and needs, in which case special care is taken to safeguard your rights and to ensure any such use is proportionate.
We may also convert personal information about you (which may include Project information) into anonymous data and use it (normally on an aggregated statistical basis) for research and analysis.
Special category personal information
We are required by law to treat certain categories of personal information with even more care than usual. These are called sensitive or special categories of personal information and different lawful bases apply to them. We will only collect special categories of personal information if you voluntarily provide them to us. We will not ask for your special categories of personal information and encourage you not to provide us with it.
Sometimes we need to disclose your personal information to other people and/or organisations. Details of the data sharing we undertake are set out below.
Inside the MRC/UKRI Group
Your personal information will be made available for the purposes mentioned above (or as otherwise notified to you from time to time), on a ‘need-to-know’ basis and only to responsible management, legal, audit, compliance, information technology and other corporate staff who properly need to know these details for their functions within the NC3Rs.
We will also need to share your personal information with other organisations in the group for our general business purposes/approvals with relevant decision makers, reporting and where systems and services are provided on a shared basis, for example IT support and the group’s project management board.
Access rights between members of the MRC group are limited and granted only on a need to know basis, depending on job functions and roles.
Where any Medical Research Council group organisations process your personal information on our behalf (as our processor), we will make sure that they have appropriate security standards in place to make sure your personal information is protected and we will enter into a written contract imposing appropriate security standards on them.
Outside the MRC/UKRI Group
Your personal information may also be made available to third parties providing relevant services under contract to us. These companies may use information about you to perform their functions on our behalf (as processors). We have put in place various security and data privacy measures, including with such third parties, in order to protect personal information. Examples of these third party service providers include service providers and/or sub-contractors, such as IT systems software and maintenance, back up, and server hosting providers. We will also share your IP address information with Google Analytics to monitor access to the EDA Website (see below for further information).
In certain circumstances, we will also disclose your personal information to third parties who will receive it as controllers of your personal information in their own right for the purposes set out above, in particular:
- if we transfer, purchase, reorganise, merge or sell any part of the organisation or the business of a third party, and we disclose or transfer your personal information to the prospective seller, buyer or other third party involved in a transfer, reorganisation or merger arrangement (and their advisors); and
- if we need to disclose your personal information in order to comply with a legal obligation, to enforce a contract or to protect the rights, property or safety of our staff, EDA Website and EDA application users or others.
We have set out below a list of the categories of recipients with whom we are likely to share your personal information:
- providers of IT support and maintenance, for example the MRC and Certus;
- consultants and professional advisors including legal advisors and accountants;
- courts, court-appointed persons/entities, receivers and liquidators;
- business partners and joint ventures;
- trade associations and professional bodies; and
We may also share your personal information with third parties (including to obtain feedback from other users), as directed by you.
We may also disclose specific information upon lawful request by government authorities, statutory and regulatory bodies including the Information Commissioner’s Office, the police and Her Majesty’s Revenue and Customs law enforcement and regulatory authorities where required or permitted by law and for tax or other purposes.
When you visit the EDA Website, we use a third-party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out such things as the number of visitors to the various parts of the site. This information is only processed in a way that does not identify anyone.
The EDA application provided through the EDA Website allows you to submit details of your projects to be critiqued in order to assist in the furtherance of such projects. Should you choose to submit your project details, in each case you will be given the option of:
- saving the Project information to your registered account on the EDA application for future retrieval;
- sharing the Project information with other specific registered members of the EDA application, whom you choose to share this information with;
- exporting a copy of the Project information from the EDA application; and/or
- deleting the Project information from your account.
Where you choose to save the Project information to your EDA application account and to share the Project information with other registered user(s), we will disclose those details (including correspondence in the covering message sent with the project being shared) and any other details that you ask us to share. By requesting such data sharing, this is part of the contract you have/will enter(ed) into with us which includes the disclosure of the Project information and any additional details volunteered by you to each identified registered user, whom you choose to share this information with.
Should the Project information contain the personal information of any third parties, you agree that by entering their details onto the EDA application, you have sought their prior consent to the processing of their personal information by the NC3Rs in accordance with this Policy.
Any exported Project information will be retained by the NC3Rs (unless you choose to delete it from your account, or to delete your account, in which case we will keep it for five weeks (one cycle of the backup process) after the deletion command is received).
Statistical information on the use of the EDA Website and EDA application may be collected to help provide analytics on user engagement and to help with future development.
Where in the world is your personal information transferred to?
If any of our processing activities require your personal information to be transferred outside the European Economic Area (“EEA”), we will only make that transfer if:
- the country to which the personal information is to be transferred ensures an adequate level of protection for personal information;
- we have put in place appropriate safeguards to protect your personal information, such as an appropriate contract with the recipient (please contact email@example.com if you wish to obtain a copy of these);
- the transfer is necessary for one of the reasons specified in data protection legislation, such as the performance of a contract between us and you; or
- you explicitly consent to the transfer.
Security & Data Storage
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure we have put in place reasonable physical, technical and organisational procedures to safeguard and secure the information we collect. However, no organisation can fully eliminate security risks associated with the transmission of personal information or intellectual property through online transactions, and you do so at your own risk.
How long do we keep your personal information for?
In relation to Service information, we will keep this for 3 days + five weeks (one cycle of the backup process) if it relates to an account that has never been activated, or until you, the user, deletes the account + five weeks (one cycle of the backup process) if it relates to an activated account. In relation to Project information, we will keep an EDA diagram exported and saved locally only during the session, and an EDA diagram saved in the EDA application until you delete the diagram + five weeks (one cycle of the backup process) or until the user deletes account + five weeks (one cycle of the backup process). In relation to Recipient information, we will keep this information for 3 days + five weeks (one cycle of the backup process) after which it will be deleted unless you have set up an EDA account in the interim, in which case the information becomes Service information.
If you set up an account in the EDA application, we will not delete your account because of inactivity, but any user may elect to delete their account at any time. We will therefore store your personal information held on your account until you delete the account.
If you are only using the EDA Website and not the EDA application, we will keep your IP address information during your use of the EDA Website and for up to 26 months afterwards as part of the Google Analytics Analysis of EDA Website usage.
We will hold your Correspondence information for up to 12 months from collection, and will remove all personal information from your Technical information within 12 months of collection.
We will only retain your personal information for a limited period of time. This will depend on a number of factors, including:
- any laws or regulations that we are required to follow;
- whether we are in a legal or other type of dispute with each other or any third party;
- the type of information that we hold about you; and
- whether we are asked by you or a regulatory authority to keep your personal information for a valid reason.
Links to other websites
The EDA Website may contain links to enable you to visit other websites of interest easily. However, once you have used these links to leave the EDA Website, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
Controlling your personal information - your rights
We will not sell or lease your personal information to third parties unless we have your permission or are required to by law.
You have certain legal rights, which are briefly summarised in the table below, in relation to any personal information about you which we hold.
Where our processing of your personal information is based on your consent, you have the right to withdraw your consent at any time. If you do decide to withdraw your consent we will stop processing your personal information for that purpose, unless there is another lawful basis we can rely on – in which case, we will let you know. Your withdrawal of your consent won’t impact any of our processing up to that point.
Where our processing of your personal information is necessary for our legitimate interests, you can object to this processing at any time. If you do this, we will need to show either a compelling reason why our processing should continue, which overrides your interests, rights and freedoms or that the processing is necessary for us to establish, exercise or defend a legal claim.
If you wish to exercise any of your rights please contact firstname.lastname@example.org in the first instance.
You also have the right to lodge a complaint with the Information Commissioner’s Office, which is the UK data protection regulator. More information can be found on the Information Commissioner’s Office website at https://ico.org.uk/.
|What does it mean?
|Limitations and conditions of your right
|Right of access
|Subject to certain conditions, you are entitled to have access to your personal information (this is more commonly known as submitting a “data subject access request”).
If possible, you should specify the type of information you would like to see to ensure that our disclosure is meeting your expectations.
We must be able to verify your identity. Your request may not impact the rights and freedoms of other people, e.g. privacy and confidentiality rights of other individuals.
|Right to data portability
|Subject to certain conditions, you are entitled to receive the personal information which you have provided to us and which is processed by us by automated means, in a structured, commonly-used machine readable format.
If you exercise this right, you should specify the type of information you would like to receive (and where we should send it) where possible to ensure that our disclosure is meeting your expectations.
This right only applies if the processing is based on your consent or on our contract with you and when the processing is carried out by automated means (i.e. not for paper records). It covers only the personal information that has been provided to us by you.
|Rights in relation to inaccurate personal or incomplete data
You may challenge the accuracy or completeness of your personal information and have it corrected or completed, as applicable. You have a responsibility to help us to keep your personal information accurate and up to date.
We encourage you to notify us of any changes regarding your personal information as soon as they occur, including changes to your contact details, telephone number etc.
Please always check first whether there are any available self-help tools in your account management page.
This right only applies to your own personal information. When exercising this right, please be as specific as possible.
|Right to object to or restrict our data processing
|Subject to certain conditions, you are entitled to have your personal information erased (also known as the “right to be forgotten”), e.g. where your personal information is no longer needed for the purposes it was collected for, or where the relevant processing is unlawful.
|We may not be in a position to erase your personal information, if for example, we need it to (i) comply with a legal obligation, or (ii) exercise or defend legal claims.
|Right to withdrawal of consent
|As stated above, where our processing of your personal information is based on your consent you have the right to withdraw your consent at any time.
|If you withdraw your consent, this will only take effect for future processing.
If you believe that any information we are holding on you is incorrect or incomplete, please correct the information in your account details as soon as possible.
A cookie is a small piece of data which a website sends to a user's browser. The browser then sends the cookie(s) back when it makes subsequent requests to the website. Cookies may be stored on your computer's hard drive.
Cookies can allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, by gathering and remembering information about your preferences. Our cookies cannot be used to identify you personally. Overall, cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. You can choose to accept or decline analytical (non-essential) cookies when you first visit the EDA Website. Essential cookies enable core functionality of the EDA application and can only be disabled by changing your your browser settings. Many web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. Please bear in mind that if you do disable the use of essential cookies the EDA application will not function, although you will still be able to use the EDA Website.
- JSESSIONID: This cookie tracks your session ID, which is used to keep you logged in. This is first set before you log in to the EDA application, and is re-generated when you log in or out.
- AcceptTermsAndConditions: This cookie records that you have accepted the EDA application terms and conditions.
- _ga: This cookie is used to distinguish the individual users of the EDA website.
- _gid: This cookie is used to track visitors through the EDA Website for analytics purposes.
- _gat_gtag_UA_20009859_12: This cookie is used to track visitors through the EDA Website for analytics purposes.
Please refer to Google's technical documentation for more detailed information about these cookies (under the section 'analytics.js – Cookie Usage').
Remember that your password is personal and non-transferable. You are recommended to change it regularly. Remember to memorise it and avoid writing it down. Password Do's and Don'ts:
- Keep your passwords safe
- Change your passwords regularly
- Let anyone else use your password
- Use easily guessable words (e.g. your name)
- Re-use passwords too regularly
- Use the same password for different systems
Using a shared computer
You should take additional precautions when using public or shared computers. Remember you can be observed by others, so make sure you are not being overlooked and keep your password safe.
It is important for you to protect against unauthorised access to your password and to your computer, so be sure to log out when you finish a session.
How to log out of the EDA application
To log out from the EDA application, click on the downward arrowhead / chevron in the top right of any EDA application window (circled in blue in the image below).
Then click Log out (circled in blue in the image below).
If you use a shared or public computer to access the EDA application, you should log out to prevent other users from accessing your personal information.
Avoiding caching issues
Browsers store web pages in the cache on your computer to avoid having to fetch another copy when the user returns to the page. If the page has been updated since the user last looked, the user will sometimes miss new information because they're viewing the page from their local cache. In order to avoid viewing pages that are out of date it is a good idea to clear your cache regularly.
Instructions for popular web browsers:
Chrome: Click the menu icon at the top right corner of the screen and go to More tools > Clear Browsing Data. Select the items you want to delete, choose the period for which you want to delete them and click Clear Browsing Data.
Microsoft Edge: Go to Settings > Privacy > Clear browsing data. Then click Choose what to clear and select the items you want to delete, choose the period for which you want to delete them and click Clear now.
Firefox: Go to Tools > Clear Recent History. Choose the time range and the items you wish to clear and click Clear Now.
Disable password auto-complete function
Instructions for popular web browsers:
Chrome: Click the menu icon at the top right corner of the screen and go to Settings > Show advanced settings > Passwords and forms. Deselect the "Enable Autofill to fill out web forms in a single click" tick box.
Microsoft Edge: Go to Settings > Profiles. Choose the profile for which you want to disable auto fill. Select Passwords and toggle the switch next to Autofill passwords to the off position.
Firefox: Go to Tools > Options > Privacy > Saved forms > Settings. Select all options in the 'Clear Private Data' window, click OK, click 'Clear Saved Form Data Now'. Uncheck 'Save information I enter in forms and the Search Bar' and click OK.
Updates to this notice
We may update this notice from time to time to reflect changes to the type of personal information that we process and/or the way in which it is processed. We also encourage you to check this notice on a regular basis.
Where can you find out more?
If you want more information about any of the subjects covered in this privacy notice or if you would like to discuss any issues or concerns with us, you can contact us in any of the following ways in the first instance:
By email at: email@example.com
By telephone at: 0207 611 2233
By post at: NC3Rs, Gibbs Building, 215 Euston Road, London, NW1 2BE
If your query or concern has not been resolved after communicating with us in this way, UKRI has appointed a Data Protection Officer who you can contact. The current Data Protection Officer is David Hyett who can be contacted at firstname.lastname@example.org or David Hyett, Head of Information Governance, Polaris House, Swindon SN2 1FL.
 The National Centre for the Replacement, Refinement and Reduction of Animals in Research whose office is at Gibbs Building 215 Euston Road, London NW1 2BE (“the NC3Rs”) is an independent scientific organisation, tasked by Government with supporting the UK science base through the application of the replacement, reduction and refinement of the use of animals in research (the “3Rs”). Though it is represented legally by the MRC, which in turn is part of the executive non-departmental public body UK Research and Innovation (“UKRI”), the NC3Rs is managed independently. To avoid doubt, the MRC is the controller of personal data collected through the EDA Website and the EDA application, but it will only be managed by the representatives of the NC3Rs. Any references to NC3Rs shall mean the MRC or, in the event that MRC ceases to exist, to UK Research and Innovation.