We apply the UK Data Protection Act (incorporating the EU General Data Protection Regulation (GDPR)) to all of our global operations unless the local equivalent law is stronger.

The UK Data Protection Act (and GDPR) works in two main ways. It gives individuals rights over how their personal information is used and sets out rules for organisations that process personal information.

Our Information Security and Privacy Policy describes how we treat personal information.

Our Cookies  policy describes what cookies we use on our website and there purpose.  

Contact Details

British Council collects and processes personal information for a variety of reasons. If you wish to communicate with us about this privacy notice, or any issue relating to information governance or data protection, please contact us using the following details:

By post:

Information Governance & Risk Management Team
British Council
10 Spring Gardens
London

SW1A 2BN

Telephone: +44 (0)20 7389 4385

Email: InfoGovernance@britishcouncil.org

The British Council’s Data Protection Officer is our Director of Information Governance & Risk Management 

Telephone: (0)20 7389 4385

International transfers

British Council shares personal information within the wider British Council group of entities situated both within and outside the EU. We do this under a data sharing agreement that includes the appropriate EU model international data transfer clauses to make sure your personal information is protected, no matter which entity in the British Council group holds that information.

Where British Council makes transfers of personal information outside the British Council Group to another organisation we rely on the use of the EU model international data transfer clauses where the country the organisation is situated in is not listed as ‘adequate’ by the European Commission. 

Recipients 

We also use other organisations to process your personal information in order to carry out services on our behalf. We use them to:

  • Provide customer service, surveys and marketing
  • Personalise our services
  • Process payments
  • Carry out fraud and other legal investigations

Where we use another organisation, we make sure that your personal information is protected and remains in our control.

We also, in certain situations, share personal information to government bodies and law enforcement bodies. Where we do share personal information with these types of organisations we’ll make sure it’s protected, as far as it is reasonably possible.

Marketing

We’ll use your personal information to send you direct marketing and to better identify products and services that interest you. We do that if you’re one of our customers or if you’ve been in touch with us another way (such as registering to attend a British Council event or entering a competition).

This means we’ll:

  • create a profile about you to better understand you as a customer and tailor the communications we send you (including our marketing messages);
  • tell you about other products and services you might be interested in;
  • try to identify products and services you’re interested in; and

We use the following for marketing and to identify the products and services you’re interested in.

  • Your contact details. This includes your name, gender, address, phone number, date of birth and email address.
  • Information from cookies and tags placed on your connected devices.
  • Information from other organisations such as aggregated demographic data and publicly available sources like the electoral roll and business directories.
  • Details of the products and services you’ve bought and how you use them 

We’ll send you information (about the products and services we provide) by phone, post, email, text message, online banner advertising. We also use the information we have about you to personalise these messages wherever we can as we believe it is important to make them relevant to you.  We do this because we have a legitimate business interest in keeping you up to date with our products and services. We also check that you are happy for us to send you marketing messages before we do so. In each message we send, you also have the option to opt out.

We’ll only market other organisations’ products and services if you have said it is OK for us to do so.

You can ask us to stop sending you marketing information or withdraw your permission at any time.

Retention

British Council retains personal information in line with our corporate retention requirements.  Further details of our corporate retention schedule is available on request via the contact details above. 

Right to access personal information

Under the law any individual has a right to ask for a copy of the personal information held about them. This means that you can ask for the information that the British Council holds about you. This is known as the right of ‘subject access’.

When making a request you will need to give us: 

• a request in writing (by post or by email)

We may need to ask you to provide:

• proof of your identity

• proof of your home address

• any information that we reasonably need to locate the information you have requested (for example details of the British Council offices or staff that you have had contact with and when)

We will not start looking for your information until we receive all of the above. In order to submit your request, or for help making a request, please contact the Information Governance Advisor (Disclosures) at our Manchester office (details below). 

Although you should submit a request in writing, if you would like to speak to someone in person, you can contact the Information Governance Advisor using the following details:

Information Governance Advisor (Disclosures)
British Council
58 Whitworth Street
Manchester
M1 6BB

United Kingdom

Phone: +44(0) 161 957 7624

Email: IGDisclosures@britishcouncil.org

Rights concerning the processing of your personal information

Right to restrict processing of personal information

In some situations, you have the right to require us to restrict the processing of your personal information. We may restrict your personal information by temporarily moving the information to another processing system, making the information unavailable to users, or temporarily removing published information from a website. We may also use technical methods to ensure the personal information is not subject to further processing and cannot be changed. When we have restricted processing of personal information, this will be clearly indicated on our systems.

You can require us to restrict processing in the following circumstances:

  1. You are concerned that the information we hold about you is inaccurate. You can ask us to restrict the information until we are able to determine whether the information is accurate or inaccurate;
  2. We are processing your personal data unlawfully and you do not want us to delete the information but restrict it instead.
  3. We no longer need the information for the purposes for which we collected it, but they are needed by you for the establishment, exercise or defence of legal claims;
  4. You have objected to the processing (see below), and we need to decide whether the legitimate grounds we have to process the information override your legitimate interests.

Processing you think is unlawful

If you tell us that you think we are processing your personal information unlawfully, but you do not want the information to be erased, you have the right to require us to restrict the processing of that information.

We will ask you for an explanation about why you think the processing is unlawful, and may also ask that you provide evidence to support this view.

Processing of personal information you think is inaccurate

You can tell us if you think the personal information we are processing about you is factually inaccurate. You can require us to restrict how we use your personal information until we can verify the accuracy of the information. We will ask you for an explanation about why you think the information is inaccurate, and may also ask that you provide some supporting evidence of the alleged inaccuracy.

If we find that personal information we are processing about you is inaccurate, we will take appropriate steps to correct the information.

Personal information no longer needed by British Council, but needed by you in connection with a legal claim

In most circumstances, we will securely delete or dispose of personal information when we no longer need it for our legitimate business purposes. Our approach to retention is outlined in our corporate retention schedules. 

However, if personal information we no longer need would assist you in establishing, exercising or defending a legal claim, you can require us to keep the information for as long as necessary. We may ask you to provide an explanation and any available supporting evidence that a legal claim is on-going or contemplated. 

Right to erasure of personal data (“the right to be forgotten”)

In the following circumstances, you have the right to require that British Council securely deletes or destroys your personal information:

  • If the personal information we hold about you is no longer necessary for the purposes for which we originally collected it.
  • The processing is based on consent - if you have previously given your consent to British Council collecting and processing your personal information, and you notify us that you withdraw your consent. Please note: withdrawing your consent does not mean the processing of your personal data which occurred before the withdrawal was unlawful.
  • We are processing your personal information for direct marketing purposes, and you want us to stop.
  • If you think British Council has processed your personal information unlawfully.

If you think any of the above situations apply, we may ask you for an explanation and further information to verify this.

Right to object to processing

You have the right to object to the British Council processing your personal data in the following circumstances:

Personal information used for direct marketing

If we are using your personal information to send you direct marketing, you have the right to object at any time. If you exercise this right, we will stop processing your personal information for direct marketing purposes. However, we may keep your information on a “suppression list” to ensure your information is not added to any marketing lists at some point in the future.

Automated decision making and profiling

‘Profiling’ is automated use of personal data held on computer to analyse or predict things which have a legal effect, or other similarly significant effect, on the individual. Examples would include economic situation, health, personal preferences or interests and location. You have the right not to be subject to a solely automated decision (that is, a decision made electronically, with no human intervention), and this may include profiling (although there is no general right to object to profiling). If you are concerned the British Council has made a solely automated decision about you, you can object.

Please note, British Council is allowed to carry out automated decisions with no human intervention where you have given your explicit consent to this processing (although you have the right to withdraw your consent).

We are also permitted to make automated decisions with no human intervention in the following circumstances:

  • The automated decision is necessary to enter into, or perform a contract, or complete a contract involving you and the British Council.
  • The automated decision is allowed under a law passed at European Union level, or at the level of European  Union or EEA member state level (i.e., is allowed under a national law) or UK level. The law will provide safeguards to protect your rights and freedoms.

However, you still have a general right to object in both of the above circumstances, providing reasons why you think the processing is having a negative effect on you. If you do object, we will carefully consider your reasons, and decide whether to review the decision making process in your specific case.

Right to data portability

If you have provided your information to British Council, you have the right to request and receive a copy of that information in a structured, commonly-used and machine-readable format. 

You also have the right to ask us to send the information we hold about you to another organisation.

There are some situations in which the right to data portability does not apply. For further information, please contact: IGDisclosures@britishcouncil.org

Exercising your rights concerning the processing of your personal information

If you wish to exercise any of the above rights concerning the way in which we process your personal information, please contact:

Information Governance Advisor (Disclosures)
British Council
58 Whitworth Street
Manchester
M1 6BB

United Kingdom

Phone: +44(0) 161 957 7624

Email: IGDisclosures@britishcouncil.org

Your right to complain to a national data protection regulator (data protection supervisory authority)

If you think we have processed your personal information unfairly or unlawfully, or we have not complied with your rights under GDPR, you have the right to complain to a national data protection regulator. 

Complaints about how we process your personal information can be considered by the UK data protection regulator, the Information Commissioner’s Office (ICO). The ICO can be contacted using the following details:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

UNITED KINGDOM

Email: casework@ico.org.uk

If you live in a country or territory located in the European Union (EU) or European Economic Area (EEA), and you think that some, or all, of the issues you are concerned about have taken place in your country of residence, you can complain to your national data protection regulator. For contact details of national data protection regulators in the EU and EEA, please use the following link:

http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en....

You should be aware that from 25 May 2018 onwards, the EU or EEA regulator you first contact may not be the regulator that deals with your complaint. They may refer your complaint to another data protection regulator, and a number of regulators may work together to determine the outcome of your complaint. The overall handling of your complaint will be dealt with by a “lead supervisory authority”, which will be allocated during the complaint handling process.

If you live outside the EU or EEA, and the data protection issue you are concerned about relates to the processing of personal data in the country you live in, you may be able to complain to your national data protection or privacy regulator. Details of some national data protection or privacy regulators are detailed in the above link. Alternatively, you may be able to find details of your national privacy or data protection regulator by searching the internet.

If you have a concern about how we have processed your personal data, many data protection/privacy regulators will ask that you contact us first, outlining your concerns, allowing us to try and put the issue right, prior to contacting them with your complaint or concern.

 

External links