About the data we collect for CREST

CREST Awards Privacy Information

The details of the data controller are: 

British Science Association 
165 Queens Gate 
London 
SW7 5HD 

Our ICO registration number is: Z7505720

The CREST Awards are managed by the British Science Association (BSA). We take the security of your personal data and the safeguarding of your privacy seriously. The data that we collect, process and use is treated in accordance with this Privacy Information, the General Data Protection Regulation, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003. We aim to be clear about how we collect and use your data and not to do anything with it that you would not reasonably expect.

The full BSA privacy policy is here.

The CREST Awards collect and process data in the following way:

Lawful basis for processing the data 

  1. Legitimate interests  
  2. We have previously relied on other lawful bases – if you think one of these may apply to you and you have questions, please get in touch using the email at the bottom of the page. 

Collection purpose

  1. Account owner names and email addresses are collected for operational communications. Account owners are teachers and students. 
  2. Student ethnicity, gender, disability, free school meal and age range data are collected separately to the overall project and are processed anonymously. Where an individual student is submitted, it may be easier to identify that student's data; however, this information is stored and processed separately. There is a ‘prefer not to say’ option for all diversity data where people are not happy to provide this. 
  3. Student names are used for certificate printing to record the student’s achievement of the Award.

Retention purpose

  1. To keep in touch with and maintain a record of teachers and students who have taken part in the Awards, so we can verify the date of the award if asked by the student in the future. 
  2. For future reporting purposes, e.g. a CREST impact report may be based on ~9 years of historical data.
  3. We ask for sensitive data such as ethnicity and disability for diversity monitoring purposes and collect and analyse this data anonymously. There is a ‘prefer not to say’ option. Data that was collected non-anonymously in the past has been brought in line with our current data collection standards and is now also stored anonymously.

Data held 

  1. Data on teachers who have submitted students – name, email, certificate delivery address. 
  2. Data on students submitted for Discovery and Bronze awards – name, school. 
  3. Data on students submitted for Silver and Gold awards – name, email, school, certificate delivery address. 
  4. Anonymous diversity data held on students (when ‘Prefer not to say’ is not chosen) – gender, age range, ethnicity, disability, free school meal data.
  5. For the CREST submission platform, apply.crestawards.org, Survey Monkey collects geolocation data such as IP address. Momentive is the controller for this data. View their privacy policy.

How we collect the data 

  1. A teacher or student (expected to be 14 or over) signs up as a project owner to enter students for CREST Awards via the CREST website. 
  2. Online via Survey Monkey Apply – a platform owned by Momentive. (We formerly collected data via FluidReview, also owned by Momentive, and via a bespoke platform, my.crestawards.org.)

Retention period 

  1. Student and teacher data is stored for 5 years. For online accounts this means 5 years since last login.
  2. Some financial data will be stored for up to 6 years, including name, email address and bank details. This will be retained due to legal requirements. Get in touch using the email at the bottom of the page if you have questions about this.

Shared with a Third Party? 

  1. Users submit data online via CREST website. This is accessible to Momentive (who own Survey Monkey Apply (the new CREST platform) and FluidReview (the old CREST platform)). View Survey Monkey's privacy policy here. We previously used a third party for the platform my.crestawards.org, who we had a Data Processing Agreement with.
  2. Student names and certificate delivery addresses for Discovery, Bronze, Silver and Gold are sent to our printer to print CREST certificates. We have a Data Processing Agreement in place with them. 
  3. We use Xero to manage the CREST Award finances. Some data is transferred to Xero for the purposes of administering the CREST Awards. You can find Xero's privacy policy here.  
  4. We use a Stripe integration to allow card payments for the CREST Awards. You can find Stripe's privacy policy here.
  5. We previously used Mailchimp to send functional emails to Discovery and Bronze users. You can find their privacy policy here.

Security

To keep your personal data secure, we maintain physical, technical and administrative safeguards. We update and test our security technology on an ongoing basis. We store your data in a secure cloud-based service which requires ‘two step authentication’ to prevent unauthorised access.

We restrict access to your personal data to only those employees and contractors who need to know that information. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your information.


Visitors to our websites

When someone visits our websites we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to track data, such as the number of visitors to various parts of the site. This information is processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it. See Google’s Privacy Policy here.


Use of cookies by the BSA

www.britishscienceassociation.org and all our affiliated websites use cookies. Cookies are text files placed on your computer to collect standard internet log information and visitor behaviour information. This information is used to track visitor use of the website and to compile statistical reports on website activity.

For further information, visit www.aboutcookies.org or www.allaboutcookies.org. You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.


The BSA is not responsible for the privacy notices and practices of other websites even if accessed using links from our website. We recommend that you read their privacy policies and have linked to them in this privacy information where we can.


Complaints or queries about this privacy information

The BSA tries to meet the highest standards when collecting and using personal information and we take any complaints we receive about this very seriously.

You can make a complaint if you think our collection or use of information is inaccurate, unfair or misleading.

We also welcome any suggestions for improving our procedures.

This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of BSA’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.

dataprotection@britishscienceassociation.org 

Access to personal information

What can you tell me about the data you have about me?

On receipt of evidence of your identity, we can provide:

  • confirmation that your data is being processed;
  • access to your personal data; and
  • any other supplementary information

In some cases, what will be provided may be limited if in sharing the data we would also be providing data on another individual. In these cases, we may have to ask for consent to contact the other individual for consent, edit out some of the data relating to the individual, or not share a portion of the data. If this is the case, we will communicate this with you as soon as possible and explain the reasoning behind this.

When will the information be provided?

Information will be provided within one month of receipt. However, we may extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we will inform you within one month of the receipt of the request and explain why the extension is necessary. 

How will the information be provided?

We will verify the identity of the person making the request, using ‘reasonable means’. If the request is made electronically, we will provide the information in a commonly used secure electronic format.

How to contact us

If you have any queries or concerns, please contact our Data Protection Lead:

Gill Riches

Director of Programmes

165 Queens Gate,

London,

SW7 5HD

E: Gill.Riches@britishscienceassociation.org 

W: www.britishscienceassociation.org

T: +44 (0)20 7019 4924

Changes to this privacy notice

This Policy was last updated on 06/12/2021.

This BSA Privacy Policy may change from time to time so you may wish to check it whenever you visit our website. If we make material changes, we will make this clear on our website or contact you directly.

