Privacy Policy

OXFORD LAWTECH EDUCATION PROGRAMME (OLTEP) PRIVACY POLICY

Oxford University Innovation Limited (“we or us”) is committed to protecting your personal data.

IMPORTANT INFORMATION AND WHO WE ARE

Purpose of this Privacy Policy

This Privacy Policy gives you information about how we collect and process your personal data for the purposes of delivering the OLTEP Programme, including any personal data you provide to us or that we obtain from another source and for any purpose.

Please read this Privacy Policy carefully. It sets out how we use your personal data and your rights as a data subject.

The Controller

A Controller of personal data is a person who decides the purposes and means of processing that personal data. The Controller of your personal data is Oxford University Innovation Limited, a company registered in England with company number 02199542. Our registered office is at University Offices, Wellington Square, Oxford, OX1 2JD. We are registered with the UK Information Commissioner’s Office under registration number Z6557298.

This privacy policy applies when we control the purposes for which your personal data is collected and used; it does not apply when we process personal data on behalf of someone else who controls how your personal data is used.

Changes to this Privacy Policy and changes to your personal data

We keep this Privacy Policy under regular review and we may update and amend it from time to time. We will post the updated and amended Policy on this website. We therefore recommend that you check this page from time to time for updates or changes to this Privacy Policy. If, at the time of the change or update, we still hold your personal data, we will inform you of any material update or change to this Privacy Policy by sending an email to the last email address you provided to us.

This Privacy Policy was last updated on 24 June 2024.

It is important that the personal data we hold about you is accurate and up to date. Please keep us informed of changes to the personal data that we hold about you and let us know if the personal data that we hold about you needs to be corrected or updated by contacting us at [email protected].

Third-party websites and links

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control what personal data those third parties collect or process.

This Privacy Policy does not apply to any website operated by a third party. If you visit a third party website, please read its privacy policy, notice or statement to find out how that third party processes your personal data.

PERSONAL DATA WE PROCESS

Your personal data is any information that relates to you and that identifies you or allows you to be identified. Personal data that has been effectively anonymised is not personal data.

We may collect, use, store, transfer and process the following personal data about you:

Identity Data: first name, last name, username (which is your e-mail address)
Contact Data: e-mail address
Financial Data: VAT number, billing address, company name
Transaction Data: records of purchases and other transactions between you and us, including the contract between us and correspondence relating to that contract
Feedback Data: your responses to surveys and questionnaires
Performance Data: data about your performance and engagement with the learning content that allow us to track your progress
Marketing Data: your preferences about receiving newsletters and marketing from us
Queries and Requests: all communications and necessary data between you and us raising and dealing with queries about the processing of your personal data or requests to exercise your rights as a data subject

We do not process any Special Category Personal Data about you. Special Category Data is:

personal data revealing racial or ethnic origin;
personal data revealing political opinions;
personal data revealing religious or philosophical beliefs;
personal data revealing trade union membership;
genetic data;
biometric data (where used for identification purposes);
data concerning health;
data concerning a person’s sex life; and
data concerning a person’s sexual orientation.

We do not process any information about your criminal convictions or offences.

We do not take decisions about you based solely on automated processing.

Providing us with your personal data

You have no legal obligation to provide your personal data to us but, if you do not provide us with certain personal data, we may not be able to enter into a contract with you to provide the OLTEP Programme or, having entered into that contact we may not be able to perform it in full and may need to terminate it.

HOW IS YOUR PERSONAL DATA PROCESSED

A Processor of personal data processes the data on the Controller’s instructions: this may include collecting or otherwise managing personal data.

We use different methods to process data from and about you including through:

Direct Interactions. You may give us your personal data when you fill in a form on our website or correspond with us, contact us in some other way or take part in the OLTEP programme.

Subcontractors: Academics of the University of Oxford who are delivering the OLTEP Programme will interact with you on the Programme and are our processors.

Third parties. Thinkific Labs Inc. who providing hosting services for the OLTEP Programme are our processor and will collect personal data and provide it to us.

HOW WE USE YOUR PERSONAL DATA

We only process your personal data where we have a lawful basis for doing so.

The possible lawful bases are:

Consent: you have given clear consent for us to process your personal data for a specific purpose.
Contract: our processing is necessary for a contract we have with you, or because you have asked OUI to take specific steps before entering into a contract.
Legal obligation: our processing is necessary for us to comply with the law (not contractual obligations).
Vital interests: our processing is necessary to protect someone’s life.
Public task: our processing is necessary for OUI to perform a task in the public interest, and the task has a clear basis in law.
Legitimate interests: our processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect your personal data and that overrides those legitimate interests.

Purposes for which we will use your personal data

We have set out below, in a table format, the purposes for which we process your personal data, and which of the lawful bases on which we rely to do so. Where the lawful basis is our or someone else’s legitimate interests, we have identified what those legitimate interests are. We may have more than one lawful basis, depending on the purpose for which we process that personal data.

Please contact us at [email protected] if you need more information about the purposes for which we process your personal data or the lawful basis.

Purpose	Type of data	Lawful basis for processing
To send you a notification of the services start	(a) Identity (b) Contact	(a) Necessary for the performance of a contract with you (where our contract is with you) (b) Necessary for your legitimate interests and the legitimate interests of your trade or business (for you to take part in the Programme)
To deliver the Programme	(a) Identity (b) Contact (c) Transaction	(a) Necessary for the performance of a contract with you (where our contract is with you) (b) Necessary for your legitimate interests and the legitimate interests of your trade or business (for you to take part in the Programme)
To manage the contract for the provision of the Programme, including invoicing and being paid	(a) Identity (b) Contact (c) Financial (d) Transaction	(a) Necessary for our legitimate interests (to recover debts due to us) (b) Necessary for your legitimate interests and the legitimate interests of your trade or business (for you to take part in the Programme)
To manage our relationship with you including notifying you about changes to our terms, Privacy Policy or the Programme and other products and services	(a) Identity (b) Contact (c) Transaction (d) Marketing	(a) Necessary for the performance of a contract with you (where our contract is with you) (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our terms updated, to develop the Programme and other products and services, and to grow and market our business) (d) Necessary for your legitimate interests (to keep you up-to-date with any such changes)
For fraud and crime detection, monitoring and prevention	(a) Identity (b) Contact	(a) Necessary for our legitimate interests and your legitimate interests (to detect and prevent fraud and other crimes) (b) Necessary to comply with a legal obligation
To ask you and enable you to give feedback, provide references or complete a survey	(a) Identity (b) Contact (d) Marketing	Necessary for our legitimate interests (to study how training participants use the Programme, to develop the Programme and to grow and market our business)
To receive and respond to enquiries from you about the Programme and other products and services	(a) Identity (b) Contact (c) Marketing	Necessary for our and your legitimate interests (to engage with you and to facilitate the growth of our business, and to give you a response to enquiries)
To deal with your queries about our processing of your personal data, your requests to exercise your rights as a data subject and complaints	(a) Identity (b) Contact (c) Queries and Requests	Necessary to comply with a legal obligation
To liaise with the ICO	(a) Identity (b) Contact (c) Queries and Requests	Necessary to comply with a legal obligation

CHANGE OF PURPOSE

We will only use your personal data for the purposes for which we or our processors collected it, unless we reasonably consider that we need to use it for another purpose and that reason is compatible with the original purpose.

If you wish to have an explanation as to how the processing for the new purpose is compatible with our original purpose, please e-mail [email protected] with “Personal Data Enquiry” in the subject line of your e-mail. You may also contact us by other means listed on www.innovation.ox.ac.uk.

If we need to use your personal data for a purpose which is not compatible with our original purpose, we will notify you and we will explain the lawful basis which allows us to use your personal data for that new purpose.

MARKETING

We will not share your personal data with any third party for marketing purposes.

You can ask us to stop sending you marketing messages at any time by following the unsubscribe or opt-out links in any marketing message sent to you or by contacting us at any time at [email protected].

COOKIES

When you visit our website, we collect some basic information such as your internet service provider’s domain name, which pages you accessed on the website, and when.

Our service provider, Thinkific, uses cookies, which are small pieces of information that are saved to your device when you use our website. We use cookies which are necessary for our website to function and, if you consent to this, we also use non-essential cookies.

You can set your browser to refuse all or some cookies or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly.

DISCLOSURES OF YOUR PERSONAL DATA

We may share your personal data with the following third parties:

Academics of the University of Oxford who are delivering the Programme and who are our processors.
Thinkific Labs Inc. who is providing hosting services for the OLTEP VLE.
Microsoft, who provide the University of Oxford with Nexus365 solution and where we may use Office 365 (especially Outlook, OneDrive for Business, MS Excel, MS Word, MS Forms and MS Teams) to process your data.
Zoom, whose products may be used to deliver our live sessions.
MailChimp, whose services we may use to manage our email campaigns.
Other service providers based inside and outside the UK, to the extent they need to process your personal data to provide us with their services such as IT, system administration and business support services (including payment processing providers such as PayPal, VISA and Mastercard and website hosting services such as Amazon Web Services (AWS) who provide application servers and cloud storage).
Enforcement companies, based inside and outside the UK when we believe it is necessary to comply with the law or enforce our rights under our terms and conditions or in any contracts between us or to protect the rights, property or safety of OUI, our employees or customers, our business partners or others. This includes exchanging information with the police or other investigatory or law enforcement authorities and companies and organisations involved in fraud protection.
Business partners, law enforcement bodies, providers of fraud prevention and detection services, and recipients of fraud prevention and detection services, based inside and outside the UK, where we have reason to suspect fraud or the commission of any other criminal offence.
HM Revenue & Customs, the ICO and any other regulator to which we are subject.

INTERNATIONAL TRANSFERS AND WHERE WE STORE YOUR PERSONAL DATA

Our operations are principally based in the UK and the personal data that we process is mainly processed, stored and used within the UK and the European Economic Area (EEA). However, in order to offer you the best service we can provide, we also work with service providers from other parts of the world. This means that the data we process sometimes needs to be transferred, stored and used by organisations operating outside the UK and the EEA who work for us or one of our service providers in countries which may not provide the same level of protection for the rights of data subjects as do the UK and the EEA.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK and/or EEA.

DATA SECURITY

We have appropriate security measures to prevent your personal data from being accidentally or unlawfully destroyed, lost, altered, or disclosed or accessed in an unauthorised way.

We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will process your personal data only on our instructions and they are subject to a duty of confidentiality.

We have procedures to deal with any suspected or actual breach of security involving personal data.

If the law obliges us to do so, we will notify the UK Information Commissioner’s Office and you of a breach of security involving your personal data.

DATA RETENTION

How long will you use my personal data for?

We will retain your personal data only for as long as is necessary to fulfil the purposes we have specified in this privacy policy, to comply with the law, as required to meet any legal, accounting, or reporting requirements or for as long as we need it in connection with any actual litigation or if we reasonably believe there is a prospect of litigation.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Details of retention periods for different aspects of your personal data are set out in our data retention policy. You can access a copy by e-mailing us at [email protected] with “Personal Data Enquiry” in the subject line of your e-mail. You may also contact us by other means listed on www.innovation.ox.ac.uk.

In some circumstances you can ask us to delete your data: see “Your Rights as a Data Subject” below for further information.

YOUR RIGHTS AS A DATA SUBJECT

As a data subject you have the following rights:

To be informed about the collection and use of your personal data. That is one of the purposes of this privacy policy.

To request access to your personal data: you have the right to receive confirmation of whether or not we are holding or using your personal data and, if we are, to obtain a copy of your personal data.

To request the correction of your personal data: you have the right to have any inaccurate or incomplete personal data we hold about you corrected. We may need to verify the accuracy of any new data you provide.

To request the erasure of your personal data (the right to be forgotten): you have the right to ask us to delete or remove personal data where we have no good reason to continue using it. You also have the right to ask us to delete or remove your personal data where:
- you have successfully exercised your right to object to our using it (see below);
- where we have used your personal data unlawfully; or
- where we are required to erase your personal data to comply with the law.

We may not always be able to comply with your request for erasure for legal reasons. If that is the case, we will inform you about those legal reasons if you request erasure.

To request a restriction on the processing of your personal data: you have the right to ask us to suspend the processing of your personal data in the following circumstances:
- if you want us to establish the data's accuracy;
- where our use of your personal data is unlawful but you do not want us to erase it;
- where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
- you have objected to our use of your personal data but we need to verify whether we have overriding legitimate grounds to use it.

To request the transfer of your personal data (data portability): you have the right to receive the personal data you have provided to us and to have us transmit that data to another person, if it is feasible to do so, where:
- you provided your personal data to us;
- you gave consent to our using your personal data or we used that personal data to perform a contract with you; and
- we have processed that data by automated means.

To object to the processing of your personal data: you have the right to object where our lawful basis for processing is our legitimate interests (or the legitimate interests of a third party) and your particular situation leads you to think our processing affects your fundamental rights and freedoms.

In some cases, we may demonstrate that we have compelling legitimate grounds to process your personal data and that those grounds override your rights and freedoms.

To object to the use of your personal data for direct marketing purposes: you have the right to object where we are processing your personal data for direct marketing purposes.

To withdraw consent: Where you have given consent to our using your personal data for a specific purpose, you have the right to withdraw that consent at any time. Your withdrawal of consent will not affect the lawfulness of any use of your personal data based on your consent before you withdraw consent.

Not to be subject to a decision based solely on automated processing that produces legal effects concerning you or that similarly significantly affects you unless:
- it is necessary for entering into, or performing, a contract between you and us;
- is required or authorised by UK law; or
- is carried out with your explicit consent.

The ICO website contains more detail on the rights of data subjects.

We have appointed a data protection officer who acts as a contact point for data subjects. If you have any questions about this privacy policy, or wish to exercise your rights as a data subject, please e-mail [email protected] with “Personal Data Enquiry” in the subject line of your e-mail. You may also contact us by other means listed on www.innovation.ox.ac.uk.

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues (www.ico.org.uk) but please contact us first and give us the chance to resolve the problem.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it and that we do not act on any request except from you. We may also contact you to ask you for further information to clarify your request.

Time limit to respond

We try to respond to all legitimate requests within one month. It may take us longer than a month if your request is complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Fees

Normally you will not have to pay a fee to access your personal data, but we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in those circumstances.