Privacy & Data Protection Policy


You can contact us at hello@eracambridge.org.

This policy sets out Cambridge ERA:AI Fellowship’s (“ERA”, “our” or “we”) commitments and duties when it processes personal data. This policy takes account of UK and EU data protection laws, including the GDPR, in order to set out our basic expectations of our employees, volunteers, and contractors when they handle personal data for or on our behalf. A breach of this policy may result in disciplinary action.

Introduction and scope

Legal speak: What is personal data? What is special category data?

Personal data is any information about an identifiable living individual (or in data protection language, a ‘data subject’).

  • This includes direct identifiers such as a name, location data and online identifiers like an IP address, but also other information that we can link to an individual, such as an employee ID.

  • Personal data is very widely defined – it doesn’t just include “facts” about individuals; it includes decisions made about them and even subjective opinions held about them.

Special category data is personal data which is more sensitive - any information about health, religious or philosophical belief, sex life or orientation (which could include they/them pronoun preferences), racial or ethnic origin, political opinions, trade union membership, genetic data or biometric data that can uniquely identify a person (such as fingerprints or facial recognition technology). Where this policy discusses special category data, it also includes information about criminal convictions or alleged criminal activity, which is subject to similar rules.

When are we processing personal data?

Processing is any use that we (or a third party) make of personal data. This includes obtaining or creating it, amending it, storing it, sharing it, or even accessing, anonymising, or deleting it.

What obligations do we have?

ERA makes decisions about how and why it collects and uses personal data, and therefore has obligations as a “controller” under the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (“PECR”). These obligations, and what you need to do to follow them, are summarised in this policy. ERA does not hold information in relation to children, and does not work with and/or hire children (anyone under the age of 18).

Core data protection principles

ERA must observe the following principles when processing personal data:

2.1 Lawfulness, fairness and transparency

At a glance: We must always be able to justify our processing using a legal basis (e.g. consent or legitimate interests). We need to tell individuals when we collect their data.

We must always process personal data in line with individuals’ reasonable expectations and lawfully.

Transparency

Generally we should inform individuals about how their personal data will be collected and used by ERA. When working on any new initiative, we consider how individuals will be informed. Usually, this is by way of a ‘privacy notice’.

A privacy notice must contain the information listed in Annex 1.

Timing: When ERA collects personal data directly from the individual, we should provide the notice at the point of data collection (e.g. link to the privacy notice within an online form).

Where possible, when ERA collects the personal data from another source, we should provide our privacy notice to the individual within one month. If we intend to communicate with the data subject, or disclose the data to a third party, then information should be provided no later than that communication or disclosure.

Privacy notices should always be easily accessible, using clear and plain language, and age appropriate.

When carrying out any new processing, or making a change to any existing processing, you should consider whether this is covered by an existing privacy notice. If you are not sure, discuss this with ERA via contact details at the top of this page to help you check whether the new processing or change to the processing is necessary, and whether there is a need to update or provide a new privacy notice to data subjects. 

Lawfulness

We can only process personal data if we have a ‘legal basis’ under Article 6 of the UK GDPR. These include:

  • the processing is necessary to perform a contract with the individual, or to take steps at the request of the individual before entering into a contract (for example, processing bank account details to pay an employee);

  • the processing is necessary for compliance with a legal obligation;

  • the individual has given consent to the processing; or

  • the processing is necessary for our legitimate interests – or those of a third party – unless those interests are overridden by the interests or fundamental rights and freedoms of the individual. We will carry out a “balancing test” to ensure that our legitimate interests justify the intrusion and outweigh any contrary interests of the relevant individual(s).

To help you understand how the legal bases are used for processing, Annex 2 gives an example of appropriate legal bases for HR processing (including recruitment).

Where we need to process special category data, in addition to our Article 6 legal basis we must also be able to satisfy a condition under Article 9 of the UK GDPR, to overcome the general ban on processing such information. Relevant conditions include compliance with employment law obligations, preventing and detecting unlawful activity, and the explicit consent of the data subject. There may be further requirements (such as an appropriate policy document) attached, depending on the condition we rely upon.

Fairness

We must process personal data in a way that is fair to individuals. This means that we must treat people ethically when processing their personal data, and must not interfere with their privacy rights in a way that cannot be justified. Practically, this means:

  • we must consider how the processing may affect individuals and be able to justify any adverse impact;

  • we should only process personal data in ways that people would reasonably expect, and be able to justify any unexpected processing; and

  • we must not deceive or mislead people when we collect their personal data.

Appropriate Policy Document:

At ERA, we process special categories of data for the purpose of:

  1. complying with health and safety obligations at work

  2. assessing employees’ fitness to work, complying with Equality Act requirements and promoting equality and diversity more generally

  3. checking applicants’ right to work (including criminal data)

  4. performing appropriate donor due diligence including, without limitation, to prevent and detect unlawful acts

  5. safeguarding the public, in particular the AI technical safety and AI governance community, for which we provide a community health function

  6. managing employee benefits,

  7. monitoring and building the demographic diversity of the AI technical safety and AI governance field,

  8. supporting organisations that we work with to hire racially or ethnically diverse candidates into senior positions, and doing so ourselves.

We generally process these types of data:

  • for the purposes of performing or exercising obligations or rights in connection with employment, social security or social protection;

  • as necessary for the establishment, exercise or defence of legal claims;

  • to the extent the personal data has been manifestly made public by the data subject;

  • in the course of our legitimate activities, to the extent that the processing relates solely to our members or former members or to persons who have regular contact with us in connection with our purposes; and

  • for reasons of substantial public interest as specified under UK data protection law, including the following conditions:

    • identifying or keeping under review the existence or absence of equality of opportunity or treatment between groups of people specified in relation to that category, with a view to enabling such equality to be promoted or maintained;

    • (for racial or ethnic origin data only) identifying suitable individuals to hold senior positions in our organisation or organisations we work with;

    • preventing or detecting unlawful acts;

    • protecting the public against dishonesty and other harm, and performing other protective functions;

    • publishing data related to the commission of an unlawful act, dishonesty, malpractice or other seriously improper conduct of a person, unfitness or incompetence of a person, mismanagement in the administration of a body or association, or a failure in services provided by a body or association; and

    • providing confidential counselling, advice or support.

We also sometimes rely on the explicit consent of the data subject to process special category data for the following purposes:

  1. Providing or facilitating community and mental health support services to team members (including staff, volunteers, contractors etc.),

  2. Carrying out efforts to increase the set of people we work with and the wider AI technical safety and AI governance field,

  3. Processing information in the course of carrying out our charitable activities (such as in making grants, providing career advising or support, suggesting relevant people for impactful opportunities or vice versa, and doing research or creating content).

In all such cases, we collect such data in accordance with this Policy, so it complies with the principles which require personal data to be:

  • Processed lawfully, fairly and in a transparent manner (Lawfulness, Fairness and Transparency);

  • collected only for specified, explicit and legitimate purposes (Purpose Limitation);

  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed (Data Minimisation);

  • accurate and where necessary kept up to date (Accuracy);

  • not kept in a form which permits identification of Data Subjects for longer than is necessary for the purposes for which the data is Processed (Storage Limitation); and

  • Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful Processing and against accidental loss, destruction, or damage (Security, Integrity and Confidentiality).

2.2 Purpose limitation 

At a glance: Say what you do, and do what you say…

We must only process personal data for purposes which are legitimate and which we have told the individual about in our privacy notice, unless we’re carrying out “invisible processing” (see 2.1). We should not use personal data in a way that is incompatible with these purposes unless an exception is provided under law or a new consent has been obtained from the individual.

In any case, you should consult ERA via contact details at the top of this page if you intend to process personal data for a new purpose so that they can help you assess necessity and compatibility and ensure that we meet all of our data protection obligations. 

2.3 Data minimisation and accuracy

At a glance: Use limited (i.e. the least necessary), quality data…

We only collect and use the minimum personal data that is necessary (and proportionate) for our specified purposes. 

We take particular care to ensure that personal data is recorded accurately and, where necessary, that it is kept up to date.

2.4 Storage limitation (i.e. data retention)

At a glance: Don’t be a data hoarder… hold data for the periods set out in our Data Retention Policy and not for longer than necessary for your purposes.

We must not keep personal data in an identifiable form for longer than is necessary for our purposes. At the end of this period, we must securely erase the personal data, return it to the relevant individual, or anonymise it - depending on what is most appropriate.

If you no longer require personal data, you should make sure that it is appropriately disposed of or anonymised – you should reach out to the ERA Directors if you have any questions over how to best dispose of data or ensure that it is anonymised.

If you think there is a gap in the Data Retention Policy regarding the data that you process, please notify ERA via contact details at the top of this page.

2.5 Data security (and data breaches)

At a glance: Stay safe and apply common sense to security controls and follow all security policies and processes.

General data security

ERA must keep all the personal data it processes secure, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures.

We do this by implementing various security measures, and also by making sure that equivalent measures are imposed on our processors (see the “Sharing data” section below).

Personal data breaches

A ‘personal data breach’ is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (for example, this would include a ransomware attack, as well as leaving a document containing personal data on a train).

ERA is required to log every personal data breach and, where necessary, to report it, as part of a data breach response programme. Not every breach is reportable: under the UK GDPR (and the EU GDPR) a breach must be reported to the regulator within 72 hours of our becoming aware of it unless it is unlikely to result in a risk to individuals, and affected individuals must also be told without undue delay where the breach is likely to result in a high risk to them. The 72-hour window is very short, so early escalation matters more than having a complete picture.

Other jurisdictions outside Europe, including the United States, may require that certain personal data breaches be reported to affected individuals and/or governmental bodies. These requirements may differ from those in Europe, so it is important to understand the scope of individuals and information that may be affected by a personal data breach.

If you think you have become aware of a potential personal data breach, you should immediately inform ERA, take any steps available to you to stop any ongoing risk to individuals (without destroying logs or other evidence needed to establish what happened), and help determine the scope of the incident (i.e. the systems affected, the types of information involved and the individuals who may be affected).

For information about data sharing with third parties, please see the “Sharing data” section at 4 below.

2.6 Accountability and data governance

At a glance: Ensure that key decisions regarding personal data are documented. We have specific obligations in high risk scenarios to undertake ‘data protection impact assessments’. We are also required to keep certain records. However, these requirements may be less formalised in the future - the key is that we can justify our actions on paper.

It is not enough for us to comply with the principles set out above – we must be able to demonstrate our compliance. We do the following to ensure and document compliance:

Privacy by design and default

We must consider the privacy implications of any new processing and any changes we make to how we process personal data. Where you are aware that you are carrying out new processing or making changes to your processing activities, you should design those new processes with privacy in mind - addressing privacy concerns early in the initiative, considering whether the use of personal data is proportionate and necessary, and implementing data minimisation (see 2.3 above). 

Data Protection Impact Assessments (“DPIA”)

In certain cases – where there is "high risk" processing activity - we should carry out a data protection impact assessment before we start the activity. 

The ICO publishes guidance on when a DPIA is required. Examples are processing special category data on a large scale, or processing data obtained from a third party without providing the individuals concerned with our privacy notice (i.e. invisible processing).

A DPIA is a check conducted on a specific area of an organisation’s operations to identify and minimise privacy non-compliance risks. Such assessments will include a description of the processing activities and their purpose and an assessment of the need for and proportionality of the processing, the risks arising and measures adopted to mitigate those risks, in particular any safeguards and security measures which are needed to protect personal data and comply with the law. 

If this becomes necessary, reach out to ERA via the contact details at the top of the page, and ERA will support you to create a DPIA.

Record of Processing

ERA is required to keep a formal record of any processing of personal data (including the categories of personal data processed, the categories of data subjects and the purposes of the processing) which it carries out. The formal record may be kept and maintained at a project level.

3. Data subject rights

At a glance: We need to deal promptly with requests from individuals to exercise their rights under the GDPR rules. If you receive a request, please forward it promptly to the ERA Directors, so that we can take steps to action it in accordance with these rules.

Data subjects are entitled to use any means to make requests to us – these can be spoken as well as written requests, and they need not mention the GDPR or use any particular wording – and we generally have one month to respond (extendable by up to two further months for complex or numerous requests, provided we tell the individual within the first month). So you must make sure that you can recognise a request made by a data subject and escalate it immediately.

In overview, individuals have the following rights:

  • Access: to obtain (i) confirmation whether ERA processes their personal data; (ii) a copy of the personal data (in a commonly-used electronic form, if the request is made electronically); and (iii) provision of supporting explanatory information. Sometimes this is referred to as a DSAR (data subject access request).

  • Portability: to request that their personal data is "ported" (i.e. transferred) to a specified third party, or to the individual themselves, in a structured, machine-readable format (e.g. CSV files). There are limits – for example, this only applies to personal data which has been provided by the individual or collected automatically from the individual, which is held in digital format, and which ERA processes with the individual’s consent or to fulfil a contract with that individual.

  • Rectification: to request correction of inaccurate personal data. 

  • Objection: to object to: (i) processing for direct marketing purposes; (ii) profiling to the extent that it relates to direct marketing; and/or (iii) processing based on ERA’s legitimate interests.

  • Erasure (a.k.a. the "right to be forgotten"): to request that personal data is erased in certain situations, for example, where: (i) the processing is based on consent and the consent is later withdrawn; or (ii) the individual has validly exercised a right to object and wishes the data to be erased.

  • Restriction: to request that personal data is "restricted" (i.e. block/ pause) whilst complaints (for example, about accuracy) are resolved, or if the processing is unlawful but the individual objects to erasure.

Individuals also have the right not to be subject to a decision based solely on automated processing of their personal data (i.e. with no meaningful human involvement in the decision) which produces legal effects concerning them or similarly significantly affects them, unless such a decision is permitted by law. These types of effect are not defined in the UK GDPR, but a legal effect is something that affects someone’s legal rights, and similarly significant effects would include, for example, the automatic refusal of an online credit application or e-recruiting practices without human intervention (e.g. a recruitment aptitude test scored by pre-programmed algorithms and criteria). There are limited exceptions to this. ERA currently uses automated scoring technology as part of its application process (see below).

Automated individual decision-making

We aim to make fair and informed decisions on all applications to our fellowship. As a small team, we use AI systems to help us review the large volume of applications we receive.

We begin by considering the intended outcome of the fellowship and work backwards to the skills, experience and attributes that indicate an applicant is likely to succeed. We translate these into objective numerical rubrics, then manually evaluate randomly selected subsets of applications to calibrate and validate the rubrics. Once the rubrics are finalised, we use AI systems such as large language models to score incoming applications. Before relying on these scores we check that they agree with the scores given by human reviewers on the sample set, and we continue to monitor the system’s performance by spot-checking randomly selected application scores against human review.

After initial scoring, humans review applicants manually to make the actual application decision, taking into account the scores and other data we have on a candidate. We are careful to ensure outlier applications are appropriately handled, and have systems in place to flag people who might score low on the rubrics but could be a good fit for the fellowship anyway.

Under data protection legislation, you may have the right to have a human re-review the scoring part of the application process, express your point of view and to contest the decision. To exercise this right, write to ERA via the contact details at the top of this page.

4. Sharing personal data with third parties, and international transfers

At a glance: Whenever we share personal data with a third party, we need to consider how it will be protected. We need to take particular steps when transferring personal data internationally. 

Sharing data with third parties

The rules for data sharing depend on the ‘role’ played by the third party. In particular, there are specific requirements for sharing data with a ‘data processor’. A data processor is another organisation or person (not employees) who processes personal data on our behalf. An example is a payroll provider.

When sharing with a processor we must:

  1. Ensure that the processor provides satisfactory assurances about their data protection practices before it starts providing any service to us; and

  2. Enter into a written agreement with the data processor containing the specified data processing terms, which ensure that the data processor will provide adequate privacy, data protection and information security measures for our personal data. These terms are set out in Article 28 of the UK GDPR. Many third parties offer their own standard data processing terms (for example, Google Workspace); check that these cover the Article 28 requirements rather than assuming they do. If you are unsure, please contact the ERA Directors.

These requirements do not apply if we are sharing personal data with another controller (i.e. another organisation who will use the personal data for its own purposes, rather than processing it purely on our behalf). However, the ICO has made clear that we should still enter into a data sharing agreement with other controllers when we share personal data with them (or include data sharing provisions in any other agreements we have with them), unless we are sharing small amounts of data on a one-off basis. 

International transfers

Where we transfer personal data to a third party based outside the UK (which includes, for example, third party data processors accessing the personal data from outside the UK in order to provide IT support services, or sharing a Google Doc with somebody in another country who does not work at ERA), a data transfer mechanism must be put in place unless that country has been deemed to provide “adequate” data protection under UK data protection law (the ICO publishes the list of adequate countries), or we can rely on certain narrow exceptions. Examples of a data transfer mechanism are the receiver having signed an approved code of conduct or, more typically, entering into specific data protection clauses. In the UK these clauses are the International Data Transfer Agreement (IDTA), a standard document prepared by the ICO, or the EU Standard Contractual Clauses used together with the ICO’s UK Addendum.

We are also required to carry out ‘transfer risk assessments’ in respect of any international transfer of personal data to countries that are not adequate, taking into account the data protection law and practices of those countries, including the ability of public authorities in those countries to access personal data. Depending on the results of this assessment, we may need to implement further measures to ensure that the personal data is adequately protected after it’s transferred. 

Examples of exceptions are: 

  • Where the individual whose data is being transferred has consented to the transfer, provided that we have provided them with information about the possible risks for the individual due to the country’s lack of adequate data protection law; 

  • Where the transfer is necessary for the individual to enter into a contract or for pre-contractual measures taken at the individual’s request (for example, if an individual asks us to share their data with a future employer who needs it in order to proceed with the individual’s employment);

  • Where the transfer is necessary for us to conclude a contract with a third party that is in the individual’s interest; 

  • Where the transfer is necessary for important reasons of public interest;

  • Where the transfer is necessary for the establishment, exercise or defence of a legal claim; 

  • Where the transfer is necessary to protect an individual’s vital interests (i.e. in an emergency situation), where the individual is physically or legally incapable of giving their consent to the transfer.

All of these exceptions are interpreted very narrowly, and they will only be relevant in the context of one-off transfers of personal data. 

You should contact ERA where you believe that there will be a new type of transfer of personal data outside the UK and EU (for example, if we are working with a partner in a country we haven’t worked in before and will share personal data with them) or a change to an existing transfer to a non-adequate country that may increase the risk (e.g. a significant increase in volume or sensitivity of personal data being shared), so that ERA can assist you in identifying and putting in place an appropriate transfer mechanism and ensuring that the data transfers comply. You should follow any supplementary guidance or policies that ERA provides on data transfer compliance.

Training and monitoring

ERA is responsible for providing training on this policy and data protection to all staff who collect, use or have access to or responsibilities associated with managing personal data, or who are involved in the development of products, services or tools used to process personal data, both when they join us and then again at a frequency deemed appropriate by the ED of the project. 

ERA may periodically check compliance with this policy and other data protection-related policies, and implement corrective actions to rectify any non-compliance. If you think that this policy is not being complied with in any way at ERA, please bring this to the attention of ERA via the contact details at the top of this page.

Annex 1 - Privacy notice requirements

Information to be provided when we collect personal data directly from individuals:

  1. the identity of, and contact details of ERA; 

  2. the purposes and the legal basis for the processing;

  3. the legitimate interests of ERA, where applicable; 

  4. the recipients or categories of recipients of the personal data; 

  5. any international data transfers, including the location of any recipients and the methods used to ensure the adequate protection of those transfers (and how to obtain details of those methods);

  6. data retention periods;

  7. their rights under data protection rules; 

  8. the process available to data subjects to withdraw any consent; 

  9. whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data; and

  10. the existence of any automated decision-making, including profiling, and the logic involved.

Information to be provided when we collect personal data from another source:

  1. all of the information above;

  2. the categories of personal data obtained from the third party; and

  3. the source of personal data. This information should be as precise as possible.

Annex 2 - Grounds for processing personal data (HR examples)

  • Normal data: e.g. names, contact information, job title, bank details etc.

    • Legal basis – Necessary to perform a contract. Example – Processing payroll data, administering benefits and pensions, managing employee mobility, facilities management, disciplinary procedures etc.

    • Legal basis – Necessary to comply with a legal obligation and for exercising rights in the field of employment, social security and social protection law. Example – Collecting information required for statutory sick pay purposes.

    • Legal basis – Consent. Example – Using photos of employees for internal/external communication purposes.

  • Sensitive data: e.g. medical information, sexual orientation, disabilities, information revealing ethnic origin or political opinions, trade union membership, biometric data etc. (an Article 6 legal basis is needed in addition to the Article 9 condition shown).

    • Condition – Necessary to comply with a legal obligation and for exercising rights in the field of employment, social security and social protection law. Example – Sickness or disability information for administration purposes, background checks, administering benefits etc.

    • Condition – Monitoring equality or diversity under Data Protection Act 2018, Schedule 1, Part 2, para 8 (additional conditions apply). Example – Information regarding general equal opportunities monitoring.

When using consent as a ground for processing it must be presented clearly and separately from any other terms (e.g. not incorporated into the employment contract). Consent must also be freely given, specific and give separate options for different types of processing. In addition, it should be as easy to withdraw as to give consent.

Website-specific considerations: Cookies

Cookies are small pieces of data that websites store on a device. Cookies can improve the browsing experience because they help websites remember preferences and understand how people use different features. Squarespace places two kinds of cookies on visitors’ browsers:

  • Necessary cookies, so visitors can navigate and use key features on our site.

  • Non-essential (analytics and performance) cookies, which collect information about how visitors interact with the site. Under PECR, these may only be set with the visitor’s consent.