RCU Research Privacy Notice


The Data Protection Act (2018), based on the General Data Protection Regulation (GDPR), governs the way that organisations use personal data. Personal data is information relating to an identifiable living individual. Transparency is a key element of the Data Protection Act and this Privacy Notice is designed to inform you:

  • how and why RCU uses your personal data for research,
  • what your rights are under GDPR, and
  • how to contact us if you have questions or concerns about the use of your personal data.

Your Rights Under Data Protection

One of the aims of the General Data Protection Regulation (GDPR) is to empower individuals and give them control over their personal data. The GDPR gives you the following rights:

  1. The right to be informed
  2. The right to data portability
  3. The right of access
  4. The right to object
  5. The right to rectification
  6. Rights in relation to automated decision making and profiling
  7. The right to erase
  8. The right to restrict processing

Please note that many of these rights do not apply when the data is being used for research purposes, but we will always try to respond to concerns or queries that you may have.

Why are we processing your personal data?

RCU undertakes research for a variety of different clients within the post-16 learning and skills sector. Data Protection laws allow us to use personal data for research with appropriate safeguards in place under the legal basis of legitimate interest (research undertaken for some clients may have the legal basis of public interest).

For all research projects RCU will be the Data Processor and the client who has commissioned the research will be the Data Controller (this might be for example government agencies, colleges or local authorities). The aims and purposes of the research are determined by the Data Controller and will be defined in the project specification. RCU will only engage in research contracts where data protection and data security standards can be maintained. Detailed risk assessments are carried out at the start of projects to verify this.

Research at RCU is governed by policies and procedures under ISO 20252 and the Market Research Society (MRS) Code of Conduct. RCU is an MRS Company Partner.

Collecting and Using Personal Data

All research projects are different and the information we collect will vary. However, researchers will only collect information that is essential for the purpose of the research. Research data is normally anonymised at source, or as quickly as possible after data collection, so that individuals cannot be recognised and your privacy is protected. You will not be able to withdraw your data after this point. Some data, e.g. survey data, is frequently collected anonymously so cannot be withdrawn once you have given permission for it to be used.

Who do we share your data with?

Research outputs will not identify individuals unless your specific consent is sought (e.g. for a case study). Quantitative data relating to learners will be rounded to the nearest 10 and low numbers suppressed to ensure that individuals cannot be identified.

RCU NEVER gives personal data to third parties outside of authorised members of the project team. The privacy of your personal data is paramount.

Storage and Security

RCU takes a robust approach to protecting the information it holds with dedicated storage areas for data with controlled access. RCU has ISO 27001 and Cyber Essentials certification. Alongside these technical measures there are comprehensive and effective policies and processes in place to ensure that all staff at RCU are aware of their obligations and responsibilities for the data they have access to. By default, people are only granted access to the information they require to perform their duties. Training is provided to new staff joining RCU and existing staff have training and expert advice available if needed.


Your information will not be kept for longer than is necessary and is kept in an anonymised format.  The length of time for which we keep your data will be specified for each project.

Contact Us

If you have a query about how your data is used by RCU, you would like to report a data security breach (e.g. if you think your personal data has been lost or disclosed inappropriately), or you would like to complain about how RCU has used your personal data, please contact the RCU Data Protection Officer at gwilson@rcu.co.uk.

Further Information and Support

The Information Commissioner is the regulator for GDPR and you have the right to raise concerns with the Commissioner. The Information Commissioner’s Office (ICO) has a website with information and guidance for members of the public:


The Information Commissioner’s Office operates a telephone helpline, live chat facility and email enquiry service.  You can also report concerns online.

For more information please visit https://ico.org.uk/global/contact