Download a summary of the Public Involvement and Engagement Activity Privacy Notice [PDF]

What is the purpose of this Privacy Notice?

Imperial College of Science, Technology and Medicine (“Imperial”) is committed to protecting the privacy and security of your personal data.

This privacy notice describes how we collect and use personal data about you during and after your relationship with Imperial, in accordance with the applicable data protection legislation (the Data Protection Act 2018 and the UK General Data Protection Regulations (UK GDPR)).

Imperial is a "data controller", this means that we are responsible for deciding how we hold and use personal data about you. We are required under data protection legislation to notify you of the personal data contained in this privacy notice.

This notice applies to members of the public who take part in public involvement and engagement activities. This notice does not form part of any contract of employment or other contract to provide services. We may update this notice at any time.

It is important that you read this notice, together with any other privacy notice we may provide you with at specific times when we are collecting or processing personal data about you, so that you are aware of how and why we are using such personal data. By processing personal data we mean: collecting or storing personal data, transferring personal data from one location to another, using personal data to bring together people who are diverse in terms of, for example, age, sex and ethnicity or who have different experiences of health conditions.

An example of a linked privacy notice would be the Events Privacy Notice, which explains how Imperial processes the personal data of people attending events (including public lectures, demonstrations, tours, webinars, training and meetings).

The kind of personal data we hold about you

Personal data, means any information or details about a person that could identify them (find out who they are) either directly or indirectly.

We may collect, store, and use the following types of personal data about you:

  • Data captured about your involvement and/or engagement with Imperial.
  • Personal contact details such as name, job (voluntary or paid), title (for example Mr, Mrs, Miss, Ms), addresses, telephone numbers (including emergency contacts and next of kin), and email addresses.
  • Data about your socio-economic status.
  • Data about you so that we make sure the people we involve are diverse and represent the population, for example age, gender and education level.
  • Financial data so that we can cover expenses such as travel, for example bank account details.
  • Digital identifiers such as CCTV, photographs and your use/engagement with any systems and/or platforms

We may also collect, store and use the following "special categories" of more sensitive personal
data:

  • Data about your race or ethnicity, religious beliefs, sexual orientation and political opinions.
  • Data about your health, including any medical condition which you have provided to the
    Imperial where necessary.

How is your personal data collected?

We collect most of the personal data about you from you directly when you engage with Imperial or as part of activities/events in which you take part.

How we will use data about you and the legal basis for processing your data under data protection legislation

We will only use your personal data when the law allows. Most commonly, we will use your personal data in the following circumstances:

  • Where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in Imperial.*
  • Where it is necessary for legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.**
  • Where you have consented to the processing.***
  • Where it forms part of a legal obligation(s).****

Situations in which we will use your personal data

The situations in which we will process your personal data are listed below. We have indicated below with a corresponding symbol (*) the purpose or purposes for which we are processing or will process your personal data, as well as indicating which categories of data are involved.

  • To undertake public involvement and engagement in research. */***
  • To provide you with the information, products and/or assistance that you request from Imperial. ***
  • To contact you in relation to you taking part in public involvement and engagement activities including for the purposes of feedback. */***
  • To ensure we meet any and all legal obligations during your involvement with Imperial such as under the Equality Act and implementing accessibility adjustments and/or support as necessary. ****.
  • To provide you with relevant news and/or invitations to events.**/***
  • Making a decision about your suitability for a specific task/activity e.g. as part of your recruitment, role or appointment*.
  • Rewarding you for your time and/or reimbursing your expenses.**/***
  • Education, training and development requirements*/**.
  • To ensure compliance with legal obligations including health and safety and the Equality Act. ****
  • To prevent fraud. **/****
  • To conduct data analytics and surveys to review our activities, our personnel and those with whom we engage and involve. */** 
  • To ensure the data we hold about you is up to date and accurate. **/***

Some of the above reasons for processing your personal data will overlap and there may be several grounds which justify our use of your personal data.

If you fail to provide personal data

If you fail to provide certain data when requested, we may not be able to continue to involve you in public involvement and engagement activities and process your reward for time and expenses claims.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows Imperial to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

How we use particularly sensitive personal data (if relevant)

Some data that is particularly sensitive needs higher levels of protection. This data is called “Special Category Data”. We need to have additional reasons for collecting, storing and using this type of personal data. We may process this data in the following circumstances:

  • In limited circumstances, with your explicit written consent. *
  • Where processing is necessary for reasons of substantial public interest. **
  • For the purpose of undertaking research and statistical analysis. ***

Our obligations

We will use your particularly sensitive personal data (Special Category Data) (if any) in the following ways:

  • To ensure we meet any and all legal obligations with regards to your involvement with Imperial such as ensuring health and safety compliance. *
  • We will use data about your race or national or ethnic origin, religious, physical or mental health, or disability status or sexual orientation, to ensure meaningful equal opportunities, monitoring and reporting. **/***

Automated decision-making

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making, unless we have a lawful basis for doing so and we have notified you.

Data sharing

We may have to share your data with organisations outside of Imperial which provide a service or are otherwise engaged with activities within Imperial. We require third parties to respect the security of your data and to treat it in accordance with the law.

We may also transfer your personal data outside the UK/European Union however when this happens, we will ensure protections are in place to ensure your data is secure.

Why might you share my personal data with third parties?

We may share your personal data with third parties where:

  • required by law,
  • it is necessary to administer the relationship with you; or
  • we have another legitimate interest in doing so.

Depending on your role, type of involvement or engagement with Imperial, we may disclose limited personal data to a variety of recipients including:

  • Other staff, agents, contractors and service providers (e.g. third parties processing data on our behalf as part of rewarding you for your time or paying expenses
  • Customer Relationship Management (CRM) platforms to manage data including reporting, recruitment activities and marketing programs.
  • Other entities within the Imperial group, for example Imperial Consultants (ICON) and other subsidiaries – where necessary.

How secure is my data with third-party service providers?

All Imperial third-party service providers are required to take appropriate security measures to protect your personal data in line with Imperial policies. We do not allow third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with Imperial instructions.

What about other third parties?

We may share your data with other third parties, for example in the context of the possible sale or restructuring of the business and operations within Imperial. We may also need to share your personal data with a regulator or to otherwise comply with the law.

Data Security

We have put in place appropriate security measures to prevent your data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your data to those staff, agents, contractors and other third parties who need to access it.

We also have procedures in place to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Data retention

How long will you use my data for?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it, including for the purposes of satisfying any legal, accounting, or reporting requirements. Imperial maintains a central Retention Schedule [PDF], which defines broadly how long data is retained.

Where activity has a unique, individual retention, this will be explained to you at the point of data collection.

In some circumstances we may anonymise your personal data so that it can no longer be associated with you, in which case we may use such data without further notice to you.

Rights of access, correction, erasure, and restriction

Your rights in connection with personal data

Under certain circumstances, by law, you have the right to:

  • Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected.
  • Request erasure of your personal data. This enables you to ask Imperial to delete or remove personal data where there is no good reason for Imperial continuing to process it. You also have the right to ask Imperial to delete or remove your personal data where you have exercised your right to object to processing (see below).
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
  • Request the restriction of processing of your personal data. This enables you to ask Imperial to suspend the processing of personal data about you, for example if you want Imperial to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal data to another party.

If you want to review, verify, correct or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact Imperial’s Data Protection Officer.

Right to withdraw consent

If you have given your consent to the collection, processing and transfer of your personal data for a specific purpose and then decide you would like to withdraw your consent for that specific processing please contact the Imperial team you are engaged with, or the Data Protection Officer (details below).

Once we have received notification that you have withdrawn your consent, we will no longer process your data for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

Data Protection Officer

We have appointed a Data Protection Officer to oversee compliance with this privacy notice. If you have any questions about this privacy notice or how we handle your personal data, please contact the Data Protection Officer at:

Imperial College London

Data Protection Officer

e-mail: dpo@imperial.ac.uk

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.

Changes to this privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal data.

 

Version date – January 2026