We apply the UK Data Protection Act 2018 (incorporating the EU General Data Protection Regulation (GDPR)) to all our global operations unless the local equivalent law is stronger.
The UK Data Protection Act (and GDPR) works in two main ways. It gives individuals rights over how their personal information is used and sets out rules for organisations that process personal information.
Our Information Security and Privacy Policy describes how we treat personal information.
Our Cookies policy describes what cookies we use on our website and their purpose.
Your rights in relation to how we use your personal information
You can exercise your rights by submitting a request to IGDisclosures@britishcouncil.org. If additionally, you would like to speak to someone in person, you may contact us by telephone at +44(0) 161 884 0291.
We will ask you to provide proof of your identity and any information we may reasonably need in relation to your request (for example, details of the British Council offices or staff that you have had contact with and when).
We will not start looking for your information until we confirm your identity. If we feel that what you are asking for is excessive or your claim is unfounded, we can refuse your request.
Right to access your personal information
You have a right to ask what personal data we hold about you, to see or receive a copy of it, to be informed why we use it, who we have shared it with, for how long we keep it and whether there is automated decision-making in relation to your personal data.
Right to rectification
You can ask us to rectify any inaccurate personal data held by us about you. In that case, we will temporarily stop using it and take appropriate steps to correct it. We may ask you for some supporting evidence.
Right to erasure (“the right to be forgotten”)
In certain circumstances, you can ask us to delete your personal information:
- If we no longer need your personal data to achieve the purposes for which we originally collected it.
- If you decide to withdraw the consent you had previously given us to process your personal data and there is no other legal ground for our processing. Please note: withdrawing your consent does not make unlawful our processing of your personal data up until that moment.
- If you object to how we use of your data and no other lawful processing grounds apply.
- If you think British Council has processed your personal information unlawfully.
If any of the above situations apply, we may ask you for further information to verify this. We may not always be able to comply with your request if there are specific legal reasons, that we will notify you of.
Right to restrict processing
In some situations, you can limit the way we use your personal data, for example:
- If you question the accuracy of the information we hold about you, we will restrict its use until we are able to determine the correctness of such data.
- If you think we are processing your personal data unlawfully and you do not want us to delete this information but prefer us to restrict its use instead.
- We no longer need your data for the purposes for which we collected it, but you need this information to establish, exercise or defend legal claims.
- You have objected to the processing (see next section) and we need to decide whether the legitimate interests we have to process this information override your fundamental rights.
In these cases, we will stop processing your data except for storing it. We reserve the right to refuse a request where this information may be needed for legal claims, of where we have a valid lawful basis.
Right to object
You have the right to object to the British Council processing your personal data in certain circumstances and we will inform you of these in our privacy notices.
If you object to our processing that was based on our legitimate interest, we will restrict our use of your data while we re-assess whether our legitimate grounds override yours.
You also have an absolute right to stop your data from being used for direct marketing. In this case, we may keep your information on a ‘suppression list’ to ensure it is not added to any marketing lists in the future.
Right to data portability
This right enables individuals to move some personal data from one IT environment to another so it can be re-used for your own purposes across other services, e.g., moving banks. You have the right to receive a copy of the information you have provided to us in a structured, commonly used and machine-readable format. You also have the right to ask us to send this information to another organisation.
There are some situations in which the right to data portability does not apply.
Rights related to automated decision making (including profiling)
Automated decision-making is the process where a decision is made by using automated means only, with no human involvement. These decisions ca be based on factual data, on digitally created profiles or on inferred data. You have the right not to be subject to decisions made just by automated means (e.g. artificial intelligence) without any human intervention, if these decisions have a legal impact on you, or significantly affect your circumstances, behaviours or choices.
Please note that this right does not prohibit processing where you have explicitly consented to it, or it is lawful because it is authorised by UK or European law, or the processing is necessary for entering into a contract between you and the British Council.
However, you still have a general right to object in the above circumstances, and must provide reasons why you think the processing is having a negative effect on you. If you do object, we will carefully consider your reasons, and decide whether to review the decision-making process in your specific case.
Your right to complain to a national data protection regulator/supervisory authority
If you think we have processed your personal information unfairly or unlawfully, or we have not complied with your rights under GDPR, you have the right to escalate your complaint to a national data protection regulator.
Complaints about how we process your personal information can be considered by the UK data protection regulator, the Information Commissioner’s Office (ICO). The ICO can be contacted on the complaints section of their website.
If you consider that the issues you are concerned about have taken place in your country of residence and prefer to complain to your national data protection regulator:
- Contact details of national supervisory authorities in countries located in the European Economic Area (European Union + Iceland, Liechtenstein and Norway) are available in the European Data Protection Board website.
- Contact details of supervisory authorities in other countries can be found by searching the internet.
Many data protection supervisory authorities will ask that you contact us first to outline your concerns and to allow us to try and put the issue right, before they start looking into your complaint or concern.
British Council processing of personal information
International transfers
British Council shares personal information within the wider British Council group of entities situated both within and outside the EU. We do this under a data sharing agreement that includes the appropriate EU model international data transfer clauses to make sure your personal information is protected, no matter which entity in the British Council group holds that information.
Where British Council makes transfers of personal information outside the British Council Group to another organisation, we rely on the use of the EU model international data transfer clauses where the country the organisation is situated in is not listed as ‘adequate’ by the European Commission.
Recipients
We also use other organisations to process your personal information in order to carry out services on our behalf. We use them to:
- Provide customer service, surveys and marketing
- Personalise our services
- Process payments
- Carry out fraud and other legal investigations
Where we use another organisation, we make sure that your personal information is protected and remains in our control.
We also, in certain situations, share personal information to government bodies and law enforcement bodies. Where we do share personal information with these types of organisations, we’ll make sure it’s protected, as far as it is reasonably possible.
Customer Services
When you contact us through our webforms, social media, online chat, by email, or talk to our agents/operators, we may collect personal information you provide to us. This may include: your identification data (name, contact details), professional data (workplace, position), financial/payment data; details of previous interactions with us, such as queries, etc. We may occasionally collect health related information, for example, if you need to cancel your attendance to an exam.
We will process your information in relation to your request, such as to deal with your customer enquiry, to provide you with information about our products or activities, to manage our relationship with you or to help us improve customer experience.
We may rely on several lawful bases when we process your data: a) your consent, if you are not a client and have a query, wish to sign up for one of our events, or to receive our newsletters; b) if you have registered for one of our courses or examinations, or wish to purchase any product from us, our lawful basis is the contractual relationship with you, or on the pre-contractual nature of the service requested; c) when you speak to our operators, we may record calls for the purpose of conducting random quality checks that help us improve our customer assistance by phone, based on our legitimate interest to provide ongoing development to our operators and to deliver a continued quality service.
We use AI functionality to generate summaries of any previous engagements you may have had with our agents, so they can provide a personalised response, and also to generate suggested responses which the agent can review and select the most appropriate to each situation. We rely on our legitimate interest to improve the quality of our service to customers by applying this technology, while decisions and actions are always taken by our operators.
We will retain your personal information in line with our data retention schedules and with regulatory or legal requirements.
Marketing
With your consent we’ll use your personal information to send you direct marketing and to better identify products and services that interest you. We do that if you’re one of our customers or if you’ve been in touch with us another way (such as registering to attend a British Council event or entering a competition).
This means we’ll:
- better understand you as a customer and tailor the marketing communications we send you,
- tell you about other products and services you might be interested in,
- try to identify products and services you’re interested in.
The information processed consists of:
- Your contact details. This includes your name, gender, address, phone number, date of birth and email address.
- Information from cookies and tags placed on your connected devices.
- Information from other organisations such as aggregated demographic data and publicly available sources like the electoral roll and business directories.
- Details of the products and services you’ve bought and how you use them.
We’ll send you information about the products and services we provide by phone, post, email, text message, online banner advertising according to the communications channels you prefer. We also use the information we have about you to personalise these messages wherever we can as we believe it is important to make them relevant to you. We do this because we have a legitimate business interest in keeping you up to date with our products and services. We also check that you are happy for us to send you marketing messages before we do so. In each message we send, you also have the option to opt out.
We’ll only market other organisations’ products and services if you have said it is OK for us to do so.
You can ask us to stop sending you marketing information or withdraw your permission at any time.
Social Media
We may engage social media platforms such as Facebook or Instagram, for our digital marketing campaigns aimed at our customers or at new similar audiences, by using ‘list-based’ and ‘lookalike’ tools. We do this by uploading your contact data in pseudonymised format, e.g. a list of email addresses which is hashed and automatically deleted once used, to the social media platform to search for either user matches or new users with similar interests. These audiences will receive targeted ads on our products and services. We do not have the ability to identify who these users are or to access your accounts on these sites.
These activities take place under contractual arrangements, to ensure our advertising agency supplier acting on our behalf and their social media subcontractors only use the pseudonymised data for the provision of this service. Our advertising to these audiences is governed by the direct relationship between the social media platform and its users and we recommend you read their own privacy policies.
For social media advertising we rely on the consent you gave us to receive direct marketing from us. To identify and contact new audiences on social media platforms, we rely on our legitimate interest to increase the reach of our products and services.
If you wish to opt-out of seeing British Council ads on you social media account, you can do so on the site’s privacy settings, which offer options for users to control what ads they see on their profiles.
Third parties
Third parties, such as Microsoft, may collect personal data from you when you are visiting our websites, which offer appropriate opt-out choices as required by data protection law.
Microsoft collects or receives personal data from you to provide Microsoft advertising, as per the Microsoft privacy statement.
Retention
British Council retains personal information in line with our corporate retention requirements. Further details of our corporate retention schedule are available on request via the contact details, please contact: IGDisclosures@britishcouncil.org.
Fraud Checks
We undertake fraud checks on all customers because this is necessary for us to perform our contracted services to customers, by ensuring that the services we provide are duly paid for, and so that individuals themselves are protected from fraudulent transactions on their cards. Where we believe we may detect fraudulent activity we may block you from purchasing a product.
Given the volumes of transactions we deal with, we use automated systems including third-party systems for fraud detection purposes which analyses each sale in order to make automated decisions as to whether or not we will accept a sale. We find this is a fairer, more accurate and more efficient way of conducting fraud checks since human checks would simply not be possible in the timeframes and given the volumes of customers that we deal with.
The checks and decisions that are made look at various components including known industry indicators of fraud which our expert fraud detection provider makes available to us, as well as fraud patterns we have detected on our Sites. When combined, these generate an automated score indicating the likelihood of a fraudulent transaction. If our systems indicate a high score for you, then we may decline an order or even block you from our services. The specific fraud indicators are dynamic so will change depending on what types of fraud are being detected in the wider world, country and our sites at any time.
You have certain rights in respect of this activity. Our fraud detection is in place to protect all our customers as well as the British Council. You have the right to contest any fraud decision made about you and to be given more information about why any such decision was made by exercising your rights as noted above, please contact: IGDisclosures@britishcouncil.org.
General Data Protection Queries
If you wish to communicate with us about this privacy notice, or any issue relating to information governance or data protection, please contact the British Council’s Data Protection Officer, using the following channels:
By post:
Information Governance & Risk Management Team
British Council
1 Redman Place
Stratford
London
E20 1JQ
Telephone: (0)20 7389 4385
Email: InfoGovernance@britishcouncil.org
Notice Revised: 10 October 2023