Privacy notice

The Medical Research Foundation is the charitable foundation of the Medical Research Council (MRC), the UK’s main government funded body charged with improving health through medical research. We use our donated income to fund and support medical research, wherever we discover great opportunities that are not being pursued.

We are a charity registered in England and Wales (Reg. No. 1138223) and a company limited by guarantee registered in England and Wales (Co. No. 7366816). We are registered with the Fundraising Regulator and are committed to complying with its Fundraising Promise.

We are registered with the Information Commissioner’s Office (Reg. No. ZA207360). We are a data controller for the personal information we process, unless otherwise stated.

Data protection legislation gives you eight rights over your personal information. Whether a particular right applies depends on why information is being processed. Below we have outlined each of the rights and specified where a right would always apply.

The right of access: You have the right to ask for copies of the personal data that we hold on you. This right always applies. However, there are exemptions which mean you may not get all the information you have requested.

The right to rectification: You have the right to ask for any inaccurate or incomplete information to be updated. This right always applies.

The right to erasure: In some circumstances you have the right to ask for information to be erased.

The right to restrict processing: In some circumstances you have the right to ask us to restrict the way we use your personal data.

The right to object to processing: In some circumstances you have the right to object to the ways in which we are using your personal data.

The right to be informed: You have the right to be told how your personal information will be used before it is collected from you. This privacy notice is key part of how we are fulfilling this right, additional privacy notices and transparency statements may also be provided.

The right to data portability: In some circumstances you have the right to request a copy of your personal data in a structured, commonly used and machine-readable format, or have it sent to another organisation. Due to the way we collect and use information this right is unlikely to apply.

Rights related to automated decision-making including profiling: You have the right to not be subject to automated decision making, if this results in legal or other significant effects on you.

We may use your personal information in the way stated if you have applied to us for research and grant funding, if you are a co-applicant on a research funding application, or if you received funding from us.

The type of personal information we collect

We collect and process the following types of information:

- Name

- Contact details such as email address, phone number and postal addresses

- Salary

- Date of birth

- Employment and education history

- Equality, diversity and inclusion information, such as marital status, age banding, gender, sexual orientation, ethnicity, religion/belief, disability information

Images included photography for publicity purposes

How we obtain the personal information

Most of the personal information we process is provided to us directly by you or your co-applicant(s). This includes applications made through our online grants management system (FlexiGrant) or via off-line applications which were made prior to the introduction of our grants management system in 2021.

Why we need your information and what we do with it

We collect information so that we can:

- Manage your grant application including peer review assessment, shortlisting, interview

- Manage your grant award including progress, findings, monitoring and evaluation, and support translational opportunities including intellectual property development

- Publicise your grant award

Who we share your information with

Your personal data may be shared with:

- Our joint funding partners (where relevant)

- Our expert reviewers, assessors and review board and panel members

- Expert advisers on intellectual property matters

- The general public through publicity on our website, social media and other communications channels when we publicise successful grant awards

The lawful basis we process your information under

The lawful basis we use to process your personal data will depend on the category of data and what it is used for. It is likely to be:

- Performance of a contract

- Consent

Further information on the lawful bases is available from the ICO website.

How we store your information

Your personal information will be stored in the UK using encrypted electronic storage and transfer systems.

Our grants are manged through our online grants management system (FlexiGrant).

How long we keep your information

In accordance with our Records Management Policy and Records Retention Schedule, information we collect on grant award recipients will be kept permanently. The data of unsuccessful candidates will be kept for ten years then deleted from our electronic records.

The rights you have

The rights you have will depend on which lawful basis is used to collect and process your personal data. Where we rely in consent, you have the right to withdraw that consent at any time.

The rights that apply regardless of what lawful basis is used are:

- The right of access

- The right to rectification

- The right to be informed

Please contact us if you would like to exercise any of your rights with regards to your personal data.

We will use your personal data as outlined below in order to manage our relationship with you as a donor or prospective donor, bequest or legacy pledger, challenge event fundraiser or sponsor.

The type of personal information we collect

We collect and process the following types of information:

- Name

- Contact details such as email address, postal address, phone numbers

- Due Diligence on prospective major donors or partners

- Images (photographs) for publicity purposes

How we obtain the personal information

Most of the personal information we process is provided to us directly by you in response to our advertising or marketing campaigns, or where you have signed up to undertake a challenge event to fundraise for us. As a sponsor of a challenge event fundraiser, we receive the information that you consent to share through the fundraising online platform.

Where we carry out due diligence on prospective major donors or sponsors, we gather information which is publicly available online.

Why we need your information and what we do with it

We collect information so that we can:

- Process your donation

- Maintain our relationship with you

- Publicise your challenge event fundraising activities

- Record your communications preferences (including opting out of future communications

Who we share your information with

We do not share your information with anyone else. Where you act as a challenge event fundraiser for us we will obtain your consent to partake in publicity surrounding the event.

The lawful basis we process your information under

The lawful basis we use to process your personal data will depend on the category of data and what it is used for. It is likely to be:

- Consent

- Legitimate interest

Further information on the lawful bases is available from the ICO website.

How we store your information

Your personal information will be stored in the UK using encrypted electronic storage and transfer systems.

Your data including donations and challenge event sponsorship may be processed through donation platforms such as Enthuse, Much Loved, Just Giving etc.

How long we keep your information

In accordance with our Records Management Policy and Records Retention Schedule, your personal information will typically be kept permanently or for seven years post the termination of our relationship with you, and then deleted from our electronic records.

For further retention information specific to your relationship with us, please contact us.

The rights you have

The rights you have will depend on which lawful basis is used to collect and process your personal data. Where we rely on consent, you have the right to withdraw consent at any time. You can do this by contacting our Fundraising team.

The rights that apply regardless of what lawful basis is used are:

- The right of access

- The right to rectification

- The right to be informed

Please contact us If you would like to exercise any of your rights.

We may use your personal information in the way stated if you are a current or former trustee or committee member.

The type of personal information we collect

We collect and process the following types of information:

- Name

- Contact details such as email address, phone number and postal addresses

- Date of birth

- Employment and education history

- Nationality and Right to Work details

- Bank details

- Reference details

- Equality, diversity and inclusion information, such as marital status, age banding, gender, sexual orientation, ethnicity, religion/belief, disability information.

- Information and declarations required for registration with our regulatory bodies or to complete Know Your Customer (KYC) checks for our professional services providers

- Pre-appointment due diligence information such as whether you have been declared bankrupt, are disqualified from acting as a director or trustee, are subject to financial sanctions.

- Statements and declarations made in line with our policies, such as the annual declarations of interest

- Performance related information such as that collected in annual board effectiveness reviews

- Images included photography and electronic signatures

How we obtain the personal information

Most of the personal information we process is provided to us directly by you in the course of your appointment. Some information may be obtained through third parties such as references from your referees, publicly available information online for due diligence checks, or where we have used the services of a third party to recruit you.

Why we need your information and what we do with it

We collect information so that we can:

- Manage your appointment

- Meet our regulatory registration and reporting requirements

- Meet any training and development needs and monitor performance

- Meet our legal obligations such as under the Equality Act 2010

Who we share your information with

Your personal data may be shared with our regulatory bodies and our professional service providers, such as:

- Charity Commission for England and Wales

- Companies House

- Auditors

- Legal service providers

- Financial service providers

The lawful basis we process your information under

The lawful basis we use to process your personal data will depend on the category of data and what it is used for. It is likely to be:

- Performance of a contract

- Legal obligation

- Consent

Further information on the lawful bases is available from the ICO website.

How we store your information

Your personal information will be stored in the UK using encrypted electronic storage and transfer systems.

How long we keep your information

In accordance with our Records Management Policy and Records Retention Schedule, information we collect for regulatory reporting requirements will be kept permanently. All other information will be kept for six years post your termination date and then deleted from our electronic records.

The rights you have

The rights you have will depend on which lawful basis is used to collect and process your personal data. Where we rely in consent, you have the right to withdraw that consent at any time.

The rights that apply regardless of what lawful basis is used are:

- The right of access

- The right to rectification

- The right to be informed

Please contact us if you would like to exercise any of your rights with regards to your personal data.

We may use your personal information in the way stated if you are a current or former employee, secondee, agency worker, or student.

The type of personal information we collect

We collect and process the following types of information:

- Name

- Contact details such as email address, phone number and postal addresses

- Date of birth

- Employment and education history

- Nationality and Right to Work details

- ID documents

- Bank details

- Reference details

- Emergency contact details

- Equality, diversity and inclusion information, such as marital status, age banding, gender, sexual orientation, ethnicity, religion/belief, disability information.

- Shortlisting and interview records

- Information provided for security vetting checks

- Statements and declarations made in line with our policies, such as the annual declarations of interest

- Working patterns and hours

- Sickness and absence information

- Employee engagement and survey responses

- Offer and termination of employment or work experience

- Salary details

- Performance-related information

- Details of any grievances, disciplinaries and other casework that takes place during your employment

- Images included photography and electronic signatures

How we obtain the personal information

Most of the personal information we process is provided to us directly by you in the course of your employment. Some information may be obtained through third parties such as references from your referees, or where we have used the services of a third party to recruit you.

Why we need your information and what we do with it

We collect information so that we can:

- Manage your employment and employment records including payroll, pension scheme administration, rewards and benefits

- Pay you and manage your tax and NI contributions

- Enrol you with

- Meet any training and development needs and monitor performance

- Conduct workforce planning

- Carry out HR and legal casework such as grievances, disciplinaries and dismissals

- Conduct audits

- Prevent and detect fraud

- Record accidents and incidents and maintain general health & safety while you are at work

- Meet our legal obligations such as under the Equality Act 2010, RIDDOR 2013, Gender Pay Gap Regulations 2017

Who we share your information with

Your personal data may be shared with:

- Organisations you are seconded to or from, or are on work placement from

- Our professional service providers such as our IT and records management host organisation, HR advisors, occupational health providers, pre-employment security check providers, HMRC, payroll providers, pensions scheme administrators, travel service providers, insurance brokers and providers, auditors, lawyers, financial service providers, benefit providers etc

- Other employers (i.e. requesting references or responding to reference requests)

The lawful basis we process your information under

The lawful basis we use to process your personal data will depend on the category of data and what it is used for. It is likely to be:

- Performance of a contract

- Consent

Further information on the lawful bases is available from the ICO website.

How we store your information

Your personal information will be stored in the UK using encrypted electronic storage and transfer systems.

How long we keep your information

In accordance with our Records Management Policy and Records Retention Schedule, your personal information will be kept for six years post your termination date and then deleted from our electronic records. This is with the exception of your emergency contact details which will be deleted from our electronic records one month post your termination date.

The rights you have

The rights you have will depend on which lawful basis is used to collect and process your personal data. Where we rely in consent, you have the right to withdraw that consent at any time.

The rights that apply regardless of what lawful basis is used are:

- The right of access

- The right to rectification

- The right to be informed

Please contact us if you would like to exercise any of your rights with regards to your personal data.

We will use your personal data as outlined below in order to manage applications for employment or voluntary roles (including trustee and committee members).

This information applies to the application and selection process only.

The type of personal information we collect

We collect and process the following types of information:

- Name

- Contact details such as email address, phone number and postal addresses

- Date of birth

- Employment and education history

- Nationality and Right to Work details

- ID documents

- Reference details

- Equality, diversity and inclusion information, such as marital status, age banding, gender, sexual orientation, ethnicity, religion/belief, disability information.

- Information provided for security vetting checks

- Pre-appointment due diligence checks including bankruptcy, disqualification from acting as a director or trustee, financial sanctions

- Occupational health pre-employment checks

- Shortlisting and interview records

How we obtain the personal information

Most of the personal information we process is provided to us directly by you as part of your application process. Some information may be obtained through third parties such as references from your referees, or where we have used the services of a third party to advertise the vacancy.

Why we need your information and what we do with it

We collect information so that we can:

- Carry out the recruitment process e.g. to shortlist applications and conduct interviews

- Meet our legal obligations such as under the Equality Act 2010 and understanding accessibility needs to ensure reasonable adjustments are made for interview and any subsequent employment or appointment

- Carry out pre-employment or pre-appointment checks e.g. your right to work in the UK

- Carry out security vetting where appropriate for your role

- Check qualifications and other conditions of employment

Who we share your information with

Your personal data may be shared with:

- Organisations you are applying to be seconded to or from

- Our professional service providers such as our HR advisors, occupational health providers, pre-employment security check providers etc

- Other employers (i.e. when we request references)

The lawful basis we process your information under

The lawful basis we use to process your personal data will depend on the category of data and what it is used for. It is likely to be:

- Performance of a contract

- Consent

Further information on the lawful bases is available from the ICO website.

How we store your information

Your personal information will be stored in the UK using encrypted electronic storage and transfer systems.

How long we keep your information

In accordance with our Records Management Policy and Records Retention Schedule, if you are not offered an unconditional offer of employment or appointment, your personal information will be kept for six months post the appointment date of the successful candidate and then deleted from our electronic records.

The rights you have

The rights you have will depend on which lawful basis is used to collect and process your personal data. Where we rely in consent, you have the right to withdraw that consent at any time.

The rights that apply regardless of what lawful basis is used are:

- The right of access

- The right to rectification

- The right to be informed

Please contact us If you would like to exercise any of your rights with regards to your personal data, as either an employment or appointment applicant.

We may use your personal information in the way stated if you expert reviewer in the assessment and decision-making process for our funding.

The type of personal information we collect

We collect and process the following types of information:

- Name

- Contact details such as email address, phone number and postal addresses

- Employment and education history

- Skills and areas of expertise

- Equality, diversity and inclusion information, such as marital status, age banding, gender, sexual orientation, ethnicity, religion/belief, disability information

- Health information where we seek to have assessors with lived experience of the disease relevant to the funding call

- Health information or accessibility requirements to support your attendance at a panel meeting

- Statements and declarations made in line with our policies, such as the annual declarations of interest

How we obtain the personal information

Most of the personal information we process is provided to us directly by you. In some instances we may have received details from the MRC or our joint funding partners where we believe we have a legitimate interest to receive these details.

Why we need your information and what we do with it

We collect information so that we can manage your participation in our grant funding calls as a peer reviewer or assessor.

Who we share your information with

Your personal data may be shared with:

- Our joint funding partners (where relevant)

- Our grant applicants

- The general public where we announce the names of the panel members who assessed the funding call

The lawful basis we process your information under

The lawful basis we use to process your personal data will depend on the category of data and what it is used for. It is likely to be:

- Performance of a contract

- Legitimate interest

- Consent

Further information on the lawful bases is available from the ICO website.

How we store your information

Your personal information will be stored in the UK using encrypted electronic storage and transfer systems.

Our grants are manged through our online grants management system (FlexiGrant).

How long we keep your information

In accordance with our Records Management Policy and Records Retention Schedule, information we collect pertaining to funding calls will be kept permanently as part of our historical records.

EDI information pertaining to panel members will be deleted from our electronic records after six months.

The rights you have

The rights you have will depend on which lawful basis is used to collect and process your personal data. Where we rely in consent, you have the right to withdraw that consent at any time.

The rights that apply regardless of what lawful basis is used are:

- The right of access

- The right to rectification

- The right to be informed

Please contact us if you would like to exercise any of your rights with regards to your personal data.

We will use your personal data as outlined below in order to manage our relationship with you as a representative or employee of UKRI or the MRC, host institutions, partner funding organisations, our service providers or suppliers, landlords or building management service providers, trusts and foundations to which we apply for grant funding etc.

The type of personal information we collect

We collect and process the following types of information:

- Name

- Contact details such as email address, phone number and postal addresses

- Job titles

How we obtain the personal information

Most of the personal information we process is provided to us directly by you or the organisation you represent. Some information may be obtained through third parties such as other funding partners, or from publicly available information online.

Why we need your information and what we do with it

We collect information so that we can:

- work with partner organisations we provide services to us such as the MRC or UKRI

- carry out our business activities including payment to host research institutions, estate management (both as a landlord or tenant)

- operate our procurement and supplier processes, including securing tender applications, managing contracts, and making payments to organisations and individuals for goods or services

- work with partner organisations to run joint funding calls

- apply for funding from Foundations and Trusts

Who we share your information with

We do not share your information with anyone else.

The lawful basis we process your information under

The lawful basis we use to process your personal data will depend on the category of data and what it is used for. It is likely to be:

- Performance of a contract

- Legitimate interest

Further information on the lawful bases is available from the ICO website.

How we store your information

Your personal information will be stored in the UK using encrypted electronic storage and transfer systems.

How long we keep your information

In accordance with our Records Management Policy and Records Retention Schedule, your personal information will be kept for seven years from the end of the contract, relationship or service provision. and then deleted from our electronic records.

The details of employees or representatives of our partner organisations or joint funding partners will typically be held permanently as part of our historical records.

The rights you have

The rights you have will depend on which lawful basis is used to collect and process your personal data.

The rights that apply regardless of what lawful basis is used are:

- The right of access

- The right to rectification

- The right to be informed

Please contact us If you would like to exercise any of your rights.

We will use your personal data as outlined below in order to manage our relationship with you as a recipient of our communications mailing lists or social media contact.

The type of personal information we collect

We collect and process the following types of information:

- Name

- Contact details such as email address or postal address

- Social media profile information

- Job titles, employers or research organisations

- Communications preferences including opt-out information

- For event attendees, dietary requirements and access requirements

How we obtain the personal information

Most of the personal information we process is provided to us directly by you through signing up to our newsletter, consenting to receiving further communications from us such as from donors, connecting with us on social media, attending our events, or where we have an existing professional relationship with you.

Some communications recipients may have been former grant recipients of either us or our predecessor MRC charities, who believe we have a legitimate interest in contacting to notify of our fundraising activities. In these instances, your data is collected from publicly available online information.

We also maintain communications lists of medical researchers who we believe we have a legitimate interest in contacting to notify of our funding calls. In these instances, your data is collected from publicly available online information.

Why we need your information and what we do with it

We collect information so that we can:

- Maintain our professional relationship with you

- Notify you of our business activities including funding calls, funding awards, fundraising activities, event invitations, and other news we believe will be of interest to you

- Record your communications preferences (including opting out of future communications)

- Facilitate your attendance at one of our events.

Who we share your information with

We do not share your information with anyone else. Your data may be managed through data processors including Mailchimp, Eventbrite, social media channels.

The lawful basis we process your information under

The lawful basis we use to process your personal data will depend on the category of data and what it is used for. It is likely to be:

- Consent

- Legitimate interest

Further information on the lawful bases is available from the ICO website.

How we store your information

Your personal information will be stored in the UK using encrypted electronic storage and transfer systems.

Your data including communications preferences, may be managed through data processors including Mailchimp, Eventbrite, social media channels.

How long we keep your information

In accordance with our Records Management Policy and Records Retention Schedule, your personal information will be kept for as long as there is a business need to retain this and then deleted from our electronic records.

This will typically be for seven years from the end of our relationship with you but will depend on our relationship with you.

Newsletter recipient data will usually be retained for one year from the end of our relationship with you.

When you notify us that you do not wish to receive future communications from us, we will record this on our databases so that we do not contact you further.

For further retention information specific to your relationship with us, please contact us.

The rights you have

The rights you have will depend on which lawful basis is used to collect and process your personal data. Where we rely on consent, you have the right to withdraw consent at any time. You can do this through:

- Our mailing list management service (Mailchimp)

- Unfollowing us on our relevant social media channels

- Contacting us at the email provided in the communication

- Contacting us through our general enquiries email

The rights that apply regardless of what lawful basis is used are:

- The right of access

- The right to rectification

- The right to be informed

Please contact us If you would like to exercise any of your rights.

If you have a question or complaint about our use of your personal information, please contact us.

You also have the right to raise the issue with the Information Commissioner’s Office.