Behavioural Insights Team - Privacy notice

What personal information is being processed and what for

Cheshire East Council - in partnership with North Yorkshire County Council - has commissioned the Behavioural Insights Team (BIT) to better understand the services provided by the voluntary, community, faith and social enterprise (VCFSE) sector in their localities. This privacy notice sets out how we collect and use your personal data if you are a participant in this project.

Contact details

Cheshire East Council is the data controller and is responsible for your personal data collected in connection with this project. BIT is the data processor. This notice applies to the personal data we collect directly from you and personal data which is provided to us by third parties. Where we collect personal data from you directly, please make sure that any personal details you provide are accurate and up to date and let us know about any changes as soon as possible.

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, including any requests to exercise your legal rights in relation to your personal data, please contact the DPO:


You also have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues ( We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

The purpose for which BIT is processing your personal data is to contact you to offer support.  If you choose to participate, we will collect your name, email address and or phone number.

Why we are allowed to use your information

It is necessary to process the personal data identified above to deliver a set of surveys and interviews which will meet the local authorities’ requirements of improving services in their localities.

We are therefore relying on the lawful basis provided by GDPR Article 6(1)(e) – public task, which is covered by the Local Govt Act 2000, Part 1 relating to the Promotion of economic, social or environmental well-being

Who we will share your information with

Your information will be accessed by a limited number of researchers and advisors in BIT’s project team working on this project.

BIT may disclose your information to third parties in connection with the purposes of processing your personal data set out in this notice.  These third parties may include:

  • other companies in BIT’s group [that are based within the United Kingdom];
  • regulators, law enforcement bodies and the courts, in order to comply with applicable laws and regulations, assist with regulatory enquiries, and cooperate with court mandated processes, including the conduct of litigation;
  • suppliers, research assistants and sub-contractors who may process information on behalf of BIT [e.g. cloud services to store data, transcription services to transcribe an interview]. These third parties are known as data processors and when we use them we have contractual terms and policies and procedures in place to ensure that your personal data is protected. This does not always mean that they will have access to information that will directly identify you as we will share anonymised or pseudonymised data only wherever possible. We remain responsible for your personal information as the controller; and
  • any third party to whom we are proposing to sell or transfer some or all of our business or assets.

We may also disclose your personal information if required by law, or to protect or defend ourselves or others against illegal or harmful activities, or as part of a reorganisation or restructuring of our organisations.

Where we get your information from

Cheshire East Council have offered the support of the Behavioural Insights Team.  Volunteer coordination points who have chosen to take up the offer have subsequently been in contact directly with the Behavioural Insights Team.

The personal data we collect comes directly from you.

How long we will keep your personal information

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. When it is no longer necessary to retain your personal data, it will be securely deleted.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Taking the above factors into consideration, our anticipated date of deletion for your personal data is within six months of completing the project (anticipated to be completed by July 2023).

In some circumstances, we will retain an anonymised dataset (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

How your information is stored

We take reasonable steps to protect your personal information and follow procedures designed to minimise unauthorised access, alteration, loss or disclosure of your information.

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing.

We ensure that those who have permanent or regular access to personal data, or that are involved in the processing of personal data, are trained and informed of their rights and responsibilities when processing personal data.  We provide such access on a need-to-know basis,and have measures in place which are designed to remove that access once it is no longer required.

Physical personal devices used by BIT are encrypted to protect your data, and confidential hard copy data (including special category data) is kept in locked rooms or cabinets.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

International Transfers

Your personal information will not be transferred outside of the European Economic Area (“EEA”).  References in this notice to the EEA include the UK, even where the UK is no longer a member of the European Union / European Economic Area.

What happens if you don’t provide us with your information

We are unable to offer support and provide the service if you do not provide your data.

Will your information be used to make automated decisions


Your rights

You have a number of rights regarding your personal data, including withdrawing your consent where we have asked for it.

You can also ask for a copy of the information we hold about you and ask us to correct anything that is wrong. For detailed information about your rights please see our privacy notice.

Page last reviewed: 02 March 2023