1. About this privacy notice
The purpose of this privacy notice is to explain how the University of Oxford ('the University', 'we', 'our', 'us') hold and use personal data held in IRAMS (Internal Research Application Management System).
IRAMS is the system used for research funding schemes managed internally by the University of Oxford. It comprises a front end web application and a back end linked to Dynamics365 Customer Relationship Management (CRM).
Data are held on the following:
- Oxford academics and researchers (applicants and co-applicants) who apply for the research funding schemes
- Administrative staff who may act as application form editors on behalf of the applicants
- Administrative staff given the role of departmental approvers, who approve applications on behalf of their department/faculty/academic divisions as part of the application approval process
- Administrative staff who are the funding scheme owners and who create and manage the internal funding schemes
- Co-applicants at other institutions who apply for funding as part of a collaborative project (as co-applicants) or who are eligible to apply as applicants in their own right.
The personal data are collected in the web application when applications are created for a funding scheme, in case for support templates that are uploaded as part of the application process, and in the back end where funding schemes are created and maintained. Personal data are held in the applicant, co-applicant and editor records in Dynamics365 as well as the application records. These records also contain the case for support (if required by the funding scheme) and any email notifications that are auto or manually generated.
The University of Oxford encompasses the University's central and international offices (North America, China and Japan); academic departments, gardens, libraries, and museums. Please see the University's privacy notices relating to other activities and relationships.
2. Information we collect
We, the University, collect information directly from you when funding schemes are created in Dynamics365 and when applications are created, submitted and approved in the web application. For Oxford staff, data are also pulled through from their PeopleXD record which is linked to their Oxford user ID.
We may hold the following types of personal data about you:
Name, title, job title, gender (Oxford employees only), Oxford user ID (Single Sign-on (SSO)), academic department/faculty and division, ORCID ID, name of external institution for external applicants, and contact details (address, mobile/work telephone and email addresses).
3. How we use your data
Once schemes have been created, and applied to in the web application, the applications are accessed in Dynamics365 and packs are downloaded for review by selection committees.
For successful applications, data are passed to the Research Accounts team in Finance Division who are responsible for setting up research and departmental awards on Oracle financials.
4. When and how we share your data
We do not share the data within the collegiate University or with third parties.
5. How we protect your data
The University takes precautions to safeguard your personal information against loss, theft and misuse, unauthorized access, disclosure and destruction through the use of appropriate administrative, physical and technical security measures.
IRAMS is hosted on infrastructure within the University's network and is protected by logical access controls. Access to Dynamics365 CRM is limited to individuals authorised as IRAMS administrators who need to see and use the data to carry out their duties. Access to the funding schemes in the web application is via SSO. External applicants can only access the schemes once they have been allocated a temporary SSO.
6. How long we keep your data
We will only retain your data for as long as we need it to fulfil our purposes.
Application records in Dynamics365 (including documents and email notifications):
Application records will be deleted 5 years after the date last modified, where the application has not progressed to the fund owner review step
- For unsuccessful applications the records will be deleted 10 years after the applicant has been notified that their application was unsuccessful
- For successful applications, the records will be deleted 10 years after the project end date.
Applicant/co-applicant/editor records in Dynamics365
- Records will be deleted for Oxford leavers once all associated applications have been deleted as per the application record data retention schedule
- Records for non-Oxford applicants and co-applicants will be deleted once all associated applications have been deleted as per the application record data retention schedule
- Records for current Oxford employees will be retained.
Funding schemes in Dynamics365
- Inactive schemes will be deleted 5 years after the last modified date
- Active schemes will be deleted once all associated applications have been deleted as per the application record data retention schedule.
7. The legal process for processing your data
We will only use your personal data where the law allows us to do so. Most commonly we rely on the following legal base for processing your personal data:
Where we have a legitimate interest to do so for purposes listed within this privacy notice. Where we use legitimate interest as the basis for our processing we have carefully considered each of the ways we process your data to ensure that we carry out our activities with a focus on the interests of you, and in the most efficient and effective way.
8. Your legal rights and choices in connection with your data
Under certain circumstances, by law you have the right to:
Request access to your personal data (commonly known as a "subject access request"). This enables you to receive a copy of your data and to check that we are lawfully processing it.
Request correction of your data. This enables you to ask us to correct any incomplete or inaccurate information we hold about you.
Request erasure of your data. This enables you to ask us to delete or remove your data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your data where you have exercised your right to object to processing (see below).
Object to processing of your data where we are processing it to meet our public interest tasks or legitimate interests and there is something about your particular situation which makes you want to object to processing on this ground.
Request the restriction of processing of your data. This enables you to ask us to suspend the processing of your data, for example if you want us to establish its accuracy or the reason for processing it.
Request the transfer of your data to another party.
If you want to exercise any of the rights described above or are dissatisfied with the way we have used your information, please contact the University's Information Compliance Team at firstname.lastname@example.org . The same email address may be used to contact the University's Data Protection Officer. We will seek to deal with your request without undue delay, and in any event in accordance with the requirements of GDPR. Please note that we may keep a record of your communications to help us resolve any issues which you raise.
If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office at the ICO website.
9. How to contact us
If you have any questions about this privacy notice or about your personal data, or if you want to provide updates to your data or exercise any of your rights as outlined above, please contact us at one of the following address:
IRAMS Support Team, IT Services
University Offices, Wellington Square
Oxford, OX1 2JD, United Kingdom
+44 (0)1865 280089