At the IFS, we are committed to protecting and respecting your privacy. This policy explains when and why we collect personal information about people who use our services, for example through attending our events, visiting our website or signing up to our mailings lists or joining as a member; how we use this data; the conditions under which we may disclose it to others; and how we keep it secure.
We may change this policy from time to time so please check this page occasionally to ensure that you’re happy with any changes. By using our website, you’re agreeing to be bound by this policy.
Any questions regarding this policy and our privacy practices should be sent by email to email@example.com.
As part of our research activity, we also work with datasets originating in the UK and overseas, some of which contain personal data. For information about how we deal with these datasets, you can contact our Data Protection Officer (see below).
The Institute for Fiscal Studies was founded in 1969. Established as an independent research institute, IFS was launched with the principal aim of better informing public debate on economics in order to promote the development of effective fiscal policy.
The Institute for Fiscal Studies is a registered charity (no. 258815) and a company limited by guarantee, registered in England (no. 954616). The registered address is 7 Ridgmount Street, London WC1E 7AE.
At the IFS, we use a range of data sources to help us answer research questions. Some of that data contains information on individual people who have either taken part in a survey or who are part of an administrative dataset. Data are made available to us from outside organisations via data sharing agreements and we have to follow strict procedures in order to gain access. We only ever receive data in de-identified or anonymised formats. This means that no directly identifying information is shared with us.
If you take part in a survey, the data collector will have provided you with a privacy notice that informs you how your data will be used but because we do not know who you are, we are not able to directly provide you with a privacy notice ourselves. If we hold data on you as part of an administrative dataset, we also cannot provide you with a privacy notice directly.
More information about specific datasets and how we use the data can be found by following these links:
When you sign up on our website to attend an event or to receive news from us, we will collect and process your data to allow us to carry out your request.
This information will typically include your name, email address, research interests, billing address and company and/or sector (optional). For paid-for events, financial data will also be collected and processed by a third-party processor.
For events, we may also ask for any special dietary and disability requirements that will help us make your attendance at the event as comfortable as possible. Providing this information will always be optional.
When you sign up to attend an event, we will use your information to process this request. This may include:
Contacting you before the event with important information, and in some cases immediately afterwards to share any presentations or reports associated with the event.
Making a name badge for you, which will contain your full name and organisation (if shared with us).
Producing a delegate list with your full name and company (if shared with us), to be handed out to all attendees of the event.
We will also store your information in order to help report to our funders and to help us analyse past event performance (for example, which types of events are popular with which types of people). We will not pass on any identifiable data to funders when we do this, and any analysis produced internally will be for our own purposes only.
When you sign up to receive news from us, either via the mailing list form or when you sign up to attend an event and give us permission to contact you in future, we will use your data to send you regular emails about upcoming events or research which we think you might be interested in.
In the course of doing all of the above, we will sometimes use third party software to help us process your data, all of which will either be registered with the EU-US Privacy Shield programme or will have entered into model EU clauses with any sub-processor it uses and based outside the EEA or has established a set of binding corporate rules with its foreign subsidiaries who are based outside the EEA or the Information Commissioner has made a positive finding of adequacy in relation to the territory in which the sub-processor is based and to which your Data may be transferred.
We will not share your personal data with any other third-party, unless we have expressly asked permission from you to do so (for example, if we are running a joint event with another organisation, we may ask for your permission to share your details with them).
The lawful basis for processing this information is Legitimate Interests (Article 6(1)(f)).
For people who have signed up to attend an event, we have a legitimate interest in processing their data in order to facilitate the running of the event. You have a legitimate interest in us processing the data in this way, as it allows you to attend the event.
We have a legitimate interest in informing members of the public who have expressed an interest in our work (either by directly signing up on our website, or by attending an event and opting in to hearing more about similar events or research) about these topics. You benefit as well through hearing more about our research where it relates to your work.
We will only hold your personal information on our systems for as long as is necessary to carry out the above uses. For example:
If you sign up to an event, we will store your data for up to five years after the event. After this period, we will anonymise all data on attendees and keep only attendance numbers and a broad breakdown by sector.
If you sign up to our mailing list, we will store your data either until you unsubscribe (there will always be an option to opt-out on every email we send) or you have not opened an email from us in the past year.
The IFS will collect data from job applicants, such as is required to allow us to assess their suitability for the role and to compare applicants’ skills and experience. This will include data from application forms/CVs, as well as data acquired during interviews, from referees and other third parties (for example, as part of security background checks).
Processing data from job applicants allows the organisation to manage the recruitment process, assess and confirm a candidate's suitability for employment and decide to whom to offer a job. The organisation may also need to process data from job applicants to respond to and defend against legal claims. It may also use the data to inform future decisions about where and when to recruit.
The organisation needs to process data to take steps at your request prior to entering into a contract with you. It may also need to process your data to enter into a contract with you.
In some cases, the organisation needs to process data to ensure that it is complying with its legal obligations. For example, it is required to check a successful applicant's eligibility to work in the UK before employment starts. The organisation may process special categories of data, such as information about ethnic origin, sexual orientation or religion or belief, to monitor recruitment statistics. It may also collect information about whether or not applicants are disabled to make reasonable adjustments for candidates who have a disability. The organisation processes such information to carry out its obligations and exercise specific rights in relation to employment.
For some roles, the organisation is obliged to seek information about criminal convictions and offences. Where the organisation seeks this information, it does so because it is necessary for it to carry out its obligations and exercise specific rights in relation to employment. The IFS will only seek this information for applicants who have been offered a job or, in most cases, have been appointed.
Access to the data is given to the recruitment team and administrators and IT staff as needed for the performance of their work. Data collected for equal opportunities monitoring will not be viewed in conjunction with the candidate’s application and will be used only in aggregate.
Some data may be shared with the candidate’s nominated referees. In the case of academic referees, they will be contacted for all shortlisted candidates. In the case of employment referees, they will only be contacted once a job offer has been made, and the candidate will first be informed.
The lawful basis for processing information from a job application is Contract (Article 6(1)(b))
Where information is required to comply with legal obligations (e.g. it is required to check a successful applicant's eligibility to work in the UK before employment starts) the lawful basis for processing some information is Legal 6(1)(c).
Where we process special categories of data, the special condition for processing this information is that processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject Article 9(2)(b).
Where we process information about criminal convictions and offences, we also comply with Article 10 of the GDPR.
Data may be kept for approximately three years for candidates who have been interviewed in case other vacancies arise for which previous applicants may be suitable. Data will be deleted once a year for all other unsuccessful candidates for jobs where the deadline fell more than a year before.
Information about candidates who apply for jobs via recruitment agencies will be treated in the same way.
When you sign up to become a member of the IFS, either on our website, or by email, or by post, we will collect personal information about you to help us process your membership. This information will typically include your name, email address, postal address, telephone number, billing address and company and/or sector (optional).
For corporate members, we will also collect information on relevant contacts at your business who wish to receive news from us in future.
Financial data will also be collected to process your membership subscription, but will only be stored by a third party processor. It will not be kept by the Institute.
Information is sent to members about research and events, based on the stated or assumed interests of those concerned.
We’ll use your email and postal addresses to send you all membership materials and to invite you to AGMs, where appropriate. We may contact you for feedback on the membership scheme or the running of the IFS from time to time.
If you are a corporate member, we will publish your company name on our website as one of our corporate members.
In the course of your membership, we will sometimes use third party software to help us process your data, all of which will either be registered with the EU-US Privacy Shield programme or will have entered into model EU clauses with any sub-processor it uses and based outside the EEA or has established a set of binding corporate rules with its foreign subsidiaries who are based outside the EEA or the Information Commissioner has made a positive finding of adequacy in relation to the territory in which the sub-processor is based and to which your Data may be transferred.
The lawful basis for collecting information from members is Contract (Article 6(1)(b))
Keeping the information is also necessary for us to carry out services offered to members, such as inviting them to events and sending them publications.
For some member information, the legal basis is Legal obligation Article 6(1)(c) because members are company-law members of the organisation, so the information constitutes a register of members.
We will hold your personal information for as long as you are a member. After your membership has expired, we will keep your information for as long as is required by UK law, or for up to 2 years, whichever is longer.
We collect data about traffic to our website and how people use our website using Google Analytics Hotjar and OptinMonster. The data available to us aggregated and anonymised, so that we cannot access personal information, such as IP addresses, and cannot identify how any individual has used the website. We may collect information about your computer, including your operating system and browser type, for system administration and in order to create reports. This is statistical data about our users’ browsing actions and patterns, and does not identify any individual.
Google Analytics is a web analytics tool that helps website owners understand how visitors engage with their website. Google Analytics customers can view a variety of reports about how visitors interact with their website so that they can improve it.
Like many services, Google Analytics uses first-party cookies to track visitor interactions as in our case, where they are used to collect information about how visitors use our site. We then use the information to compile reports and to help us improve our site.
Cookies contain information that is transferred to your computer’s hard drive. These cookies are used to store information, such as the time that the current visit occurred, whether the visitor has been to the site before and what site referred the visitor to the web page.
Google Analytics collects information anonymously. It reports website trends without identifying individual visitors. You can opt out of Google Analytics without affecting how you visit our site – for more information on opting out of being tracked by Google Analytics across all websites you use, visit this Google page.
The information we collect from our Analytics is used to inform our understanding of how visitors use our website, how we can best serve them with targeted messaging, how we structure the website and how content is arranged there.
This aggregate, anonymous data that we collect is not deleted from our systems, so that we can track use of the website over time.
The organisation takes the security of your data seriously. It has internal policies and controls in place to ensure that your data is not lost, accidentally destroyed, misused or disclosed, and is not accessed except by our employees in the proper performance of their duties.
Data that we collect is stored either on our internal network or on our web server, both located in our UK offices. The IFS is compliant with ISO27001:2013 and takes seriously its duty to preserve the confidentiality, integrity and availability of data, as appropriate. This means that all information is handled according to its classification (for example personal data, publicly available data) and that access to the data is restricted accordingly, both through electronic and physical means. Staff are trained to ensure awareness of the importance of data security and practical knowledge of how to keep data safe. In addition, back-ups of our data are stored offsite in a secure UK location, which is also compliant with ISO27001:2013.
Where we use external companies to collect or process data on our behalf, your information may be transferred to, and stored at, a destination outside the UK. However, we will ensure that the information has the same protection as if it were being held within the EEA because our hosting company either benefits from the Privacy Shield or has entered into model EU clauses with any sub-processor it uses and based outside the EEA or has established a set of binding corporate rules with its foreign subsidiaries who are based outside the EEA or the Information Commissioner has made a positive finding of adequacy in relation to the territory in which the sub-processor is based and to which your data may be transferred.
You can ask to be removed from our mailing list at any time, either by unsubscribing on an email we have sent you, or by emailing us at firstname.lastname@example.org.
You can also:
request a copy of your personal information, and to have any inaccuracies corrected.
request that we remove all of your personal data from our systems.
request that we restrict the way we process your data.
To do any of the above, please email email@example.com, with as much information as possible about your request, and we will respond within 30 days. In some cases, this may mean that we cannot carry out the activity for which you originally provided your information: for example, if you applied for a job, we may not be able to process your application.
If you are unhappy with the way we have processed or stored your information, you also have the right to complain to the Information Commissioner’s Office. Please visit their website for more information on how you can do this.
By continuing to use our website, you will be deemed to have accepted these changes.
Data Protection Officer
Institute for Fiscal Studies
7 Ridgmount St