The CREST Awards are managed by the British Science Association (BSA). We take the security of your personal data and the safeguarding of your privacy seriously. The data that we collect, process and use is treated in accordance with this Privacy Information, the General Data Protection Regulation, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003. We aim to be clear about how we collect and use your data and not to do anything with it that you would not reasonably expect.
The CREST Awards collect and process data in the following way:
CREST Award Entries
Lawful basis for processing the data
Substantial public interest (where relevant)
Equality monitoring (where relevant)
We have previously used consent to process data - if you think this lawful basis applied when you entered data, please get in touch using the email address at the bottom of this notice.
Account owner names and email addresses are collected for operational communications. Account owners are teachers and students (students are expected to be over 16)
Student ethnicity, gender, disability and age data are held (when provided) and used for anonymised diversity analysis
Student names are used for certificate printing and to record the student’s achievement of the Award.
To keep in touch with and maintain a record of teachers and students who have taken part in the Awards, so we can verify the date of the award if asked by the student in the future.
For future reporting purposes, e.g. a CREST impact report may be based on ~9 years of historical data
We ask for sensitive data such as ethnicity and disability for diversity monitoring purposes and analyse this data anonymously. Educators are not required to submit this information if they would prefer not to. We are working on revising the website to allow educators to submit this data in such a way that it is separated from student names.
Data on teachers who have submitted students for Discovery and Bronze awards – name, email, role, address
Data on teachers who have submitted students for Star, SuperStar, Silver and Gold awards – name, email
Data on students submitted for Discovery and Bronze awards – name, gender, ethnicity, disability, date of birth, school
Data on students submitted for Silver and Gold awards – name, email, age, gender, ethnicity, school, address
How we collect the data
A teacher or student (expected to be over 16) signs up as a project owner to enter students for CREST Awards via the CREST website
For Discovery and Bronze: online via my.crest – a bespoke platform owned by the BSA
For Star, SuperStar, Silver and Gold: online via Fluid Review – a platform owned by SurveyMonkey.
Student data is retained for nine years and teacher data for five years.
Data on students who did CREST awards (and their teachers) prior to September 2017 is stored on our legacy database, which is held within a secure office and only accessible by a small number of BSA staff. Data which is beyond the retention periods is not processed but may be stored until we disable the database in late 2018.
Financial data is deleted after six months but may be retained by our finance team for longer due to legal reasons. See the financial section of the full privacy information.
Is any data sent to a third party?
Student names and certificate delivery addresses for Discovery, Bronze, Silver and Gold are sent to our printer to print CREST certificates.
CREST Youth Panel
Lawful basis for processing the data
We collect the data to assess if someone is suitable to join the panel, and to ensure we have parental consent for them to join.
We collect gender and geography (postcode) to monitor and develop the diversity of the Youth Panel and to understand if it represents the makeup of CREST students more widely.
To maintain communications with the Youth Panel members
Parent name and contact details, student name, email, date of birth, postcode and gender
How we collect the data
Through application forms emailed to the BSA staff member responsible for the panel
Two years after leaving the panel.
Unsuccessful applicant data is securely destroyed immediately
Shared with a Third Party?
To keep your personal data secure, we maintain physical, technical and administrative safeguards. We update and test our security technology on an ongoing basis. We store your data in a secure cloud-based service which requires ‘two step authentication’ to prevent unauthorised access.
We restrict access to your personal data to only those employees and contractors who need to know that information. In addition, we train our employees about the importance of confidentiality and maintaining the privacy and security of your information.
The my.crestawards.org service (run by SOON_) is hosted within a secure private virtual network which cannot be directly accessed via the internet except through SOON_'s public load balancer (accepting only HTTP traffic) or via a VPN account. This means the servers are protected from brute force attacks since they cannot be directly accessed. Further to this, SOON_'s database holding confidential user data also resides within the private network and cannot be accessed over the internet; only servers within our network can connect to it. The database is also username/password protected, and only the technical team within SOON_ has direct access to the database (required for maintenance). We run a production battle-tested and proven Linux-based operating system which is automatically patched with the latest security updates. Each server we run can only be accessed directly from the internal private network over SSH (Secure Shell) with a username and strong password; only SOON_'s development team have accounts on these servers.
Transfer of your personal information outside the European Economic Area
The CREST Awards website https://bsa.fluidreview.com is hosted in Canada. We take steps to try to ensure that they provide an adequate level of protection in accordance with the GDPR.
Visitors to our websites
For further information, visit www.aboutcookies.org or www.allaboutcookies.org. You can set your browser not to accept cookies and the above websites tell you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.
Links to third party websites
The BSA is not responsible for the privacy notices and practices of other websites even if accessed using links from our website. We recommend that you read their privacy policies and have linked to them in this privacy information where we can.
Complaints or queries about this privacy information
The BSA tries to meet the highest standards when collecting and using personal information and we take any complaints we receive about this very seriously.
You can make a complaint if you think our collection or use of information is inaccurate, unfair or misleading.
We also welcome any suggestions for improving our procedures.
This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of BSA’s collection and use of personal information. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the address below.
Access to personal information
What can you tell me about the data you have about me?
On receipt of evidence of your identity, we can provide:
confirmation that your data is being processed;
access to your personal data; and
any other supplementary information
In some cases, what will be provided may be limited if in sharing the data we would also be providing data on another individual. In these cases, we may have to ask for consent to contact the other individual for consent, edit out some of the data relating to the individual, or not share a portion of the data. If this is the case, we will communicate this with you as soon as possible and explain the reasoning behind this.
When will the information be provided?
Information will be provided within one month of receipt. However, we may extend the period of compliance by a further two months where requests are complex or numerous. If this is the case, we will inform you within one month of the receipt of the request and explain why the extension is necessary.
How will the information be provided?
We will verify the identity of the person making the request, using ‘reasonable means’. If the request is made electronically, we will provide the information in a commonly used secure electronic format.
How to contact us
If you have any queries or concerns, please contact our Data Protection team:
Tel: 020 7019 4946
Changes to this privacy notice
This Policy was last updated on 28/01/19.