Legal bases for processing your personal information
We’ll process your personal information only where we have a legal basis for doing so, including:
- our contractual obligations with you, or to begin entering a contract with you;
- our legitimate interests (or those of a third party), where your interests and rights don’t override those interests;
- your consent; or
- to comply with the law.
When we refer to our legitimate interests, we mean:
- to assess your suitability for our courses, jobs, or other opportunities;
- to operate your account with us, and maintain platforms we run such as our Course Hub or the community Slack;
- to improve our Platforms, services, marketing efforts, and user experience;
- to communicate with you, including collecting feedback and connecting you with opportunities;
- to assess the impact of our work, and to promote our work through, for example, case studies and blog posts;
- to advance the fields we operate in;
- to generally protect our legal rights.
Special category data
Some information is “special category data” under the UK GDPR. We sometimes collect special category data. For example, we ask for your ethnic origin in our course application form for diversity monitoring.
We’ll usually collect this from you directly, and ask for your consent before processing this data. In rare situations we may rely on other legal bases to process it, for example, to protect your vital interests or to obtain legal advice.
Automated individual decision-making
We aim to make fair and informed decisions on all applications to our courses. As a small team, we use AI systems to help us review the large volume of applications we receive.
We begin by considering the intended outcomes of each course. We work backwards to the types of skills, experience and attributes that indicate an applicant is likely to succeed. We translate these into objective numerical rubrics, and then we manually evaluate subsets of randomly selected applications to calibrate and validate these rubrics. Once finalised, we use AI systems such as large language models to score incoming applications. We ensure these scores match the ones given by humans on the sample set, and continue monitoring system performance by doing random checks of application scores.
After initial scoring, humans review each applicant manually to make the actual application decision, taking into account the scores and other data we have on a candidate. We are careful to ensure outlier applications are appropriately handled, and have systems in place to flag people who might score low on the rubrics but could be a good fit for the course anyway.
After decisions have been made, we have a different person review a sample of the decisions to check them. We also use demographic data given to us in the application form for aggregate DEI monitoring, to understand and address any biases in our process.
Under data protection legislation, you may have the right to have a human re-review the scoring part of the application process, to express your point of view, and to contest the decision. To exercise this right, contact us via the details at the top of this privacy policy.
Information sharing
We may share your information:
- with people on our courses, for example by adding you to calendar invites for your cohort where you can see each other’s names and emails;
- publicly, for example if you’ve consented to us publishing your course project submission;
- with third-party service providers, who will process it on our behalf. We use third-party providers of certain services such as database hosting, website hosting, website analytics, email automation, and payment processing.
- with other organizations for the purposes set out in this Privacy Policy, including those with relevant opportunities if you consented to this when applying;
- in exceptional circumstances, where there’s a legal or “duty of care” imperative (for example if we need to safeguard other individuals);
- with government authorities and/or law enforcement officials if required for the purposes above, if required by law, or if required to protect our legitimate interests (e.g. with HMRC for tax regulation purposes in the UK);
- with funders and investors to help our organization grow;
- if all or part of our organization is closed, combined with another organization, or becomes its own organization, we’ll share your personal information with external advisors (such as lawyers, accountants, or financial advisors) who are helping us with this process and the owners of the new organization; and
- in connection with any legal process or potential legal process.
Cross-border transfer of your personal information
When we share your information with people or organizations outside the UK, it might be subject to data protection laws that offer less protection than inside the UK. Where this is the case, we take steps to protect your personal information, including by entering into contracts that have been approved by the relevant authorities (such as “standard contractual clauses” or an “international data transfer agreement”).
How long do we keep your personal information?
We’ll keep your personal information while we need it to achieve the purposes for which we collected it, to comply with our legal and regulatory obligations, to exercise our legal rights, and to protect ourselves from legal claims.
If we no longer need this personal information for the purposes set out in this Privacy Policy, we’ll delete it or anonymize it so that nobody can identify you from the information.
How do we secure your personal information?
We put in place organizational and technical measures to protect your personal information. These measures include taking all steps reasonably necessary to ensure our IT systems are secure and putting in place procedures to deal with suspected data breaches. In the unlikely event of a data breach, we’ll take steps to minimize the loss or destruction of data and, if required by law, we’ll notify you. We’ve implemented data security policies and procedures, and relevant staff receive data security training.
Our security measures include:
- encrypting information in transit;
- encrypting information at rest;
- using single sign-on to access most internal services;
- enforcing TOTP or hardware security key 2-step verification to access key internal services;
- using password managers to reduce the likelihood of successful phishing attacks;
- making and storing encrypted backups of critical data;
- enabling built-in antivirus software and keeping devices up to date;
- using slow password hashing algorithms;
- taking reasonable steps towards the physical and cyber security of where we host our data (such as using reputable third-party providers); and
- using PCI-compliant payment processors to securely handle your payment details.
Where we’ve given you (or where you’ve chosen) a password that enables you to access certain parts of our Platforms, you’re responsible for keeping this password confidential.