How we use your information

This privacy notice tells you what to expect when the Centre for Security Failures Studies (Centre) collects personal information. It applies to information we collect about:

  • Visitors to our websites;
  • Victims of security failures in relation to information enquiry;
  • People who are using our services, for example the persons who subscribe to our newsletter, our members or persons who request our publications from us;
  • People who report a security failure;
  • Job applicants, contributing authors and current or former employees;
  • People we are interviewing and surveying in relation to our research;
  • People who support us, for example our partners and sponsors.

Visitors to our websites

When someone visits we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will be up front about this. We will make it clear when we collect personal information and will explain what we intend to do with it.

Use of cookies by the Centre

You can read more about how we use cookies on our Cookies page.

Search engine

Our website search and decision notice search is powered by WordPress. Search queries and results are logged anonymously to help us improve our website and search functionality. No user-specific data is collected by either the Centre or any third party.


We use a third party provider, MailChimp, to deliver our monthly e-newsletter. We gather statistics around email opening and clicks using industry standard technologies including clear gifs to help us monitor and improve our e-newsletter. For more information, please see MailChimp’s privacy notice.

Online data collection tool

We collect information volunteered by members of the public and security professionals about security problems using an online reporting tool hosted by SmartSurveys™. Our visitors are invited to see their privacy notice.

Security and performance

The Centre uses a third party service to help maintain the security and performance of the our website. To deliver this service it processes the IP addresses of visitors to the Centre’s website.


We use a third party service,, to publish, manage and maintain our website, and some of our conference and e-learning microsites. These sites are hosted at, which is run by Automattic Inc. We use a standard WordPress service to collect anonymous information about users’ activity on the site, for example the number of users viewing pages on the site, to monitor and report on the effectiveness of the site and help us improve it. WordPress requires visitors who want to post a comment to enter a name and email address. For more information about how WordPress processes data, please see Automattic’s privacy notice.

People who call us to obtain information

When you call the Centre’s helpline, we collect Calling Line Identification (CLI) information. We use this information to help improve its efficiency and effectiveness.

Our helpline also offers a translation service for customers when English is not their first language, and this particular service is provided by a third party company. The company that provides this service does not retain any information from the calls or record them.

People who email us

The Centre uses a third party service, Proton Technologies, to secure its electronic communications and maintain the highest possible level of privacy. Any email sent to us, including any attachments will be stored on web-servers hosted in Switzerland, in Europe’s most secure datacenter and underneath 1000 meters of solid rock. In this specific location, user data is protected by strict Swiss privacy laws and seamlessly encrypted once received by the Centre. Email monitoring or blocking software are also being used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.

The Centre will use an automatic end-to-end encryption solution when communicating electronically with users unfamiliar with encryption technology.

People who use our services

The Centre offers various services to the security community, organisations and the public. We use third parties to deal with some publication requests and certain aspects of our services delivery, but they are only allowed to use the information to send out the publications and support us in the delivery of our services.

We have to hold the details of the people who have requested the service in order to provide it. However, we only use these details to provide the service the person has requested and for other closely related purposes. For example, we might use information about people who have requested a publication or to become a member or contributing author to carry out a survey to find out if they are happy with the level of service they received. When people do subscribe to our services, they can cancel their subscription at any time and are given an easy way of doing this.

Sometimes, the Centre conducts research to serve the interest of a particular organisation, for example a charity or corporation. This means that we provides proprietary research and consulting services to specific clients. We do not disclose information about our clients and the data we hold about them is strictly confidential.

People who report a security failure

Many businesses and security professionals are volunteer to report certain specific information about security failures to the Centre for Security Failures Studies. The report may contain sensitive information, for example extensive details about a particular security failure, the types of parties involved and its aftermaths. The Centre compiles this information into a database which is useful to its members and to inform, to a certain extent, the public. The Centre for Security Failures Studies cannot therefore give any guarantee as to how the information contained in the database will be used by those accessing it, but people reporting security failures should know that the main purpose of the database is to facilitate research, information exchange and organisational learning. However, the Centre can guarantee that the security and anonymity of the data and information collected, processed and contained within our database is amongst our primary concerns.

When businesses and individuals fill in our reporting forms, they are asked to provide their contact details. The Centre for Security Failures Studies will use this for its own purposes, for example to conduct further research, but will not put it in our database of security failures. Contact details provided in relation to the reporting of a security failure are systematically anonymised and encrypted. Reporting a security failure is a process entirely volunteer and people reporting failures can withdraw from the process at any time and at their own initiative.

The reporting

We provide an online form for this purpose, hosted by WordPress. We use the data collected by the form to record the security failure, to allow our members to analysis the data, to inform our members about various trends and to make decisions about further research and also to further develop our services and products. We retain personal information only for as long as necessary to carry out these functions, and in line with our retention schedule. This means that logs and security failure reports will be retained for ten years from receipt, and longer where this information leads to development of new theories or analytical methods. We retain de-personalised information about organisations and individuals for as long as it is necessary to help inform future actions, but no entity is identifiable from that data.

Job applicants, contributing authors and current or former employees

When individuals apply to work with the Centre, we will only use the information they supply to us to process their application and to monitor recruitment statistics. Where we want to disclose information to a third party, for example where we want to take up a reference or obtain a ‘disclosure’ from the Criminal Records Bureau we will not do so without informing them beforehand unless the disclosure is required by law.

Personal information about unsuccessful candidates will be held for 12 months after the recruitment exercise has been completed, it will then be destroyed or deleted. We retain de-personalised statistical information about applicants to help inform our recruitment activities, but no individuals are identifiable from that data.

Once a person has taken up a function at the Centre, we will compile a file relating to their role. The information contained in this will be kept secure and will only be used for purposes directly relevant to that person’s function. Once their involvement with the Centre has ended, we will retain the file in accordance with the requirements of our retention schedule and then delete it.

People we are interviewing and surveying

The Centre may, time to time, decide to interview and survey individuals or organisations. Research participants should know that the data we collect are systematically de-personalised, anonymised and treated with strict confidentiality. This means that no identifiable information will be kept as soon as the data has been processed by our researchers.

We do not share our research raw data with third parties, apart when requested to do so by law. Data collected is encrypted and kept secure at the Centre. Participating to research is a voluntary process and withdraw from the research is possible at any time.

People who support us

People and organisations can support the Centre in many way, for example by becoming a partner or by donating. The Centre thus collects and processes data about its supporters and part of that data contains identifiable parts, such as their names. The Centre offers to its supporters the possibility to remain identifiable. However, our default position is to make our supporters unidentifiable, thus anonymous.

Complaints or queries

The Centre for Security Failures Studies tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

This privacy notice was drafted with brevity and clarity in mind. It does not provide exhaustive detail of all aspects of the Centre’s collection and use of personal information. However, we are happy to provide any additional information or explanation if needed. Any requests for this should be sent to the address bellow.

Access to personal information

The Centre tries to be as open as it can be in terms of giving people access to their personal information. Individuals can find out if we hold any personal information by making a ‘subject access request’ under the Data Protection Act 1998. If we do hold information about you we will:

  • give you a description of it;
  • tell you why we are holding it;
  • tell you who it could be disclosed to; and
  • let you have a copy of the information in an intelligible form.

To make a request to the Centre for Security Failures Studies for any personal information we may hold you need to put the request in writing addressing it to our Information Governance department, or writing to the address provided on our contact page.

If you agree, we will try to deal with your request informally, for example by providing you with the specific information you need over the telephone.

If we do hold information about you, you can ask us to correct any mistakes by, once again, contacting the Information Governance department.

Disclosure of personal information

In many circumstances we will not disclose personal data without consent. However and according to circumstances, we may need to share personal information with government bodies, such as law enforcement agencies.

Links to other websites

This privacy notice does not cover the links within this site linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated on 28 December 2016.

How to contact us

If you want to request information about our privacy policy, please visit our contact page.