Your personal information (such as your name and contact details, known as ‘personal data’) is protected by specific legislation:
- Until 25 May 2018: The Data Protection Act 1998
- 25 May 2018 onwards: General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
We take our responsibilities around data very seriously and it’s important to us that you understand how and why we ask for and work with your details. Your privacy is important to us and we have policies to ensure that we collect only the data that we need to carry out our business and that we don’t keep it any longer than we need to.
This policy explains how we collect, manage, use and protect your personal data, including how we work with third parties.
We never sell or swap your details with any other organization for their marketing purposes.
If you would like more information on anything in this policy, please email us at firstname.lastname@example.org.
Understanding your rights
Right to be informed
Right of access
You have the right to access a copy of your personal data and receive certain information about what the data is and how and why we are processing it. Please note that we will require you to prove your identity before we disclose any information.
Right to rectification
If you feel that any of the information that we hold about you is incorrect, do let us know so that we can look into it.
Right to object
You have the right to object to the processing that we have outlined in this policy.
Right to erasure / to be forgotten
You have the right to request that we delete your information and can discuss this with us at any time.
You should know that there are some circumstances where we may need to keep your details, for example, if it is necessary to comply with a legal or regulatory obligation on us. If this situation occurs, then we will explain and discuss these circumstances with you.
Right to restrict processing
You can request that we restrict processing of your data as an alternative to deleting it – this means that we will keep the data but stop processing for most purposes. You may want to exercise this right if you feel that the data is inaccurate, that our processing of it is unlawful, whilst we progress a request from you to object to processing, or if we have no further need of the data, but you require us to keep it in relation to the establishment, exercise or defense of a legal claim.
Rights related to automated decision making
You have rights to avoid being subject to decisions based solely on automated processing (including profiling) which has a significant effect on you. At IAOCR we do not carry out any such processing.
Right to data portability
You have the right to request a copy of certain personal data to have it transferred to another organization in certain circumstances.
You should know that there are some circumstances where these rights may not apply, but where this is the case we will always explain this to you. Please do contact us if you have any questions or concerns on how we collect and use your personal data, or on your rights, as we are always happy to speak to you. You also have the right to make a complaint direct to the UK’s data protection authority, the Information Commissioner’s Office (ICO). The ICO can be contacted at: https://ico.org.uk/global/contact-us/ and concerns can also be logged via the ICO website.
Why we collect and use personal data
We collect personal data to help us to process your requests, keep in touch with you and to help us to interact with you in the most effective way.
Examples of why we process your personal data may include:
- To keep you updated on our work;
- To provide services, products or information you have requested;
- To check with you on how you want us to contact you, and record these preferences;
- To notify you of changes to our policies when these affect you;
- To ensure that content from our site is presented in the most effective way for you and your computer;
- If we need to do so to comply with a law, process or regulatory requirement;
- To process a job application you may make with us.
The information that we collect
The personal data that we collect about you will be based on how you interact with us, but we collect the following information from you:
- Your name;
- Your business postal and business email addresses;
- Your telephone number or numbers if applicable;
- Events that you have taken part in or enquired about;
- Our telephone system lists the numbers that have recently called or been dialed, but we do not link these to any individual’s records.
Some personal data is legally considered to be sensitive, and so is subject to additional safeguards – in data protection law this is known as “special category” data. Data on the following matters is classed in this way:
- Ethnic origin;
- Political opinions;
- Religion or philosophical beliefs;
- Trade union membership;
- Biometrics (where this is used for identification purposes);
- An individual’s sex life; or
- Sexual orientation.
Similar protections apply to personal data relating to criminal convictions and offences.
We will only collect or use this type of data if there is a specific reason for doing so, for example, in order to comply with our Equality, Diversity & Disability Policy to demonstrate that we are providing equal opportunities to all people wishing to gain an accreditation. If you register as a learner, as part of the process of obtaining an accreditation we will ask for ethnicity, gender, disability and employment status. At the point of collection, you have the option not to provide us with this data if you do not want to.
How and when we collect information about you
There are a number of ways that we collect information; most often this will be directly from you, for example, if you fill out a form on our website. Whenever we ask for information from you we will explain why we are asking for it (including by reference to this policy) and you will always be given a choice about how we communicate with you.
In some circumstances we will gather data from publicly available sources (such as LinkedIn). We do not buy lists of data to use for our marketing purposes or share data with other organizations for them to use in their marketing purposes.
Anonymous information: cookies
Our legal basis for processing your information
We will always make sure that we consider why we are processing your personal data and identify our legal basis for doing so. Often this will be because you have given us your consent. We may also process your data where we are furthering our legitimate aims and have assessed that the processing is not likely to be too intrusive, or to unduly infringe on your rights and freedoms. In legal terms, this is called the “legitimate interests” basis.
In some cases, we have a statutory duty to process information and we will always comply with any appropriate regulations or guidelines.
We may also process your personal data where it is necessary to carry out the terms of a contract which we have with you (or when we are in the process of forming that contract with you).
We will make it easy for you to tell us if you would like to receive “marketing” communications from us and hear more about our initiatives or news and the ways in which you would like to receive this information (post, email, SMS and phone). In every communication, we will always make it clear how you can tell us if you choose not to receive further marketing communications, either at all, on certain topics or by certain methods.
If you tell us that you do not want to receive marketing communications, we will remove you from our list and will then not send you any further communication.
Processing your data on the basis of your consent:
There are a number of circumstances where we only process your data on the basis of your consent. Examples of this are:
- To send you marketing by email.
- To send you direct messages through social media.
You can withdraw your consent at any time. If you wish to do so, or have any questions on this, please do just get in touch with us at email@example.com.
The Legitimate Interests basis
We might further our legitimate interests in the following ways:
To communicate with you about marketing and fundraising materials or products:
- To respond to requests for information, such as where you have asked for information by completing a form on our website
- To send you mail relating to activity that we think you may be interested in (unless you have told us you do not want this). We will always consider how much mail you receive from us, and what the topic is, to ensure that it is appropriate.
- To use social media
To ensure we understand our clients and potential clients that we contact and so we can contact them in a way that is relevant for them and to make sure that we are using our marketing budgets effectively:
- To segment and analyze the data that we hold so that we can understand who our clients and potential clients are and contact them about specific activity.
- To ensure that we contact only people whose interests may align with our business.
- To manage our everyday business needs.
- To update our database records to keep them accurate, for example, to amend an address where we receive returned mail.
- To contact former job applicants whose details have been retained by us.
You have the right to object to us processing your data on the grounds of our legitimate interests. If you would like us to stop using your data on this basis, please do get in touch with us at firstname.lastname@example.org.
How we work with third parties in processing personal data
At IAOCR, we sometimes work with third parties. It’s important that you understand the circumstances where this might happen and who we work with.
We never sell or swap your details with any other organization for their marketing purposes.
These are some examples of how we work with third parties:
- Where we sign a contract with a third-party supplier to carry out services for us. These contracts will always hold a supplier to our own high standards of data protection, to ensure that they treat your information with the same care as we do.
- Where you register to take part in an event (such as a meeting) and we may have to provide your details to the event organizer.
- Where we need to provide information to third parties for accreditation purposes as part of the system for complying with the requirements of any relevant qualifications and credits frameworks. If you would like to know which specific organization applies to your particular accreditation please contact us at email@example.com and we will be pleased to let you know.
Third party suppliers
We may use companies to provide services and process your personal data on our behalf, where they have a specific expertise or can offer the most cost-effective solution for us.
Whenever we work with a company in this way, we will always have a contract with them, to be certain that they treat your data with the same level of care and respect as we do. We will only send them the data that they need to carry out their specific service, and they are required to delete it or return it to us once they have completed this. Your data will only ever be passed to them for the services that they carry out on our behalf; it is never shared for their marketing purposes.
Third Parties who send us data
Some third-party organizations collect data on our behalf and share it with us in accordance with their policies and procedures for data protection compliance. Some of these organizations are Data Management companies, which we use to ensure that data you have provided us with is up to date. We do not use this to add new contact data; so if we already have your address, we may update this, but if we do not have your telephone number we will not use one of these companies to find and record it. Whenever you give your data to any organization, you should always make yourself aware of their Data Protection and Privacy Policies.
Where we have a legal requirement
We will always share data where we have a legal requirement to do so. If we were to merge with another company or restructure, we may also share your personal details with other entities involved in the merger/restructure for that purpose.
How long we keep your data for
We want to make sure that we have up to date records for as long as you are actively engaged with IAOCR, for example receiving newsletters, updates or correspondence from us. Once you are no longer actively engaged, we will keep your data for a set period of time, which we calculate depending on the information that you originally provided and why you gave it to us. At the end of this time period, we will remove any personal details from our records of you to ensure that any information is entirely anonymous. In most cases we will keep records for four years to make sure that we have appropriate records of any conversations or enquiries in case you ask us to come back to them later.
In the case of people who receive an accreditation with us, we are obliged to keep this information according to the requirements of any qualifications and credits frameworks.
What happens at the end of this time period?
At the end of this time period, we will remove your personal details from our records to ensure that they are entirely anonymous.
Your right to be forgotten
You have a right to be forgotten, which means that you can ask us to delete your personal details. You should know that there are some circumstances where we may need to keep your details, for example, in order to comply with a legal obligation. If this situation occurs then we will explain and discuss these circumstances with you.
If you would like to discuss or exercise this right, please do get in touch with us at firstname.lastname@example.org.
How we keep your information secure
IAOCR takes the care of your data very seriously and we use a combination of organizational and technological security measures to protect your personal information to the highest possible standards. This includes the use of secure servers, firewalls, virus and malware protection.
Access to all IAOCR data is protected by complex passwords. We make sure that only staff who need to access your personal data can do so. Any member of our staff who has access to your personal data is given training to make sure that they understand the importance of keeping your information safe and secure at all times.
Whilst we take all of the measures that we’ve outlined above, unfortunately the transmission of information using the internet is not completely secure. Although we will do our best to protect your personal data sent to us this way, we cannot guarantee the security of data transmitted to our site.
In the extremely unlikely event that we experience a data breach, our data protection function will work immediately to close the breach, analyze the cause of the breach and put in place preventive measures to avoid a similar breach recurring.
Where we keep your information and when it might be transferred outside of Europe
IAOCR is aware that countries outside of the European Economic Area have differing standards of data privacy. Much of our data is kept within IAOCR systems here in the UK, but there are a number of exceptions that you should be aware of.
Some countries have been determined by the European Commission to have “adequate” standards of data protection compliance. Organizations we work with who process data in the USA have verified that their data processing standards meet the standards in the EU-US Privacy Shield, which sets out clear safeguards and transparency responsibilities for US-based organizations processing data from EU citizens, or that they otherwise have proper safeguards in place.
How to control the marketing that we send you
We want to make sure that we keep in touch with you when and how you want. Every marketing communication that we send will outline how you can update us on your preferences and all of our emails have an Unsubscribe link.
You are also always welcome to get in touch with us at email@example.com.
We will ensure that our records are updated as soon as possible once we receive your instructions. For our postal communications, it can take up to 28 days for any change to take full effect because of the production times for our marketing campaigns, but in most cases we would expect the change to be effective much more quickly.
Information on profiling
We undertake a number of different activities that can be known as “profiling”. We use these to help us to understand how best to manage our resources, so that we can understand your interests.
The most common form of profiling that we undertake is to segment and analyze the information on the database we use for marketing purposes. We typically use segmentation to identify particular audiences for some of our communications, for example by job title.
If you do not wish us to use your details in this way, please contact us at firstname.lastname@example.org.
How we use your information if you apply for a role at IAOCR
We collect information from anyone who applies to work at IAOCR. We only use this information for our recruitment or employment purposes and it is entirely separate to our business marketing database.
When you apply to work at IAOCR we will ask for information about you and your work history to understand how your expertise and past experience matches the requirements of a role.
We might disclose details outside of IAOCR as we process your application: we will ask for details of referees and we will contact them to verify the information that you have given us. When we contact them, we will share your name and the role that you have applied for. We contact referees on the basis of our legitimate interests as an organization to understand applicants and their suitability for the roles they apply for.
All candidates applying to work at IAOCR will automatically have their application details saved and retained on our secure systems for 12 months. We use this information to identify candidates who were unsuccessful in their application but who we feel may have an interest in and suitability for another role.
If you would like for us to remove your personal details from our system at any time before that, email us at email@example.com.
You should know that we may keep anonymous statistical information about applicants to develop our recruitment processes and for equality and diversity monitoring, but this does not contain any information that could be used to identify individual job applicants.
Changes to this Policy
This policy was last updated in May 2018.
From time to time, we may make changes to this Policy and you will always be able to see here when it was last updated. If we make significant changes, such as in how or why we process your personal data, we will also publicize these changes on our website or may contact you directly with more information.
Please do revisit this policy each time you consider giving your personal data to IAOCR.
Telephone: 01628 784906