Data Protection Policy
Introduction
The British Infection Association (BIA) is committed to a policy of protecting the rights and privacy of individuals, including members, in accordance with the General Data Protection Regulation (GDPR) and domestic UK data protection legislation (“the Data Protection Legislation”).
The BIA processes personal data in order to administer the membership database and generally perform the duties of a membership organisation. This involves the personal data of members but also of a variety of individuals in third party organisations.
In compliance with our stated policy, the BIA will ensure that all this information about individuals is collected and used fairly, stored safely and securely, and not disclosed to any third party unlawfully.
All members, office-bearers and any entity who deals with the BIA must comply with the terms of this policy.
This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments to Data Protection or other legislation.
Key Concepts
The BIA is a ‘Data Controller’ in terms of the Data Protection Legislation. The definition of ‘Data Controller’ together with other key Data Protection Legislation definitions can be found at Annex A.
Data Protection Principles
The Data Protection Legislation requires that anyone processing personal data must comply with Eight Principles of good practice. These Principles are legally enforceable.
The Principles require that personal information:
- Shall be processed fairly and lawfully and in particular, shall not be processed unless specific conditions are met;
- Shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes;
- Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed;
- Shall be accurate and where necessary, kept up to date;
- Shall not be kept for longer than is necessary for that purpose or those purposes;
- Shall be processed in accordance with the rights of data subjects under the Act;
- Shall be kept secure i.e. protected by an appropriate degree of security;
- Shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection or an accredited security arrangement is in place.
Rights of Data Subjects
The data subject has rights under the Act. These consist of:
- The right to be informed that processing is being undertaken;
- The right of access to one’s personal information;
- The right to prevent processing in certain circumstances;
- The right to correct, rectify, block or erase information regarded as incorrect.
Data Subjects also have the right to take any complaints about how BIA processes their personal data to the Information Commissioner:
https://ico.org.uk/concerns/
0303 123 1113
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Membership Personal Data
Personal data of members held by BIA is as provided by members at the point of membership application. This will include Name, Work Address, Mailing Address, chosen email for the member profile, current institution, current job level, Trainee/Consultant Status, and membership category chosen. The membership category will determine whether fees apply. Where fees are applicable, additional details will be held for the purpose of collecting member fees.
Legal Basis for Processing
BIA uses members’ personal data in line with the lawful basis of legitimate interest, in order to maintain and manage each individual’s BIA membership. This means BIA will use personal data as part of the normal business administration process required to run the Association including engagement with third parties which include but are not limited to:-
- Elsevier Publishers for BIA Journal of Infection access;
- Direct Debit collections with personal data as supplied by the member;
- Reports back to the BIA Trustees;
- HMRC; and
- the BIA outsourced Accountants.
In the event that any processing of personal data is contemplated by BIA which requires the consent of the data subject(s), such consent will be obtained prior to any processing.
Third Parties
There are situations where personal data held by BIA is shared with or is accessible by third party organisations such as our professional advisers, website and IT support providers, payment card processors and the like. In such cases BIA will have arrangements in place with such third parties setting out parties' roles and responsibilities for data protection and with legally binding obligations for the protection of personal data.
Security
BIA are committed to protecting the privacy of personal data and will use appropriate standards of technology and operational security to protect personal data including a secure server and network firewall connection. Operationally, access to personal data is restricted to authorised personnel who are under a duty to maintain the confidentiality and security of such information.
Retention of Personal Data
Members’ data will be held for the term of the member’s active membership as requested by the member and then for any period required in order to comply with HMRC rules or any other regulations or legislation.
If a member actively requests that their membership be cancelled, this will be actioned on receipt of the request; however, some information will need to remain on file for a period of time in accordance with tax and accounting practices. Where a member’s BIA membership expires, or their fees lapse and/or their direct debit fails to collect and no payments are made against the membership (as applicable), the member’s personal data will be removed from the system:
- after 3 attempts to contact the member with no response;
- after 1 year maximum for free members, and
- when no longer required for tax purposes for fee-paying members.
Duties and Responsibilities
The BIA Council is responsible for ensuring compliance with this policy. The Council will meet regularly and address any data protection related issues that arise and generate initiatives or communications as necessary to ensure compliance with this policy.
At an operational level, the Council will ensure that:-
- there is always someone with specific responsibility for and knowledge of data protection who will act as the internal and external point of contact, handle complaints from data subjects and report to the Association on data protection operation;
- anybody wanting to make enquiries about handling personal information knows what to do and who to refer enquiries to;
- queries about handling personal information are promptly and courteously dealt with;
- methods of handling personal information are clearly described;
- a regular review and audit is made of the way personal information is held, managed and used, including where new categories of personal data are processed or where processing takes place or if processing is deemed to present a risk to the rights and freedoms of individuals;
- appropriate records of processing are maintained;
- methods of handling personal information are regularly assessed and evaluated, particularly if new processing takes place or if processing is deemed to present a risk to the rights and freedoms of individuals;
- performance with handling personal information is regularly assessed and evaluated;
- breaches of personal data are promptly assessed, contained and mitigated; and
- breaches of personal data are reported to the ICO and data subjects where necessary.
Procedure For Review
This policy will be updated as necessary to reflect best practice or future amendments made to the Data Protection Legislation.
The ICO’s website (www.ico.gov.uk) provides further detailed guidance.
For help or advice on any data protection issues, please do not hesitate to contact: BIA@hartleytaylor.co.uk
Annex A
Key Definitions
- ‘Personal Data’ means data which relate to a living individual who can be identified from those data or from those data and other information which is in the possession of, or is likely to come into the possession of, the Data Controller and includes any expression of opinion about the individual and any indication of the intentions of the Data Controller or any other person in respect of the individual. Under the GDPR, the definition of personal data will explicitly extend to IP addresses.
- ‘Sensitive Personal Data’ means information about an individual’s ethnicity, political opinions, their religious beliefs or other beliefs of a similar nature, membership of a trade union, disability, sexual orientation, the commission or alleged commission by them of any criminal offence, or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.
- Under the GDPR, the term ‘sensitive personal data’ will be replaced by the definition of ‘special category data’, which means any personal data about an individual’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, and their genetic or biometric data.
- ‘Processing’ means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, use, disclosure or storage of personal data etc.
- ‘Data Controller’ means the organisation which, either alone or jointly with another organisation, determines the manner and purpose of the processing of personal data. The Data Controller is primarily responsible for compliance with the Data Protection Legislation.
- ‘Data Processor’ means an organisation (such as a contractor) which processes personal data on behalf of a Data Controller. Under the GDPR a Data Processor also has responsibilities for compliance with the Data Protection Legislation.
- ‘Personal Data Breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.