The RSE collects personal information relating to a variety of data subjects from Fellows of the RSE and members of the Young Academy of Scotland through to attendees at events, awards applicants, venue clients and staff members throughout the course of its activities. This document delineates the types of personal information that the RSE is likely to collect, the ways in which we collect and process personal information and the rights of data subjects as outlined by General Data Protection Regulation (GDPR, 2018).
The RSE may collect a number of different personal details which are about a person and which, (either on their own or in combination with other information already held about that person) will allow us to identify that person as an individual. Depending on the nature of your relationship with the RSE, these details may include but are not limited to the following:
· first name;
· login credentials (including username and password);
· postal address (including billing/shipping addresses);
· telephone number (including home and mobile telephone numbers);
· email address;
· social media account ID (including Facebook usernames and Twitter handles);
· device information (such as MAC address, IP address, operation system and browser type);
· location information (such as GPS signal emitted by your mobile device);
· date of birth;
· information necessary for legal compliance (including details of ethnicity or disability access requirements);
· payment information (such as bank account, debit or credit card details);
· educational institute details (such as your school, university or college);
· marketing preferences (for example where you have opted in to receive our newsletter(s));
· reason(s) for contacting us (such as requests or enquiries);
· opinions, preferences, feedback, complaints, comments and /or suggestions (including comments made on our social media pages);
· online browsing habits, activities and behaviour (i.e. which RSE web pages you have visited and when);
· visit history, habits, activities and behaviour (i.e when you have visited the RSE’s premises, attended an event or participated as a committee member);
· preferences, access needs and dietary requirements;
· employment related information;
· security related information (including security incident reports and CCTV footage of our public areas).
In accordance with GDPR, the RSE endeavours to collect personal information directly from the data subject and will use all such information solely for the predefined purpose(s) for which that information has been provided.
The RSE may collect information from and/or combine any personal information which has been provided by a data subject with other sources when it is lawful to do so and when so doing is likely to enhance the efficiency and relevance of the services that we provide to others. Such sources may include:
· Google or other internet search engine results or publicly available data from Facebook, Twitter and similar social medial, or other information in the public domain;
· individuals and/or organisations whom you have confirmed may provide us with personal information;
· government, tax or law enforcement agencies;
· other sources (such as when personal information about you is volunteered by a third party, e.g. in a complaint or as part of a group booking).
The RSE may also on occasion collect and use sensitive personal information such as dietary or access and assistance requirements which may indicate a health condition. In all such instances, however, we will ask you to provide the necessary details only. For example, we may need to collect sensitive personal information in order to assist with any access requirements that you may have and to comply with our legal obligations under equality legislation. In other cases, we will collect this type of information only with your clear consent. Should you provide us with any sensitive personal information in any other instance, you will be deemed to have consented to our collection and use of that information.
The RSE collects personal information through one or more of the following data collection media:
· our physical site (i.e. through the data subject’s interaction with staff members, systems or equipment located within 22-26 George Street, Edinburgh);
· websites and micro sites as may be updated and/or extended from time to time, including our main website at www.rse.org.uk and the individual web portals associated with our services;
· other online/mobile interactive features;
· official social media pages (which may be provided in partnership with a third party social media platform such as Facebook or Twitter where other privacy policies and practices will apply);
· communication channels (i.e. telephone, SMS/text message, email and fax).
The personal information collected may be stored in electronic and/or hard copy formats.
How does the RSE use personal information?
The RSE may use personal information for a variety of purposes, depending upon the data subject’s relationship with the RSE and/or the specific service(s) that have been requested. The RSE will use personal information for one or more of the following purposes:
· to enable the data subject to participate in and/or use our services;
· to respond to, action and/or deal with the data subject’s feedback, requests and enquiries;
· to ensure that our services are provided in the most effective manner for the data subject and the device that he/she is using;
· to manage and improve services;
· to review and analyse the data subject’s use of our services in order to develop and improve the quality of our offering and strengthen our relationship with him/her;
· to personalise our services and present the data subject with content and information which are tailored to his/her needs;
· to send the data subject communications (including e-mail marketing and fundraising communications) with his/her consent where required;
· to invite the data subject to provide feedback, assist with surveys and input into consultation exercises;
· to provide the data subject with administrative information and/or service announcements and updates (including changes to our policies and terms);
· to ensure our records are accurate and up to date;
· to fulfil any contractual obligations assumed by the RSE (e.g. in the provision of tickets for an event, the processing of payments and/or the delivery of services);
· to comply with our legal obligations and to perform our statutory and public functions and duties;
· to administer our legitimate internal management analysis, audit, forecasts and business plans and transactions;
· to enforce our rules and policies (e.g. our Diversity Policy);
· to ensure the data subject’s safety and the security of our premises;
· to establish, defend or exercise our legal rights;
· to comply with orders, requests received from public, regulatory, governmental and judicial bodies;
· to comply with our legal, regulatory and internal governance obligations (e.g. record retention policies).
Personal information will, however, be processed if and only if one or more of the following conditions has been satisfied:
· The data subject has provided informed, unambiguous consent for his/her information to be used for a specified purpose(s);
· It is necessary for the RSE’s fulfilment of a contract with you (e.g. the purchase of tickets or the hiring of a room);
· It is necessary for the purposes of the RSE’s legitimate interests;
· The RSE is under a legal obligation to do so (e.g. for equality monitoring, employment or health and safety purposes);
· It is in the public interest and required in the performance of our official duties.
The RSE takes all possible steps to protect the security of personal information in accordance with our legal obligations with information being stored either in secure storage or electronically in a secure server and/or databases which are password protected and made accessible to staff on a need-to-know basis only.
Please note, however, that the RSE cannot guarantee the security of the transmission of personal information via the internet. All personal information should therefore be submitted online if and only if the data subject is accepting of the incumbent security risks.
For how long will the RSE retain personal information?
The RSE will keep personal details on record until we have dealt completely with a data subject’s request, enquiry or contract and then for a reasonable period thereafter in accordance with data protection and other legislation as set out in the RSE’s Records Management Policies and Procedures.
Should the RSE decide that the retention of personal information is no longer necessary, all such information will be destroyed/deleted in a secure and confidential manner.
Any personal information provided to the RSE in relation to its Fellows, Young Academy of Scotland members and recipients of awards may, however, be kept indefinitely for the purposes of maintaining a comprehensive archive of the RSE’s activities.
Data subjects are entitled to request:
· If and how their personal data is being collected and processed;
· A description of the nature of the personal data that is being collected and processed;
· Copies of, and/or to access their own personal information (see How do I make a subject access request? below);
· That their personal information be corrected and/or amended where inaccurate or incomplete;
· That their personal data be deleted or that the RSE stop using their personal data where there is no longer a need to do so;
· That the RSE stop sending direct marketing communications.
A subject access request should be submitted in writing to the RSE’s Data Protection Officer via [email protected] or to The Data Protection Officer, The Royal Society of Edinburgh, 22-26 George Street, Edinburgh, EH2 2PQ.
The RSE may require an individual to verify his/her identity and/or to provide further details in order to locate the required information but will endeavour to respond to all such enquiries within one calendar month once the necessary information has been provided.
In instances where a subject access request is likely to result in the disclosure of personal information relating to a third party, the RSE will require that third party to consent to the disclosure. If consent from that person cannot be obtained, the subject access request may be denied.
A personal data breach is defined as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. In instances where a data breach is likely to endanger the data subject’s rights or freedoms, the RSE will notify the ICO within 72 hours of becoming aware of the breach by completing and submitting a Data Protection Breach Notification Form (https://ico.org.uk/media/for-organisations/documents/2666/security_breach_notification_form.doc) and will record the breach in the RSE’s Data Protection Breach Log. Both documents will state:
· The date and time of the breach (or an estimate);
· The date and time that the breach was detected;
· Basic information about the nature of the breach;
· Basic information about the personal data concerned;
· The effects of the breach; and
· Any remedial action taken.
Whenever possible, they will include also:
· Full details of the incident,
· The number of individuals affected and its possible effect(s) on them,
· The measure(s) taken to mitigate those effects, and
· Details of the RSE’s notification of the breach to affected data subjects.
If these details are not yet available, the RSE will provide them or an indication of the likely timescale required to provide them to the Information Commissioner’s Office (ICO) by completing and submitting a second notification form within three days of the initial notification.
If a personal data breach is likely to affect the personal data or privacy of the RSE’s data subjects adversely, the RSE will notify them of the breach without unnecessary delay, detailing:
· The RSE’s name and contact details;
· The estimated time and date of the breach;
· A summary of the incident;
· The possible effect(s) that the breach could have on the individual;
· The measures taken by the RSE to address the breach;
· How the affected individuals can mitigate any possible adverse impact of the breach.