Anatomical Society Data Protection Policy 2018

Key details
• Policy prepared by/updated by: Anatomical Society Council.
• Approved by council on: 15.11.2018

Introduction
The Anatomical Society needs to gather and use certain information about individuals from time to time. These can include, but are not limited to, individuals who apply to join the society, its members, businesses, service providers and anyone that wishes to participate in any activity organised by the society.

This data protection policy describes how and why this personal data is collected, handled and stored to meet the Anatomical Society data protection standards and to comply with data protection law. As such this policy ensures that the Anatomical Society:
• Complies with data protection law and follows good practice
• Protects the rights of staff, members and partners
• Is open about how it stores and processes individuals’ data
• Protects itself from the risks of a data breach.

Data Protection Law
The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 came into effect in the UK in May 2018. As such the Anatomical Society has made some changes to its Data Protection Policy as outlined below.

The Society holds personal information/data (on paper, computer or other media) on our members and non-members (i.e. employees, award holders, training programme participants, delegates to meetings, suppliers of services and financial information – such as the RSB, Wiley-Blackwell, Webree and others with whom we communicate). We aim to make sure that this personal information is processed in accordance with legal requirements. Members, staff and outsourced organisations working on behalf of the Society, including social media (i.e. Twitter, Facebook, and LinkedIn) are expected to comply with data protection legal requirements. This document explains the data protection policy of the Anatomical Society.

What does the law cover?
The Anatomical Society will comply with the data protection principles set out in the GDPR. Each principle is explained below, together with a brief summary of how the Society complies with the principle in practice. 

A reference in this Policy to "you" means an individual who is a member or non-member of the Society as well as members (e.g. Trustees; Committee Members) and staff (e.g. Data Protection Officer) who carry out the Society’s policies and a reference to "we" means the Society.

Principle 1: Processed fairly and lawfully and in a transparent manner
This means telling you what privacy information we hold about you and what we do with it. We comply with the GDPR requirement to provide detailed, specific information to you. We do this through our privacy notice, which contains all the information required by the GDPR. Whenever we collect personal data directly from you, we provide you with a privacy notice when you first give us your personal data. When we collect personal data from a third party or a publicly available source, we will give you a privacy notice as soon as possible after collecting or receiving your data.

All of the details regarding how we collect information about you are outlined in the privacy notice. If you wish to see all the information held about you in the membership database (outsourced to RSB Ltd) you can contact the privacy manager using the details set out in the privacy notice or included at the end of this policy.

Principle 2: Obtained for specified, explicit and legitimate purposes 
We have registered with the Information Commissioner (the person responsible for the operation of the DPB) and told the Commissioner about the purposes for which we process personal information. Please see our privacy notice for details about which legal bases are used to process your personal data in various scenarios. Membership data is processed on legitimate interest grounds and in order to deliver the contract.
We will only collect your personal data for specified, explicit and legitimate purposes. We will not process your personal data in any manner incompatible with those purposes unless we have first informed you of the new purpose and (where necessary) you have consented.

Principle 3: Personal information shall be adequate, relevant and not excessive in relation to the purpose for which it is processed
In practice, this means not asking you for more information than we need. That is why we only ask for limited and specific information from our members and non-members. 

Principle 4: Personal information shall be accurate and, where necessary, kept up-to-date
We check the accuracy of the information we hold about staff and our members at least once a year. For members this is on renewal of your membership. In the meantime, if any information which you have previously given us changes (e.g. your email address), you are free to notify us at any time so that we can correct our records. Other records (e.g. historical records of financial transactions) are checked as needed.

Principle 5: Personal information processed for any purpose(s) shall not be kept for longer than is necessary for that purpose or those purposes 
We will not keep personal data in an identifiable form for any longer than is necessary for the purposes for which we collected it. For financial data we will keep records for 6 years. We will keep all other information for 20 years. Certificates of Employers Liability Insurance will be kept for 40 years. Governance records, a fixed asset register and annual trustees’ reports and accounts will be kept permanently. We will keep a record of AS staff, trustees and member names and affiliations only in the historical record of the society on the ground of legitimate interest unless you request that these be erased.

Principle 6: Personal information shall be processed in accordance with the rights of data subjects under this Act
The GDPR gives individuals a number of rights. These include your right to request details of the personal information the Society holds about you. If you want to find out what this is, please send a written request using the contact details which appear at the end of this Policy. Under certain circumstances, by law you have the right to:
• Request access
• Request correction
• Request erasure
• Object to processing
• Request restriction of processing
• Request the transfer of your personal data
• Withdraw consent.
For all such access requests, the data will be provided within one month (statutory maximum) and there is no fee chargeable. However, the society reserves the right to charge a ‘reasonable fee’ if the request is manifestly unfounded, excessive or repetitive. For full details of your legal rights see the Privacy notice.

Principle 7: Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal information and against accidental loss or destruction of, or damage to, personal information
This means that we follow sensible procedures to make sure that personal information in filing cabinets and held on computer cannot be accessed by unauthorised personnel and that we have back-up procedures in place to ensure that we can recover personal information in the event of computer failure.

Principle 8: Not transferred to non-European Economic Area (EEA) countries without adequate protection 
Personal information, if sent outside the European Economic Area, will only be sent to bona fide individuals and/or organisations and then only with consent of the individuals concerned, or in compliance with one of the other exemptions to the Data Protection Bill.
https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/
Members, staff and outsourced organisations working on behalf of the Society who deal with international transfers of data are expected to comply with not just Principle 8 but all the data protection principles. 

Principle 9: Data Protection Officer and Data Breach Procedure
The Anatomical Society is compliant with the mandatory GDPR requirement of having a privacy manager who can be contacted at the address below. Any data breach detected internally by staff or trustees within the Anatomical Society, or any data breach reported to staff or trustees of the Anatomical Society by third party contractors, should be immediately reported by email to the President, Secretary and Privacy Manager. Where required, breaches will then be reported to the Information Commissioner’s Office (ICO) within 72 hours, and to those concerned if needed, as outlined under GDPR requirements.
• https://ico.org.uk/for-organisations/report-a-breach/
Furthermore, the Anatomical Society will also report any such breach to the Charity Commission.

Anatomical Society Meetings

At a meeting of the Council of the Anatomical Society on the 9th July 2015, it was agreed that people attending Anatomical Society meetings will be instructed that there is to be no unauthorised visual reproduction and dissemination of material at Anatomical Society meetings (e.g. lectures, presentations, posters, exhibits) into the public domain (including social media) in order to comply with data protection and confidentiality principles.

Images/Photos

All meeting delegates are advised on registering for an Anatomical Society meeting that photos are being taken in which they may be identified, for Society marketing and publicity purposes on legitimate interest grounds. However, people have the right to object to legitimate interest processing. By submitting an image/images for an Anatomical Society Prize you are confirming that you have obtained permission from people in any photos that you send to the Society that they are content for their photos to be used on the Anatomical Society website/newsletter and other media. By submitting an image for an Anatomical Society Prize you will be required to confirm that you own the copyright of the image or have gained the explicit permission of the copyright holder for the image to be submitted for a specific award and to be used on the Anatomical Society website/newsletter and other media, by selecting yes to the following statement: “I consent to the Anatomical Society processing and storing my personal data that is associated with this application.”

Policy scope

This policy applies to:
• The head office of the Anatomical Society
• All staff and volunteers of the Anatomical Society
• All contractors, suppliers and other people working on behalf of the Society.
It also applies to all data that the Society holds relating to identifiable individuals, even if that information technically falls outside the data protection legislation.

This notice does not form part of any contract of employment or other contract to provide services.

Data protection risks
This policy helps to protect the Anatomical Society from some very real security risks, including:
• Breaches of confidentiality
• Failing to offer choice: all individuals should be free to choose how the Anatomical Society uses their data.
• Reputational damage that a data breach can cause.

Responsibilities

• Everyone who works with the Anatomical Society has some responsibility for ensuring that data is collected, stored and handled appropriately.
• The Anatomical Society council is ultimately responsible for ensuring that the Anatomical Society meets its legal obligations in this regard.

General guidelines to Anatomical Society Councillors and staff

• The only people able to access data covered by this policy should be the people who need it to carry out designated work on behalf of the society (see Data use section below).
• Data should not be shared informally. Where access to confidential data is required, employees should request it from the designated person who has responsibility for permitting access to that data.
• The Anatomical Society will facilitate Councillors and staff who handle such data to receive appropriate training in data control on induction, with regular refresher training of once per year as recommended by the ICO.
• All data should be kept secure through the use of strong passwords and not be disclosed to unauthorised people either within the society or externally (see Data storage section below).
• Staff or Councillors unsure of any aspect of data protection should request help from the privacy manager before proceeding to ensure GDPR compliance.

Data use

Any personal data collected by the Anatomical Society will not be used by the society other than to process the data for the purpose for which it was collected. For a full list of the lawful bases the Anatomical Society uses for processing personal data, please see our privacy notice.
When processing this data councillors and staff should ensure the following:
• When working with personal data, all councillors and staff should ensure the screens of their computers are always locked when left unattended.
• Personal data should not be shared informally and data must be encrypted when being transferred electronically.

Data storage

The Anatomical Society is committed to safe data storage. When data is stored on paper it should be kept in a secure place where no unauthorised people can see it. This also applies to printouts of electronic data.
• When not required, the paper or files should be kept in a locked drawer or filing cabinet.
• All individuals working on behalf of the council should make sure paper and printouts are not left where unauthorised people could see them.
• Data printouts should be shredded and disposed of securely when no longer required.

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
• Data stored electronically must be protected by strong passwords that are changed regularly and not shared between employees.
• If data are stored on removable media (e.g. CDs, disk drives, etc.) they should be locked away securely when not in use.
• Data should be stored on designated drives and servers and should only be uploaded to approved cloud computing services.
• Servers containing personal data should be sited in a secure location.
• Data should be backed up frequently and backups should be tested regularly.
• Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
• All servers and computers containing data should be protected by approved security software and a firewall.

Data accuracy

The law requires that the Anatomical Society takes reasonable steps to ensure data is kept accurate and up-to-date [Principle 4]. We check the accuracy of the information we hold about you at least once a year upon renewal of your membership. In the meantime, if any information which you have previously given us changes (e.g. your email address), you are free to notify us at any time so that we can correct our records. 
• It is the responsibility of all councillors and staff who work with data to take reasonable steps to ensure that it is kept as accurate and as up-to-date as possible.
• The Anatomical Society makes it easy for individuals to update their information. If any information which you have previously given us changes (e.g. your email address), you are free to notify us at any time so that we can correct our records.

Subject access requests
Under certain circumstances, by law you have the right to:
• Request access
• Request correction
• Request erasure
• Object to processing
• Request restriction of processing
• Request the transfer of your personal data
• Withdraw consent.
If an individual contacts the Anatomical Society requesting information this is called a subject access request. To make a subject access request please contact the privacy manager at the address which appears at the end of this Policy. For all subject access requests, the data will be provided within one month (statutory maximum) and there is no fee chargeable. However, the society reserves the right to charge a ‘reasonable fee’ if the request is manifestly unfounded, excessive or repetitive. For full details of this see our privacy notice.

Anatomical Society Privacy Statement

The Anatomical Society at all times aims to ensure that individuals are aware that their data is being processed, and that they understand how their data is being collected and used by the Society. To this end the Anatomical Society has a privacy notice setting out how data relating to individuals is used by the Society. This can be found on the Anatomical Society website: http://www.anatsoc.org.uk/policies/privacy-statement

Changes to the Anatomical Society Data Protection Policy or Privacy Statement

We may change our Data Protection Policy and Privacy Statement from time to time to reflect any changes to our practices, in accordance with changes to legislation or with best practice. Future revisions to either document will be posted on our website as soon as practicable after the change takes place.

Contact details for the Privacy Manager
Privacy Manager
Anatomical Society
c/o Department of Anatomy and Human Sciences
King’s College (London), Guy’s Hospital Campus
Room HB4.2N Hodgkin Building
London, SE1 1UL
Office Tel: 0207 848 8234
E-mail: maryanne.piggott@kcl.ac.uk
www.anatsoc.org.uk

END