Author/Date: Lynn Wilson March 2018
Current Version/Date: v.2.0 Dec 2020
Review Schedule: Annually
Next Review: April 2022
Responsibility: Operations Manager
This policy describes how we collect, use and handle your information when you use our website and services. It has been written to reflect changes in the UK law after Brexit and the move to the UK General Data Protection Regulation (UK-GDPR) which comes into force on 1st January 2021 and sits alongside the amended version of the Data Protection Act (DPA 2018). See bibliography for more detail on the amendments.
What & Why
We collect and use the following information to provide, improve and protect our services.
We collect, and associate with your membership, information like your name, email address phone number, physical address and account activity. We also request information to assist us monitor for equal opportunities (EO) and this is stored on our Maximizer database.
The EO information contains disability-related questions and qualifies as ‘special categories of personal data’ under GDPR Article 9.2.
We always request your explicit consent to collect and store this data and it is only used for processing for specific purposes (ie so we can anonymously report on our membership demographics).
Your Attendance at NADP Events
We collect and record non-members’ information like your name, email address phone number, physical address and account activity. We also request disability-related information from all delegates to ensure we can do our best to meet your needs. This data qualifies as ‘special categories of personal data’ under GDPR Article 9.2.
We always request your explicit consent to collect and store this data and it is only used for processing for specific purposes (ie so we can do our best to meet your needs).
Information is collected via our website. This uses Hyper Text Transfer Protocol Secure (HTTPS) which means all communications between your browser and the website are encrypted. We receive notification that your information has been submitted to the website and we access it directly from there. It is not emailed to us. This information is stored on our Maximizer database and, with your explicit consent, it may be shared with the conference or event venue should they need to be aware of your particular requirements in order to provide reasonable adjustments.
We use Worldpay to handle all card transactions and we ensure that we meet Payment Card Industry Data Security Standards (PCI-DSS) by completing the Worldpay SaferPayments scheme every year to protect cardholder information.
We may share information as discussed below, but we won’t supply it to advertisers or other third parties.
The third parties we use are…
- Website hosts, GURU Cloud hosting https://www.guru.co.uk/
NADP files/data are hosted in a secure physical environment in the UK, in a locked rack behind locked doors with heavily controlled access. Backups of these servers are in a similar setup but in another location inside the UK. Staff have access to these servers via SSH and physically, however this would only happen when requested by an authorised contact or by a court order. All staff have had training for GDPR compliance.
- Maximizer CRM Database (through ADVOCO Solutions http://www.advoco-solutions.co.uk/ )
All Maximizer CRM sites use GeoTrust high grade encryption certificates. NADP files/data are hosted in a purpose-built environment using Maximizer-owned hardware within dedicated secured racks. The environment consists of secondary firewall (hardware) and failover firewall with dedicated switch and failover switch. The firewall is tightly configured to only allow traffic through to designated endpoint from designated sources. Backups of these servers are in a similar setup but in another location inside the UK. Both locations are ISO 27001 certified.
Certain pieces of NADP information may be stored in a Dropbox account and the Dropbox system can be used to securely transfer limited information from files when necessary (for example, sensitive information to venues or financial information to the treasurer/accountant). Dropbox is committed to the security and the protection of users’ data in line with legal requirements and best practices at all times. As detailed in their Trust Guide and demonstrated by their existing practices, which are ISO/IEC 27018:2014 certified, they conform with all the provisions of the GDPR.
- Conference Venues
- Conference/Event Presenters
People presenting at our conferences and events will be informed anonymously of whether any participants in their session require additional arrangements to access the session. They will receive a list of names of attendees in their session but no contact details. You may choose to share these on the day if you wish to do so.
You have the right to withdraw your consent to your information being used at any time.
If you request that your information is no longer shared with other organisations, such as a conference venue, we will ask them to delete any records that they hold. However, this may affect the reasonable adjustments that they are able to offer.
You have the right to raise any concerns you have directly with NADP: firstname.lastname@example.org
You have the right to report a concern to the Information Commissioners Office (ICO): https://ico.org.uk/concerns/
We’ll retain members’ and non-members information for as long as we need it to provide you with services. If you resign your membership, we will also delete this information. But please note: (1) there might be some latency in deleting this information from our servers and back-up storage; and (2) we may retain this information, if necessary, to comply with our legal obligations or resolve disputes.
Law & Order
We may disclose limited information to third parties if we determine that such disclosure is reasonably necessary to (a) comply with the law; (b) protect any person from death or serious bodily injury; (c) prevent fraud or abuse of NADP or our users; or (d) protect NADP’s property rights.
If we are involved in a reorganisation, merger, acquisition or sale of our assets, your information may be transferred as part of that deal. We will notify you (for example, via a message to the email address associated with your membership) of any such deal and outline your choices in that event.
Have questions or concerns about NADP, our services and privacy? Contact us at email@example.com
The Keeling Schedule describes the Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc)(EU Exit) Regulations 2020
https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/946117/20201102_-_GDPR_-__MASTER__Keeling_Schedule__with_changes_highlighted__V3.pdf [Accessed 22nd December 2020]