This policy sets out how the Hansard Society uses any personal data you provide to us, what your rights are in relation to that data, and how you can exercise your rights.
apply to become a member of the Hansard Society
apply for a job or academic placement with us
book a place at one of our events or training sessions
contact the office by email, phone, post or social media
donate or leave a legacy to the Society
download assets from our website e.g. a briefing paper, dataset, or report
enrol as a Hansard Society Scholar
participate in one of our education or research projects or speak at an event
provide an academic or employment reference to us
provide goods and services to support delivery of our work
purchase a publication
sign up to our newsletter
subscribe to our journal, Parliamentary Affairs
subscribe to our Statutory Instrument Tracker
visit our website
Depending on the nature of your engagement with us, the personal information we collect may include one or more of the following:
IP (internet protocol) address
credit card details
Gift Aid eligibility
academic and employment references
Sensitive personal information may also be collected in relation to:
employment applications (e.g. age, ethnicity, gender, employment history, health information, trade union membership, commission of criminal offences), all of which is subject to prior written consent.
research projects – e.g. age, ethnicity, gender, employment, political views, religious beliefs, etc – but this will be done under the specific ethical terms and conditions governing each individual project. This is made available to participants at the start of the project and consent to participate can be withdrawn at any time.
We collect, store and process personal data to:
administer the Society’s membership system
communicate via our e-newsletter with those who have subscribed to it
communicate with stakeholders about our research
enhance and modify our communications and services
meet obligations arising from any contract we have entered into
notify subscribers of any changes to the services we provide
process job and academic placement applications
provide user support for our Statutory Instrument Tracker
receive and process donations and legacies
respond to any enquiry made about our research and services
We retain personal data only as long as needed in relation to the activity for which it has been provided. Retention periods are reviewed regularly.
We are required to hold some types of information for longer periods to fulfil our contractual or legal obligations. For example:
where the activity involves some form of financial transaction, this is retained for at least seven years for auditing purposes.
personal data arising from research and education projects is retained for the length of time required by project grant terms and conditions. Where research data is archived for permanent preservation (e.g. focus group transcripts or survey results), this is cleaned of personal identifiers prior to deposit.
We will not sell your data to a third party for direct marketing or any other purpose. It will be retained solely for the purpose(s) for which it was provided to the Hansard Society.
We may disclose your personal information to:
our accountants and auditors
our Board of Trustees
We may also disclose personal data:
to any regulatory or law enforcement body if required to do so, e.g. HM Revenue & Customs (HMRC), Quality Assurance Agency for Higher Education (QAA), UK Visas (UKVI)
if we need to enforce our terms and conditions or other agreements for services that we provide
to Oxford University Press to process subscriptions for our journal, Parliamentary Affairs
Some data is shared with third party ‘processors’ that we utilise to carry out core business functions and deliver services. These include:
Active Campaign – CRM system
Braintree – online payments system
Digital Ocean – client host for online payments processing
Dropbox – cloud file storage
Give As You Live – online donations
G-Suite – email, calendar, contacts and Google Analytics
Netlify – online form functionality for website
PayPal – online payment provider
Picatic – event registration
Zapier – online task automation tool
When using third party service providers to process data on our behalf, we disclose only the personal information that is necessary to deliver the function or service required. This may involve the transfer of data outside the European Economic Area (EEA) depending on where the third party’s servers are based. However, all have their own Privacy Policies and operate under the EU-US Privacy Shield initiative, certifying that they meet EU data protection standards.
Depending on the nature of the activity or service for which personal data has been collected and stored, our ‘legal base’ for processing it is one of the following four provisions. The examples given are illustrative not exhaustive.
1. Consent: the individual whom the personal data is about has consented to the processing.
For example, the processing of personal data (name/email address) required for electronic dissemination of our newsletter is based on Consent, as subscribers voluntarily gave their data to us for this specific purpose and confirmed their request via email. Each newsletter contains a clear link to enable users to unsubscribe.
2. The processing is necessary in relation to a contract which the individual has entered into or because the individual has asked for something to be done so they can enter into a contract.
For example, in relation to any processing of personal contact and financial data where a person applies to become a Hansard Society member, books a place on a training course, requests a demonstration of, or subscribes to, our Statutory Instrument Tracker, or orders a publication for electronic download or home delivery.
3. The processing is necessary because of a legal obligation that applies to us.
For example, in relation to the processing of personal and academic data provided by applicants to the Hansard Society Scholars Programme, and their home universities, and which is governed by QAA regulatory requirements, UKVI Tier 4 licence requirements, and security clearance requirements to work in Parliament.
4. The processing is in accordance with a ‘legitimate interest’
For example, to meet our charitable objectives we collect and process limited forms of personal data (name, email, organisation and role/job title) in order to disseminate our research findings to stakeholders (including parliamentarians and the media) and convene debate on topical political issues. Data processing is undertaken only on a limited, as-required basis and recipients have the option to unsubscribe.
The only personal data collected is your IP (internet protocol) address.
Using Google Analytics, we track and analyse aggregated statistical data about online visitor behaviour and events: for example, as a percentage of our users, what is their journey through the site, what technology (platform) do they use, what is their browsing time and duration, what pages do they visit, how are they referred to and from the site?
Users can set their browsers to block cookies but this may result in a loss of functionality in relation to some of our website features.
We do not generally work with those aged 18 or under. An exception to this is our Mock Elections in Schools project held in advance of every general election for over five decades. Schools submit data detailing their mock election results, including the names, age, and class of participating pupils. Photographs and videos have also been sent to the Society, including via social media. Unless documentation has been provided by the schools granting specific permission for the processing of this personal data we do not use it.
We have deleted historic data from our mock election programme files. We have retained aggregate electoral result information at school level for future research purposes and archival preservation. However, personal data – pupil and teacher names, contact details – has been reviewed and deleted.
You have a right …
To be informed – about the collection and use of your personal data.
Of access - you have the right to access your personal data and supplementary information, and be aware of and verify the lawfulness of the processing.
To rectification – you can ask that your information be updated or corrected.
To be forgotten (erasure) – you can ask that your information be permanently deleted.
To restrict processing – you can ask to limit the way in which we use your data.
To data portability – you can ask to have your information transferred to another organisation.
To object – you can seek to prohibit certain uses of your personal data (processing based on legitimate interest or the performance of a task in the public interest).
Not to be subject to automated decision-making and profiling. (We do not use these forms of data processing.)
If you want to know what personal data we hold about you, how and why we process it, and receive a copy of that data, you can ask us for it. Formally, this is known as a ‘data subject access request’ (DSAR).
To submit a request for access to any personal data we hold and process about you, contact the Society in writing, by email or by telephone at:
Data ProtectionHansard Society Room 1.17 1st Floor Millbank Tower 21-24 Millbank London SW1P 4QP +44 (0)203 925 3979 email@example.com
To help us answer your request as quickly as possible, please….
Provide sufficient information for us to identify you
Supply proof of your identity (e.g. a copy of your passport, driving licence or utility bill)
Detail the information to which your request relates
Confirm which right you wish to exercise
By law we must respond to your request within one month, unless the request is deemed ‘complex’. We will provide information about the personal data requested usually in a structured, machine readable format. In most instances, for the data we hold and process, that will be in the form of a downloadable .CSV file. Depending on the nature of the request, however, the information may be provided in other formats.
This policy was updated in accordance with the General Data Protection regulation (GDPR) 2018 and the Data Processing Act 1998.
We will amend the policy from time to time as required. This will be highlighted on our website, email communications, and e-newsletters, as well as in updates to terms and conditions governing our provision of services.
DATE: 17 May 2018