Privacy Notice

The exact nature of the data we may process (in other words, collect and use) will depend on which aspect of our work you are connected with. Personal data that we may process in connection with our work (outlined above) could, where relevant, include:

• Personal and contact details (i.e. full name, job title, address, phone number, e-mail address(s)).
• Membership information (i.e. AURPO ID Number, date commenced, level, payment status, AURPO Regional Group, professional interests).
• Other biographical information (i.e. qualifications, membership level of other societies / organisation etc.)
• A record of our communications with you.
• Guidance and services you have received from us, and have been interested in.
• Analysing data about guidance, campaigns, events or services which help us to target / tailor communications that we think are of interest or relevance to you.
• Online surveys that capture information you wish to feedback to us about events you have attended, how The Association is run, for the provision of guidance, or to feedback views / comments to relevant radiation protection related bodies (i.e. the Health and Safety Executive, Environment Agency, the RPA / RWA / MPE assessment body (currently RPA2000).
• Photographs you supply for your AURPO website profile.
• Photographs taken at AURPO events you attend
• Any other personal data shared with us via electronic communication (i.e. e-mail or via the AURPO website forum(s)) or, via printed communications; in accordance with this notice.

What Sensitive Personal Data do we Collect?

• Health data (that we only collect and use when providing events that you sign up to attend, i.e. food allergy information and mobility impairments). This information may not directly describe your health, but health information about you may be inferred from it.

We collect personal data from the following sources:

• From you directly.
• From information generated when you use our: guidance, resources, register for workshops / conferences (events), and send communications.
• From our partner societies (i.e. The International Radiation Protection Association (IRPA), The Society for Radiological Protection (SRP), The Institute of Physics and Engineering in Medicine (IPEM), the RPA / RWA / MPE assessment body (currently RPA2000).
• When you visit our website we automatically collect technical information such as your IP address login / logout times, password resets. We also collect and use your personal data via cookies – please see our Cookies Policy.

In general, we may combine your personal data from these different sources for the purposes described in this notice.

We use your Personal Data for the purposes specified in this notice, for both members and non-members, including:

• To run The Association we will contact members as specified in The Association’s Constitution.
• To administer memberships, processing membership fees and member benefits, including access to the Members Area of the website, and administration of accounts.
• Providing services related to your membership including the promotion of: guidance, resources, events and sending relevant communication such as notifications of national / international changes guidance / standards / legislation.
• For Affiliate members, promoting your company at events and publicly on our website.
• Providing services to you that you have registered for, such as events.
• Providing delegates and attendees of the attendance list of an event for professional networking.
• Updating your records.
• To carry out and / or test the performance of, our guidance, resources and internal processes.
• To improve the operation of The Association and that of our partners.
• To follow guidance or comply with governmental and regulatory bodies.
• For management and auditing of our operations including accounting.
• To monitor and to keep records of our communications with you.
• For raising awareness of radiation protection.
• For promoting communications to help us to offer you relevant information and job adverts from other members (including Affiliates), Partner Societies and related institutions / governmental and regulatory bodies.
• To develop, improve or review our existing or upcoming guidance, resources, events and communications with you.
• To administer our website.
• Facilitating professional networking by giving members (excluding affiliates) access to a limited membership list.
• For the prevention of fraud or misuse of services.
• For the establishment, defence and / or enforcement of legal claims.

Legitimate Interests

We process you Personal Data where it is in our legitimate interests to do so, provided our use is fair, balanced and does not unduly impact on your rights. Our legitimate interests generally include operating as a membership association, as specified in The Association’s Constitution, in pursuit of our aims and involving non-members in events such as speakers, exhibitors and honorary guests. A Legitimate Interests Assessment was carried out in April 2019.

Explicit Consent

When registering for events we will request your Explicit Consent to collect and process your Sensitive Personal Data such as Health Data that relates to your food allergies and mobility impairment(s). This is so we can make the necessary adjustments to meet your needs.

Contract

Where non-members register for services provided by The Association, we will collect Personal Data provided to us. We will only collect and process Personal Data that is required to fulfil our contractual obligations with you when we organise events such as the Annual Conference.

We share some of your Personal Data with relevant organisations that are necessary to provide membership related services to you.

The organisations with whom we share data also have an obligation to tell you how they will use your information. We advise you to look at their privacy notices / policies. If you require any assistance with this, please contact us at: enquiries@aurpo.org.uk

Harris Associates

We disclose data to our contracted administration provider, Harris Associates who support The Association with various important administrative tasks such as conference preparations and bookings, communications, newsletter, website, and membership administration. The Personal Data shared with Harris Associates is limited to data they require to fulfill the contract between The Association and themselves.

The Society for Radiological Protection

We disclose data to our Partner Society, The Society for Radiological Protection (SRP), in order to provide you with SRP International Membership which entitles you to additional benefits with SRP, including Affiliation to the International Radiation Protection Association (IRPA). The information shared will be limited to your name, e-mail address and AURPO membership status.

Event Venues

When we run events such as the Annual Conference, we share your Personal Data with organisations that host the events. For example, by registering to attend the Annual Conference, we will share relevant Personal Data with the host organisation / venue provider, so suitable and sufficient services can be delivered to you for the duration of the event. This may include Personal Data that is needed to provide you with accommodation and meals, if you have registered for these features.

You may also supply us with Sensitive Personal Data such as Health Data relating to food allergies and mobility impairments. We will share this information with organisations that host our events so you are given the provisions you require.

We also use third party organisations, known as data processors, to provide certain services on our behalf. In order to deliver these services, these organisations may have access to Personal Data.

Each data Processor will have their own Privacy Notice that explains how they comply with the law (GDPR). They will hold it securely and retain it for the duration we require.

UK2.net processes personal data on our behalf. You can find their Privacy Notice here:

https://www.uk2.net/terms-and-conditions/gdpr-policy/

We only keep your Personal Data for as long as we need it.

Your Personal Data that forms your membership information will be kept for as long as you are member of The Association and for no-longer than two years after your membership is terminated. Personal Data of other parties that is used to contact you regarding upcoming events run by AURPO will be kept for as long as it is relevant or until we are instructed to erase it.

Personal Data and Sensitive Personal Data that we collect in addition to your membership information for the purposes of attending events, will only be kept for as long as is necessary to provide you with services relating to that event.

UK data protection law gives people a wider range of rights in relation to their Personal Data. The rights are as follows:

• The right to be informed (i.e. told how your data will be used – this Privacy Notice for example)
• The right of access to your Personal Data held by an organisation
• The right to have inaccurate data corrected
• The right to erasure (known as ‘the right to be forgotten’)
• The right to restrict processing of your Personal Data
• The right to data portability
• The right to object
• Rights in relation to automated decision making and profiling

Some of these rights won’t apply in all circumstances, but they do give you a good deal of control over how your information is used by organisations. See below to find out more.

More Information

The Information Commissioner’s Office (ICO) website is the best source of information about your data protection rights as they apply in the UK.

See:

• Your rights under the GDPR:
  • https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/
• How to exercise your rights with organisations that process your Personal Data
  • https://ico.org.uk/for-the-public/

Accessing your Data

One of the most common ways in which people exercise their data protection rights is to request a copy of the information an organisation holds about them.

If you would like to make a request to AURPO for the data we hold about you, see Requests for Personal Information, below.

If you have any concerns about how The Association uses your data, or would like us to help you exercise your rights as listed above, contact: enquiries@aurpo.org.uk

Accessing your Personal Information

UK data protection law entitles individuals – or those acting on their behalf – to request access to personal information The Association may hold about them, and to find out how the University uses and shares their data. This is known as a Subject Access Request.

How to make a Subject Access Request

Before you submit a request it may help to read the guidance on requesting personal data from the Information Commissioner’s Office. Subject Access Requests received by The Association are handled by the Executive Team.

When you are ready to submit your request, remember to include:

A clear explanation of the data you require. Please submit your request in writing via e-mail, as it helps both you and us keep a record of your exact request. Where possible, include dates and names of individuals who you think may hold your Personal Data.

Scanned copies of two documents as proof of identity (e.g. passport, birth certificate, driving licence or campus card). Make sure one of the forms of ID has your current postal address.

If you are submitting the request on behalf of someone else, a signed form of authority so we can establish that you are entitled to access their data.

Requests can be emailed to: enquiries@aurpo.org.uk

What happens to a Request?

On receipt of the required documentation the Executive Team will contact the appropriate individual(s) to obtain the data you have requested. In order to provide you with the correct data we may ask you to give further information.

Once we have gathered all the data, we will review it to check that it is in scope of your request, and to find out if it contains information about other people (third parties).

We will consider the rights of third parties whose information is included in the material you have requested. Where possible, third party Personal Data will be removed prior to the information being released. If this is not possible, we will seek consent of the third party to release the information to you. On occasion, this may necessarily involve disclosing to them that you have made this request. Where consent cannot be obtained or is refused, we will consider whether it is reasonable to release the information to you.

What will I Receive?

You will receive a copy of the Personal Data you have requested, if it is held by The Association. Under the GDPR, people making a Subject Access Request are also entitled to the following information:

• The purposes of the processing.
• The categories of Personal Data concerned.
• The recipients or categories of recipient to whom the Personal Data have been or will be disclosed, in particular recipients in third countries or international organisations.
• Where possible, the envisaged period for which the Personal Data will be stored or, if not possible, the criteria used to determine that period.
• The existence of the right to request from the Data Controller (AURPO) Rectification or Erasure of Personal Data or restriction of processing of Personal Data concerning them, or to object to such processing.
• The right to lodge a complaint with a supervisory authority (ICO).
• Where the Personal Data is not collected from the individual, any available information as to their source.
• The existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the individual.

Much of this information will be in this Privacy Notice, and our response may highlight this relevant material.

Providing Our Response

Our response can be provided in digital or paper copy. Where we have received the request electronically, we will provide our response in the same way, unless otherwise requested.

Where our response is sent via email, we will password protect your data before sending it to you. Please ensure that you have given us your current postal address so we have a secure means of sending you the password to access our response.

Our response will be provided within one calendar month of receipt of the written request, fee (if applicable), ID and all information required to locate your data.