Privacy & Data Protection Policy
This Privacy Policy sets out how the Design Research Society (DRS) uses and protects any information that you give the DRS when you use this website. Any personal data you provide to DRS is regulated by the General Data Protection Regulation.
The Design Research Society is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.
The Design Research Society may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from 25 May 2018.
What we collect
We may collect the following personal information from members:
• Name and job title
• Contact information including email address
• Demographic information such as postcode, preferences and interests
• Other information relevant to membership
We may also collect the following data from all web users:
• Click stream data (type of computer, browsing software, address of referring website, etc.)
• HTTP protocol elements (server address, domain name, date and time of visit, etc.)
• Search terms
What we do with the information we collect
For purposes of the GDPR, the Design Research Society is the “data controller”.
Unless we are obliged or permitted by law to do so, and subject to any third party disclosures specifically set out in this policy, your Data will not be disclosed to third parties. This includes our affiliates and / or other companies within our group. All personal Data is stored securely in accordance with the principles of the GDPR. For more details on security see the clause below. Any or all of the above Data may be required by us from time to time in order to provide you with the best possible service and experience when using our Website.
We require this information to understand our membership and web site visitors and provide you with a better service, and in particular for the following reasons:
• Internal record keeping.
• Membership administration.
• Improvement of our service to members.
• Completion and support of the current web site activity.
• Website and system administration.
• Research and development.
• To comply with our Constitution with regard to member networking.
Web access logs are used for statistical purposes only (e.g. to measure the use/performance of the site) except in the event of a security breach when they could be used for the purpose of tracing the breach. No information gathered from web logs is given or sold to any third party.
Data and Information Security
We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.
Links to other websites
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy statement. You should exercise caution and look at the privacy statement applicable to the website in question.
Controlling your personal information
You may choose to restrict the collection or use of your personal information in the following ways:
• Logging into the website and updating your preferences, particularly with respect to receiving emails and newsletters which we send from time to time.
We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so.
You may request details of personal information which we hold about you under the General Data Protection Regulation. If you would like a copy of the information held on you, please write to admin@designresearchsociety.org.
If you believe that any information we are holding on you is incorrect or incomplete, you are able to check this against your membership profile on this website. You are also welcome to write to us at admin@designresearchsociety.org. We will promptly correct any information found to be incorrect.
Data Protection Policy
Definitions
Society: Design Research Society
GDPR: General Data Protection Regulation
Responsible Person: Tracy Bhamra - DRS Chair
Register of Systems: A Register of all systems or contexts in which personal data is processed by the society
Data Protection Principles
The Society is committed to processing data in accordance with its responsibilities under the GDPR.
Article 5 of the GDPR requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of the individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures.
General Provisions
- This policy applies to all personal data processed by the Society.
- The Responsible Person shall take responsibility for the Society’s ongoing compliance with this policy.
- This policy shall be reviewed at least annually.
Lawful, fair and transparent processing
- To ensure its processing of data is lawful, fair and transparent, the Society shall maintain a Register of Systems.
- The Register of Systems shall be reviewed at least annually.
- Individuals have the right to access their personal data and any such requests made to the Society shall be dealt with in a timely manner.
Lawful purposes
- All data processed by the Society must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public tasks or legitimate interests. See ICO guidance for more information – https://ico.org.uk/for-organisation/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/
- The Society shall note the appropriate lawful basis in the Register of Systems.
- Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent will be kept with the personal data.
- Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be made available and systems should be in place to ensure such revocation is reflected accurately in the Society’s systems.
Data minimisation
- The Society shall ensure that personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.
Accuracy
- The Society shall take all reasonable steps to ensure personal data is accurate.
- Where necessary for the lawful basis on which the data is processed, steps shall be put in place to ensure that personal data is kept up to date.
Archiving/removal
- To ensure that personal data is kept for no longer than necessary, the Society shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
- The archiving policy shall consider what data should/must be kept, for how long, and why.
Security
- The Society shall ensure that personal data is stored securely using modern software that is kept up to date.
- Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
- When personal data is deleted this should be done safely such that the data is irrecoverable.
- Appropriate back-up and disaster recovery solutions shall be in place.
Breach
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, the Society shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO (more information can be found on the ICO website – https://ico.org.uk/for-organisation/guide-to-the-general-data-protection-regulation-gdpr/personal-data-breaches/).