11th Jan 2019
CSAR will hold personal details supplied by individuals for one or more of these three reasons only:
- The individual has applied to become a member of CSAR or is a current or former member. Membership entitles individuals to attend CSAR lectures and other events.
- The individual has applied to buy a ticket to a CSAR visit
- The individual has applied to the CSAR PhD Student Awards or is a previous applicant.
By applying for membership, or to buy a visit ticket, or for the CSAR PhD Student Awards, an individual provides their consent to CSAR holding their data for the relevant purpose.
Where an individual has applied for a Family membership, that individual is asked to confirm that he/she has obtained consent for all members of the family identified on the membership application form.
CSAR does not hold data on individuals provided by third parties.
Subject access requests
Individuals wishing to make a subject access request are asked to contact firstname.lastname@example.org
Membership data is held securely in a platform provided by www.membermojo.co.uk, for which the security details can be seen below.
CSAR does not export data on individuals to third parties (other than to www.membermojo.co.uk for the purposes of administering its membership system).
CSAR holds data in both cases for five years in order to be able to demonstrate to the charity, tax and other authorities that the charity is properly governed. After that period, the data is deleted.
Members can see and amend their data at https://www.csar.org.uk/update-details/
Members can chose to be emailed for two optional purposes:
- To receive notification of future events
- To be invited to provide feedback on events that have taken place
On joining, these options are opted out. Members can opt in when they join, or subsequently change their preferences by going to https://www.csar.org.uk/update-details/
Members are not able to opt out of receiving emails that relate to the administration of their membership e.g. notification of the expiry of their membership, or notification of the Annual General Meeting of the charity.
Members or former members can apply to have their data erased five years after leaving CSAR.
Membermojo information governance
membermojo provides online membership services for organisations.
In data protection terms we are the data processor for your organisation member data, and your organisation is the data controller. (ICO key definitions)
- What personal data is stored - you define the personal data (membership form) that needs to be held for your organisation.
- Gaining consent - your form can include 'accept terms' fields that must be ticked before the form completes. We store the date that the application, and therefore the consent, was completed.
- Where data is stored - all servers and backups are hosted in secure UK facilities.
- How data is protected - we provide security and access controls for your member data.
- How long data is kept for - you define how long personal data is retained and we automate the deletion.
We also provide functions that assist members and administrators to exercise individual rights under GDPR.
- Right to access - members can sign in to view their own personal data.
- Right to rectification - members can sign in and amend their own personal data.
- Right to Erasure - administrators can securely delete personal data for members requesting their data be erased. Erasing a member will remove their member record and anonymise any activity, attendance and (optionally) payment records.
- Terms and Conditions provide the written contract required by GDPR between data controllers and processors.
- membermojo security.
More details on data protection principles and GDPR can be found on the Information Commissioners Office (ICO) website.
Visit ticket data
CSAR members seeking to buy a ticket for a CSAR visit do so through the www.eventbrite.co.uk platform.
The only data held by Eventbrite on behalf of CSAR is that provided by the ticket purchaser during the transaction.
CSAR PhD Awards data
CSAR PhD Awards data is held in a Google Drive with dual factor authentication. Data is held for five years, after which it is deleted.
Last revised 9 October 2018