Purpose of policy
To outline our obligations under Data Protection laws, to inform individuals about how we collect and use data, and to explain how personal data can be deleted on request and how access to data on persons may be provided. This policy should be made available on the RLUK website.
The Data Protection Act (1998) will be replaced by the Data Protection Bill, which will incorporate the EU General Data Protection Regulation into UK law.
RLUK is based in the UK and collects and processes information about its members and other individuals in the UK and Ireland. RLUK is obligated to comply with data protection laws. The policy applies to the executive, the Board, and all member representatives, contractors and suppliers of RLUK. Each of these has a responsibility to ensure data is collected, stored, and handled appropriately.
This policy helps to protect RLUK and our members from data security risks including breaches of confidentiality and security, or failing to provide choices to members about how data about them may be used. Members and others also have the right to access personal data about them being held by RLUK, and to check whether it is accurate, and to correct such data where necessary.
“Personal data” in the GDPR is interpreted broadly, and includes addresses and financial data, but also IP addresses and other types of identifying information.
“Special category data” includes information about race, political opinions, religion, health, and other categories. RLUK does not collect sensitive personal data, with the exception of data provided by meeting attendees to provide suitable accommodations (dietary information, access requirements).
RLUK maintains a register of members as required in the Articles of Association 2016 (6.2). Member representatives are defined in 6A. We keep records of our Trustees to comply with Charity Commission reporting requirements.
Purposes for collecting and processing data
We collect and process data for the following purposes:
- To keep an accurate record of our member organisations and their representatives, and our Trustees
- Invoices including personal bank account details, to process expenses
- IP addresses, to assess website visitor trends
- Registration data for conferences and meetings, to register delegates at events and make suitable accommodations
- Survey data, to provide research and expertise to the membership
- Member library catalogue data, for ingest to COPAC
This data may be provided to us in correspondence including post and email, event registration forms (e.g. Eventbrite), invoices, and membership applications.
Sharing of personal data
RLUK does not share personal data with organisations outside of the UK/EU. We have members in Ireland, which may require transfer of data outside of the UK.
RLUK does use some online services which are headquartered outside of the EU, but which have asserted compliance with all relevant EU data handling laws.
Any research activities or partnerships with organisations based outside the EU will be treated on a case-by-case basis, and participants who opt in to such activities will be clearly informed about how their data will be handled in such instances.
According to the law, data must be kept up to date. RLUK will poll our members at least annually for any changes not otherwise reported.
RLUK is obliged to provide individuals with access to their own data, for the purpose of correcting, deleting or making portable the data. Data access requests should be made in writing, by contacting the Executive Director, RLUK. Requests will be considered in accordance with RLUK’s legal requirements, including those of the Charity Commission. All written requests will receive a response within 30 days.
RLUK is obliged to report and respond to any serious data breaches (inappropriate access of data, loss, alteration) to the Information Commissioner’s Office within 72 hours.
Should a member or other individual wish to report a breach, our reporting procedure is as follows:
- Requests should be made in writing to firstname.lastname@example.org
- RLUK to enact notice and takedown procedure – and where technically possible make the content private (e.g. blog posts, social media posts) until the investigation has concluded;
- Respond to the complainant in writing within the required timeframe. The outcomes could include permanently retracting and deleting the data, a correction, or determining that there was not a breach;
- RLUK to notify the ICO of the breach.
In the case of any serious data breaches arising from the use of third-party services, RLUK will follow the service’s own procedures.
The RLUK Board is responsible for data protection. For any questions or comments about the policy, please contact the Executive Director, RLUK.
These services include, e.g., Dropbox, Eventbrite, Google, and Twitter.