25 May 2018
What this privacy notice covers
The purpose of this notice is to give you a clear explanation about how HRLA – and any third parties we work with – collect and use the personal information you provide to us. We take care to ensure that we use your information in accordance with all applicable laws concerning the protection of personal information.
- Who is collecting your personal data?
- Policy statement
- The lawful basis for collecting your personal data
- When do we collect your personal data?
- What kind of personal data do we collect?
- Storage and protection of your personal data
- Who do we share your personal data with?
- Your rights
- Retention and Disposal of Data
- Changes to the Policy
1. Background to the General Data Protection Regulation (GDPR)
The General Data Protection Regulation 2016 (GDPR) replaces the EU Data Protection Directive of 1995 and the Data Protection Act 2018 supersedes the UK’s Data Protection Act 1998. The purposes of these laws is to protect the “rights and freedoms” of living individuals in relation to their personal data.
The data protection principles which govern the processing of personal data are as follows. Personal data must be:
- Processed lawfully, fairly and in a transparent manner.
- Collected only for legitimate purposes that have clearly been explained to you and not further processed in a way that is incompatible with those purposes.
- Adequate, relevant and limited to what is necessary in relation to the legitimate purposes.
- Accurate and, where necessary, kept up to date.
- Kept in a form such that you can be identified only as long as it is necessary for processing. We should not keep personal data for longer than we need it.
- Processed in a manner that ensures appropriate security of the personal data.
HRLA is accountable for complying with these principles, and this policy aims to reflect our processes and records which we will maintain to demonstrate our compliance.
You can find out more about these principles and our obligations here.
2. Who is collecting your data?
The Human Rights Lawyers’ Association (“HRLA/We”) is a membership organisation open to all connected with the law and legal profession who have an interest in human rights law in the United Kingdom.
We currently have over 2,000 members including solicitors, barristers, advocates, judges, government lawyers, legal academics, legal executives, in-house lawyers, pupils, trainees and law students. HRLA exists to increase knowledge and understanding of human rights and to aid their effective implementation in the UK legal framework and system of government. We aim to further research, education and training in the areas of human rights law and practice and facilitate the exchange of views between specialists from different areas of expertise and the wider legal community.
HRLA is run by an elected executive committee of volunteers whose names are published on our website. HRLA engages an Independent Consultant (“Administrator”) to assist the committee with the day to day management and administration of the association. For the purpose of the GDPR our data controller is our Administrator who can be contacted at firstname.lastname@example.org
3. Policy Statement
HRLA is committed to compliance with all relevant EU and UK laws in respect of personal data and to the protection of the rights and freedoms of individuals whose information we collect and process in accordance with the GDPR.
The GDPR and this policy apply to all of our personal data processing functions in relation to our members and any other personal data that we process from any source. This policy sets out the kind of personal data that is collected from you, the lawful basis on which it is collected, how it is processed and your rights in relation to requesting access, rectification and deletion of your personal data.
Partner organisations and third parties working with us which have or may have access to personal data will be required to adhere to all obligations imposed by data protection legislation.
In the unlikely event of a data protection breach, it will be reported within 72 hours to the appropriate authorities and the member(s) directly concerned.
4. The lawful basis for collecting your personal data
As a membership organisation, HRLA has a legitimate interest in collecting, storing and processing the personal data of our members in order to keep them informed of our activities related to the HRLA’s objectives as set out above. Alternatively, we consider that by joining as a member you give your consent for HRLA to collect and process your personal data.
If you are not a member of HRLA, but have attended HRLA events, entered HRLA competitions (e.g. the Annual Judicial Review Competition) or have applied for the HRLA Bursary Scheme (“Bursary Scheme”), we will retain your data to serve the legitimate interest in storing and processing that data for the purpose of your attendance and interest in our events, your competition entry or your application.
We may store information concerning how recipients use our email updates for the purposes of web analytics. This is anonymised, but allows us to see which emails are opened, and how often, by recipients so that we can continue to provide events and activities of interest to our members.
We may retain and process the data of individuals who visit our website for the purposes of our legitimate interests as an organisation. Where this data is retained or processed, it will be balanced against individual privacy rights and anonymised. Where the information you provide includes sensitive data (in connection with a bursary application) we will seek your explicit consent to store and retain that data in connection with your communications with us. We may retain the names and personal data of Bursary recipients for the purposes of reviewing the Bursary and communicating with Bursary alumni. The legal basis for the retention and processing of this data is a combination of our legitimate interests and consent.
5. When do we collect your data?
HRLA collects personal data when:
- Individuals or organisations voluntarily sign up to become a member either online through our website or by emailing or positing us a membership form;
- Individuals voluntarily apply to our bursary scheme, judicial review competition or to be published in the Young Lawyers’ Committee Journal;
- Individuals request to attend education and training events organised by the HRLA.
We also collect the personal data (name and contact details) of persons within organisations with whom we may wish to partner with for producing an event or publication connected to our stated objectives.
We also collect anonymous data from visitors to our website which allows us to evaluate how our website is used and from time to time take steps to improve it.
6. What kind of data do we collect?
We may collect and process the following personal data about you:
- Information that you voluntarily provide such as your name, address, telephone, email address, place of work or study, your status (solicitor, barrister, lawyer, academic, student, pupil or trainee etc) and your bank details for the processing of membership fees;
- If you contact us requesting further services or to report a problem with our website we may collect additional information and may keep a copy of that correspondence;
- We may from time to time ask you to complete surveys for research purposes, although there will be no obligation to respond to such requests.
If you access our website we may also collect information about your computer including where available your IP address, operating system and browser type, for system administration. This is statistical data about our users’ browsing actions and patterns and does not identify any individual.
7. Storage and protection of your personal data
Your personal data is kept by HRLA in an encrypted format, on password protected devices, and will only be accessed by those who need to use it in line with this policy. We are committed to ensuring that the personal data we store is protected from misuse, loss or unauthorised access.
When you provide us with your personal data, it is exported to Mailchimp for the purpose of producing membership updates sent by email. At least annually we review our Mailchimp mailing list in order to delete the personal data of inactive/unresponsive members or those who have not renewed their membership subscription. All members can manage their own Mailchimp profiles and request that their personal data is deleted via a link which is provided in the footer of all of our email communications. Alternatively, members can email email@example.com directly to be removed from the Mailchimp mailing list.
8. Who do we share your personal data with?
Mailchimp and Survey Monkey
We use Mailchimp and Survey Monkey for newsletters and client surveys respectively. These applications store data in the United States but have taken steps to comply with GDPR and are both signed up to the EU-US Privacy Shield. Their privacy policies can be found here:
Survey Monkey https://www.surveymonkey.com/mp/legal/privacy-policy/
HRLA partners with other organisations, businesses and universities for event space. When you sign up to attend our events your name may be disclosed to the host organisation, business or university for the purposes of your registration at that event only. We ensure that these lists are deleted after events and that the data is not retained or processed in any further way.
We retain records of event attendees for the purposes of CPD compliance. If an individual or a Professional Body (e.g. Bar Standards Board/Solicitors Regulatory Authority) contacts us regarding such attendance we will provide the information necessary for the purposes of establishing CPD compliance.
9. Your Rights
The GDPR provides the following rights for individuals in relation to their personal data:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling
You may make a Subject Access Request relating to how we process your personal data. HRLA will respond to requests for information from Data Subjects within 30 days, although this may be extended to two months for complex requests in certain circumstances.
You are also entitled to complain to us about how your personal data is processed or how we handled a Subject Access Request and to appeal against how any complaint has been handled by us.
10. Retention and Disposal of Data
We will not keep personal data in a form that permits you to be identified for a longer period than is necessary in relation to the purpose(s) for which the data was originally collected. The retention period for each category of personal data is set out in our Retention and Disposal Policy. Personal data will be retained in line with our Retention and Disposal Policy and, once its retention date is passed, it will be securely destroyed.
On at least an annual basis, HRLA will review the retention dates of all the personal data processed by us and we will identify any such data that is no longer required. This data will be securely deleted or destroyed in line with our Retention and Disposal Policy.
Any data retention that exceeds the retention periods defined in our Retention and Disposal Policy must be approved and the justification for the retention clearly identified and recorded.
We may store personal data for longer periods if it will be processed solely for historical research or statistical purposes; for example to remain in touch with the recipients of our Bursary Scheme.
11. Change of Policy
HRLA may amend this privacy statement from time to time. Any changes we may make in the future will be posted on our website and, where appropriate, notified to you by email.