General Data Protection and Privacy Policy

STATEMENT

The Institute of Industrial Accident Investigators (also referred to below as ‘we’, ‘us’ ‘the Institute’ ‘IIAI’ or ‘the IIAI’) is committed to open and transparent use of data which is secure and gives members, prospective members, customers and potential customers confidence that data is used in a socially responsible way and in compliance with the EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

 

THE IIAI: who are we, what do we do and how are we contacted?

The Institute is an Unincorporated Association Limited by Guarantee providing professional recognition and qualification to accident investigators Worldwide. If we need to enter into certain legal contracts, we do so as the IAI Research & Development Centre (RDC) which is a UK Company Limited by Guarantee (Reg. No. 05039136). Both the Institute and RDC are not for profit organisations and have a common registered office at Old Bank, The Triangle, Paulton, Bristol BS39 7LE. Our email contact is [info@iiai.org.uk] and our phone is 01726 832695.

All of our data processing and communication takes place on secure systems in the EU which we keep under review.

 

When do we collect personal data?

• When you communicate with us by email, telephone, post or in person.
• When you apply to be a Member of the Institute of Industrial Accident Investigators’.
• When you or your organisation requests information about, or purchases, any of our products or services direct from us or through an organisation that has been licensed and accredited to deliver them by us.
• When you consent to receive marketing communications from us or update your preferences in relation to them.
• In the form of cookies when you visit the IIAI web site at www.iiai.org.uk
• When you access the secure areas of the IIAI web site.
• When you register for one of our courses, events, awards or competitions or when you complete an application form for membership or services.
• When you take part in an IIAI survey or poll.
• When you agree to be featured in an article or news release.

 

How and why we process data:

Under the GDPR, there are six lawful bases for processing personal data and we have listed below the five that apply to us.

Consent: this is the basis for all our marketing and business email and telephone communications (note; any person may, at any time, opt-in or out of hearing about our services or products as they, their organisation or employer wish). This may be direct from the IIAI or by consent that you give through a third party when, for instance, applying for an IIAI approved product or service but where your contract is with the third party. Where the latter is the case, the third party form will have an IIAI consent section. Consent is also the basis for data from membership surveys or for feed back on a third party delivered IIAI product or service.

Contract: we use this basis to process all data that is necessary to deliver any of our products or services or for you to become an IIAI member, renew your membership or upgrade it. This includes any print, telephone or electronic communications needed for administration. It may also include data provided by your employer if, for instance, they pay for your membership or a service or product involving you or communications from us where you need, for instance, event joining instructions.

Legal: this will vary on a case by case basis but arises when we are required to comply with laws and regulations.

Vital Interests: this basis might arise where, for instance, personal data such as food allergy or medical condition information is shared to protect a person.

Legitimate Interest: this applies when, in possession of your or your organisation’s data as a potential customer, we contact you about products or services which we believe will be of interest.

 

DATA PROCESSORS AND JOINT DATA CONTROLLERS

A Data Processor is an organisation that we securely pass your data to…

a). because they undertake marketing you have opted in to, or

b). because we were supplied it in order to pass it on to them, or

c). to satisfy a contractual obligation to you regarding any of our products or services.

Data is only shared with the following organisations for the purposes identified and we have suitable data processing contracts in place with each.

 

Neucom Ltd

To send out email notifications of IIAI/RDC Sponsored Training sessions and the IIAI Executive Committee Fellowship Lectures to IIAI Members.

To send out membership renewal notices and new membership cards.

 

Fasthost
All IIAI email communications go via a secure server at Fasthost.

 

Joint Data Controller (JDT)

A joint data controller is a secondary organisation that we need to pass your data to (or receive it from) in order to fulfil a material obligation or contractual service and both we and the JDT need to process the data in order to deliver.

Data is only passed to the following organisation for the purposes identified and we have suitable data processing contracts in place.

 

Neucom Ltd

When you apply for membership, Neucom receives hard and electronic copies of applications and undertakes preliminary processing for us before passing to the IIAI Memberships Committee for electoral consideration. Depending on outcome, Neucom generates an initial email communication and prepares the welcome pack for IIAI Executive Committee endorsement and despatch.

Neucom manages the IIAI Info Desk, Instructor and Approved Centre processes for us and passes all data to us. In respect of the above, both the Institute and Neucom securely store and control data.

When you complete a course that we certificate or examine, your approved centre controls that data but we will be a joint processor for administration purposes and will also control and store the data in respect of members and non members.

 

SUPPLEMENTAL INFORMATION:

Your Rights:

GDPR gives you a right…

To be informed: when we collect data from you, it is your right to be told how and why we require or would like it, what we will do with it and how you can control the data of yours that we have. This policy is part of that overall process.

Of access: you have the right to ask if we hold data on you and, if so, what it is. You can do this by post or email via the contact details above. Requests are free of charge unless repetitive, excessive or manifestly unfounded (in which case, a reasonable fee of £50 will be charged). We will always aim to respond within 5 working days.

To rectification: if any data we hold about you is incorrect, we will update it as soon as you inform us unless verification is needed. Members should keep us informed when data such as contact address, email, phone number or qualifications change.

To erasure: you have the right to request that we completely erase any data we hold

on you and such can be done via the contact details above. We will inform you of the outcome of this request and any associated erasure within 4 working weeks.

To restrict processing: you may request that we restrict your data from being processed but still hold it on our systems if required or necessary under GDPR. In all cases here, you can do this in writing via the contact details above.

To data portability: if you request us to share your data with another controller we will do this in an easily transferable secure format and will also send you a copy of your data via the same means at your request.

To object: whilst we will ensure that you may keep your preferences up to date, you may object at any time to marketing communications and we will cease these upon receipt of a request from you.

To know about automated decision making and profiling: you have the right to know if we profile you or make marketing decisions about you using wholly automated processes. We do not use any automated marketing or profiling systems.

 

Alan Dell

 

 

IIAI Executive Committee Chairman