Data Protection Statement
Your Personal Data
The Pensions Research Accountants Group (“PRAG”/ “we”) collect and hold personal data about our members and other contacts for the purposes of our activities. The new General Data Protection Regulations (“GDPR”) come into force in May 2018, which will apply to how we do this. We want to take this opportunity to update you on how we collect, use and process your personal data.
What we need
PRAG will be what is known as a ‘Data Controller’ of the personal data you provide to us. We only collect basic personal data about members and other contacts, including name and contact details (physical and email). Members provide and maintain the information held in respect of them and it is an individual’s decision as to whether it is work or personal details provided. The database also includes information concerning role, employer organisation (if relevant) any areas of expertise/ special interest and the willingness to be a member of a working party. The information collected does not include any sensitive personal data or any other special types of information.
The Executive may from time to time decide to collect other information from members for the purposes of PRAG’s activities, but only with individual consent.
The legal basis for holding and processing your personal data is your consent, where you have provided this, and otherwise our legitimate interest.
Why we need it
We need to know your basic personal data mainly in order to provide you with news on PRAG activities, publications and events. We will only use the information held for the legitimate purposes of PRAG in the furtherance of its objectives as notified to the members.
What we do with it
The information PRAG holds is maintained on a database which is hosted by a third party administrator and to which our appointed third party secretariat has access. The third party secretariat is a data processor. The engagement terms of any third party agents or service providers include data protection clauses.
We will not process data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed or would otherwise reasonably expect this.
We have a Data Protection policy in place to govern the effective and secure processing of your personal data.
All the personal data we process is processed by our appointed secretariat in the UK. However, for the purposes of IT hosting and maintenance, this information may be located on servers within the European Economic Area (“EEA”). We may also make use of third-party providers with servers located outside the EEA (such as Eventbrite and PayPal). Any transfer or processing of data out of the EEA will be protected by appropriate safeguards as required by law.
Who has access
Access to personal data is restricted to the database administrator and the secretariat. In corresponding with individuals, e-mails are sent without disclosing recipients.
Any changes to a member’s contact details are only made by the member using the on-line functionality of the database. It is the responsibility of members to keep their own personal details up to date.
On occasion, contact details may be released to facilitate communication between individual members or other contacts, but not without the permission of the individuals concerned.
No third parties will have access to personal data unless the law allows.
How long we keep it
PRAG will retain personal data for no longer than necessary. Member records will be maintained for no more than six years after the end of the last year of which an individual was a member of PRAG. If a member decides not to renew their membership and advises the Secretariat that their details should be removed, they will be deleted (unless a legal exemption applies).
What are your rights
You may request to see the information we hold about you to check its accuracy. If you wish to raise a complaint about how we have handled your personal data, you can contact our Secretariat who will investigate the matter.
If you are not satisfied with our response or believe we are not meeting legal requirements you can complain to the Information Commissioner’s Office (ICO).