Adoption of Policy
Policy approved by the Society of Pensions Professionals (SPP) Council on 27/3/19
Effective date: 29/3/19
Next review date: 29/3/21
We hold personal data about employees of our Members and about other individuals (“other contacts”) with whom we have contact in the course of our activities. This policy sets out how we seek to protect such personal data.
The requirements of the General Data Protection Regulation (“GDPR”) apply from 25 May 2018. SPP is a data controller of the personal data of employees of Members and other contacts for the purposes of the GDPR. The GDPR sets out a number of principles with which data controllers must comply when processing personal data. In summary, personal data must be:
- Processed lawfully, fairly and in a transparent manner.
- Collected only for specified, explicit and legitimate purposes.
- Limited to what is necessary.
- Accurate and kept up to date.
- Kept for no longer than is necessary.
- Processed in a manner that ensures appropriate security.
The data controller is responsible for, and must be able to demonstrate compliance with, these data protection principles. Council is ultimately responsible for ensuring that SPP meets its legal obligations.
This policy applies to all data that SPP holds relating to identifiable individuals.
SPP only holds basic personal data about employees of Members and other contacts, including name and contact details (postal and e-mail). Employees of Members provide and update the information held in respect of them, and it is the individual’s decision whether to provide work or personal contact details.
The database also includes information concerning role, employer organisation, any areas of special interest and membership of, or willingness to be a member of, Council, a Committee or a working party. The information collected does not include any special category (“sensitive”) personal data or any other special types of information.
Council may from time to time decide to collect other information from employees of Members for the purposes of its activities, but only with individual consent.
Use of Data
SPP will only use the information held for the legitimate purposes of SPP in the furtherance of its objectives as notified to the Members. The legal basis for holding and processing personal data is the individual’s consent, where this has been provided, and otherwise SPP’s legitimate interests.
The information SPP holds is maintained on a database hosted by SPP, to which the SPP Secretariat has access.
We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed or would otherwise reasonably expect this.
Access to Data
Access to personal data is restricted to the SPP Secretariat.
Any changes to an individual’s contact details are only made on the instruction of the individual, or on the instruction of another party whom he or she has authorised to give such instructions. It is the responsibility of individuals to ensure that we keep their personal details up to date.
On occasion, contact details may be released to facilitate communication between employees of Members or other contacts, but not without the permission of the individuals concerned.
No third parties will have access to personal data unless the law allows.
Personal data will only be accessed and updated through the central database. No copies will be saved to any other computers, laptops, tablets or mobile devices, or transferred elsewhere, unless specifically authorised by Council and subject to appropriate safeguards.
SPP will take reasonable steps to ensure data is kept accurate. It is however the responsibility of employees of Members to ensure that their own personal details are up to date.
We will retain personal data for no longer than necessary. Records relating to individuals will be maintained for no more than six years after the end of the last year in which an individual was actively engaged with the Society. If a Member decides not to renew membership, and advises the Secretariat that details of their employees should be removed, they will be deleted (unless a legal exemption applies).
Subject Access Requests and Complaints
Employees of Members or other contacts may request to see the information held about them. Any complaints about how the personal data of an employee of a Member or of another contact has been handled may be made by contacting the SPP Chief Executive Officer (firstname.lastname@example.org), who will investigate the matter. The Chief Executive Officer will always verify the identity of anyone making a subject access request before any personal data is released.
Action in the event of a breach
On either the discovery of a personal data breach by a director or the Secretariat, or the receipt of a notification of a breach from a third party, an e-mail will be sent immediately to all members of Council.
The SPP Chief Executive Officer or his assistant will take any immediate action reasonably necessary to mitigate the impact of the breach. The SPP Chief Executive Officer or his assistant will advise Council of the actions taken and of any further actions proposed in response to the breach. A register of any compliance failures will be maintained. Where legally required, the Information Commissioner’s Office will also be informed (under the GDPR, without undue delay and where feasible within 72 hours of SPP becoming aware of the breach).
A data protection statement will be made available on the SPP website to explain how data is being used, how it is protected and how individuals can exercise their rights relating to the data. The data protection statement will also be available to other contacts via the website.
Location of Processing
All the personal data we process is processed by the SPP Secretariat in the UK. However, for the purposes of safekeeping, this information may be backed up on servers within the EEA. For the purposes of backing up, we may also make use of third party providers with servers located outside the EEA. Any transfer or processing of data outside the EEA will be protected by appropriate safeguards as required by law.