Member Privacy Statement

AAC SIG (The SIG) wish to process data lawfully and within the General Data Protection Regulation (GDPR).

Information on the GDPR can be found on this web site:


We consider this to be important in safeguarding your privacy, meeting the needs of our members and providing you with the information required to meet our organisational objectives.

We are required to be open and transparent by sharing with you the nature and extent of the data we collect, why we need to have the data and how it will be stored, who that information will be shared with and how long we will retain the information. We are also obliged to tell you that you have a right of access and can correct or instruct us to delete or destroy information at any time (subject to legal and regulatory requirements). However, refusing us the right to process data will end your membership.

Any references to the AAC SIG, the SIG, ‘we’ or ‘us’ refer to:

The Augmentative and Alternative Communication Specific Interest Group

Royal College of Speech & Language Therapists 

2 White Hart Yard

London

SE1 1NX

Please be aware that this notice will be updated as necessary to reflect best practice in data management and to ensure compliance with any changes or amendments made to relevant laws or regulations.

 

Why are we collecting your personal data (The Lawful Basis)?

In order to fulfil our obligations to you we need to record and maintain personal data. This information is used to manage your membership, members’ meetings and process the membership fee.

 

What is being collected and how will it be processed?

The SIG collects personal data such as your name, address, email address and telephone number. We collect this information from you as part of your membership application. Only appropriate information will be gathered and only processed to the extent that is needed to fulfil our operational needs or to comply with any legal and regulatory requirements.

 

How we store your information

Information will be stored electronically in our office, in the Cloud and on computer systems owned by committee members from time to time. We will take the appropriate technical and organisational security measures to safeguard information. We will ensure that the data collected is processed in line with this privacy statement, your rights under the Data Protection Act 1998 and the GDPR.

Committee members agree to take the appropriate security measures to safeguard information. As a minimum: 

  • Password protect computers and iPads;

  • Install and maintain branded internet security software;

  • Routinely backup data (if required);

  • Avoid transporting physical paper files where possible;

  • When posted, recorded delivery or other secure trackable services will be employed;

  • Encrypt electronic data (including emails) and physical media (for example USB sticks) containing sensitive personal data such as name and address;

  • SIG data, including paper files, will not be left unattended in cars, on trains or other vehicles;

  • Be aware of the SIG Privacy Statement and their responsibilities.

 

Committee members who process data will also have an understanding of the GDPR and will be adequately trained in data security, including their obligations to the SIG, its members, relevant laws and regulations.

The SIG make use of cloud services operated by Google. It is our understanding that these organisations meet the requirements of the GDPR but we cannot be held responsible for a data breach emanating from these companies. 

We also employ branded anti-virus software and we routinely back up our data stores.  

In addition to our electronic records, we also hold paper-based files. Physical documents containing sensitive data will be destroyed when no longer required but some paper-based materials will inevitably be retained for a period of time.

 

Who will we share your personal data with?

We will not share or distribute data with the following exceptions:

1.     We will share data within the management committee in order to meet our obligations to the members. 

2.     We will share data where we are required to do so by law or other regulation.

3.     We may also share data where the information has been made public.


How long will we keep information?

We continually review the information we hold, and delete what is no longer required. When your membership ends we will review the information we hold, and delete specific items that are no longer required. The remaining data will be subject to review but all personal data will be destroyed or deleted within six years subject to any legal, regulatory or insurance obligations and other operational practices.

Financial data pertaining to the recovery of debts, taxation, and our accounting, statutory and regulatory obligations will be retained for a period of six years.

 

Who has access to your data?

You have the right to ask for a copy of the personal data that we hold. Within one calendar month we will send this information to you electronically. We have the right to make a charge for requests that are repetitive or excessive.

Some ‘virtual’ personnel/services will have access to limited data sets depending upon their job function. For example, we rely upon commercial service providers to process your membership fee.

Committee members and contractors are aware that a breach of the rules and procedures identified in this privacy statement may lead to disciplinary action being taken against them and that the Information Commissioner’s Office (ICO) and other law enforcement agencies will be informed in the event of a serious or malicious information breach.


 

Marketing

As a member, we will contact you with information concerning the SIG and its various activities. 

 

Data Breaches

GDPR introduces a duty on all organisations to report certain types of data breach to the Information Commissioner and, in certain cases, to the individuals who will be directly affected. Internal records of all data breaches will be kept by the SIG. 

 

Where a data breach is likely to result in a high risk to your rights and freedoms, we will notify you, any other individuals affected and the ICO without undue delay, in order to mitigate any potential loss. 

 

Where notification to the ICO is required, it will include: 

1.     The name of the SIG’s acting Chair;

2.     The nature of the breach;

3.     The type of data breach and the people affected;

4.     The likely consequences;

5.     Measures taken by the SIG to mitigate adverse effects.

 

Consent 

The GDPR requires us to obtain your specific agreement to the processing of your information. Without your consent we will be unable to process your membership. Should consent be withdrawn your membership will terminate. 

Within our membership application process, you are asked to individually confirm that:

  1. You agree to us holding and processing your personal information;

  2. You agree to us contacting you regarding the SIG meetings and other activities.

Your right to complain

In the event that you wish to complain about the way your personal data has been handled by the SIG, you should write to ‘The Chair’, stating your case.

Your complaint will be investigated and you will receive a response as soon as reasonably practicable.

If you remain dissatisfied, you may refer the matter to the Information Commissioner’s Office at:

Information Commissioner’s Office

Wycliffe House

Water Lane

Wilmslow

Cheshire, SK9 5AF

Email: casework@ico.org.uk 

Telephone: 0303 123 1113.