Privacy policy


Updated 08-04-2024
 

Who we are and how to contact us

The Royal Statistical Society is a registered charity in England and Wales (charity number 306096) and has a wholly owned subsidiary, RSS Services Limited (company number 3982652). In this policy, ‘we’, ‘us’, ‘our’, or ‘RSS’, refers to both the Royal Statistical Society and RSS Services Limited.

Our address is 12 Errol Street, London EC1Y 8LX.

If you have any questions about this policy, or how we use your personal data, then please contact gdpr@rss.org.uk.
 

Purpose and scope of this policy

This policy explains how we protect your data while providing services that we believe will be of interest to you.  

This policy applies whether you are a member of the Royal Statistical Society, a customer, employee, or a user of any of our services, including those provided by our subsidiary, RSS Services Limited.
 

How we collect personal information

We collect personal data in connection with specific activities such as membership requests, registration for conferences or events, booking a training course, hiring our rooms, campaigning, volunteering or employment.

Personal information may be collected online, by post, over the telephone or in person.
 

What personal information we collect

The information we collect will vary depending on the services you use but may include:

  • Name
  • Address
  • Phone number
  • Email address
  • Date of birth
  • Marital status
  • Job title
  • Employer
  • Website analytics (including your device model, browser and IP address)

Special category data

Special category data requires greater protection due to the sensitive nature of the information.

We may collect data about sex, gender, health, disability, religion, race and ethnicity to ensure that we are complying with legal requirements and providing the best possible services to you.

We may use special category data for monitoring and improving policies, processes and practices, particularly with regard to equality, diversity and inclusion.
 

Where we store your data

We store your data on Microsoft 365 / Azure servers located in the UK and EU.
 

How we protect your data

The RSS is Cyber Essentials certified and has a wide range of processes and technical controls in place to protect your data. We operate on the Principle of Least Privilege with accounts subject to Role Based Access Controls (RBAC) and enforced Multifactor Authentication (MFA). Data is encrypted at rest on devices and in transit.

GDPR and cyber security training is provided to all staff.

Suppliers must demonstrate a commitment to data protection and provide evidence of relevant certification (e.g. Cyber Essentials, ISO 27001).

Please note that no service is completely secure; any data that you share with us is shared at your own risk. If you have any concerns that your MyRSS account or personal information has been compromised, please get in touch straight away.
 

The lawful basis for processing your personal data

We process personal information as a Data Controller as defined by the UK General Data Protection Regulation (UK GDPR). Our purposes for processing are:

Legitimate interest: contacting you about your membership and services that we believe are directly relevant to you.

Consent: providing targeted communications such as newsletters that subscribers can opt out of at any time.

Contractual: fulfilling a contractual obligation such as providing a training course.
 

How we use your personal data

Use of your data depends on how you interact with our website, services and activities:

Membership
We use the personal data you provide to us as a member for the purpose of servicing your membership. It is provided as legitimate interest. It includes, but is not limited to: sending you renewal information and administering your membership; sending you Significance magazine; providing information about our Conference, events and training courses; updates on our activities; and providing access to electronic journals. We will normally contact you via email, although we might occasionally need to write to you or phone you. If your membership lapses, we may contact you for up to 12 months after the lapse date to give you an opportunity to re-join unless you have expressly told us that you do not want to be contacted.

If you change your email address, or if any of the other information we hold is inaccurate or out of date, please email us at membership@rss.org.uk.

Conference and events 
We use the personal data you provide as a delegate to events for the purpose of managing your attendance. It is provided as legitimate interest. Your data will be used to communicate with you throughout the process, including to confirm we’ve received your registration and payment, to clarify where we might need more detail to fulfil a booking, or to resolve any issues that might arise with your booking.

Training courses 
We use the personal data you provide as a delegate to a training course for the purpose of managing your attendance. We process your data as legitimate interest. Your data will be used to communicate with you throughout the process, including to confirm we’ve received your registration and payment, to clarify where we might need more detail to fulfil a booking, or to resolve any issues that might arise with your booking. We do not pass or sell your data to any third party, except the course tutor.

Competitions and awards
We may share your entry form with the judges of the competition or award. If the competition or award is sponsored, then some of the judges may be external. If so, we will redact as much personal information as possible before sharing your entry details and ensure that they have data protection policies in place.

Newsletter 
If you wish to receive the emailed Royal Statistical Society newsletter, we will collect and process your data on the basis of consent. To provide the newsletter service, we do need to share your contact details with the IT service provider (see "How we may share your data" below).

Research data
Any data shared with the RSS for the purposes of research will be restricted to users that have been agreed with the data provider in advance. Where possible, RSS will anonymise all data sets.
 
Recruitment and employment 
To comply with our contractual, statutory, and management obligations and responsibilities as an employer, we process personal data, including special category data, from job applicants and employees.  

In certain limited circumstances, we may legally collect and process sensitive personal data without requiring the explicit consent of an employee.

Further information on what data is collected and why it’s processed is given below.
 
  • Statutory responsibilities are imposed through law on the organisation as an employer. The data processed to meet statutory responsibilities includes, but is not limited to, data relating to: tax, national insurance, statutory sick pay, statutory maternity pay, family leave, work permits, equal opportunities monitoring.
  • Contractual responsibilities arise from the contract of employment. The data processed to meet contractual responsibilities includes, but is not limited to, data relating to: payroll, bank account, postal address, sick pay, leave, maternity pay, pension and emergency contacts.
  • Management responsibilities are necessary for the organisational functioning of the organisation. The data processed to meet management responsibilities includes, but is not limited to, data relating to: recruitment and employment, training and development, absence, disciplinary matters, email address and telephone number.

Management of volunteers
If you’re a volunteer then we will need to use your personal data to manage your volunteering, from the moment you enquire to the time you decide to stop volunteering with us. This could include: contacting you about a role you’ve applied for or we think you might be interested in, and expense claims you’ve made. It could also include information from sections and groups about things happening where you volunteer and about your volunteering, including asking for your opinions on your volunteering experience. 

We may collect and retain extra information about you (e.g. references, details of emergency contacts, medical conditions, etc) for legal or contractual reasons.
 

How we may share your data

We never sell your information to a third party. We work with trusted partners who function as Data Processors to provide services to our members:

Online payments are processed by Opayo (formerly SagePay) which is a service owned by Elavon that is fully PCI DSS compliant.

Direct Debits are processed by Access PaySuite (formerly SmartDebit) and are fully PCI DSS compliant.

Our Content Management System (CMS) and Customer Relationship Management (CRM) database are provided by Smart Impact and use technologies from Kentico and Microsoft. This enables us to provide online services in MyRSS and our wide range of newsletters.

CRM data is stored in Microsoft Azure.

Our Significance website is hosted by Hostwinds.

Online and hybrid events use Microsoft Teams and may be uploaded to YouTube.

Some meetings may be automatically transcribed by Microsoft Teams or using Otter.ai. Our meeting policy states that attendees must be given an opportunity at the beginning of the meeting to object to automated transcribing, in which case minutes will be taken manually. Any automatic transcriptions are reviewed for accuracy and will be permanently deleted within 60 days.

RSS Journals and Significance magazine are published by Oxford University Press. There is integration between MyRSS and the OUP website to allow members to access their relevant publications.

Mentoring services are provided by Pushfar.  

Competitions and awards may be sponsored and/or judged by third parties. If so, we will redact as much personal information as possible before sharing your entry details and ensure that they have data protection policies in place.

We may run ad campaigns to help direct users to the most relevant part of our website. Ad services may be supplied by Google, Meta and LinkedIn.

Fonts used on this site are served by the Google Fonts API. This is to improve accessibility, site loading speeds and font compatibility across devices. Review the Google Fonts Privacy and Data Collection statement for more information.

Internet services are provided by Exponential-e.

If asked by the police, or any other regulatory or government authority investigating suspected illegal activities, we may be legally required to share your personal data.

To carry out our contractual and management responsibilities, we may, from time to time, need to share an employee’s personal data with one or more third parties. To meet the employment contract, we are required to transfer an employee’s personal data to third parties, for example, to pension providers and HM Revenue & Customs. Similarly, to fulfil our statutory responsibilities, we’re required to give some of an employee’s personal data to government departments or agencies e.g. provision of salary and tax data to HM Revenue & Customs.
 

How long we hold your personal data

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for.

Ceased members: we retain personal data for 6 years to comply with legal, regulatory and financial obligations, resolve disputes, prevent fraud and abuse, maintain security, or fulfil your request to "unsubscribe" from newsletters and bulk communications. A historical record of members is maintained for posterity with the minimum amount of information we require to achieve this.

Staff: we retain your personal data for 6 years after you leave.

Job applicants: one year

Web analytics: 14 months

Surveys: data is anonymised as soon as possible and no later than 1 year

Complaints: 6 years
 

Your data protection rights 


Access: you have the right to ask us for copies of your personal information.

Rectification: you have the right to ask us to rectify information you think is inaccurate.

Erasure: you have the right to ask us to erase your personal information in certain circumstances.

Restriction: you have the right to ask us to restrict the processing of your information in certain circumstances.

Objection: you have the right to object to processing.

Data portability: you have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you.

Decision making: you have the right not to be subject to a decision based solely on automated processing, including profiling.

Consent: you have the right to withdraw your consent where it is the legal basis for data processing.

These are legal rights, so they only apply in certain circumstances and are subject to exemptions.

To exercise any of the above rights, please contact gdpr@rss.org.uk. We have one month to respond to you; there is no requirement to pay any charge.

You will need to provide information that will help us confirm your identity.
 

Who to contact if you are unhappy

In the first instance, please talk to us directly so we can resolve any problem or query.

You also have the right to contact the Information Commissioner's Office (ICO) if you have any questions about data protection or wish to make a complaint.
 

Updates to this policy

If we make substantial changes, we will bring these to your attention where reasonably possible. You can always access the latest version of this policy on our website.