GDPR and Privacy

Introduction

The British Society of Animal Science is the professional body for those with an interest in furthering, undertaking and applying animal science.

The Society needs to acquire, control and process information about Data Subjects.

To comply with the law, information (specifically personal data) must be collected and used lawfully, fairly, and transparently.

1. Data Protection Obligations

1.1 The Society must comply with the Data Protection Principles which are set out in the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

1.2 The Data Protection Principles are essentially:

1.2.1 First Principle: Personal data shall be processed fairly, lawfully and in a transparent manner (‘lawfulness, fairness and transparency’).

1.2.2 Second Principle: Personal data shall be obtained only for specified, explicit and legitimate purposes, and must not be further processed in any manner incompatible with those purposes (‘purpose limitation’).

1.2.3 Third Principle: Personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which that data is to be processed (‘data minimisation’). Personal Data should only be collected to the extent that it is required for the specific purpose notified to the Data Subject. Any data which is not necessary for that purpose should not be collected in the first place.

1.2.4 Fourth Principle: Personal data shall be accurate and, where necessary, kept up to date (‘accuracy’).

1.2.5 Fifth Principle: Personal data must be kept in a form that permits identification of Data Subjects for no longer than is necessary for the purposes for which the Personal Data are processed (‘storage limitation’).

1.2.6 Sixth Principle: Personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

1.2.7 Seventh Principle: The Data Controller shall be responsible for, and be able to demonstrate compliance with, all the above principles (‘accountability’).

1.3 The Society and all staff or others who process or use Personal Data (referred to as Data Users) must ensure that they follow these Data Protection Principles. In order to ensure that this happens, the Society has approved this Policy.

1.4 Personal data only includes information relating to natural persons who:

  • can be identified, or are identifiable, directly from the information in question; or
  • can be indirectly identified from that information in combination with other information.

1.5 Personal data may also include special categories of personal data or criminal conviction and offences data. These are considered to be more sensitive and may only be processed in more limited circumstances.

2. The Data Controller

2.1 The Society is to be regarded as the Data Controller.

3. Responsibilities of Data Users

3.1 All Data Users are responsible for:

3.1.1 Complying with the Data Protection Principles

3.1.2 Informing the Society of any changes to information that they have provided, e.g. changes of address, either at the time of appointment or subsequently.

3.2 If and when, as part of their responsibilities, Data Users collect Personal Data, they must comply with the Data User Guidelines set out in Section 2 of this Chapter 1.

4. Rights to Access Information

4.1 Our privacy policy on the Society's website outlines these rights for data subjects. All Data Subjects are entitled to know:

4.1.1 What information the Society holds and processes about them and the purposes of the processing

4.1.2 The categories of Personal Data concerned

4.1.3 The recipients or categories of recipient to whom the personal data has been or will be disclosed, in particular recipients in third countries (i.e. those outside of the EEA) or international organisations

4.1.4 How long it is envisaged their Personal Data will be stored for by the Society (either the relevant period, or the means by which that period is determined)

4.1.5 That they have the right to complain to the ICO

4.1.6 In the event that the Personal Data is not collected directly from the Data Subject, any available information as to its source

4.1.7 The existence of any automated decision-making including profiling and details about the logic and any consequences involved in such automated processing

4.1.8 How to gain access to their Personal Data

4.1.9 How to keep their Personal Data up to date and the existence of the right to rectification or erasure of Personal Data.

5. Subject Access Requests

5.1 All Data Users have a right under the GDPR to access certain Personal Data being kept about them either on computer or in certain paper files. Any person who wishes to exercise this right should make a Subject Access Request outlining the information they require, together with satisfactory identity documentation, to the Society either by email (bsas@bsas.org.uk) or by post to the British Society of Animal Science, PO Box 3, PENICUIK EH26 0RZ. They may make an initial enquiry by phone but will be advised to make their SAR in writing, for record purposes.

5.2 The Society will respond to a first Subject Access Request free of charge, but may charge a fee in respect of further requests for the same information, although the Society has discretion to waive this.

5.3 The Society will respond to Subject Access Requests as quickly as is practicable, but will ensure that the information is provided within a month (or such other timeline as legislation may require) of being satisfied as to the identity and authenticity of the request.

5.4 Given that strict statutory timeline, data users are required to immediately intimate any Subject Access Request to the DPO, even if the request does not use that exact phrase, where it can be inferred that the Data Subject is requesting sight of their Personal Data. Subject Access Requests will be dealt with on a case-by-case basis.

5.5 If a Subject Access Request is ‘manifestly unfounded or excessive’ the Society can charge a fee or refuse to respond, but will need to provide evidence of how that conclusion was reached.

5.6 Any fee charged for a Subject Access Request will be reasonable, and based on the actual cost to the Society of complying with the request.

5.7 For complex or numerous Subject Access Requests, the Society may extend the response deadline for up to a further two months. If it does so then it shall inform the Data Subject within a month of receiving the Subject Access Request and will explain why an extension is merited.

6. The lawful basis of processing

6.1 The Society may process a given set of Personal Data only if it has a lawful basis for doing so. GDPR provides a number of possible lawful bases, as follows:

Consent: the individual has given clear consent for the Society to process their personal data for a specific purpose.

Contract: the processing is necessary for a contract the Society has with the individual, or because they have asked the Society to take specific steps before entering into a contract.

Legal obligation: the processing is necessary for the Society to comply with the law (not including contractual obligations).

Vital interests: the processing is necessary to protect someone’s life.

Public task: the processing is necessary for the Society to perform a task in the public interest or for its official functions, and the task or function has a clear basis in law.

Legitimate interests: the processing is necessary for the Society’s legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

The legal bases for processing of Sensitive Personal Data are more limited, and subject to additional conditions.

6.2 The Society may process some Special Categories of Personal Data of Members and/or staff prior to their admittance as Members or as members of staff and/or during their time with the Society. In this situation the Society will use Articles 9(2)(b) and (g) of the GDPR as its legal basis for processing (i.e. it is necessary for carrying out obligations under employment, social security or social protection law). As such, no Data Subject consent will be sought for this type of data processing.

6.3 The Society may also ask for information about particular health needs, such as allergies to particular forms of medication, or any medical condition such as asthma or diabetes. The Society will only use this information in the protection of the health and safety of the individual and will seek explicit consent to process this sensitive personal data in any other circumstance.

6.4 The application forms that all prospective staff and others are required to complete will include a section requesting consent to process the applicant’s personal and/or special categories of personal data. Such requests will specify the purposes that said personal and/or special categories of personal data will be used for. A refusal to give consent on such a form will not prevent the application from being processed but may mean that the Society cannot put in place as high a level of safeguards as it normally would for staff and others.

6.5 The Society will keep a record of when and how they obtained consent from any relevant data subject and keep a record of what the data subject was told at the time.

7. Processing Special Categories of Personal Data

7.1 As outlined above, sometimes it is necessary to process sensitive personal information. This may be to ensure that the Society is a safe place for everyone, or to operate other Society policies, such as the sick pay policy or the equal opportunities policy. Data Subjects will not be penalised for not giving their consent and will be alerted where not giving such consent may impact on the Society’s ability to assist them fully.

8. Publication of Society Information

8.1 The names of senior officers of the Society or any other personal data relating to staff, Council and/or Committee members will be published when any statute or law or operational necessity requires such personal data to be made public.

8.2 Limited information relating to Society staff and members will be made available via searchable directories on the public website, in order to meet the legitimate needs of visitors and enquirers seeking to make appropriate contact.

9. Retention of Data

9.1 Personal data will not be kept longer than is necessary for its purpose. Different categories of Personal data will be retained for different periods of time. Personal data will be destroyed or erased from the Society’s systems when it is no longer required.

9.2 The Society has a duty to retain information including personal data relating to data users and data subjects, for a period of time following their departure/cessation of engagement with the Society, mainly for statutory or legal reasons, but also for other purposes such as being able to provide references, or for financial reasons, for example relating to pensions and taxation.

9.3 The Society may keep personal data stored for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, or for scientific, historical or statistical purposes, but such data is subject to the implementation of appropriate safeguards.

10. Deletion of Personal Data - Right to be forgotten

10.1 The right to erasure (also known as ‘the right to be forgotten’) is a right of all Data Subjects under the GDPR. The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data when there is no compelling reason for its continued processing.

10.2 The right to erasure does not provide an absolute ‘right to be forgotten’. Data subjects have a right to have personal data erased and to prevent processing in specific circumstances.

10.3 The Society can refuse to comply with a request for erasure where the personal data is processed for the following reasons:

10.3.1 To exercise the right of freedom of expression and information

10.3.2 To comply with a legal obligation for the performance of a public interest task or exercise of official authority

10.3.3 Archiving purposes in the public interest, scientific research, historical research or statistical purposes; or

10.3.4 The exercise or defence of legal claims.

11. Data Breach - Report within 72 hours

11.1 Compliance with the GDPR is the responsibility of all data users. It is the responsibility of data users to ensure that all data is secure at all times. Any data user who considers that rules, policies and guidelines have not been followed in respect of any personal data (including their own) should raise the matter.

11.2 A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data.

11.3 Key responsibilities include ensuring that:

11.3.1 The Society is informed immediately when a breach has (or is suspected to have) occurred and

11.3.2 Appropriate action is taken if a member of staff, Council or Committee or other Data User becomes aware that there appears to be a breach due to another’s action or inaction.

11.4 Data users should also be aware that inappropriately sharing or disclosing information orally is considered a breach.

11.5 A notifiable breach has to be reported to the ICO within 72 hours of the Society becoming aware of it. The GDPR recognises that it will often be impossible to investigate a breach fully within that time-period but allows the Society to provide information in phases.

11.6 Despite the fact that not all breaches are notifiable to the ICO they should always be reported to the Society as soon as possible and without undue delay.

11.7 If a data breach occurs despite a data user having complied with the Society's policies and their legal responsibilities under the GDPR, data users will receive support and guidance in reviewing their data management responsibilities and processes. Data users will also be given help to put strategies in place to avoid a reoccurrence and to address the impact the data breach has on any affected person.

11.8 If a data breach occurs as a result of a data user’s non-compliance with the Society's policies and their legal responsibilities under the GDPR, data users must be aware that this will lead to careful consideration of their position and potential sanctions under the GDPR.

Use of Personal Data

12. Key Concepts

12.1 This part of the policy provides data users an introduction to some basic points of practice relating to the handling and processing of Personal Data at the Society.

12.2 Data users should be aware of all of the collection points of personal data within the Society as data users will need to provide individuals with information on how their personal data is processed. Such information will typically take the form of a reference to our privacy notice at the point where personal data is collected.

12.3 There are three key concepts data users should be aware of to assist in understanding their data protection obligations:

12.3.1 Purpose: Data controllers can only process personal data where they have a clear purpose for doing so. The purpose must be recorded by the Society for future reference.

12.3.2 Fairness: In defining the purposes for which the Society processes Personal Data, the fairness of that processing must be considered. For some types of processing the required elements of fairness are clearly outlined in the legislation, but for many others they are not. In such cases, the Society has tried to take a broad approach to deciding what is fair in each case, based on an interpretation of the GDPR and in conjunction with advice from the ICO, the Society’s own legal advisers and on wider practice.

12.3.3 Transparency: All data subjects must be able to feel that there is no intention to hide from them details of how their personal data is collected, used and distributed by the Society. One of the functions of this policy is to provide that assurance.

13. Personal Data

13.1 In most cases, the Personal Data held by the Society will be obtained directly from the data subjects themselves. A data protection notice must accompany most requests for personal data (exceptions apply). Any data user responsible for managing the collection of personal data for the activities of the Society must ensure that a link to the Society's Privacy Policy is included.

13.2 Personal data should only be amended/entered by appropriate data users who must be satisfied as to the identity of the information provider before effecting any change.

13.3 In the case of ‘self-service’ systems, data subjects are responsible for the maintenance of certain elements of their personal records following secure login.

14. Sharing Data Externally

14.1 In general no personal data should be disclosed to third parties unless the authority and authenticity of the request can be established. Disclosures requested by those claiming to be relatives or friends of the data subjects should be refused unless the consent of the data subject is obtained for such disclosures or proper authority is demonstrated.

15. Disposal of Personal Data

15.1 When personal data is to be disposed of, the following procedures will be followed:

15.1.1 All paper, or other physical documentation containing personal data will be permanently destroyed by secure shredding or incinerating.

15.1.2 All computer equipment or media that are to be sold or scrapped will have had all personal data completely destroyed, by re-formatting, over-writing, degaussing or other effective process.

15.2 Data users should note that merely erasing/deleting electronic files does not necessarily equate to destroying them.

16. Unsolicited Email Communication

16.1 It is expressly prohibited for any data user using the Society’s electronic media or services to transmit or facilitate the transmission of unsolicited commercial marketing communications. Data users should be aware that any breaches under this heading could be considered as gross misconduct, resulting in dismissal/termination of contract.

17. Use of Email

17.1 The following principles must be followed when making use of the Society’s email system:

17.1.1 Data users must be aware that an electronic mail message is not necessarily a confidential means of communication and therefore:

(a) Email should at all times be treated as a permanent written record which may be read by persons other than the addressee. Consequently data users should apply the same standards that would be expected in a formal letter.

(b) Email is to be used for Society business purposes only. Care must be exercised when transmitting confidential information, personal data or commercially sensitive information. Other methods of sending such information including by encrypted means may be more appropriate. If in any doubt contact the DPO.

17.2 Although email is provided primarily for business use, occasional sending or receiving of email for personal, non-business purposes is acceptable. However, data users need to demonstrate a sense of responsibility and may not abuse the privilege, which may be withdrawn at the Society’s discretion.

17.3 Data users must respect the confidentiality of other people’s electronic communications and must not attempt to read, “hack” into other systems or other people’s logins, “crack” passwords or use others’ passwords, breach computer or network security measures, or monitor electronic files or communications of other data users or third parties.

17.4 Passwords are unique to each data user, and must not be made available to any other data user. For the avoidance of doubt, upon the termination of a data user's employment or engagement (for whatever reason), they are required to provide password details to the IT Department.

17.5 No email may be sent which attempts to hide the identity of the sender, or represent the sender as someone else.

17.6 Digital signatures can have the same legal effect as written signatures; consequently any data user signing a document transmitted by e-mail on behalf of the Society must be aware that by so signing the document the data user has effectively bound the Society to comply with the content of the document. The data user must only do so if they have the necessary authority to bind the Society in this way.

17.7 All business records, such as contracts, agreements, financial statements or other records, and any correspondence connected with any legal proceedings, should be stored appropriately in accordance with the Society’s retention and use table. These may be needed for legal, regulatory, tax, contractual, audit and evidentiary purposes.

17.8 All users should be aware that emails can be retrieved even if they have apparently been deleted from the system. Email is as permanent as the written word and should be treated as such.

17.9 Data Users should also be careful that they do not breach any copyright, trademark or other intellectual property right in pre-printed or published material that they incorporate into their e-mail for transmission to third parties or for general publication.

17.10 Data users should exercise caution when copying, downloading or transmitting to third parties any published material that has been written by other people without their consent. This could expose the Society to legal action by the owner of the copyright.

17.11 Data users should, at all times, exercise a general duty of care with respect to the drafting of emails; insofar as the emails will clearly be circulated or published for, or on behalf of, the Society, the reputation and business interests of the Society are at risk by the careless use and abuse of email by any of its data users.

18. Social Media

18.1 Data users must not, whether at work or outwith work, disclose personal or confidential information via their own personal use of social media; make derogatory or discriminatory comments about the Society, its data users or members; harass or bully data users/members; or disclose any personal data without permission. Data users should be aware that any breaches under this heading could be considered as gross misconduct, resulting in dismissal/termination of contract.

Information Security

19. Approach

19.1 It is important to ensure that information is appropriately secured, maintains integrity, ensures appropriate confidentiality, is readily retrievable and is compliant with data protection legislation.

19.2 Many of the requirements around data protection can be achieved through a common sense approach to data security, for example:

19.2.1 If you leave any computer switched on and unattended, lock the computer

19.2.2 Be conscious of who can see your work and screen, especially in public places

19.2.3 Only print files if you are certain that you will collect the printing

19.2.4 Never leave IT equipment unattended in public places and take special care in public places like airports, hotels and conferences or meetings

19.2.5 If you must leave IT equipment or any paperwork in your vehicle, ensure it is locked in the boot, out of sight

19.2.6 Paperwork and computers should be transported in a secure carrier and no information should be visible to other travellers

19.2.7 All electronic devices used to access Society data should be PIN/fingerprint or otherwise securely protected at all times

19.2.8 Any electronic data containing personal information should be encrypted/protected by a password or otherwise to prevent unauthorised access.

20. Data Loss and Breach Prevention

20.1 Data loss can be prevented by data users. Adhering to security procedures and practices is critical if the Society is to maintain high compliance standards.

20.2 Data Users should avoid the following when dealing with personal data:

20.2.1 Using unsecured email or paper, especially when sending sensitive personal data

20.2.2 Using unencrypted USB/memory sticks, CDs and storage devices

20.2.3 Transferring data online

20.2.4 Working remotely where your screen is exposed to third parties.

20.3 Personal data should neither be stored nor shared using:

20.3.1 Online file sharing or cloud based services such as Dropbox or Slack; or

20.3.2 Social media sites e.g. Facebook, Twitter, LinkedIn

21. Physical Security

21.1 Material containing personal information should never be transported to or stored at home in paper format. When you work at home, security should be of the same standard as that which is provided in the Society.

21.2 If you travel by public transport, keep all Society information to hand. Hold onto bags or laptops rather than placing them on luggage racks. Keep smaller storage media, such as portable drives, in secure compartments of bags, rather than in a jacket pocket.

21.3 If you travel by car, lock Society information in the boot. Do not leave it in plain sight.

21.4 Dispose of Society information securely and appropriately. For example, do not dispose of documents you no longer need in general waste or recycling bins; use a shredder if you have one at home, otherwise use the normal confidential waste facilities in the Society.

21.5 The Society has bags for the disposal of confidential waste within the Society’s office. Confidential documents must not be placed in general waste bins.

21.6 Staff should ensure all confidential files/documents are securely locked away and not left on desks.

21.7 Documents created, received or used by data users in the normal course of business are the property of the Society, unless otherwise agreed. This includes documents compiled by external consultants contracted by the Society.

21.8 The Society’s official documents constitute its corporate memory (intellectual property), and as such are a vital asset for ongoing operations, and for providing evidence of business activities and transactions. They assist the Society in making better informed decisions and improving business practice by providing an accurate record of what has occurred before.

21.9 Therefore, documents are to be:

21.9.1 Managed in a consistent and structured manner

21.9.2 Suitably named, adhering to the naming convention guidelines

21.9.3 Disposed of, or permanently archived, in accordance with this policy.

21.10 Documents, especially those containing personal data, need to be protected from unauthorised users for many reasons and also to ensure that no deletions or amendments are made to a document without the owner being aware.

22. Guidance and Best practice for Secure Remote Working

22.1 Do not use a non-Society email account for Society business. Society email accounts are accessible via the Internet so you should not need to use any other account.

Compliance with this policy

All persons referred to within the scope of this policy are required to adhere to its terms and conditions. All employees should understand that this policy is incorporated into their contract of employment.

Any data user failing to comply with the requirements of this policy may be subject to disciplinary action. Data Users should be aware that significant breaches may be considered to be gross misconduct, resulting in dismissal or termination of engagement.