Nuclear Institute Privacy Policy
This Privacy Policy replaces all previous versions and has been updated to reflect the requirements of the General Data Protection Regulation (GDPR) in effect from 25 May 2018. It gives details of the items of personal data that we collect from members and customers and explains how we store and process your data. It also sets out the rights you have in relation to any personal data you choose to share with us.
Definitions
- Personal data – information such as your name, email address, telephone numbers, and home and work addresses. For members who pay their subscriptions by direct debit this may also extend to bank account details. For event bookings, job title, credit card number if supplied, purchase order numbers, and details of accounts payable contacts are included.
- Data controller – the Nuclear Institute.
- Data processor – the NI’s staff, some volunteers, and some of our suppliers eg mailing house. A list of the latter is given at the end of this Policy.
It is our policy to meet three requirements in relation to collection and use of your data:
- to collect the minimum amount of data necessary to meet your needs as a member/customer of the Nuclear Institute
- to collect data that enhances your engagement with us as a member/customer
- to safeguard the data we hold about you to the best of our ability.
To do this we have data procedures in place that are followed by staff and volunteers alike and hereby provide access to the data protection policies of our suppliers. We also provide below the relevant procedures for you to make a complaint/raise a concern and to make a Subject Access Request (SAR). We provide training to our staff and volunteers and the latter are required to sign a data processor contract with us if they are permitted to handle members’ data.
Personal data we collect and store
As well as core details like name, address, email, phone, date of birth, gender, membership grade, job title, employer and bank details, we may also collect data on your dietary and access requirements and your qualifications, other registrations, and experience. This could include a CV, current and past employment details, organisation chart, your signature, and name and contact details of your proposers/referees. Proposers and referees also have the same rights over their data as our members and customers and may request its removal at any time. Their data is only used for the purposes of confirming the suitability of applicants for professional membership.
The majority of this information is stored electronically in our Customer Relationship Management (CRM) system but we also hold hard copies of your original membership applications for Members and Fellows. Historically our data has included passport numbers which we stopped collecting in 2017.
Other data that you are invited to submit through our membership portal includes mailing preferences, selection of branch and special interests. For event bookings, some events require us to keep a hard copy of your completed booking form; otherwise this is held electronically.
All of this information is collected in an effort to give you the best experience as a member or customer.
What we do with your data
For professional membership applications your data is shared with a limited number of assessors/interviewers involved with reviewing your application. For those also registering with our licensing bodies – Engineering Council, Science Council and Society for the Environment (pending approval) – we supply a limited amount of data to them in relation to your registration. More information can be found in their privacy policies (see below).
For all members a limited amount of data (usually just name and email/postal address and telephone number) may be shared with selected volunteers who sit on our branch or other Community committees (YGN, WiN, SIGs) so that they can circulate information about forthcoming meetings, events etc which are a benefit of your membership.
All volunteers count as Data Processors under GDPR and are required to sign a contract which specifies how they must use any data provided to them by the Nuclear Institute. No data is held outside the NI’s central system and data is provided from HQ to volunteers on an ‘as needed’ basis. It must be destroyed after use and a new list provided for future use/mailings etc to ensure its currency.
The only personal financial data we hold about some of our members is your bank account and sort code. This is only shared with our direct debit providers in order to process your membership fees. This data is only accessed by key authorised staff.
For data provided by our customers who are not members (mainly our Events customers and Journal subscribers) the key elements of personal data that we collect and use include name, job title and organization affiliation. This is used for delegate lists, name badges, and pre- and post-event information such as circulation of slides and the collection of feedback. We may also collect information about your dietary and access requirements and possibly photos for speaker biographies and publicity purposes. Any photos taken at the event may also be used in our publications and website. For customers paying by credit card, we do not store the security code which is collected separately from the full card details.
From time to time we collect data via proprietary software such as Survey Monkey. Whether these surveys are answered anonymously or not it is our policy to switch off the option to collect your IP address. We may collect additional data, eg mobile phone numbers, which are only used for the stated purpose of the survey and not stored separately.
The lawful basis on which we store and use data
As a membership body we collect data primarily to fulfil the benefits of your membership. This includes activities such as sending your membership journal and subscription renewal documents by post and sending information about your membership such as newsletters, events listings and branch/network communications by email. In addition, telephone numbers, work details, job titles, interests etc will help us to determine the membership benefits and services of most value to you.
We also use some elements of data, such as date of birth, gender, job title and geographical location, to determine other services that might be of value to you.
We process all this data under the heading of ‘Legitimate interest’ which is one of the six ways in which data is permitted to be collected and used under GDPR. For the Nuclear Institute this means that by choosing to be a member or attend a Nuclear Institute event, the NI has your agreement to send you information about that membership and/or that event. You are welcome to opt out of receiving this information at any time but should understand that this may limit our ability to fulfil your membership or event booking.
As a member/non-member, you may login to your NI account at any time to update your mailing preferences. It is your responsibility to ensure that the details we hold about you are current and accurate. As well as a postal address (members only) and an email address, we require at least one phone number on which you can be contacted.
How do we store and share your data?
The majority of the data we hold about you is on our CRM system known as OM.net (developed by 3Si). This was updated in early 2018 in order to adapt to GDPR.
The possible other methods of storage include:
- Paper filing systems – for professional membership applications and membership renewal letters returned with subscription payments (up to 8 years). Some events are filed in paper format.
- Sage accounts – contains basic contact details and bank details
- Network folders – files of data exported from the CRM system are retained in our secure network folders on our main server. Our servers are supplied by our website company (Senior) and IT company (Shiva)
- Proprietary software – SurveyMonkey, MailChimp, Dropbox – data from these sources may be exported to Excel files and stored in network folders. If you have any questions about these services you should see their individual Privacy Policies (listed at the end).
The third parties that we may share your data with include:
- Smart Debit – direct debit processing company
- Century One – publisher/mailing house for membership magazine
- Hall Associates Europe – membership subscription collection agency
- External events organising companies such as Nu-Tech Associates or Marick Communications – please note that events organised externally will be advertised as such on our website
- Our licensing bodies including the Engineering Council and Science Council, both of which act as joint Data Controllers with the NI and as Data Processors for the NI.
- Your company if it is a Company Member of the Nuclear Institute. This is only the case where the company is paying for your membership subscription.
Please note that we will never sell or pass on your data to commercial companies for marketing purposes. Any third-party services that the NI feels would be of interest or value to our members will generally be promoted through the membership newsletter or website. You are then responsible for any link/contact you make with such organisations including the provision of your data.
How do we transfer your data?
In the limited circumstances outlined above for transferring your data to our partners, this is always done by password-protected Excel spreadsheet or secure file transfer. The password is always communicated separately, either by email or, where possible, by phone. For large amounts of data, Dropbox may be the preferred method, again password protected for personal data.
What are your rights in relation to data stored by the NI about you?
The NI is anxious that members provide sufficient data in order to get the most out of their membership or event attendance. We also want to be able to continue to send you content we believe to be of value to you.
However we also regularly review our policies in order to work towards minimising the amount of data that we need to collect.
You may at any time opt in and out of various mailing lists, or from all communications, by logging in to your account and amending your preferences.
If you do not opt out of communications but effectively ‘lapse’ your membership through non-payment of the membership subscription, we will in any case lapse your membership after one year of non-payment. However we may retain your contact details for a further two years in order that we can advise you of any membership offers that may be of help in retaining your membership. Again, you may opt out of these communications at any time by amending your mailing preferences.
Other rights you have are:
- to request information about the data we hold on you (Subject Access Request)
- to have your details removed from our records (right to be forgotten).
How to initiate a SAR
- Your request must be addressed to the CEO and copied to our Admin inbox. You must include proof of your identity, usually a passport, which may be kept as proof of your request.
- Your request should state your full name and address. More information may be requested to ensure the correct record is accessed.
- You will be contacted by phone within 10 working days to confirm your identity.
- A full list of the data we hold about you will be provided within 20 working days of your request being received.
How to have your details removed
- Your request must be addressed to the CEO and copied to our Admin inbox. You must include proof of your identity, usually a passport, which may be kept as proof of your request.
- Your request should state your full name and address. More information may be requested to ensure the correct record is accessed.
- You will be contacted by phone within 10 working days to confirm your identity.
- You must return your membership certificate (for member records only).
- Any physical data held about you will be shredded. Your electronic records in Excel format will be removed from all Excel files. Your CRM record will be anonymised. This means that any financial records will remain on our system for statutory purposes (up to 8 years) but your name and all other identifying details will have been removed from the remainder of your record.
Important – please note that where this request has been made it will no longer be possible to provide you with any details about your membership or event attendance or even to confirm that you were a member in the past. No claim about membership can be made by you or anyone else about your prior membership. A list will be kept of everyone from whom such a request is received.
For more information on your rights see the ICO website.
This Policy was last updated in June 2022.
Suppliers/contractors
Engineering Council
Science Council
Smart Debit
Century One
Shiva Technology
Senior (cookie policy)
3Si
Nu-Tech Associates
Marick Communications
Proprietary software suppliers’ privacy policies
SurveyMonkey
MailChimp
Dropbox