SPR Privacy & Data Protection Policy
About the Society for Psychical Research
The Society for Psychical Research, SPR, is a charitable company which was founded in 1882 for exclusively charitable purposes which are set out in our constitution which takes the form of a Memorandum & Articles of Association. The SPR is governed by the provisions of our constitution and by our Council, which is the Board of Directors of the company as far as the various Companies Acts are concerned. The Directors of the SPR are also Charity Trustees under Charity Law. The majority of members of the Council are elected by the membership of the Society at our Annual General Meeting, AGM. Membership of the Society is open, and anyone (over the age of 16) may apply to join the Society.
The SPR operates as a special form of learned scientific society in which the society brings together experts in the field, with members of the society who have an interest in the field, as well as members of the public for the specific purpose of the discussion of scientific theories and ideas. The full nature and extent of the SPR’s operation within the field of psychical research are set down in our aims and objectives which are set out in our constitution which forms our mission statement. The SPR operates as a valuable national and international resource for both current researchers in the field, as well as those who wish to research the history of the field and the development of scientific theories and thought within the field. The SPR has extensive data holdings in relation to this aspect of psychical research and a large archive held for us at Cambridge University. In addition to this the SPR also publishes three publications including an academic Journal. This Privacy & Data Protection Policy has been drawn up with these uses in mind.
The purpose of the SPR’s Privacy & Data Protection Policy
The SPR is committed to a policy of protecting the rights and privacy of members, supporters, individuals, organisations, staff and volunteers in accordance with the General Data Protection Regulations, GDPR. The GDPR are the new Data Protection laws & Regulations that replace the older UK Data Protection Act 1998 on the 25th of May 2018. The SPR will notify the UK Data Protection authority, The Information Commissioner’s Office, ICO, of any breach of these laws and regulations, and they, and or the SPR may take disciplinary action against anyone found to have caused that breach.
We would like to remind you that by using, or continuing to use, these resources and facilities and having, and or by continuing to have membership of the SPR, you are agreeing to be bound by our Terms and Conditions including this Privacy & Data Protection Policy. This policy explains how we collect, use and store the personal information you provide to us. ‘Personal Information’ is information which identifies you, or another person, or is capable of doing so.
This policy may change from time to time and, if it does, the up-to-date version will always be available on the SPR website, or on request from the SPR Office. Please note that by continuing to use the SPR website and or the SPR’s facilities and resources, you are agreeing to any updated versions.
Legal Requirements & Personal Data
The SPR is a Data Controller under the terms of GDPR & the Data Protection Act 1998. The GDPR and the Data Protection Act 1998 apply to ‘personal data’, which means any information relating to a living identifiable person who can be directly or indirectly identified, in particular by reference to other information known as an identifier. In this context the ‘identifier’ is any piece of information that will enable an individual to be identified as a particular individual. This definition provides for a wide range of personal identifiers to constitute personal data, including name, membership or other identification number, location data or online identifier. The DPA 1998 was updated and upgraded by the GDPR to reflect changes in technology and the way organisations collect information about people.
This legislation applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria set down for this purpose.
There is a second type of personal data which is even more personal and therefore sensitive which relates to such matters as:
- (a) racial or ethnic origin of the data subject
- (b) political opinions
- (c) religious beliefs or other beliefs of a similar nature
- (d) trade union membership
- (e) physical or mental health or condition
- (f) sexual orientation
- (g) criminal record
- (h) proceedings for any offence committed or alleged to have been committed.
The SPR have decided that we will not be collecting data about people in any of these areas, so therefore we will not ask you to provide us with any information relating to these matters.
The way in which the new GDPR changes & updates the requirements of the UK Data Protection Act 1998
The General Data Protection Regulations build upon the requirements of the UK Data Protection Act 1998, DPA 1998. The SPR is already fully compliant with the DPA 1998 as a matter of good practice. There are two main sets of changes.
The first is that many of the things that were left by the DPA 1998 to be implemented as a voluntary code of good practice have now become legal requirements in their own right. The second key set of changes is that the new GDPR Legislation is designed to put the individual whose information, or data, is used by an organisation to which the individual belongs, or has a connection with, in the driving seat. This means that the organisation must specifically ask for informed consent before requesting the individual to provide their data to the organisation.
Purposes for which the SPR holds data
The SPR will only hold data for the following purposes:
- Realising the SPR’s Charitable objectives
- Membership processing and administration
- The staging of events such as our Annual Conference, Study Days and Lectures
- Research & collaboration with other organisations about research
- The awarding of research grants
- The publication of our Journal, Proceedings, and Paranormal Review
- Providing a strictly confidential Spontaneous Cases Service
- Maintaining and extending our archives
- Journalism & the media where necessary
- Keeping legally required accounts & records
- Staff administration
- SPR Volunteers
Managing Data Protection
Many organisations and governmental bodies including some charities are required by the terms and conditions of GDPR to appoint a Data Protection Officer, DPO, to oversee the operation of the GDPR within an organisation. The SPR does not fall within this category, but we have chosen to voluntarily appoint a Council member to act as our DPO.
The Principles of GDPR as they apply to the SPR
The GDPR legislation lays out six key principles for processing of personal data. These are:
Lawfulness, fairness and transparency
This covers the primary areas of concern that data should be gathered and used in a way that is legal, fair and understandable. Therefore informed consent to collect and use data for a certain specified purpose is required under GDPR. The public have the right to know what is being gathered and have this corrected or removed.
The SPR will only seek to gather and collect the minimum amount of information which is compatible with the SPR’s purposes. We will inform you of the purpose for which we will require your data at the time we ask for information, and we will expressly ask for your permission to do so through informed consent.
The SPR will only use the information which is provided to us in this manner for the purpose for which we asked for your consent to let us use that data. We will not use that data for any other purpose.
The SPR has a policy and procedure for correcting mistakes and errors and for making a Data Subject Access Request, so that SPR members, supporters, organisations, service users or members of the public, or anyone who has had contact with the SPR may apply for a copy of the data that the SPR holds on them. The SPR also has a policy to correct inaccurate information in relation to this. Please see below.
Organisations should only use data for a legitimate purpose specified at the time of collection. This data should not be shared with third parties without permission. The SPR will only ask to collect the minimum of data in the form of information about members, supporters, organisations, service users and members of the public as and when we need it. We will always explain the purpose for which we need this information, and we will always ask for your permission for us to use the data you have provided to us. We will only use the data you have given to us for a given specific purpose, for that purpose. We will not use your data for any other purpose. We will not in general share your data with any third parties, and if we consider that there may be a need to do so, we will ask for your specific permission to allow us to do so. We will never share your data with third parties without your specific consent.
The data collected by organisations should be limited only to what is required for the purpose stated. Organisations should not collect data en masse without purpose. The SPR will only ask for the minimum amount of data that is required for a given specific purpose, and we will always ask for your permission in order that you can provide us with this data. We will always explain why we need the information we are requesting from you and the purpose we will be using it for when we ask you for any information about yourself or your organisation.
Some large companies and charities have caused problems to people as a result of their large bulk mailings by post or electronic means to their potential or actual customers, supporters and beneficiaries for commercial and fundraising purposes. The SPR does not carry out this sort of mailing exercise. We will only send to you communications that you have given us permission to send to you in connection with membership administration, and the general administration of the SPR, and to notify you of SPR events that you have expressed an interest in knowing about. If we need to contact you about any other matter on a regular basis or through a general mailing, we will ask for your permission to do so.
The personal data you hold should be accurate, kept up to date, and, if it is no longer accurate, should be rectified or erased.
The SPR is committed to keeping accurate and up to date records, and we review our records regularly to ensure their accuracy, and the necessity for holding the data we do. Any data that is no longer required for the specific purpose for which it was given will be deleted and erased.
The SPR recognises that despite our best efforts things can still go wrong. The SPR will put right any mistakes or errors in the data that the SPR holds about its members, supporters, service users, and organisations the SPR works with as well as members of the public. The SPR will do this when notified of the mistake or error by the member, supporter, person or organisation concerned.
Personal data should only be stored for as long as is necessary. Data can be archived securely and used for research purposes in the future. Where possible, the personally identifiable information should be removed to leave anonymous data. The SPR takes the matter of secure data storage very seriously which is covered in our Data Storage policy – Please see below.
Integrity and confidentiality
Personal data should be held in a safe and secure way that takes reasonable steps to ensure the security of this information and avoid accidental loss, misuse or destruction. The SPR takes the privacy, confidentiality, security and integrity of all personal data very seriously which are covered by our Data Storage & Risk Management policies (please see below), as well as our commitment to ensuring the accuracy of the data we hold. Please see above.
Information and records relating to SPR members and supporters and anyone the SPR may have contact with will be stored securely, and will only be accessible to authorised SPR personnel for certain specified tasks. This may include the retention of suitable data in a suitably anonymised form for research and archival purposes, for a suitable and appropriate time period which will be kept under review. This information will only be stored for as long as it is needed for the authorised purpose for which it was sought, and for which specific consent was given, or is needed for legal & statutory purposes, and will be disposed of, or deleted in a secure and appropriate way when this time period has expired.
The consequences of breaching GDPR Data Protection can cause harm or distress to SPR members and supporters as well as members of the public if their data is released to inappropriate people, or they could be denied a service to which they are entitled. This policy is designed to manage and therefore minimise these risks and to ensure that the reputation of all concerned including the SPR is not damaged through inappropriate or unauthorised access and sharing.
The SPR operates a policy of regularly reviewing our Risk Management policies and procedures so that we can minimise or exclude risk and ensure that we keep your data safe and secure.
Data Subject Access Requests
Any SPR member or supporter or organisation, or anyone who has had contact with the SPR has a right to see what data the SPR holds about them by making a Data Subject Access Request under GDPR to the SPR. That person or organisation has the right to make a correction to the information held about them if that information is incorrect. This request must be made in writing to the SPR stating that the request is made under GDPR to the Data Protection Officer C/O the SPR. The requested information may be provided in a suitable commonly used electronic form for convenience and will be provided within the GDPR timescale of 20 Working Days from receipt of the request.
Members of the public may request certain information from certain governmental bodies under the Freedom of Information Act 2000. The Act does not apply to the SPR. However if at any time the SPR undertakes the delivery of services under contract with certain of these governmental bodies we may be required to assist them to meet the Freedom of Information Act request where we hold information on their behalf.
Data subject – This is a term used to refer to an individual whose personal information is the data in question.
Processing – This refers to the collection, storing and transferring of personal data.
Profiling – This is something that is often done by larger organisations and involves automatic processing of personal information (often in large batches) to evaluate aspects of the individuals’ behaviour and make decisions or take actions. The SPR does not do this.
ICO – The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights in the public interest. In the Republic of Ireland, the Data Protection Commissioner holds a similar position.
Data Controller – This is the person within an organisation that decides what data is collected, what it is used for and who it is shared with.
Senior Information Rights Owner (SIRO) – This is usually a board level role to oversee data policies.
Data Protection Officer – This role is required in certain circumstances, such as public authorities and those organisations dealing with sensitive data. The SPR has voluntarily chosen to appoint a Council member to serve as the Data Protection Officer. Note that a Data Subject Access Request must be submitted in writing (see above).
Data Processor – This refers to anyone, sometimes a third-party organisation or business, for example a partner organisation, or the SPR’s printers.
If SPR members and supporters or organisations or members of the public have specific questions about information security and data protection in relation to the SPR please contact the Data Protection Officer C/O the Society for Psychical Research. The Information Commissioner’s website (ico.gov.uk) is another source of useful information.
Approved in Council, 12th April 2018