Privacy Policy

This privacy notice sets out the data processing practices of the ICSA: The Governance Institute, the UKRIAT Division of the Institute of Chartered Secretaries and Administrators (ICSA). We are a body operated under Royal Charter (RC000248). Our registered office is at Saffron House, 6-10 Kirby Street, London, EC1N 8TS.

Please note that all data thus captured will be used and held in accordance with the requirements of the Data Protection Act 2018 (DPA) and the EU General Data Protection Regulation (GDPR).

We have notified the Information Commissioner’s Office (ICO) of our processing operations and our ICO registered number is Z656922X.

This notice explains:

  • What ICSA does
  • How to contact ICSA about our use of your personal data
  • Why ICSA processes personal data and the legal basis for it
  • How ICSA uses personal data for marketing purposes
  • Recipients of personal data for processing on ICSA’s behalf
  • ICSA’s data retention periods
  • Your rights as a data subject
  • Cookie policy and use
  • Third party websites
  • The security of the personal data that ICSA holds
  • Changes to our policy and practice

What ICSA does

ICSA is the international membership and qualifying body for governance professionals. We train, qualify and support those who work in company secretarial and governance capacities across many industry sectors.

The UKRIAT division of ICSA is one of nine divisions of the international body. Based in the UK, its members, students, subscribers and customers work in 62 jurisdictions including those reflected in the name of our division; the UK, the Republic of Ireland, and the Crown Dependencies. Throughout this notice ICSA refers to the UKRIAT division of ICSA.

Our membership services are supported by our trading companies, ICSA Services Ltd and ICSA Publishing Ltd which provide professional development resources to members, students and customers. These include training and conferences, books and online subscriptions and consultancy services.

How to contact ICSA about your personal data

ICSA is the data controller. If you have any requests about your personal data or queries with regard to how we handle your data you can contact the Data Officer (DO) by phone on 020 7580 4741, email do@icsa.org.uk , or write to us at Data Officer, ICSA: The Governance Institute, Saffron House, 6-10 Kirby Street, London, EC1N 8TS. In this notice DO means Data Officer.

Why ICSA processes personal data

ICSA collects and processes personal data in order to provide its services. Our services include the provision of membership, qualifications, subscriptions, publications, events, undertaking research and consultations, delivering job alerts, the provision of information and experiences to promote the governance profession, sponsorship and advertising.

In order to provide these services, we collect data directly from individuals through online enquiry forms, print and online applications, in email, over the phone and in person.

The table below shows ICSA’s data processing activities in more detail.

Data processing 
ActivityPurpose of ProcessingLawful basis
Studying for ICSA qualifications
  • Membership administration and support
  • Contractual
  • Providing learning support and content
  • Contractual/legitimate interest
  • Providing student benefits
  • Contractual
  • Examination entry and marking
  • Contractual
  • Giving results and progression options 
  • Contractual/legitimate interest
  • Certification and graduation
  • Contractual
  • Giving information about other services
  • Legitimate interest/consent
Being a member of ICSA
  • Membership administration & support
  • Contractual
  • Providing updates on institute business
  • Contractual
  • Supporting professional development  
  • Legitimate interest
  • Supporting membership progression
  • Legitimate interest 
  • Providing knowledge services
  • Contractual
  • Undertaking research & consultations
  • Legitimate interest 
  • Undertaking advocacy and mentoring
  • Legitimate interest 
  • Maintaining a public register
  • Contractual
  • Giving information about branch events
  • Consent
  • Giving information about other services
  • Consent
Subscribing to ICSA’s knowledge services
  • Subscriber administration & support
  • Contractual
  • Providing knowledge services
  • Contractual
  • Giving information about relevant content
  • Legitimate interest
  • Giving information about branch events
  • Consent
  • Giving information about other services
  • Consent
Being an ICSA customer for events and publications
  • Booking/purchasing
  • Contractual
  • Delivery/pre & post event information
  • Contractual
  • Giving information about similar activities
  • Legitimate interest
  • Giving information about other services
  • Consent
Making an enquiry
  • Providing answers and support
  • Legitimate interest
  • Giving information about other services 
  • Consent

The legal basis on which ICSA processes personal data

ICSA relies upon different legal basis for the processing personal data according to the relationship and purpose for which it is collected, as explained below.

Contractual

We need to process personal data about members, students and subscribers, and those enquiring about our work, in order to deliver and administer the services that we provide.

The contract with members includes delivering invitations to vote at divisional and international AGMs and in the election of Honorary Officers, providing notification of updates to the Charter and byelaws, administering the renewal and progression of membership, providing knowledge services, supporting and monitoring the undertaking of continuing professional development and providing preferential access to events. When necessary, personal data is used in the management of disciplinary matters.

The contract with students includes administering the renewal and progression of membership, supporting the student’s learning experience, providing learning support and content, providing exam entry and results, enabling progression and providing knowledge services and preferential access to events. When necessary, personal data is used in the management of disciplinary matters.

The contract with subscribers includes subscriber administration and support and the delivery of knowledge services. For professional subscribers, this includes providing preferential access to events and access to the governance helpline.

Members, students and subscribers can opt out of their knowledge service emails by logging into the communication centre in MyICSA and updating their preferences.

The contract with customers includes using personal data for the booking of delegate places on training and events or the delivery of content or training and consultancy services, pre service information and post-service evaluation.We may also send previous customers information about similar products and services that we think will be of interest to them. Customers can opt out of any of these communications at any time.

Legitimate interest

ICSA keeps members, students and subscribers informed of its networking and events activities and new publications via updates on the basis of legitimate interest. It is in both the interest of the Institute that its members, students and subscribers are aware of the activities and initiatives from which they can benefit. This kind of information is also a legitimate part of what anyone with a relationship with a professional body might reasonably expect to receive. These updates take place through a monthly membership e-newsletter, G+C magazine, and the periodic distribution of event calendars or key date notifications via post and email.

ICSA also undertakes a variety of activities to support and champion the governance profession. This can involve surveys and research as well as making those in the profession aware of legal and regulatory developments. In many cases this will involve contact with members, students and subscribers, but it may also involve contact with non-members in roles that are part of, or are linked with, the governance profession. This is also a legitimate interest as it is the kind of activity that might reasonably be expected of a professional body.

Members, students and subscribers can opt out of their membership e-newsletter by logging into the communication centre in MyICSA and updating their preferences.

Consent

ICSA seeks consent from members, students, subscribers, customers and anyone who enquires about ICSA products and services to send them marketing information. Consent is sought for:

  • Marketing information about ICSA’s products and services to support good governance
  • Marketing information about the networking and professional development events run by ICSA branches
  • Marketing information from the Graduate Hub about entering the governance profession. This may include qualification routes, work experience opportunities, open days and related content such as case studies and the findings of wellbeing and salary surveys.

For each of these areas of activity, marketing consent is sought by channel for email, telephone and post. Some additional optional information can be provided so that the information that we deliver can be more tailored and relevant to your stated interests.

Compliance with a legal obligation

ICSA operates as a membership and qualifying body on the basis of its Royal Charter and byelaws which set out how it fulfils its purpose and is accountable to its stakeholders. The byelaws require us to keep a register of members which, for transparency, is published online at, https://www.icsa.org.uk/directory-of-members. The register contains details of active Fellows, Associate and Affiliated members and Graduates of the Institute. Each entry comprises full name, membership grade, and date when the grade of membership was achieved. The full register maintains a records of current and former members. However, only information about active members is published online, and records of former members are not.

ICSA is also required to keep a register of students which is not published. If a member does not want to have their name published in the online register they can contact us in writing to request its removal.

Both registers can be consulted to verify an individual’s Chartered or student status. The member’s register can be consulted by the public at any time. The student register can only be consulted by request to ICSA. In the event that ICSA is contacted directly about either register by a prospective employer or client to verify the ICSA status of an individual, ICSA will seek the consent of the individual concerned before releasing any information. We may be required in some cases by law to disclose details without your consent e.g. on a request from the police.

How ICSA uses data for marketing purposes

Consent

ICSA gains marketing consent from individuals in several ways:

  • online through a self-registration process
  • in person over the phone
  • in person at an event

In accordance with the DPA, ICSA requires marketing consent to be freely given, specific and fully informed. It is revocable at any time and ICSA keeps a digital record of your consent in the v-Tiger CRM system, including when consent is given or withdrawn.

Marketing consent has to be given directly to ICSA by the individual concerned and cannot be given by a third party. If your personal data is passed to ICSA from a third party with your consent, such as a referral from a partner, employer or agent, consent for further marketing communication, if relevant, will be gained directly from you by ICSA.

For marketing consent to be fair and transparent, our privacy notice is available at the point at which consent is collected so that you understand what you are consenting to and how you can change it.

If you opt into marketing, ICSA will use your personal information to send you the information that you have consented to receive about services that will be most relevant to you. We will only send you information in line with the preferences that you indicated when you provided your personal data and will never pass your personal data to third parties for marketing purposes.

If you opt into receiving marketing about branch networking and professional development events, the data that you provide will be maintained securely within ICSA systems. For each event that takes place your name will be shared with the event organisers as part of a delegate list, but will not be stored on a local database.

If at any point you would like to opt-out of receiving communications from ICSA, or would like to change the channels that we use to contact you (such as email or post) please visit the Communication Centre in your MyICSA account, contact us at do@icsa.org.uk or write to the Data Officer at ICSA: The Governance Institute, Saffron House, 6-10 Kirby Street, London, EC1N 8TS.

Recipients of personal data for processing on ICSA’s behalf

In carrying out our business, including meeting our obligations to members, students, subscribers, customers and other stakeholders, ICSA uses specialist sub-contractors who process the personal data that ICSA holds on our behalf. These are:

  • Alchemetrics Ltd for the provision of single customer view and CRM services
  • Chord UK for the provision of member care and subscriber welcome calls
  • Electoral Reform Services, for the provision of online voting services
  • EventsForce for the provision of event booking  services
  • Fast Stats, for the analysis and segmentation of marketing data
  • Impelsys Inc for the delivery of the CSPOnline subscription service
  • Maxemail for email broadcasting services
  • NBNi for the sale and despatch of books, including the IngramSpark print on demand service
  • Nelson Croome for the provision of online training
  • SecPay for taking online payments
  • St Austell for the delivery and fulfilment of mail
  • Sterling Solutions for the printing and delivery of letters, welcome packs and certificates
  • Sungard Systems for the provision of IT server recovery
  • Unicorn for the provision of e-learning services
  • Warners for the distribution of G+C magazine

We will ensure that all the suppliers that we work with are required to respect your privacy and abide by all data protection laws.

Retention periods

Data rentention
RelationshipRetention period
Members and Graduates  Full contact and activity records are maintained whilst your membership is active.  After your membership has ceased, your record is flagged as inactive and your contact details are omitted from routine ICSA communications. When a membership record has been inactive for 12 months, the majority of the personal and non-personal data that we hold is deleted. A minimum core record of your membership is then maintained on the register of members in perpetuity, in accordance with ICSA’s Charter and byelaws. The minimum core record comprises your membership number, full name, membership grade, date of election to membership and date of exit. If your exit is the outcome of a disciplinary process, a note of this will also be retained. No other information is held about former members and the historical register is not published.
Students Full contact and activity records are maintained whilst your student membership is active.  If you progress into membership, your student records become the basis of your membership record and continue to be maintained in full for the duration of your active membership. If you do not progress into membership, after your student membership has ceased, your record is flagged as inactive and your contact details are omitted from routine ICSA communications. When a student record has been inactive for 12 months, the majority of the personal and non-personal data held is deleted. A minimum core record of your student membership is then maintained on the register of students in perpetuity, in accordance with ICSA’s Charter and byelaws. The minimum core record comprises your student membership number, full name, examinations passed and date on which they were taken, the date of your student membership commencing and date of your exit. If your exit is the outcome of a disciplinary process, a note of this will also be retained. No other information is held about former students and the student register is not published.
Professional subscribers When your professional subscription service ends your contact record will be marked as inactive for a period of 12 months after you exit and excluded from routine marketing communication.  After this time a basic core record of subscriber number, full name, entry and exit date will be maintained. This core record will be deleted at the end of a six year period, when financial records also expire.
Subscribers to free web services & Grad Hub As a subscriber your data will be retained for so long as you interact with ICSA’s website by logging in or participate in activities such as events. Your subscriber account will be maintained for an 18 month period since last contact, and then deleted. Before the data is deleted, we will send you a message so that you are aware of our actions and can reactivate your account if required.
Professional development services customers ICSA retains the data of customers of our training, event, content and consultancy services for 36 months after the last purchase, after which time contact records are deleted and only financial records are maintained for the statutory accounting period of a remaining 4 years before they are securely destroyed.
Enquirers ICSA will use the personal data that you give us in the course of an enquiry to answer your query and support any follow on actions that arise from it. If the enquiry progresses into a relationship with ICSA your personal data will be held as part of that relationship. If the enquiry does not progress, your data is deleted 6 months after your last contact with ICSA. Before the data is deleted, we will send you a message so that you are aware of our actions.
Research participants If you are not an ICSA member, graduate, student or subscriber, and participate in any of the research or consultations that the Institute undertakes, your personal data will be used throughout the course of the project as appropriate, and to advise you on the outcomes. Once the project is completed, a record of your participation is retained and you may be invited to take part in other projects in the future. Your data will be deleted within 36 months of your last contact with ICSA. Before your data is deleted, we will send you a message so that you are aware of our actions and can reactivate your account if required.
Financial transactions Records of all financial transactions (excluding payment details) are maintained for 7 years and then securely destroyed.

Data subject’s rights

You have the following rights in respect of your personal data.  In order for you to exercise these rights at ICSA we will need to confirm your identity. This may be by you providing your membership, student or subscriber number, date of birth or a form of ID such as a passport or driving licence so that we can verify that you are the data subject before releasing information to you.

The right to be informed – you have the right to be told about the collection and use of the personal data you provide. This privacy notice sets out the purpose for which we process your personal data, how long we will keep your data and with whom we will share your data. If you have any questions on how and why we process your data, please contact the DO. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/

Right of access – you have the right to know whether we are processing your personal data, and to a copy of that data. We would need as much information as possible to enable us to locate your data. We will respond to your request within 28 days of receipt of your request. If you want to exercise this right, please contact the DO at the contact details above. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/

Right to rectification – you have the right to have any incorrect personal data corrected or completed if it is incomplete. You can make this request verbally or in writing. We will need as much information as possible to enable us to locate your data. We will look at any request and inform you of our decision within 28 days of receiving the request.  If you want to exercise this right, please contact the DO at the contact details above. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-rectification/ 

Right to erasure – this right, often referred to as the right to be forgotten, allows you to ask us to erase personal data where there is no valid reason for us to keep it. We will look at any request and inform you of our decision within 28 days of receiving the request.  If you want to exercise this right, please contact the DO at the contact details above. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/ 

Right to restrict processing – you have the right to ask us to restrict processing of your data. We will look at any request and inform you of our decision within 28 days of receiving the request.  If you want to exercise this right, please contact the DO at the contact details above. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-restrict-processing/ 

Right to data portability – you have the right to move, copy or transfer your personal data from one IT environment to another. This right applies to data that you have provided to us and that we are processing on the legal basis of consent or in the performance of a contract and where that processing is by automated means. We will respond to your request within 28 days of receipt of your request. If you want to exercise this right, please contact the DO at the contact details above. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/

 Right to object – you have the right to object to our processing of your personal data based on (i) legitimate interests, or for the performance of a task in the public interests/exercise of official authority (including profiling); (ii) direct marketing (including profiling); and (iii) for purposes of scientific/historical research and statistics.

  1. Legitimate interests/legal task – your objection should be based on your particular situation. We can continue to process the data if we can demonstrate compelling legitimate grounds which override your interests.
  2. Direct marketing – you have an absolute right to ask us to stop processing for the purposes of direct marketing. We will action your request as soon as possible.
  3. Scientific/historical research and statistics - your objection should be based on your particular situation. If we are conducting research where the processing is necessary for the performance of a public task, we can refuse to comply with your objection.

If you want to exercise this right, please contact the DO at the contact details above. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/

 

Rights relating to automated decision making including profiling – you have rights in respect of automated decision making, including profiling. Where we carry out solely automated decision making, including profiling, which has legal or similarly significant effects on you, we can only do this if it is in connection with a contract with you, we have a right under law or you have provided your explicit consent. We will tell you if this happens and tell you how you can request human intervention or challenge the decision. If you want to exercise this right, please contact the DO at the contact details above. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/rights-related-to-automated-decision-making-including-profiling/ 

Processing based on consent

Where ICSA processes your personal data based on your consent you have the right to withdraw that consent at any time without reason. You can opt-out by using the unsubscribe option in any marketing that we send you or in your Communications Centre in MyICSA.

The right to lodge a complaint to a supervisory authority

If you are unhappy with any aspect of our handling of your data you can make a complaint to the Head of Secretariat who will consider the matter for you. If you are still not satisfied, you can make a complaint to the Information Commissioner’s Office - https://ico.org.uk/concerns/

Cookies

A cookie is a small piece of information sent by a web server to a web browser, which enables the server to collect information from the browser.  Find out more about cookies on http://www.allaboutcookies.org/  

We use cookies to identify you when you visit this website and to keep track of your browsing patterns and build up a demographic profile of our site users so that we can continue to improve it.

Our use of cookies also allows registered users to be presented with a personalised version of the site, carry out transactions and have access to information about their account.

Most browsers will allow you to turn off cookies.  If you want to know how to do this please look at the menu on your browser, or look at the instruction on http://www.allaboutcookies.org/  Please note, however, that turning off cookies will restrict your use of our website.

The table below demonstrates which cookies we use, what they do and what disabling them will mean for your continued use of our online services.

A simple table title
CookieWhat it doesThe  consequences of disabling the cookie
First party (ICSA) session cookie Session cookies enable you to move around the website and use its features, such as accessing secure areas. These cookies do not contain any personal information.  Without these cookies, services on the website may not function properly.
First party (ICSA) Persistent cookie: dontShowCookieBar This cookie records whether a user has accepted cookies on our website. Without this cookie, the cookie information bar will continue to be displayed.

Third party (Google analytics) persistent cookies

These cookies collect information about how visitors use our site. This information helps us to improve our site performance. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. 

To disable: Download the Google Analytics opt-out browser here

Consequences: Your visit to ICSA’s website will not be recorded and reported by Google Analytics. Your web use will not be impaired. 

By continuing to use the ICSA website you agree to accept cookies on your device in accordance with this policy. This policy only relates to our website and does not cover links to third parties.

Third party websites

Our website may contain links to other websites that are outside our control and are not covered by this privacy notice.  If you access other sites using the links provided, the operators of these sites may collect information from you that will be used by them in accordance with their privacy policy, which may differ from ours.

The security of the personal data that ICSA processes

ICSA protects the personal data that it holds with technical and organisational security measures. Our cyber security arrangements and framework of data protection policies, procedures and training are kept under regular review to ensure that we keep the data we hold secure.

Changes to the privacy notice

This privacy notice was published on 18 May 2018. It is regularly reviewed and will be updated when necessary. If we make any significant changes we will communicate them to you.

Queries

If you have any queries about the policy and how it affects you, please contact the Data Officer via do@icsa.org.uk or in writing at ICSA: The Governance Institute, Saffron House, 6-10 Kirby Street, London, EC1N 8TS.

Published 18 May 2018

Search ICSA