The National Governance Association is committed to protecting and respecting your rights. This policy sets out the basis on which any personal data we collect from you, or that you provide to us, is used.
Our contact details
National Governance Association
- Address: 36 Great Charles Street, Birmingham B3 3JY
- Phone number: 0121 237 3780
- E-mail: firstname.lastname@example.org
- Policy date: June 2023
The type of personal information we collect
We currently collect and process the following information:
- Email address
- Postal address
- Telephone number
- Governance role (for example, chair/vice chair)
- Images, video and audio (with consent)
- Bank details / credit card details (only where required to process payment)
- Online identifiers (IP addresses and cookie identifiers)
How we get the personal information and why we have it
Most of the personal information we process is provided to us directly by you for one of the following reasons:
- Posting copies of Governing Matters magazine and other publications
- Sending out NGA’s weekly e-newsletter via email
- Ensuring access to member-only content on the NGA website
- To process payments
- To administer and maintain membership records
- To notify you of NGA membership benefits
- To support registration at NGA events
- To allow access to the Gold service for Gold members and to provide advice
- For research purposes
- To allow schools and trusts to use our Governance Professionals Jobs service (to advertise governance professional roles)
- We capture photography, video and audio to deliver and promote our services (by consent)
The majority of customer personal data is held in our Customer Relationship Management (CRM) system. Our website holds a minimum amount of personal data that is designed to permit authentication (logging in).
We also receive personal information indirectly, from the following sources, in the following scenarios:
When a user visits the NGA website at nga.org.uk, we use Google Analytics 4 (a third-party service) to collect information about user behaviour. This information includes:
- ClientIDs consisting of a string of numbers unique to each website user
- Number of times and time of day of previous visits to the website
- Information about how the user found the website, their search and browser history
- IP addresses
Hotjar is a technology service that helps us better understand our users’ experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback.
- a device's IP address (processed during your session and stored in a de-identified form)
- device screen size
- device type (unique device identifiers)
- browser information
- geographic location (country only)
- the preferred language used to display our website
Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.
All behaviour and interaction data collected will be retained for no longer than one year. It will then be automatically deleted. All Feedback responses data submitted is stored in accordance with the Hotjar Data Retention Policy. More information on the cookies employed by Hotjar is available from our cookies policy.
Online platforms for events
We use Zoom to host online events. You will need to submit personal details such as your name and email address in order to sign in and access Zoom. We enable appropriate security settings to reduce the risk of personal data being misused, and so that unauthorised people cannot access the event. We continually monitor the Zoom security protocols to check that they continue to meet our, and your, requirements.
Recording online events
- We let event participants know at the beginning of each online event that the event will be recorded.
- We sometimes share the event video recording with event participants and/or upload to our website – we will also make attendees aware of this at the start of each event.
- We retain chat transcripts (which contain the name that attendees submit to the Zoom platform – their ‘display name’) as a record of discussion.
- Attendees are also free to download chat transcripts themselves.
- By taking part in a recorded event, attendees accept that the information that is displayed will be recorded.
We may share information with:
These organisations help us to fulfil our obligations as a service provider and are themselves subject to their own policies as under law. These organisations include:
- Auth0 – third party service used to authenticate users (allowing NGA members and Learning Link subscribers to log in, manage their account and access content). All of the data Auth0 has about an end user is located in the Auth0 user profile.
- Mailchimp (email services)
- Sage 50 (financial management software)
- Edurio – used for the annual governance survey. Edurio’s privacy notice can be found here: https://edurio.com/terms/en
- Spire Business Management Solutions Ltd (Spire BMS) – NGA uses Spire BMS to manage our CRM system in order to deliver membership services. Through this database, NGA is able to track memberships and renewals. Spire BMS’s privacy notice can be found here: https://www.spirebms.co.uk/privacy/
- Surftech IT – Surftech IT provide NGA with IT support services. Surftech IT have access to the following data to fulfil this contract: First name, last name and email address. Surftech’s privacy notice can be found here:
- Redactive – design and distribute NGA’s Governing Matters magazine. Postage addresses are shared so that the magazine can be sent out to the address provided to NGA. Redactive’s Privacy notice can be found here: https://redactive.co.uk/our-privacy-policy/
- Virtual College – Virtual College provide the Learning Link platform which will be used by all users to undertake their e-learning. They may access information to support you in using the platform. Virtual College will have access to the following data to fulfil this contract: First name, last name and email address. The Virtual College Privacy notice can be found here: https://www.virtual-college.co.uk/privacy-policy
Under the UK General Data Protection Regulation (UK GDPR), the lawful bases we rely on for processing this information are:
- We have a contractual obligation
- Legitimate interests
NGA relies on two main legal bases for its use of your data. Firstly, that our use is necessary in order to perform our contract with you. For example, this applies when we use your data to provide you with access to your membership benefits, to fulfil orders for the services you have requested, to manage product and technical support, to bill you and to run integral support tools including engagement of essential third-party providers.
Secondly, we rely on the ‘legitimate interests’ basis where our use of the data has been analysed to be balanced in our interests. This would cover our marketing and business intelligence and certain sales functions, certain use of our analytics tools, our personalisation of your content, and our engagement of third-party providers to provide any non-essential functions.
How we store your personal information
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
All websites (including CRM) are hosted on industry standard secure servers where access to personal data is encrypted behind authentication. Passwords for accessing the encrypted data are themselves encrypted and stored in the National Governance Association network behind full network permissions.
User connection when accessing the website and CRM is encrypted through the appropriate use of certificates.
We keep information linked to your account during the term of your subscription/membership but we will keep this information under regular review to ensure we still need to use it. We will disable your account if your account is terminated for any reason. We may then keep limited data about your account for a period in line with our data retention policy from time to time in force. To determine the appropriate period, we consider the amount of data, its nature and sensitivity, the potential for harm and whether we can achieve our purposes through other means as well as our applicable legal requirements. Details of our records retention policy are available upon request. We will regularly cleanse this data. We will also delete your data on your request though we may hold a list of the ‘opt out’ requests to administer your request.
Your data protection rights
Under data protection law, you have rights including:
Your right of access - You have the right to ask us for copies of your personal information.
Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.
Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
If you would like to access your personal information, you can contact NGA by the following means:
- Write to NGA and address the letter to “The Data Protection Officer” at National Governance Association, 4th Floor, 36 Great Charles Street, Birmingham, B3 3JY.
- Contact us at: email@example.com
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to us at:
- Phone number: 0121 237 3780
- E-mail: firstname.lastname@example.org
You can also complain to the ICO if you are unhappy with how we have used your data.
- The ICO’s address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Helpline number: 0303 123 1113
- ICO website: https://www.ico.org.uk