Doctors’ Association UK Privacy Notice

This privacy notice provides information on what data we use about you, why and our legal basis for processing. We have also included details of the organisations we use to help us process.

Who We Are

The Doctors’ Association UK (DAUK) is a not-for-profit membership organisation. We are the data controller for your information. You can contact us via:

The Doctors’ Association UK is not required by law to have a data protection officer, nor to register with the Information Commissioner.

How We Use Your Information

We collect information about:

  • Our members and volunteers
  • Our suppliers
  • Visitors to our website

As a member or volunteer we collect from you:

  • Identifiers – name, email address, telephone/mobile number (optional) and, for UK doctors, GMC number
  • Information about your membership payments from our third-party payment processors Stripe and PayPal. We do NOT hold data relating to your payment methods, e.g. card numbers
  • Details of your social media logins when you join our various social media groups. This is limited only to what the providers give us but can include additional identifiers if you have provided them such as profile. The social media providers may also collect information for their purposes – please see their privacy notices for details (provided in our Register of Processing Activities)
  • Information you post on our social media channels, provide to us as emails, letters and telephone calls.

As a supplier we collect from you only information relevant to our contract with you e.g. contact details of your agents, payment information etc.

As a visitor to our website we collect information about your IP address, browser and pages visited. These are only used for the delivery of website services. If you sign in on our website you are a member and additional information applies. If you supply us with joining information via our website, this is used to process your application and then to populate your membership record / invite you to social media channels.

Purposes of Processing

We process your data for the purposes of running the membership organisation. This includes meeting management, allowing discussion between members of issues, providing information and news and handling membership fee payments. For our website we do not use third party tracking, but cookies are used for the functionality of the website and to manage interactions such as logging in.

Legal Basis for Processing

Our legal basis for processing differs for the purposes:

  • Purposes of running the organisation – this is in the legitimate interest of the organisation, under UK GDPR Article 6(1)(f).
  • Management of membership fees – this is a contract between ourselves and you as a member; hence this is under UK GDPR Article 6(1)(b).
  • Social media and information provided to discussion forums – this information is provided by yourselves by consent and hence is under UK GDPR Article 6(1)(a).

Note that we may be required by law to provide information in some circumstances (e.g. court requests) and hence the legal obligation basis UK GDPR Article 6(1)(c) may also apply in some circumstances.

Your Rights

If we hold data about you, you have rights in respect of your data including:

  • to be supplied with information on how we use your data
  • to see what data we are holding about you
  • to request correction or erasure of your data
  • to object to processing

If you wish to exercise any of these rights, please use the contact details at the top of this document.

As we are using consent as a legal basis for the social media and discussion forums, you have the right to withdraw your consent to this use at any time. You may do so by deleting your own participation on the forums, or you can request that we remove you from the group(s) and delete your messages.

You also have the right to complain to the supervisory authority. In the UK, this is the Information Commissioner, and they can be contacted via their website at https://ico.org.uk

Requirement to Provide Data

There is no requirement on you to provide information to us. We are a voluntary participation organisation.

Automated Decision Making including Profiling

We do not carry out these activities.

Revisions to this Notice

This notice is reviewed annually. The last review date was 01/08/2023.

Records of Processing Activities

Under Article 30 of the UK GDPR we are required to keep a record of all our processing activities and provide you with certain information. Much of this duplicates information on our privacy notice and is provided here for convenience.

  (a) The name and contact details of the controller and, where applicable, the joint controller, and the data protection officer.

The Doctors’ Association UK (DAUK) is a not-for-profit membership organisation. We are the data controller for your information. You can contact us via:

The Doctors’ Association UK is not required by law to have a data protection officer, nor to register with the Information Commissioner.

  (b) The purposes of the processing.

We process your data for the purposes of running the membership organisation. This includes meeting management, allowing discussion between members of issues, providing information and news and handling membership fee payments.

  (c) A description of the categories of data subjects and of the categories of personal data.

We collect information about:

  • Our members and volunteers
  • Our suppliers
  • Visitors to our website

As a member or volunteer we collect from you:

  • Identifiers – name, email address, telephone/mobile number (optional) and, for UK doctors, GMC number
  • Information about your membership payments from our third-party payment processors Stripe and PayPal. We do NOT hold data relating to your payment methods, e.g. card numbers
  • Details of your social media logins when you join our various social media groups. This is limited only to what the providers give us but can include additional identifiers if you have provided them such as profile. The social media providers may also collect information for their purposes – please see their privacy notices for details (provided in our Register of Processing Activities)
  • Information you post on our social media channels, provide to us as emails, letters and telephone calls.

As a supplier we collect from you only information relevant to our contract with you e.g. contact details of your agents, payment information etc.

As a visitor to our website we collect information about your IP address, browser and pages visited. These are only used for the delivery of website services. If you sign in on our website you are a member and additional information applies. If you supply us with joining information via our website, this is used to process your application and then to populate your membership record / invite you to social media channels.

  (d) The categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organisations.

The data is disclosed to:

  • Other members in the course of interactions such as on social media
  • Our suppliers who act as data processors to us (listed below) for the purposes of delivering services
  • The social media providers (listed below) where you choose to join them. These services are generally controllers in their own right for their purposes.

  (e) …transfers of personal data to a third country or an international organisation.

A number of the organisations noted below operate in multiple countries. We do not own these platforms and therefore rely on their warranties in respect of safeguards.

For our own platforms, we follow the measures given in (g) below.

  (f) The envisaged time limits for erasure of the different categories of data.

For membership data and messages directly to us:

  • We retain your membership details for as long as you are a member. When you cease to be a member, we remove you from the membership rolls
  • For messages you send us, we retain these for 6 months

For social media data:

  • Where we can set retention limits, these are set at 6 months. Where the social media providers do not allow us to set retention periods, we follow their retention.
  • When you cease to be a member, we remove you from the social media groups. Information you have posted there however will generally remain until the end of the retention period.

For financial transactions and supplier data:

  • Financial transactions and information relating to them are retained for 6 years after the current financial year in line with normal financial recording
  • This applies also to supplier contracts and information relevant to those contracts.

  (g) A general description of the technical and organisational security measures referred to in Article 32(1) or section 28(3) of the 2018 Act.

For our platforms we apply the following technical measures:

  • All transmissions across public networks are secured with appropriate encryption (generally TLS 1.2 and above)
  • Data stored on our own devices is encrypted at rest so that in the event of theft of devices it cannot be read
  • All logins for our data use multi-factor authentication where possible, and in all cases use strong passwords
  • All our contracts have appropriate data processing clauses in them flowing down the responsibilities we hold as data controller to our processors

Organisationally, we minimise access by:

  • Allowing only committee members access to membership lists, mailing lists and servers
  • Restricting administration access to social media platforms to committee members

Our Processors

| Processor Name | Purposes | Privacy Notice |
| --- | --- | --- |
| Slack | Social media presence | https://slack.com/intl/en-gb/trust/privacy/privacy-policy |
| Microsoft | Email management, document storage | https://privacy.microsoft.com/en-gb/privacystatement |
| Google | Email management, document storage | https://policies.google.com/privacy?hl=en-US |
| Meta (Facebook, Instagram) | Social media presence | https://www.meta-group.com/Pages/Privacy-Policy.aspx |
| Twitter | Social media presence | https://twitter.com/en/privacy |
| Mailchimp | Mailing list management | https://mailchimp.com/legal/ |
| Stripe | Payment processing | https://stripe.com/en-gb/privacy |
| PayPal | Payment processing | https://www.paypal.com/uk/webapps/mpp/ua/privacy-full |
| GoDaddy | Website hosting | https://uk.godaddy.com/agreements/privacy |
| SiteGround | Website hosting | SiteGround Website Terms of Use |

Revisions to this Notice

This notice is reviewed annually. The last review date was 01/08/2023.

Data Protection Policy

Our Commitment

The Doctors’ Association is committed to ensuring that data is managed in an appropriate manner. We follow the data protection principles in all our work; in particular we want to ensure you have “no surprises” – transparency – in how we use data.

Volunteer guidance on data handling is given in our separate guidance.

All use of data is subject to the data protection principles which are (in summary) that data shall be:

  • Processed lawfully, fairly and in a transparent manner
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  • Adequate, relevant and limited to what is necessary
  • Accurate and, where necessary, kept up to date
  • Kept in a form which permits identification of data subjects for no longer than is necessary
  • Processed in a manner that ensures appropriate security

Our policies and procedures are designed with these principles in mind.

Where data is not required to be identifiable, we shall use anonymised or pseudonymised data to minimise risk.

Key People

The details of how to contact us are given in our Privacy Notice. The committee form the key people of the organisation and can be contacted via the details given.

Training

As a volunteer organisation for Doctors, we expect members to have their own training on data handling as part of their professional role. Volunteers are expected to meet this standard. We ensure that all volunteers are aware of our policies and processes as part of their introduction to volunteering, and refresh this regularly.

Subject Access Requests and Data Subject Requests

We deal with all requests as required by the law. Please use the contact us link to register a request.

Revisions to this Notice

This notice is reviewed annually. The last review date was 01/08/2023.