This policy has been updated to incorporate the General Data Protection Regulation (GDPR) in May 2018. The principles of GDPR build on the existing Data Protection Act 1998 (DPA) but the obligations are more extensive. This policy will set out what the ABS are doing to comply with the GDPR.
The ABS is committed to maintaining high standards of security and confidentiality for information in our custody and control. Safeguarding this information is critical to the successful operation of the ABS. The ABS will treat all information in its care and control with the same degree of security and confidentiality and this policy applies to all organisations within ABS and all of its employees.
The Association of Breast Surgery (ABS) shares an office with BASO ~ The Association for Cancer Surgery (BASO ~ ACS). The Association of Breast Surgery was originally a branch of BASO ~ The Association for Cancer Surgery, but the two Associations have been separate organisations since 2010. A service agreement is now in place to formalise the shared aspects of the administration of the two Associations.
Since May 2020 the two Associations have no longer shared a database. The ABS database now holds information relating to past and current ABS members and those individuals who have attended ABS conferences and events (including joint conferences with BASO ~ ACS). Every attempt has been made to ensure that the ABS no longer holds any data for anyone who has never been a member of the ABS (or ABS at BASO or BASO Breast Group) or attended an ABS (or ABS at BASO or BASO Breast Group) conference or event. However, because the database was shared with BASO ~ ACS for many years and because of the historic way in which individuals joined the ABS, ABS at BASO or BASO Breast Group, there may be some data retained that applies to BASO ~ ACS. If any such data is found it will be deleted.
In May 2020 the two Associations also separated their servers, which were previously shared. Again, every attempt has been made to ensure that neither Association holds data which is not relevant to it. However, due to how the Associations were historically run, it is possible that some data may have been retained. The ABS undertakes not to use this data and to destroy any such data that is found.
The two Associations undertake to ensure that neither Association uses the membership or event delegate information of the other Association in order to contact individuals and that they respect the data of each other’s Association whilst they continue to share an office space.
This privacy notice was updated on: 25th June 2020
If you have any questions about this policy please e-mail email@example.com or write to Association of Breast Surgery, at the Royal College of Surgeons, 35-43 Lincoln’s Inn Fields, London, WC2A 3PE.
WHAT DATA WE GATHER ON OUR MEMBERS
We collect the following information from our members:
- Name and Job Title
- CV and qualifications
- Contact information including e-mail addresses
- Demographic information, such as postcode, hospital region, deanery
- Website usage data
- Bank details
- Event registration information
- GMC Number
- Correspondence between the individual member and the Association
Collecting this data helps us understand and identify our members, enabling us to deliver improved membership services.
The ABS specifically uses the data for:
- Our own internal records
- Contacting you with a response to a specific enquiry
- Sending updates on events and information we think might be relevant for our members
- Sending information about conferences, meetings and courses being run by the Association and their partners
- Sending updates in relation to the Association including details on how to vote for regional representatives and Trustee posts
- Sharing relevant information with ESSO (European Society of Surgical Oncology) for the sole purpose of setting up affiliate membership
- Sharing relevant information with EJSO (European Journal of Surgical Oncology) for the sole purpose of setting up paper and/or electronic subscriptions
- Sharing relevant information with our website provider in order to set up a login to access the ABS member’s area of the Association of Breast Surgery website
- Sharing names and email addresses with regional representatives so that they can represent the views of members in their region at ABS and Mammary Fold committee level
WHAT DATA WE GATHER ON OUR EVENT DELEGATES
We collect the following information from our event delegates:
- Name and Job Title
- Contact information including a postal and e-mail addresses
- Website usage data
- Event registration information
- Correspondence between the individual delegate and the Association
THIRD PARTY DATA PROCESSORS
Third party data processors are companies/associations to which the ABS has passed on either member or event delegate data. The ABS has written confirmation from all its data processors that they will use the data we provide in line with GDPR, will not distribute this data to anyone and will delete the data provided once its purpose has been served. A list of data processors is available.
COOKIES AND HOW WE USE THEM
A full cookies policy is available to view on the ABS website.
- enabling a service to recognise your device so you don't have to give the same information several times during one task
- recognising that you may already have given a username and password so you don't need to do it for every web page requested
- measuring how many people are using the site, so it can be made easier to use and there's enough capacity to ensure it is fast enough
We use Google Analytics to measure how many people use this site. We do this to make sure the site is meeting users' needs and to understand how we could improve it.
Google Analytics stores information about what pages you visit, how long you are on the site, how you got here and what you click on. We do not collect or store any personal information (e.g. your name or address) so this information cannot be used to identify who you are. We also do not allow Google to use or share our analytics data.
The ABS website contains links to other websites.
Please note that we have no control over websites outside the following domains:
www.associationofbreastsurgery.org.uk (and online event registration, which is hosted on an event-specific area whose address starts events.associationofbreastsurgery.org.uk)
CONTROLLING INFORMATION ABOUT YOU
When you complete an ABS membership application form you will be asked to:
- Opt-in to receive communications from us by email or post
- Opt-in to have your details passed to your regional representative (for applicable membership grades)
- Opt-in to have your details passed to ESSO and the EJSO (for applicable membership grades)
As a non-member delegate attending an event run by the Association you will be asked, when appropriate, to:
- Opt-in to have your name and hospital name printed on the delegate list
- Opt-in to have your name and hospital name shown on the Conference App
- Opt-in to receive information about future events run by the Association
If you have agreed that we can use your information in this way, you can change your mind by contacting the Association:
- Send an e-mail to firstname.lastname@example.org
- Write to us at Association of Breast Surgery, at the Royal College of Surgeons of England, 35-43 Lincoln’s Inn Fields, London, WC2A 3PE.
The ABS does not release your details to any organisation or external body unless we have your permission.
Any personal information we hold about you is stored and processed under our data protection policy, in line with the Data Protection Act 1998 and the General Data Protection Regulation 2018.
The ABS complies with its legal obligations in relation to record retention and has an archive policy. Staff training is undertaken to ensure that record retention complies with this policy.
The policy is updated when required.
We will always hold personal information securely and process it in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures in accordance with the GDPR.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
The ABS office is secure and the relevant records and information are kept locked away as appropriate. ABS staff are trained in the relevant processes to ensure this security.
The ABS has put in place the appropriate procedures to ensure personal data breaches are detected, reported and investigated effectively. In the event of a breach where the individual is likely to suffer some form of damage (e.g. through identity theft or confidentiality breach), the ABS will report to the ICO (Information Commissioner's Office) and notify the affected individual. The necessary steps will be taken to rectify and tighten up the current mechanisms of securing all data records held.
Any wilful disregard or intentional breach of the Data Protection Policy by employees shall be regarded as a disciplinary offence and handled under the ABS Disciplinary Procedures. Any wilful disregard or intentional breach of the Data Protection Policy by data processors (and identified data controllers in their own right) acting on ABS' behalf under contract shall be regarded as a breach of contract and treated as such.
If you suspect your data has been compromised you should contact the ABS immediately on email@example.com or 020 7869 6853/6855.
SUBJECT ACCESS REQUEST
Individuals have the right to access personal data and supplementary information held by the ABS. The right of access allows individuals to be aware of and verify the lawfulness of the processing.
Subject Access Requests must be in writing, and the ABS will respond to requests within one month from the date of the request. In order to verify requests, individuals may be asked for further evidence of identity.
The ABS will not charge for such requests; however, excessive or repetitive requests for the same information by an individual will be subject to a charge. The fee will be based on the administrative cost of providing the information.
The information held by us will be sent in an electronic format and we will request confirmation of an individual receiving this.
If the ABS receives a subject access request from a third party we will seek verification as to the authenticity of the request. Data requests should be made by contacting the Data Manager by e-mail at firstname.lastname@example.org or by post at the Association of Breast Surgery, at the Royal College of Surgeons of England, 35 – 43 Lincoln’s Inn Fields, London WC2A 3PE. Staff receiving communication about potential data requests by telephone, social media or in person should refer the individual to the privacy notice, which outlines the form in which requests should be made. Requests must be titled, “Subject Access Request” and should be accompanied by proof of ID from the individual and an outline of the nature of the request i.e. whether they wish to access specific documents or are requesting a general search of our records.
RIGHT TO BE FORGOTTEN
The GDPR introduces a right for individuals to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’. Individuals can make a request for erasure verbally or in writing and the ABS will respond to such requests within one month.
The right is not absolute and only applies in certain circumstances.
When considering a request to be forgotten the Association also needs to consider factors and obligations other than GDPR.
When does the right to erasure apply?
Individuals have the right to have their personal data erased if:
- the personal data is no longer necessary for the purpose for which it was originally collected or processed;
- the Association is relying on consent as the lawful basis for holding the data, and the individual withdraws their consent;
- the Association is relying on legitimate interests as the basis for processing, the individual objects to the processing of their data, and there is no overriding legitimate interest to continue this processing;
- the Association is processing the personal data for direct marketing purposes and the individual objects to that processing;
- the Association has processed the personal data unlawfully (i.e. in breach of the lawfulness requirement of the 1st principle);
- the Association has to do it to comply with a legal obligation.
If the Association has disclosed the personal data to others, it must contact each recipient and inform them of the erasure, unless this proves impossible or involves disproportionate effort. If asked to, the Association must also inform the individuals about these recipients.
The GDPR defines a recipient as a natural or legal person, public authority, agency or other body to which the personal data are disclosed. The definition includes controllers, processors and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Where personal data has been made public in an online environment, reasonable steps should be taken to inform other controllers who are processing the personal data to erase links to, copies of or replications of that data. When deciding what steps are reasonable, the Association should take into account available technology and the cost of implementation.
When does the right to erasure not apply?
The right to erasure does not apply if processing is necessary for one of the following reasons:
- to exercise the right of freedom of expression and information;
- to comply with a legal obligation;
- for the performance of a task carried out in the public interest or in the exercise of official authority;
- for archiving purposes in the public interest, scientific research, historical research or statistical purposes where erasure is likely to render impossible or seriously impair the achievement of that processing; or
- for the establishment, exercise or defence of legal claims.
The GDPR also specifies two circumstances where the right to erasure will not apply to special category data:
- if the processing is necessary for public health purposes in the public interest (e.g. protecting against serious cross-border threats to health, or ensuring high standards of quality and safety of health care and of medicinal products or medical devices); or
- if the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This only applies where the data is being processed by or under the responsibility of a professional subject to a legal obligation of professional secrecy (e.g. a health professional).
The ABS can also refuse to comply with a request for other reasons:
- a request for erasure will be refused if it is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
If the ABS deems that a request is manifestly unfounded or excessive we will:
- request a "reasonable fee" to deal with the request; or
- refuse to deal with the request.
In either case the ABS will justify their decision.
The ABS will base any fees imposed on the administrative costs of complying with the request and the request will be completed upon receipt of the appropriate fee.
If the ABS has refused a request for erasure we will inform the individual stipulating the following:
- the reasons the ABS is not taking action;
- their right to make a complaint to the ICO or another supervisory authority; and
- their ability to seek to enforce this right through a judicial remedy.
The ABS will also provide this information if it requests a reasonable fee or needs additional information to identify the individual.
The ABS have the following social media accounts under its control:
These social media platforms are open and any individuals wishing to follow the ABS are welcome to do so. Any user on these platforms has analytics available to them from the provider. The ABS has no additional analytics available to it.