Introduction

This document has been written to provide you with information about how we are handling or intend to handle personal information. It sets out the basis on which any personal data we collect, create or otherwise obtain from or about you will be processed by us. Please read it carefully to understand our views and practices regarding your personal data and how we will treat it.

Scope

This document concerns personal data we use relating to visitors to our website and to our actual and prospective customers and suppliers. It does not relate to personal data we use relating to employees – privacy information about employees is contained in staff privacy notice.

Data Protection Compliance Management Policy Statement

The Board Development Agency (‘the BDA’, ‘we’, ‘us’) is committed to compliance with all relevant Data Protection Legislation and we will formally delegate appropriate powers and responsibilities to our personnel to ensure that we are fully able to comply with the Data Protection Legislation.

We maintain a range of policy documents and procedures setting out how we intend to implement management controls sufficient to ensure legal compliance and will ensure that these documents are reviewed periodically. The BDA will ensure that all relevant personnel and/or other people we commission to process personal data on our behalf, either directly or indirectly, have received appropriate and sufficient training in the application of the organisation’s policies.

We will make sure that sufficient and appropriate resources are available to ensure that we meet our legal obligations in respect of Data Protection Legislation.

We will ensure that we work within the data protection principles and that we will implement sufficient controls to demonstrate compliance with the Data Protection Legislation including the keeping of sufficient records of data processing activities, risk assessments and decisions relating to data processing activities.

We will uphold the rights and freedoms of people conferred on it by Data Protection Legislation.

Information We Hold

The BDA collects and uses information about customers and prospective customers and suppliers including:

  • Name, work address, telephone number and email address, job title, records of meetings, communication or other contact, products and services you express interest in, instructions you give to us, orders you place with us and supporting documentation you ask us to review relating to your business activities.
  • We might collect audio and video recordings of you: a) if you attend any training or seminars via video conferencing with us; or b) if you leave us voice mail messages on our equipment.

Uses of Personal Data

We use personal data primarily to build and maintain commercial relationships with people including the following:

  • managing enquiries, sales opportunities and leads, and proactive business development activities
  • managing relationships with prospective, actual, and former customers and suppliers and others who we think may benefit or be of interest to our business including creating and maintaining customer records and to keep in regular contact with you
  • marketing our products and services, product development and research including the use of direct marketing by email, phone, social media and traditional mail to raise awareness of products and services that we believe may be of interest to you
  • managing projects, client instructions, customer relationships, and the delivery of our services including handling consultations and support requests
  • reviewing the business activities of the client’s company including agendas, reports, minutes, strategies, policies and procedures
  • obtaining feedback
  • financial management including invoicing, chasing debts, making payments etc.
  • audit and regulatory requirements.

 

Lawful Basis for Processing

The lawful basis for processing the data involved in the above activities are:

  • Steps taken to enter into or in order to fulfil the contract for services that we have with our customers
  • Pursuant to the legitimate interests of BDA which are; to promote BDA and our activities, to enable us to administrate and run BDA efficiently and effectively as a commercial business, and to ensure that we remain accountable to our customers and other relevant stakeholders
  • We may process personal data for compliance with our legal obligations (e.g. for financial and taxation purposes, or health and safety law).

If we process personal data on the basis of consent, we shall ensure that we provide sufficient information for the consent to be specific, informed, and freely given.

Sharing Personal Data

Who we may share your information with:

We sometimes need to share information with other organisations, where it’s relevant. Where this is necessary we are required to comply with all aspects of data protection law.

Who we share your personal information with depends on the products and services we provide to you and the purposes for which we use your personal information. For most products and services we will share your personal information with our own service providers such as our IT suppliers and fraud prevention agencies.

Who else we may pass your information to may include:

  • Our employees
  • providers of goods and services, including companies that assist us in mailing out our letters, leaflets and newsletters
  • professional advisers consultants and training providers
  • IT providers
  • Insurers
  • legal representatives, defence solicitors, courts and tribunals
  • police forces, tax collection agencies and customs and excise

We may also disclose your personal information:

  • to the extent that we are required to do so by law
  • in connection with any ongoing or prospective legal proceedings
  • in order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk)

Data Storage and Retention

How we store your personal information

Your information is securely stored on the Board Development Agency’s Microsoft Office 365 account, Fasthosts webmail, Google, Adobe, Zoom account, SAGE financial system, Stripe account, PayPal account and Websites and Learning Management System (WordPress) and Social Media accounts (Facebook, LinkedIn and Twitter).

The BDA will hold your personal data for the length of time that we need it to:

  1. a) provide you with services,
  2. b) send you marketing and promotional materials
  3. c) meet our legal obligations and/or protect or defend our business.

We keep your client records in accordance with our document retention policy.  If you are no longer a client, we hold the data for 6 years from the date of the end of the contact.  Due to the nature of our training products information such as bank account information will be deleted in line with our retention policy unless otherwise requested.

European transfers

A large majority of the personal data that we collect is held within the United Kingdom and European Economic Area (EEA). Data protection law allows the BDA to hold personal data if it is inside the EEA. The EEA includes all EU Member countries as well as Iceland, Liechtenstein and Norway.

In very rare circumstances some of the personal data we collect may be stored overseas and this is the case for our personal data held in Zoom. This data is held outside the EEA and we have ensured that there are suitable safeguards for the people whose information we transfer. In appointing an overseas data processor there are suitable arrangements in place in the form of Standard Contractual Clauses. Further details are available here FAQs – International Transfer of Data – Updated June 2021 – FINAL (zoom.us)

Security Measures

Technical and physical security measures

The BDA protects the privacy and security of all data that we control and process. This protection includes:

  • Baseline security recruitment checks
  • Wherever possible, servers based within the United Kingdom
  • Network security measures, including updating of systems to maintain the security and integrity

Policies and procedures

The BDA also ensures that its policies and procedures reflect good practice for data protection and that staff are aware of these. This includes:

  • the Data Protection Policy and Procedures
  • online data protection training for all new staff – completion is monitored and recorded
  • a procedure for reporting and dealing with suspected breaches of data protection
  • limiting employee access to sensitive information
  • protecting against unauthorised access to customer data by using data encryption, authentication and virus detection technology
  • requiring service providers with whom we do business to comply with relevant data privacy legal and regulatory requirements
  • conducting background checks on employees and providing data privacy training to our team members
  • continually assessing our data privacy, information management and data security practices

Your Rights

Under data protection law, you have rights including:

Your right of access – You have the right to ask us for copies of your personal information.

Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Your right to object to processing – You have the the right to object to the processing of your personal information in certain circumstances.

Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact: Yvonne Atkinson, Director if you wish to make a request.

Email: Yvonneatkinson@boardagency.org.uk

Address: The Board Development Agency, 45 South Street, Bedminster, Bristol, BS3 3AU.

Phone No: 0117 963 1333

How to Contact us or Complain

If you have any concerns about our use of your personal information, you can make  contact with Yvonne Atkinson, Director

Email: yvonneatkinson@boardagency.org.uk

Address: The Board Development Agency, 45 South Street, Bedminster, Bristol, BS3 3AU.

Phone No: 0117 963 1333

If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Email casework@ico.org.uk

Online at https://ico.org.uk/concerns

Please note we can’t be responsible for the content of external websites.

Version Control
Version 1.2 Issued [1.11.2023]