We promise to respect your privacy and look after the personal data you share with us directly, as well as any that we may get from other organisations.
We will keep it safe and will not share it with third parties unless they are contracted to work for us to deliver a specific service for your benefit, we have your consent to do so, or we are required to do so by Law or Court Order.
For the purposes of the Data Protection Act 2018 and the General Data Protection Regulation (Regulation (EU) 2016/679) (together, the data protection legislation), the BSA is the data controller of your personal data. We are registered with the Information Commissioner's Office (the ICO) under registration number Z6542797.
Our data protection officer for the purpose of applicable data protection law may be contacted at Privacy@bsa.org.uk. If you have any questions or would like to discuss further, you can call us on: 020 7520 5900 or write to us at 6th Floor, York House, 23 Kingsway, London, WC2B 6UJ.
What we collect
We may collect and process the following information about you:
Information from you
You may give us information about you by:
- filling in forms or your personal profile on our website www.bsa.org.uk (our Website) or by filling in forms or registering to attend the BSA Annual Conference via our Conference website www.bsaconference.org (our Conference website);
- corresponding with us by email, text, via social media including Twitter and LinkedIn or other channels;
- calling us on the phone;
- writing to us;
- participating in the BSA Conference, a BSA event, seminar or an event provided with a partner firm; or
- giving us your business card.
The information that you give us may include:
- your name;
- your email address;
- your phone number, landline and/or mobile;
- your postal address;
- details of the BSA member, Associate Member or Affiliate firm that you work for;
- details of the non-member firm that you work for;
- your job title;
- a work biography and portrait photograph if you speak at a BSA event or hold office on the BSA Council; and
- if you are a registered user of either of our Websites we may also collect anonymised statistical information about the information you receive and pages that you visit.
If you attend a BSA event or an event or webinar that we run with another organisation we may also:
- collect payment details from you;
- take details of any personal dietary and access requirements you have; and
- take photographs of the event for use in newsletters, on our Website, social media feeds (Twitter and LinkedIn) and in publications such as the BSA Yearbook.
Information from other sources
From time to time we may receive your name and contact information from a third party source, including but not restricted to another BSA Member, Associate Member, Affiliate, the Prudential Regulation Authority, Financial Conduct Authority, Bank of England, other financial trade association or a company working with us to deliver the BSA Annual Conference, BSA Annual Lecture or our seminar/event programme.
We take all reasonable steps to ensure that the information we hold about you is accurate and you should contact us if any personal data we hold about you is inaccurate (for example you should provide us with your new email address if you change from one Building Society to another).
What we do with the information we collect
The BSA is a membership organisation with Members, Associate Members and Affiliates. Below we have set out how we use personal data we collect from individuals who fall into each of these groups.
Members include all UK building societies and a number of the larger credit unions. These firms pay an annual subscription to the BSA for the provision of services including:
- information, guidance and technical support;
- the provision of meetings, events and seminars;
- individual firm and sector support; and
- the expectation that the BSA will champion the mutual sector directly and indirectly to stakeholders such as parliamentarians (Westminster and devolved nations), civil servants, regulators and the media.
To discharge this responsibility the BSA holds and uses the contact information for individual employees and executive and non-executive directors within Member firms.
The information is used to:
- provide information and technical guidance via our Website, email alerts, newsletters, blogs, magazines and other communication channels;
- arrange meetings, panels, forums and working groups;
- provide relevant events, conferences and seminars; and
- involve members in policy matters, communicating with them for input and opinion.
Associate members include a broad range of firms, most of whom have an interest in the provision of services to BSA Members. Associate Member firms pay an annual subscription to the BSA to receive a range of services, including:
- information via email alerts, newsletters, blogs, magazines and other communication channels;
- meetings with representatives from Associate members;
- information about relevant events, conferences and seminars; and
- opportunities for Associate Members to give us editorial and visual content for BSA publications, and relevant speaking opportunities.
We will not provide personal data relating to the employees of our Members to Associate Member firms without their permission. The exception is the provision of a list of registered delegates for events run by the BSA. This information may also include access and/or dietary requirements where an Associate Member provides accommodation and/or catering, but otherwise will be restricted to the minimum needed for the effective operation of the event.
Affiliates pay the BSA an annual subscription for the provision of:
- information and technical guidance via our Website, email alerts, newsletters, blogs, magazines and other communication channels;
- membership of relevant panels, forums and working groups; and
- access to BSA events, seminars and conferences.
We will collect and use the minimum level of personal data about Affiliate Member employees pursuant to the effective delivery of these services.
This category of person will include the employees of:
- The Prudential Regulation Authority;
- Bank of England;
- Financial Conduct Authority;
- elected representatives in Westminster and the legislative houses of the devolved nations;
- Government Civil Servants;
- members of the House of Lords;
- relevant charities and consumer bodies; and
- relevant journalists by subject interest.
Such individuals may register on our Website as a member of the public to receive policy information, publications, newsletters and magazines and information about events, seminars and the BSA Conference and Annual Lecture. Individuals have control over their personal profile. In addition, individuals may sign up to specific email marketing lists in order to receive news about areas of interest.
The BSA may retain name, email address, telephone number, postal address and, in the case of MPs, details of the constituency that they serve, in order to communicate information of relevance and interest in relation to their work. We may also from time to time invite these individuals to attend or speak at BSA events.
Members of the Public
Members of the Public (everyone else) can access the public part of our Website. They can browse our Website and print material without registering or providing any personal data. For those who choose to receive email alerts on particular subjects and/or BSA publications, press releases, blogs or event information there is an opportunity to register on our Website and set up their personal preferences, or sign up to specific email lists. To receive this information a member of the public will need to provide us with their:
- email address; and
- postal address (if selecting to receive postal versions of documents/publications).
From time to time members of the Public contact the BSA by phone, email or post with an enquiry or complaint about a BSA Member, or a general enquiry. In doing so they may provide us with their contact details. We will answer their query using the contact information supplied or noted by them as preferred.
Non-Executive Director (NED) Register
From time to time individuals ask to have their name included on our register of potential non-executive directors. This information includes contact details – name, postal address, email address and telephone number/s together with a short CV.
This information is provided by you for the express purpose of the BSA sharing it with member firms looking to recruit a new NED. We require member firms with whom details are shared to hold this information securely and not share it further (for example, with a recruitment firm) without your consent.
We will never sell or license your personal data to any third party. However, we may disclose your personal data if required:
- to a firm contracted to work for the BSA to provide a service such as event registration and operations, which makes our service to you more efficient and effective, or which delivers specific expertise which we do not have;
- if we are under a specific legal or regulatory duty to do so;
- if we have your consent to do so;
- if required for the purposes of fraud reduction; or
- if BSA Members determine that the Building Societies Association in whole or part should merge with a third party/alternative trade association, personal data held will be one of the transferred assets.
Secure retention of the password you create on our Website is your responsibility. If your password has to be updated manually by a member of BSA staff, it is your responsibility to change it to something secure and memorable to you as soon as you can.
Our Websites may contain links to and from other websites. If you follow a link to any other website, please note that these websites will have their own privacy policies and you should check them before providing any personal data. We do not accept any responsibility or liability for these policies.
Where we store your data
- Any personal data in paper format, such as letters, is held securely. Data held on our Website is located on secure servers in the United Kingdom.
- Registration data for BSA events is held on secure servers in the United Kingdom and may be held temporarily on servers in the United States of America (USA). Where we transfer your data outside of the European Economic Area for any reason, we will ensure that there is adequate protection in place in respect of that transfer. Should you wish to obtain a copy of the safeguards we have in place, please let us know.
- Credit card payment transactions are securely processed through Square (https://squareup.com/gb/security) using servers located in Europe and the USA.
- Email activity and storage, together with scanned letters and documents, are held in the Cloud within a secure infrastructure.
The BSA Cloud infrastructure and our Website are penetration tested annually using a strict security protocol and updated as required. We will do everything reasonably necessary to prevent unauthorised access.
How long we keep your data
Personal data may be retained for different periods of time dependent on a number of criteria. Our general policy is to retain your data for the shortest period that is consistent with the fulfillment of these criteria and limit it to what we need. These policies do not affect your rights:
whether you have a one off or on-going service from the BSA.
- If you have registered on our Website your information will be retained whilst you remain registered (see operational requirements).
- If you attend a BSA event as a delegate (e.g. conference, seminar, annual lunch or annual lecture) we will retain details of your attendance for a period of 7 years after the event.
- If you attend the BSA Conference as an Exhibitor we will hold this information for a period of 7 years after the event.
- We retain a back-up of our Website database which is refreshed every seven days. This ensures that in the event of an issue we can restore the database and our services, but does mean that deleted account details will be retained for a maximum of seven days. However, when our website design or function is changed or updated ("the Project"), a copy of the database immediately prior to that change will be held during the implementation phase of the Project and for a warranty period of up to three months. This is to ensure that the data can be restored in the event of an issue during the Project or during the warranty period that follows it.
Your relationship to the BSA
whether you are the employee of a Member, Associate Member or Affiliate, or are a member of the public.
- With the exception of your website registration, we will retain any personal data that you provide whilst your employer remains a BSA member (Member, Associate Member or Affiliate) for the duration of your employment. It is the responsibility of you or your employer to inform us if you leave your employer.
- If you ask us a consumer query we will hold your information for a period of 1 year only.
- these may impact the required period of data retention.
The lawful basis under the GDPR on which we collect your personal data
- For all BSA member groups and key stakeholders, data is collected, stored and used on the basis of legitimate interests, to fulfil the reasonable expectations of the individuals and the firms by whom they are employed.
- Members of the Public who self-register at www.bsa.org.uk and www.bsaconference.org will enter into a relationship with us and we will process their data for the purpose of delivering our services to them.
- Members of the Public will be asked to give their consent to receive marketing information on specific topics and/or through specific publications by various different means (such as email, phone and post). We will also seek consent for the provision of other information such as details of BSA events open to the Public.
- We will communicate with individuals who provide their business card to a member of BSA staff on the basis that the processing of the contact information provided is necessary in order to contact them. We will seek their consent before subscribing them for any ongoing or regular communication or marketing information.
By law you have a number of rights in relation to your personal data. Further information and guidance about your rights and how to exercise them can be obtained from the office of the Information Commissioner (ICO).
- The right to be informed – You have the right to be provided with clear, transparent and easily understandable information about how we use your information and your rights. This is why we are providing you with the information in this policy.
- The right of access – If we are processing your personal data, you have a right to have access to what we hold.
- The right to rectification – You have the right to have your information corrected if it is inaccurate or incomplete.
- The right to erasure – This is also called the right to be forgotten. It enables you to request the deletion or removal of your personal data where there is no compelling reason for us to keep it. This is not a general right; there are exceptions.
- The right to restrict processing – You have the right to block or suppress further use of your information. When processing is restricted we can still store your information, but may not use it further. We will keep a list of people who have asked for further use of their information to be blocked to make sure the restriction is respected.
- The right to data portability – You have the right to obtain and reuse your personal data for your own purposes across different services. For example if you decide to switch to a new provider, this enables you to move, copy or transfer your information. This right exists when we are processing your personal data based on consent or on a contract and the processing is carried out by automated means.
- The right to object – You have the right to object to certain types of processing, including where we process your data for direct marketing purposes.
- Rights in relation to automated decision making and profiling – This relates to your rights in the event that a firm uses your personal data to automatically profile you in some way. The BSA does not undertake automated decision making or profiling.
In addition, even if you have given the BSA consent to use your personal data you may withdraw that consent at any time by:
- amending or deleting your personal profile on www.bsa.org.uk if you have one;
- clicking the unsubscribe link at the bottom of any email we send to you; or
- contacting us at Privacy@bsa.org.uk.
You also have the right to complain or raise any concerns you have with the ICO who can be contacted by telephoning 0303 123 113 or writing to Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
You can get in contact with us by emailing us at Privacy@bsa.org.uk or writing to us at BSA, 6th Floor, York House, 23 Kingsway, London, WC2B 6UJ.