The mark of the conservation professional
The IHBC cares about the data we seek from you, and gathers, manages and protects data provided by you in line with official guidance on statutory duties and our charitable objectives to help conservation and its practice.
For further explanation of why we seek the information we do, and more details related to our policies, see our data protection guidance and our IHBC Quick Guidance below.
In line with these principles and our duty of data care, we:
NB: Email is our primary way of communicating with you, including for important information regarding the IHBC, your membership, events and news via national office, volunteers and Branches.
If wider access to your personal email contact details is a concern, to maintain the full value of IHBC services, we recommend that you set up a dedicated 'personal' email account exclusively for IHBC related activities, which can be managed and, as needed, closed at your discretion.
You also have the option to exclude select personal details from wider IHBC communications, including by choosing 'No Branch' for your Branch option, and by excluding your name from the IHBC Yearbook directory by choosing the 'No Yearbook entry' option.
The IHBC, including constituent parts and interests such as our Branches and our trading arm, IHBC Enterprises, holds and manages personal and professional information in accordance with our ‘Legitimate Interests Assessment’, which informs our statutory responsibilities as a ‘data controller’ and ‘data processor’.
The Legitimate Interests Assessment highlights the special relevance to our core duty – as a charity that supports the public interest in built and historic environment conservation practice – of our procedures for the gathering, management and protection of personal data.
Our support for specialist conservation practice ranges from membership services, including those offered through our voluntary Branches, to sector research and advocacy. These benefit from being informed, proportionately, by data relevant to evolving professional practices.
To help the IHBC in this work, the institute encourages members to:
The ‘Right to be informed’ statement offers additional detail in line with current guidance.
Under the General Data Protection Regulation (GDPR), the IHBC’s priority is both to maintain existing standards and duties as a data controller and to respond to new duties, including as a ‘data processor’. This requires that, from 25 May 2018, the IHBC ‘must have a valid lawful basis in order to process personal data.’
GDPR guidance notes that ‘legitimate interests, one of the ‘six available lawful bases for processing’, can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.’
There is a wide range of guidance relating to these matters, both in place and under development, with essential background at:
Terms for the IHBC’s ‘Legitimate Interests Assessment’
Article 5 of the GDPR requires that personal data shall be… ‘processed lawfully, fairly and in a transparent manner in relation to individuals’ and ‘collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes’. (emphasis by IHBC)
The Legitimate Interests Assessment (LIA) below responds directly to the above official guidance on GDPR and data processing, which also notes that:
‘There are six available lawful bases for processing. No single basis is ‘better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual.
‘Most lawful bases require that processing is ‘necessary’. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.’
‘There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:
The IHBC recognises that the LIA is not a ‘stand-alone’ data protection tool. It is supported by the ‘Privacy Notice’ that offers users and prospective users an accessible explanation of the management processes adopted in accordance with our Legitimate Interests Assessment, as well as a statutory ‘Right to be Informed’ statement of personal rights to control the data held.
IHBC: Legitimate Interests Assessment (LIA)
The IHBC, including constituent parts and interests such as our Branches and our trading arm, IHBC Enterprises – through its Business Plan as adopted by IHBC Trustees on 08 September 2016 – addresses the above ‘three principles’ of ‘legitimate interests’ in processing data held by the institute as follows:
LIA: Data Protection Impact Assessment (DPIA)
Official UK guidance states that:
‘You must carry out a DPIA when:
Processing that is likely to result in a high risk includes (but is not limited to):
IHBC data processing does not ‘result in a high risk to the rights and freedoms of individuals’. As such, the LIA does not identify risks that suggest a need to do a Data Protection Impact Assessment (DPIA).
| ICO Guidance on what information must be supplied by IHBC | Data obtained directly from data subject |
|---|---|
| Identity and contact details of the controller (and where applicable, the controller’s representative) and the data protection officer (DPO) | Jo Evans (IHBC Secretary) (ex officio controller); Lydia Porter (representative). The IHBC does not carry out functions on a large enough scale to require a DPO. Contact for all is via email@example.com. |
| Purpose of the processing and the lawful basis for the processing | Membership support and sector advocacy and understanding, as detailed in the LIA |
| The legitimate interests of the controller or third party, where applicable | Membership support and sector advocacy and understanding, as detailed in the LIA |
| Categories of personal data | General data could include - name, address, personal contact details, photo etc. Sensitive data could include - date of birth, bank details, employment and personal information. Special data could include - racial or ethnic origin, disabilities, organisational membership, physical health etc. |
| Any recipient or categories of recipients of the personal data | |
| Details of transfers to third country and safeguards | Membership database hosting takes place in the UK. |
| Retention period or criteria used to determine the retention period | Retention periods for core membership services and management data are for the duration of membership, with duration of relevant professional data determined for professional purposes through the LIA, with opt outs available. |
| The existence of each of data subject’s rights | Full information access and opt-outs offered on request, including opt outs on historic information offered on request in line with the privacy statement and LIA. |
| The right to withdraw consent at any time, where relevant | Withdrawal of consent is available on request at any time with opt outs on historic information offered on request in line with the privacy statement and LIA. |
| The right to lodge a complaint with a supervisory authority | Complainants have the right to lodge a complaint with a supervisory authority, and/or to submit a complaint to the IHBC Secretary. |
| The source the personal data originates from and whether it came from publicly accessible sources | Data originates from service users. |
| Whether the provision of personal data is part of a statutory or contractual requirement or obligation and possible consequences of failing to provide the personal data | The provision of personal data is not necessarily part of a statutory or formal contractual requirement, though subscribing to membership and related events does raise an obligation for the IHBC to provide services, including advocacy, in support of conservation, while failing to provide some core personal data may limit or preclude some support, benefits or services. |
| The existence of automated decision making, including profiling and information about how decisions are made, the significance and the consequences | There is no automated decision making, including profiling and information about how decisions are made, the significance and the consequences. |
| When should information be provided? | This information is provided on request within timescales considered reasonable for a small charity. |
We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision.
LIA agreed by IHBC trustees, and applied to IHBC trading arm, IHBC Enterprises
If we process children’s data, we take extra care to make sure we protect their interests.