Data Protection Policy

BRLSI Data Protection Policy v.3 (2023)


Bath Royal Literary and Scientific Institution (BRLSI) is committed to ensuring that all personal and sensitive organisational information, however received, is treated as confidential. The procedures the BRLSI adopts are fully compliant with the Data Protection Act and guidance from the Information Commissioners Office.

This policy applies to all staff, including Directors, employees and volunteers.

All must comply with this policy during, and at all times after, their period of involvement, employment or volunteering with the Institution.
The BRLSI treats all personal and sensitive organisational information, however
received, as confidential with regard to the terms of the Data Protection Act 1998, the
Human Rights Act 1998 and the General Data Protection Regulation 2018 ( GDPR).

This includes:
a. Anything of a personal nature that is not a matter of public record about a
member, member of staff, volunteer, trustee or donor (individual and
b. Sensitive organisational information.

The BRLSI will comply with UK law in obtaining processing and using personal
information and in the protection and disclosure of that information, as defined in the
Data Protection Act 1998. The BRLSI does not sell personal information, or access to
personal information. There may however be times where the law requires us to make
limited disclosures tor example under the Companies Act 2007

The nine Data Protection Principles from the Data Protection Act 1998 (as amended
from May 2018) are that data is:
1. Processed fairly and lawfully
2. Obtained and processed for one or more specific and stated purpose(s)
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Held for no longer than necessary
6. Processed in accordance with the rights of the data subjects
7. Kept secure from unauthorised processing or disclosure
8. The right to be “forgotten”
9. Not transferred outside the UK unless the same safeguards apply


At the BRLSI, personal data is only collected when it is needed for a specific and legal
reason, for instance to keep a record of paid up members of BRLSI, their membership
numbers, forenames and surnames, their home and / or email addresses and their
joining and renewal dates.
2.1 The BRLSI Board is, for the purposes of the current legislation, the Data Controller.
Day to day activities have been delegated by the Board to Mr. Joe Houlihan who acts
on their behalf. It has also appointed a Data Protection Officer (currently Rob
Randall). The only people allowed to collect and process personal data act under the
Data Controller or Data Protection Officer’s direction. These are nominated as
Approved Persons and are formally approved by BRLSI Management Committee and
the Board. The list is limited and subject to annual review and updating.
2.2 The list of Approved Persons will be drawn up and signed off by the Chair of the
Management Committee (MC); this list would normally include the BRLSI paid office
staff, the Election Manager, the Chair of Membership Committee, Newsletter Editor
and any ad hoc persons who are asked by Management Committee to generate
distribution lists for post and / or email communication.
2.3 The Approved Persons will receive Data Protection Act training.
2.4 Access to Member information on the website is restricted to a few named
individuals who must also be Approved Persons                                                                      2.5 Access to the Register of Members (RoM) on the BRLSI server is restricted to the
Chair of the Board the Chair of the Management Committee, the Chair of the
Membership subcommittee, the BRLSI Membership Secretary and any other specifically named individuals approved by the Board. Downloads of the data base in whole or in part are subject to prior approval from the Data Controller and must be recorded.
2.6 No copies of the Members’ Database, either in its original or organised form must
be retained by Approved Persons on their personal computing devices for longer than
is necessary to undertake agreed processing; any files held for a short period must be
password protected.
2.7 Personal data shall be accurate and, where necessary, kept up to date. It will be
adequate, relevant and not excessive in relation to the purposes for which it is
processed. For instance, BRLSI membership details should include the fore names and
surname, email addresses, home address, date of receipt of membership payment,
joining, leaving and renewal dates, as appropriate. Depending upon the nature of the
information it will be subject to routine destruction after a prescribed period of time
as indicated below.
2.8 Personal data shall not be further processed in any manner incompatible with that
purpose or those purposes. No membership data will be shared with other bodies
outside BRLSI except where required by law.
2.9 The BRLSI will ensure that data is kept secure and private from unauthorised eyes,
taking appropriate technical and organisational measures against unauthorised or
unlawful processing of personal data, and against accidental loss or destruction of, or
damage to, personal data.

3. Personal data shall be accurate and, where necessary, kept up to date. Depending
upon its nature it will be subject to routine destruction after a prescribed period of
time as indicated below. Personal data processed for any purpose shall not be kept
for longer than is necessary for that purpose. Requests from individuals for a copy of
their data held by BRLSI will normally be met within 10 working days of the request.
Any subsequent request for amendment or erasure will be met within further 10
working days of notification.
3.1 The BRLSI shall ensure its staff are adequately trained and the training recorded.
New employees will receive Data Protection training to explain how they should store
and handle personal information. Refresher training will be provided at regular
intervals for existing staff.

4.The BRLSI will comply with the Data Protection Act 1998 and any amending

5.Those BRLSI Approved Persons will use strong passwords. All passwords will contain
upper and lower case letters, a number and ideally a symbol. This will help to keep
the information secure and follows established good practice.

6.Similarly the BRLSI Approved Persons should ensure that all portable devices
carrying such personal data are encrypted. All portable devices – such as memory
sticks and laptops – used to store personal information are to be encrypted and
password protected.

BRLSI has established retention periods on the basis that personal data records will be
kept only for as long as necessary; these periods are listed below:
7. 1A Valid Memberships shall be retained whilst the Membership remains valid (up to
6 months after subscription payment is due).
7.1B Such valid memberships, where the member is also a member of the Company
shall similarly be retained for a period of no less than 10 years from the expiry date
in compliance with the Companies Act 2007 irrespective of the conditions laid out in
7.2 Expired Memberships, shall be retained until one year after the Membership has
expired, a maximum of 2 years overall. Save that where the member is also a
member of the Company shall similarly be retained for a period of 10 years from the
expiry date.
7.3 Virtual members records shall be retained whilst the membership remains valid
and for up to 6 months after the subscription payment is due.
7.4 Employed staff during their employment and for a period of 3 years after staff
have left BRLSI employment, for reference purposes. Unless they are also members of
the Company in which case the records shall be retained for a period of 10 years for
reference purposes.
7.5 Volunteers during their work for the BRLSI and for 3 years afterwards, for
reference purposes, unless they are also members of the Company in which case
records shall be retained for a period of 10 years. Save that in the case of requests
to be removed from the BRLSI data base this shall be completed within 10 days of
any such request.
7.6 Directors during their term of office, and for 10 years thereafter from the date of
retirement or resignation, for reference purposes.                                                                  7.7 Information gathered on or in relation to courses for a maximum period of 2 years
from the start date of such course
7.8 CCTV recordings are wiped and re-used on a rolling basis of 30 day intervals.              7.9 General contacts, whether by post, email or noted from face to face contact
where any action is completed to be destroyed or deleted at the conclusion of any
necessary action.

Any paper or computer records of whatever type, including any accessible World
Pay and Pay pal records and any other records with names, addresses and other
personal information, including consent forms and photographs to be destroyed after
use and within1 year of the event for which they were obtained whether the event
was held in the main BRLSI building or at an external premises. Save and unless
express consent has been obtained from the individual concerned to extend this for a
further specified period.
At the end of these periods, those responsible for staff, members, volunteers and
trustees and others will, as appropriate, delete the personal information data from all
the relevant databases.


3.1 Data Controller
The Data Controller is the person or legal entity that determines the purposes and
means of the processing of personal data.
The key responsibility of the Controller is to be accountable; to take actions in line with
GDPR, and to be able to explain the compliance with GDPR to data subjects and the
Supervisory Authority, as and when required.
For the purposes of this Policy the Data Controller is the BRLSI Board. For day-to-day
oversight the Board has empowered Board member Mr. Joe Houlihan to act on their
3.2 Data Protection Officer
The Data Protection Officer is a leadership role required by the GDPR. This role exists
within companies that process the personal data of EU and GB citizens. The DPO is
responsible for overseeing the data protection approach, strategy, its implementation.
The key responsibility of the DPO is to ensure compliance with GDPR and advise
company management and staff on the right measures to take.
For the purposes of this Policy the Data Protection Officer is Mr Robert Randall.              3.3 Data Processors. A natural person or legal entity that processes personal data on behalf of the
controller (e.g., a call centres acting on behalf of its client) is considered to be a
processor.) At times, a processor is also called a third party.
The key responsibility of the processor is to ensure that conditions specified in the Data Processing Agreement signed with the controller are always met, and that obligations stated in GDPR are complied with.
A number of BRLSI staff act as Data Processors. These Approved Persons are
specifically approved, and reviewed on a regular basis, by the DPO and the Board,
and approved by the Management Committee.