Privacy policy - The RSA - RSA

Our privacy policy

RSA privacy policy

1. Purpose of the policy

This Privacy Policy outlines the lawful basis under which the Royal Society for the Encouragement of Arts, Manufactures and Commerce (Data Controller registration reference Z8052302) processes personal data in compliance with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). This describes the collection, use, transfer, and retention of personal data, as well as individuals' rights regarding their data.

This Policy also ensures transparency in how the RSA protects personal data and outlines the procedures for accessing, correcting, and controlling your data.

We may update this policy from time to time to reflect changes in the law and/or our privacy practices. We encourage you to review this Privacy Policy whenever you visit our website.

2. Who we are

The Royal Society for the Encouragement of Arts, Manufactures and Commerce ('RSA') is a Royal Charter Company and registered charity in England and Wales (charity number 212424) and in Scotland (charity number SC037784). It has two wholly owned trading subsidiaries (Adelphi Enterprises Limited, company number 002784581 and Shipley Enterprises Limited, company number 08716337).

For Fellows and supporters in the US, Canada, Australia, and New Zealand, we share data with RSA affiliates in those regions in compliance with international data protection laws.

This Privacy Policy applies to all the above entities. The RSA and its subsidiaries’ registered address is 8 John Adam Street, London, WC2N 6EZ.

3. The lawful basis for processing personal data

Our mission is to enable people, places and the planet to flourish. We envision a world that is resilient, rebalanced and regenerative, where everyone can fulfil their potential. The RSA has been at the forefront of significant social impact since 1754. With our proven change process, rigorous research, innovative ideas platforms and unique global network of changemakers, we unite people and ideas in collective action to create opportunities to regenerate our world.

The RSA processes personal data under the following lawful bases, ensuring we comply with the UK GDPR and other applicable data protection laws:

  • Legitimate Interests: We process personal data to conduct our core activities such as research, fundraising, and recruiting Fellows, maintaining records, accounts, and administrative services.
  • Performance of a Contract: We process personal data as necessary to perform or take steps to enter into a contract, such as employment or Fellowship applications.
  • Legal Obligations: We process personal data to comply with legal and regulatory obligations, including safeguarding, police investigations, and immigration requirements.
  • Consent: In some cases, we may process personal data based on explicit consent, such as participation in projects, events, or marketing communications.
  • Vital Interests: In rare cases, we may process data to protect an individual's vital interests, such as life-or-death situations.

Our website and charitable outputs are available to all, in line with our charitable obligations. Our Fellows also share their professional identities, engage with our network, exchange knowledge and find opportunities through our online platforms including MyRSA section of our website.

4. Processing ‘special categories of data’

Certain data, known as ‘special categories of data’, such as racial or ethnic origin, religious beliefs, sexual orientation, and physical or mental health, require additional protection under the law.

When we process special category data, we must meet one of the conditions in the data protection legislation (Article 9 of the UK GDPR). Usually, this will be with the explicit consent of the individual but other examples of situations where we process special category data include:

  • To meet our employment obligations, such as health and safety requirements;
  • For reasons of public interest in the area of public health
  • For reasons of substantial public interest, such as ensuring equality of opportunity or treatment, or protecting the public against dishonesty;
  • For research purposes, where such research is in the public interest; and
  • To manage legal claims and proceedings.

5. Personal information we collect

We collect personal information for specific purposes, based on your interaction with RSA, including: 

5.1 Applying for a job to work with us

We collect personal data via the employment application and recruitment process, and when you enter into a contract as an employee of the RSA. Data gathered during the recruitment process is used for shortlisting and interviewing purposes and for equality and diversity monitoring. The processing of employee personal data includes payroll and pension administration, management of absence records, performance management, and disciplinary and grievance procedures.

5.2 Attending events or involvement in our projects

We gather information on those who participate in projects or attend our events, including names and e-mail addresses. This enables us to record our campaigning actions and those of our supporters; to meet our wider legal obligations, such as those of our grant funders; to invite people to become involved in our work and projects; and to make offers of Fellowships.

5.3 Joining as Fellow

All Fellows who join the RSA are asked to give their name, date of birth, email address, postal address, contact numbers and give details of their occupation and reason for joining. This enables us to fulfil our contractual obligations and meet our charitable reporting duties, to keep a record of our Fellows their subscriptions, other donations and our communications with them. We also use the information to claim Gift Aid on donations.

5.4 Registration as part of MyRSA

To create an account, data gathered includes an individual’s name, email address and/or mobile number, and a password. This allows us to support Fellows and other volunteers to form networks, run events and projects, and collaborate.

5.5 Research

A range of personal data is collected through our research activities. This may include: details about a person, such as their name, family information and work details; a person’s thoughts or feelings; or their views or opinions on specific research areas. Data is collected in a variety of ways, such as through questionnaires, interviews and focus groups, and from individuals themselves or others.

We only collect personal data that is needed for research purposes and only keep the information in a way that enables individuals to be identified, for as long as is necessary.Individuals are provided with an information sheet relating to the specific piece of research they are participating in, which includes information on the collection, use, and retention of their personal data.

Our research may include special category data such as ethnicity, political or religious views, genetic data and health data. When we process special category data, we must meet one of the conditions in the data protection legislation (Article 9 of the UK GDPR). The use of special category data in our research activities is on the basis that ‘processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes’ (Article 9(2)(j) of the UK GDPR).

We ensure that it is in the public interest when we use personal data from people who have agreed to take part in research. This means that if you agree to take part in a research study, we will use your data in the ways needed to conduct and analyse the research study. Some of your rights, such as deletion of your data from the research project, may be limited, as we need to manage your data in specific ways in order for the research to be reliable and accurate. If you withdraw from the study, we will keep the information about you that we have already obtained. To safeguard your rights, we will use the minimum amount of personal data possible.

5.6 Website use and social media interaction

We collect data related to your usage of our website. We use logins, cookies, device information and internet protocol ("IP") addresses to identify you and log your use. This helps us to understand your engagement with our content, and the preferences of our supporters, allowing us to improve the targeting of our marketing communications as detailed below in the section on Profiling. 

We may process personal data collected through this website or other electronic networks used by the RSA, for the purposes of advertising, marketing, public relations and general advice services.

5.7 Your device and location

When you visit or leave our website (including our plugins or cookies or similar technology on the sites of others), we receive the URL of both the site you came from and the one you go to next.

We also get information about your IP address, proxy server, operating system, web browser and add-ons, device identifier and features, and/or ISP or your mobile carrier. If you use our website from a mobile device, that device will send us data about your location. Most devices allow you to prevent location data from being sent to us and we honour your settings.

5.8 Messages

We collect information about you when you send, receive, or engage with messages in connection with our Service, including through MyRSA. Messages are stored for up to three years and are accessed only if we receive a complaint or to perform an aggregated analysis of usage.

5.9 Profiling

Profiling is a common technique used in direct marketing and involves analysing data to improve the targeting of communications. The RSA uses profiling techniques to help ensure our communications are relevant. Profiling allows us to target our resources effectively, which donors consistently tell us is a key priority for them. It enables us to raise more funds, sooner, and more cost-effectively, than we otherwise would. The data may have been provided to the RSA by our supporters when responding to our marketing campaigns, or when using our website, or social media sites such as Facebook. It may also have been provided by external organisations as described below.

When building a profile, we may analyse geographic, demographic and other information relating to you, as well as your previous responses to our marketing campaigns. We do this in order to determine whether we believe a particular marketing campaign might be of interest. Some of the data is provided by external organisations and may be provided at an aggregate level (e.g. by postcode). This helps to maximise the effectiveness of our campaigns and to minimise the wastage that would result from sending marketing information where it is not of interest.

5.10 CCTV

The RSA processes personal data through the use of CCTV to monitor and collect visual records to provide a safe environment for staff and visitors to our House and for the purposes of security. 

Such personal data may be used for the prevention and detection of crime; for evidential purposes to support criminal, civil and internal proceedings, including disciplinary investigations; for assisting in traffic management and parking enforcement; and to assist in Health and Safety requirements and other legal or regulatory compliance obligations.

5.11 Other

Our charitable work is dynamic, and we often introduce new features, which may require the collection of new information. If we collect materially different personal data or materially change how we use your data, we will notify you and will also modify this Privacy Policy.

6. How we share information

6.1 Our charitable work

We do not share our data with third parties unless compelled to do so or in a strictly controlled way to certain Service Providers working on our behalf as set out below. 

The profiles contained on the MyRSA section of our website are shared with other Fellows. If you join an RSA network, we share the membership list with all members of that network as well as the organisation they represent or work for.

6.2 Service providers

We use others to help us provide our charitable work, including our website and other core online services, including our Customer Relationship Management System (CRM), Content Management System, single-sign-on (SSO) and mailing tools (e.g. for maintenance, analysis, audit, payments, fraud detection, marketing and development), printing and distribution of our journal and other postal mailings, and provision of catering services through our subsidiary RSA Adelphi Enterprises Limited. They will have access to your information as reasonably necessary to perform these tasks on our behalf and are obligated not to disclose or use it for other purposes.

The RSA has contracted with Circle Co, Inc. to provide a community platform that helps bring users together for discussions, memberships, and content. As set out in Circle Co, Inc’s Data Processing agreement, the personal data to be transferred are:

  • Account information – email address, name and password. This information may be used by Circle to:

Set up and authenticate your account. This may include sharing this information with any enabled Single-Sign On provider.

Communicate with you, including sending service-related communications.

Deal with enquiries or complaints made by or about you relating to the Website, App or Services.

  • Identifiers – IP addresses, unique device identifiers, etc. Other than information you choose to provide to Circle, information about your precise location is not collected. However, your device’s IP address may help to determine an approximate location. Circle may use the information to:

o Monitor and detect fraud or suspicious activity relating to your account.

o Tailor how the Website, App, or Services are displayed to you (such as the language in which it is provided to you).

o Share with its sub-processors (AWS, Baremetrics, Bugsnag, Cloudflare, Google Analytics, Mixpanel, Segment, TrackJS) for the purposes of personalising Circle’s service and data analytics.

  • User-generated content (e.g. posts, comments, likes). This information is used by Circle to provide to you the features and functionality of the Website, App, or Services. Circle does not share this information with any third-party provider. However, other users of the Website, App or Services may view any content that you make public.
  • Cookies:

o Information about how you access and use Circle’s Website, App, or Services is collected automatically. For example: what time you accessed the Website, App or Services, the duration spent on the Website, App or Services, how frequently it is accessed, the site from which you came onto the Circle Website and the site to which you are going when you leave, the Circle Website pages you visit, the links you click, whether you open emails or click the links contained in emails.

o Log files and information about the device you use to connect to the Website, App, or Services is automatically collected. This information includes details about your device, unique device identifying numbers, operating systems, browsers and applications connected to the Website, App, or Services through the device, your mobile network, your IP address and your device’s telephone number (if it has one).

o The above information is shared with Circle’s sub-processors (AWS, Baremetrics, Bugsnag, Cloudflare, Google Analytics, Mixpanel, Segment, TrackJS) for the purposes of personalising Circle’s service and data analytics. 

If you contact Circle directly, e.g., by email or phone, they will record your comments and opinions. This information will be used to address your questions, issues and concerns. The information may also be used to improve the Website, App, and Services. Circle may also share this information with Help scout, the provider of Circle’s customer support platform, which processes customer support queries.

6.3 Legal disclosures

It is possible that we will need to disclose information about you when required by law, warrant, or other legal process or if we have a good faith belief that disclosure is reasonably necessary to (1) investigate, prevent, or take action regarding suspected or actual illegal activities or to assist government enforcement agencies; (2) enforce our agreements with you; (3) investigate and defend ourselves against any third-party claims or allegations; (4) protect the security or integrity of our Service (such as by sharing with companies facing similar threats); or (5) exercise or protect the rights and safety of the RSA.

6.4 Cross-border data transfers

We process data both inside and outside of the United Kingdom. Where we transfer data, we do so either within the EEA, under the ‘Adequacy Regulations’, ‘Appropriate Safeguards’ or under one of the exclusions permitted by the UK GDPR.

7. Data Retention

Personal data is stored in line with the RSA’s Data Protection and Records and Retention Management Policies. 

We retain the personal data you provide as needed to carry out our charitable work. If you are a Fellow or supporter who receives mailings, we keep your data to help us improve our charitable work. We keep data for three years for supporters and other contacts and seven years for Fellows. Our Fellowship Record is a historical record and we keep a minimum amount of data for posterity as part of our archive. All other data is deleted. 

We retain personal data even after a Fellow has ceased their membership or a supporter has stopped receiving mailings to comply with legal obligations (including law enforcement requests), meet our regulatory and financial requirements, resolve disputes, maintain security, prevent fraud and abuse, or fulfil your request to "unsubscribe" from further messages from us. The list of the Fellows of the RSA is a historical record which is maintained for posterity with the minimum amount of information we require to achieve this.

If you are a member of staff, should you cease working for the RSA we will retain your personal data for six years after you leave.

8. Your right to access and control your personal data

You have a number of rights under data protection legislation:

  • Information – where personal data is collected from you, you have the right to information about the collection and use of your personal data. This includes details about the purpose(s) for processing and retention periods for that personal data, and who it will be shared with;
  • Information – where your data is not obtained from you, you have the same right to the information above, as well as details about what personal data is collected and by whom;
  • Access – you have the right to confirmation of whether or not we are processing your personal data and to obtain a copy of your data. This is known as a subject access request;
  • Rectification – you have the right to rectify any inaccuracies in personal data concerning you;
  • Erasure – you have the right to be forgotten in some circumstances, i.e. to have your data erased;
  • Restriction – you have the right to restrict the processing of your personal data in certain ways; Where there is a request to rectify, erase or restrict the processing of data, we will let any recipients of that data know, where possible. You have the right to know who those recipients are;
  • Data portability – you have the right to receive your personal data in a structured, commonly used and machine-readable format, and to transfer your data to another controller;
  • Objection – you have the right to object to certain processing of your personal data by us, such as direct marketing;
  • Decision making – you have the right not to be subject to a decision based solely on automated processing, including profiling; and
  • Withdrawal of consent – where your consent is the legal basis for our processing, you have the right to withdraw your consent.

9. Other important information

9.1 Cookies

Our website uses cookies to collect information and improve user experience. For further details, please review our Cookies Policy. For further information about cookies you can visit Know Cookies and to find out more about how the RSA uses cookies, please refer to RSA Cookies.

9.2 Security

We use appropriate technical and organisational measures to protect personal data from unlawful processing, accidental loss, or damage. Our security measures are regularly reviewed to prevent vulnerabilities. 

9.3 Content provided by third parties published on our website

We often publish and link to reports, biogs and articles written by Fellows and others who are not members of staff at the RSA. We are not responsible for the accuracy of either the content or any personal data contained within such content.

10. Further information

If you would like more information, or have any questions about this policy, please contact our Data Protection team by emailing us at [email protected], calling us on 020 7930 5115 (Mon-Fri 9am-5pm), or writing to us at:

The Data Protection Officer

The RSA

8 John Adam Street

WC2N 6EZ

To make a formal complaint about the RSA's approach to data protection or raise privacy concerns directly with our Data Protection team, please contact us at the email address or postal address given above. The Data Protection Policy includes the process to be followed should a data breach occur.

You also have the right to make a complaint direct to the UK's data protection authority, the Information Commissioner's Office (ICO). The ICO can be contacted at: https://ico.org.uk/global/contact-us/

Concerns can also be logged via the ICO’s website.

11. Related policies and documents

11.1. Data Protection Policy

11.2. Records, Retention and Management Policy

11.3. Schedule of Personal Data

11.4. Our Website Cookies