1. Purpose of the policy
2. Who we are
The Royal Society for the Encouragement of Arts, Manufactures and Commerce ('RSA') is a Royal Charter Company and registered charity in England and Wales (charity number 212424) and in Scotland (charity number SC037784). It has two wholly owned trading subsidiaries (Adelphi Enterprises Limited, company number 002784581 and Shipley Enterprises Limited, company number 08716337).
Additionally, for Fellows and other supporters living in the US and Canada, we share our data with our affiliate RSA in the USA. For Fellows and other supporters and contacts living in Australia and New Zealand, we share our data with our affiliate RSA ANZ.
3. The lawful basis for processing personal data
Our mission is to enable people, places and the planet to flourish. We envision a world that is resilient, rebalanced and regenerative, where everyone can fulfil their potential. The RSA has been at the forefront of significant social impact for over 260 years. With our proven change process, rigorous research, innovative ideas platforms and unique global network of changemakers, we unite people and ideas in collective action to create opportunities to regenerate our world.
The RSA holds and processes personal data on the basis of legitimate interest. This includes undertaking fundraising and research; promoting the RSA and recruiting Fellows; maintaining our records, accounts, and commercial activities; and managing the overall running of the RSA, including the monitoring and evaluation of its performance and effectiveness. We also process personal data to provide administrative and support services to our Fellows, supporters and our staff. We track those who use our House, whether as customers, members of the public or Fellows, and we also process personal data to ensure we do not send unwanted information to supporters or members of the public who have informed us they do not wish to be contacted.
Additionally, we process personal data because it is necessary for the performance of a contract or in order to take steps at an individual’s request prior to entering into a contract. For example, interacting with individuals before they apply to be a Fellow, or during the recruitment and hiring of staff.
We may also need to process personal data to comply with our legal obligations. This can include compliance and regulatory obligations, immigration obligations and safeguarding requirements, or to assist with investigations carried out by the police or other authorities. We may also process personal data for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings), for the purpose of obtaining legal advice, or when necessary for the purposes of establishing, exercising or defending legal rights.
We also process personal data in circumstances where we have specific consent to do so, for example to support Fellows and other volunteers to form networks, run events and projects, and collaborate. It also enables us to send marketing information about our projects, fundraising activities and appeals where we have the consent of Fellows or are otherwise allowed to.
In limited circumstances, we may also process personal data where it is necessary to protect a person’s vital interests (i.e. in matters of life or death).
Our website and charitable outputs are available to all, in line with our charitable obligations. Our Fellows also share their professional identities, engage with our network, exchange knowledge and find opportunities through our online platforms, including the MyRSA section of our website.
4. Processing ‘special categories of data’
Personal data may include ‘special categories of data’ as described in data protection legislation, such as information about an individual’s racial or ethnic origin, religious beliefs, sexual orientation, and physical or mental health.
When we process special category data, we must meet one of the conditions in the data protection legislation (Article 9 of the UK GDPR). Usually, this will be with the explicit consent of the individual but other examples of situations where we process special category data include:
- To meet our employment obligations, such as health and safety requirements;
- For reasons of public interest in the area of public health e.g. Covid reporting;
- For reasons of substantial public interest, such as ensuring equality of opportunity or treatment, or protecting the public against dishonesty;
- For research purposes, where such research is in the public interest; and
- To manage legal claims and proceedings.
5. Personal information we collect
Information is collected in different ways depending on your interaction with the RSA and personal data is processed for the purposes outlined below.
5.1 Applying for a job to work with us
We collect personal data via the employment application and recruitment process, and when you enter into a contract as an employee of the RSA. Data gathered during the recruitment process is used for shortlisting and interviewing purposes and for equality and diversity monitoring. The processing of employee personal data includes payroll and pension administration, management of absence records, performance management, and disciplinary and grievance procedures.
5.2 Attending events or involvement in our projects
We gather information on those who participate in projects or attend our events, including names and e-mail addresses. This enables us to record our campaigning actions and those of our supporters; to meet our wider legal obligations, such as those of our grant funders; to invite people to become involved in our work and projects; and to make offers of Fellowships.
5.3 Joining as Fellow
All Fellows who join the RSA are asked to give their name, date of birth, email address, postal address, contact numbers and give details of their occupation and reason for joining. This enables us to fulfil our contractual obligations and meet our charitable reporting duties, to keep a record of our Fellows, their subscriptions, other donations and our communications with them. We also use the information to claim Gift Aid on donations.
5.4 Registration as part of MyRSA
To create an account, data gathered includes an individual’s name, email address and/or mobile number, and a password. This allows us to support Fellows and other volunteers to form networks, run events and projects, and collaborate.
A range of personal data is collected through our research activities. This may include: details about a person, such as their name, family information and work details; a person’s thoughts or feelings; or their views or opinions on specific research areas. Data is collected in a variety of ways, such as through questionnaires, interviews and focus groups, and from individuals themselves or others.
We only collect personal data that is needed for research purposes and only keep the information in a way that enables individuals to be identified, for as long as is necessary. Individuals are provided with an information sheet relating to the specific piece of research they are participating in, which includes information on the collection, use, and retention of their personal data.
Our research may include special category data such as ethnicity, political or religious views, genetic data and health data. When we process special category data, we must meet one of the conditions in the data protection legislation (Article 9 of the UK GDPR). The use of special category data in our research activities is on the basis that ‘processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes’ (Article 9(2)(j) of the UK GDPR).
We ensure that it is in the public interest when we use personal data from people who have agreed to take part in research. This means that if you agree to take part in a research study, we will use your data in the ways needed to conduct and analyse the research study. Some of your rights, such as deletion of your data from the research project, may be limited, as we need to manage your data in specific ways in order for the research to be reliable and accurate. If you withdraw from the study, we will keep the information about you that we have already obtained. To safeguard your rights, we will use the minimum amount of personal data possible.
5.6 Website use and social media interaction
We log usage data when you visit or otherwise engage in our charitable work, such as when you view or click on content or perform a search. We use logins, cookies, device information and internet protocol ("IP") addresses to identify you and log your use. This helps us to understand your engagement with our content, and the preferences of our supporters, allowing us to improve the targeting of our marketing communications as detailed below in the section on Profiling.
We may process personal data collected through this website or other electronic networks used by the RSA, for the purposes of advertising, marketing, public relations and general advice services.
5.7 Your device and location
When you visit or leave our website (including our plugins or cookies or similar technology on the sites of others), we receive the URL of both the site you came from and the one you go to next.
We also get information about your IP address, proxy server, operating system, web browser and add-ons, device identifier and features, and/or ISP or your mobile carrier. If you use our website from a mobile device, that device will send us data about your location. Most devices allow you to prevent location data from being sent to us and we honour your settings.
We collect information about you when you send, receive, or engage with messages in connection with our Service, including through MyRSA. Messages are stored for up to three years and are accessed only if we receive a complaint or to perform an aggregated analysis of usage.
Profiling is a common technique used in direct marketing and involves analysing data to improve the targeting of communications. The RSA uses profiling techniques to help ensure our communications are relevant. Profiling allows us to target our resources effectively, which donors consistently tell us is a key priority for them. It enables us to raise more funds, sooner, and more cost-effectively, than we otherwise would. The data may have been provided to the RSA by our supporters when responding to our marketing campaigns, or when using our website, or social media sites such as Facebook. It may also have been provided by external organisations as described below.
When building a profile, we may analyse geographic, demographic and other information relating to you, as well as your previous responses to our marketing campaigns. We do this in order to determine whether we believe a particular marketing campaign might be of interest. Some of the data is provided by external organisations and may be provided at an aggregate level (e.g. by postcode). This helps to maximise the effectiveness of our campaigns and to minimise the wastage that would result from sending marketing information where it is not of interest.
The RSA processes personal data through the use of CCTV to monitor and collect visual and audio records to provide a safe environment for staff and visitors to our House and for the purposes of security.
Such personal data may be used for the prevention and detection of crime; for evidential purposes to support criminal, civil and internal proceedings, including disciplinary investigations; for assisting in traffic management and parking enforcement; and to assist in Health and Safety requirements and other legal or regulatory compliance obligations.
6. How we share information
6.1 Our charitable work
We do not share our data with third parties unless compelled to do so or in a strictly controlled way to certain Service Providers working on our behalf as set out below.
The profiles contained on the MyRSA section of our website are shared with other Fellows. If you join an RSA network, we share the membership list with all members of that network as well as the organisation they represent or work for.
6.2 Service providers
We use others to help us provide our charitable work, including our website and other core online services, including our Customer Relationship Management System (CRM), Content Management System, single-sign-on (SSO) and mailing tools (e.g. for maintenance, analysis, audit, payments, fraud detection, marketing and development), printing and distribution of our journal and other postal mailings, and provision of catering services through our subsidiary RSA Adelphi Enterprises Limited. They will have access to your information as reasonably necessary to perform these tasks on our behalf and are obligated not to disclose or use it for other purposes.
The RSA has contracted with Circle Co, Inc. to provide a community platform that helps bring users together for discussions, memberships, and content. As set out in Circle Co, Inc’s Data Processing agreement, the personal data to be transferred are:
- Account information – email address, name and password. This information may be used by Circle to:
  - Set up and authenticate your account. This may include sharing this information with any enabled Single-Sign On provider.
  - Communicate with you, including sending service-related communications.
  - Deal with enquiries or complaints made by or about you relating to the Website, App or Services.
- Identifiers – IP addresses, unique device identifiers, etc. Other than information you choose to provide to Circle, information about your precise location is not collected. However, your device’s IP address may help to determine an approximate location. Circle may use the information to:
  - Monitor and detect fraud or suspicious activity relating to your account.
  - Tailor how the Website, App, or Services are displayed to you (such as the language in which it is provided to you).
  - Share with its sub-processors (AWS, Baremetrics, Bugsnag, Cloudflare, Google Analytics, Mixpanel, Segment, TrackJS) for the purposes of personalising Circle’s service and data analytics.
- User-generated content (e.g. posts, comments, likes). This information is used by Circle to provide to you the features and functionality of the Website, App, or Services. Circle does not share this information with any third-party provider. However, other users of the Website, App or Services may view any content that you make public.
  - Information about how you access and use Circle’s Website, App, or Services is collected automatically. For example: what time you accessed the Website, App or Services, the duration spent on the Website, App or Services, how frequently it is accessed, the site from which you came onto the Circle Website and the site to which you are going when you leave, the Circle Website pages you visit, the links you click, whether you open emails or click the links contained in emails.
  - Log files and information about the device you use to connect to the Website, App, or Services is automatically collected. This information includes details about your device, unique device identifying numbers, operating systems, browsers and applications connected to the Website, App, or Services through the device, your mobile network, your IP address and your device’s telephone number (if it has one).
  - The above information is shared with Circle’s sub-processors (AWS, Baremetrics, Bugsnag, Cloudflare, Google Analytics, Mixpanel, Segment, TrackJS) for the purposes of personalising Circle’s service and data analytics.
If you contact Circle directly, e.g., by email or phone, they will record your comments and opinions. This information will be used to address your questions, issues and concerns. The information may also be used to improve the Website, App, and Services. Circle may also share this information with Help Scout, the provider of Circle’s customer support platform, which processes customer support queries.
6.3 Legal disclosures
It is possible that we will need to disclose information about you when required by law, warrant, or other legal process or if we have a good faith belief that disclosure is reasonably necessary to (1) investigate, prevent, or take action regarding suspected or actual illegal activities or to assist government enforcement agencies; (2) enforce our agreements with you; (3) investigate and defend ourselves against any third-party claims or allegations; (4) protect the security or integrity of our Service (such as by sharing with companies facing similar threats); or (5) exercise or protect the rights and safety of the RSA.
6.4 Cross-border data transfers
We process data both inside and outside of the United Kingdom. Where we transfer data, we do so either within the EEA, under the ‘Adequacy Regulations’, ‘Appropriate Safeguards’ or under one of the exclusions permitted by the UK GDPR.
7. Data Retention
Personal data is stored in line with the RSA’s Data Protection and Records and Retention Management Policies.
We retain the personal data you provide as needed to carry out our charitable work. If you are a Fellow or supporter who receives mailings, we keep your data to help us improve our charitable work. We keep data for three years for supporters and other contacts and seven years for Fellows. Our Fellowship Record is a historical record and we keep a minimum amount of data for posterity as part of our archive. All other data is deleted.
We retain personal data even after a Fellow has ceased their membership or a supporter has stopped receiving mailings to comply with legal obligations (including law enforcement requests), meet our regulatory and financial requirements, resolve disputes, maintain security, prevent fraud and abuse, or fulfil your request to "unsubscribe" from further messages from us. The list of the Fellows of the RSA is a historical record which is maintained for posterity with the minimum amount of information we require to achieve this.
If you are a member of staff, should you cease working for the RSA we will retain your personal data for six years after you leave.
8. Your right to access and control your personal data
You have a number of rights under data protection legislation:
- Information – where personal data is collected from you, you have the right to information about the collection and use of your personal data. This includes details about the purpose(s) for processing and retention periods for that personal data, and who it will be shared with;
- Information – where your data is not obtained from you, you have the same right to the information above, as well as details about what personal data is collected and by whom;
- Access – you have the right to confirmation of whether or not we are processing your personal data and to obtain a copy of your data. This is known as a subject access request;
- Rectification – you have the right to rectify any inaccuracies in personal data concerning you;
- Erasure – you have the right to be forgotten in some circumstances, i.e. to have your data erased;
- Restriction – you have the right to restrict the processing of your personal data in certain ways. Where there is a request to rectify, erase or restrict the processing of data, we will let any recipients of that data know, where possible. You have the right to know who those recipients are;
- Data portability – you have the right to receive your personal data in a structured, commonly used and machine-readable format, and to transfer your data to another controller;
- Objection – you have the right to object to certain processing of your personal data by us, such as direct marketing;
- Decision making – you have the right not to be subject to a decision based solely on automated processing, including profiling; and
- Withdrawal of consent – where your consent is the legal basis for our processing, you have the right to withdraw your consent.
9. Other important information
We implement security safeguards designed to protect your data and regularly monitor our systems for possible vulnerabilities and attacks.
9.3 Content provided by third parties published on our website
We often publish and link to reports, blogs and articles written by Fellows and others who are not members of staff at the RSA. We are not responsible for the accuracy of either the content or any personal data contained within such content.
10. Further information
If you would like more information, or have any questions about this policy, please contact our Data Protection team by emailing us at [email protected], calling us on 020 7930 5115 (Mon-Fri 9am-5pm), or writing to us at:
The Data Protection Officer
8 John Adam Street
To make a formal complaint about the RSA's approach to data protection or raise privacy concerns directly with our Data Protection team, please contact us at the email address or postal address given above. The Data Protection Policy includes the process to be followed should a data breach occur.
You also have the right to make a complaint direct to the UK's data protection authority, the Information Commissioner's Office (ICO). The ICO can be contacted at: https://ico.org.uk/global/contact-us/
Concerns can also be logged via the ICO’s website.
11. Related policies and documents
11.1 Data Protection Policy
11.2 Records, Retention and Management Policy
11.3 Schedule of Personal Data
11.4 Our Website Cookies