Data Protection Procedures

The General Data Protection Regulation (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission strengthen and unify data protection for all individuals within the European Union (EU). It supersedes the Data Protection Act with effect from 25th May 2018. It aims to give people more control over their data and allows them to request to see the personal data held on them.

The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier.

All personal data must be processed lawfully, fairly and in a transparent manner.

BICA Trustees carried out a self-assessment with the Information Commissioner’s Office on 21st May 2018 and there is no requirement to register.

These procedures set out how BICA is complying with the GDPR. BICA Trustees must comply with these procedures when they are communicating with others in their role as BICA Trustees, as must anyone else acting in an official capacity on behalf of BICA.

Privacy Policy

This is available on our website and upon request. The Policy makes clear the purposes for which we keep personal data, how people can ask us to handle their data, where consents are required and how they can be changed. It also makes clear that BICA does not pass information on to other people or bodies without the individual’s consent, unless it is a legal or regulatory requirement to do so.

Trustees are responsible for abiding by the Privacy Policy and reviewing it regularly.

Handling of personal data by BICA

Prior to the introduction of the GDPR, BICA undertook an internal audit of what data is held where and by whom within BICA. BICA data is currently held by Trustees, Co-Chairs of Training Team, Accreditation Board xxxxxx all of whom hold or have access to names and contact details of Trustees, Minutes of Trustees meetings and Financial Statements prepared for Trustees’ meetings. It is only Officers that hold any data other than these. (to be fully completed once audit is back to aps)

All BICA electronic personal data must be stored on password-protected electronic devices. Paper copies (including typed, handwritten etc.) must be stored securely.

Personal information that is stored includes the following:

  • Names and contact details (where supplied) of members including lists of their payments to BICA (held by Membership Secretary and Chairperson) and details of their Gift Aid declarations where supplied (held by the Treasurer)
  • Names and personal details (including date of birth) of Trustees (held by Chair and Treasurer)

Obtaining consent to store personal data


There is no requirement to obtain consent from Members to store their personal contact information when it is to be used for membership purposes only, i.e. subscription and constitutional correspondence. BICA are satisfied that contact with members meets the GDPR legitimate interest condition and our contact with members is completely appropriate to membership of our organization.

BICA does not hold a mailing list and our database consists of members only. Whilst BICA does hold members’ “personal¹” data, we do not hold members’ “sensitive²” data and therefore explicit consent is not required.

Where a member fails to renew their membership, their details will be stored in a ‘Lapsed Members’ category for a minimum of two years or, for those who completed Gift Aid declarations³, a minimum of six years. They will then be destroyed.

There is no requirement to obtain consent from media people; however, when there is any official correspondence with them, BICA must make clear how their details were obtained.


There is no requirement to obtain consent from Parliamentarians but when there is any official correspondence with them, BICA must make clear how their details were obtained.

External Organisations:

There is no requirement to obtain consent from External Organisations but when there is any official correspondence with them, BICA must make clear how their details were obtained.

Additional personal data

BICA also keeps records of receipts and payments in electronic form and supporting paperwork for six years. These include records of suppliers, i.e. for room hire, publication printing etc., and other items such as expenses. This meets the requirements of our auditors, who work to the requirements of the Charity Commission and HMRC.

Withdrawal or alteration of consents. Your “right to be forgotten”.

BICA makes clear in its Privacy Policy that consents can be withdrawn at any time. Should anyone whose details are held on any of BICA’s lists request such a withdrawal (but without requesting deletion of all their data) then this will be agreed to and noted by date on the relevant list, making clear whether consent is withdrawn for all correspondence or only some.

Should anyone request deletion of their details completely then this too will be complied with, except for anyone who remains a member, as the retention of members’ details is a legal requirement. The request to delete details is called their ‘right to be forgotten’.

Such requests will be met within a maximum of 30 days from receipt of the request as per GDPR requirement.

Request from an individual to see the data that BICA holds on them

Any such requests will be met within 30 days from receipt of the request as per GDPR requirement.

BICA does not hold any data on children. Membership of BICA is adult only.

Data breaches

A data breach is a breach of security leading to ‘accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. Should this occur, then the Data Controller will investigate and take remedial action. The Data Controller will also check to see if there is any duty on BICA to report the breach to the ICO or Charity Commission. This is usually only if the breach is likely to result in a risk to the rights and freedoms of individuals – if, for example, it could result in discrimination, damage to reputation, financial loss, loss of confidentiality or any other significant economic or social disadvantage. Where a breach is likely to result in a high risk to the rights and freedoms of individuals, BICA will also notify those concerned directly.

Review of Procedures

The Trustees will review these procedures annually and routinely include an item on our AGM Agenda to enable members to raise any issues or queries if they wish.

In addition, the Chairperson, Membership Secretary and Treasurer will meet annually to check that their respective lists are accurate and up to date and amend any discrepancies.

Lead Trustee/Data Controller for GDPR Matters

As a Registered Charity, BICA Trustees hold responsibility for compliance with GDPR. BICA also has a Lead Trustee for GDPR matters from among the Trustees and that role is usually combined with the role of Data Controller for GDPR purposes. This role is currently held by Angela Pericleous-Smith.