4.1
Icon collects personal data for specified, explicit and legitimate purposes. The Institute will not collect more personal data than is necessary for the purpose, nor will it retain data for longer than necessary.
4.2
Events
Icon collects personal data to process ticket sales and/or registrations for Icon events. The only details collected are those required to process the booking, and data is not stored for longer than required for this purpose.
As this information is required to book individuals on to events, the basis for processing this personal data is Performance of a Contract with the Subject.
4.2.1
Icon processes personal data to promote upcoming events to non-members who have previously registered for similar events in the past.
Those registering for events are provided with the option to receive communications about similar future events, and their agreement is not required to complete their registration for the event in question. The basis for processing this information is the data subject’s “soft opt-in”. Data subjects can withdraw their consent for their data to be used and processed in this way by clicking the link at the bottom of each email communication at any time.
4.3
Governance
Icon collects personal data to ensure legal and regulatory compliance. This includes contact details of Icon Trustees, who are required to be Icon members, and to be added to the corporate Register at Companies House as required by law.
Timeframes for retention of these personal details are set out below as part of 4.3.1 – Membership.
It is a legal requirement for personal contact details of Trustees to be registered at Companies House, and it is impossible for Trustees to withhold such details and remain a serving Trustee of the organisation. Therefore, the basis for the collection and processing of these personal details is Necessary to fulfil legal obligations.
4.4.1
Marketing
Icon collects personal data to market membership services to potential members; to promote campaigns, initiatives and other activities to the public: and to ensure Icon’s key messages have the strongest chance of reaching key stakeholders for whom they are intended. Icon clearly stipulates the bases under which personal details are collected and processed for each specific marketing purpose and ensures data subjects are aware of their rights in relation to the continued processing of this data each time the data is used to market the organisation to non-members. Where necessary, consent will be obtained by the data subject for processing of personal data for this purpose.
Where we have your consent or where there is a legitimate interest to do so we use your personal data to communicate with you in order to promote campaigns, initiatives and other activities of Icon including events, advocacy, fundraising and information about our membership programme and services as well as any other ways that you might be able to provide help and support to the Institute.
4.4.2
Icon collects personal data to provide an email newsletter to non-members who request to receive it via an e-form on Icon’s website. Data collected includes email addresses, names and organisations. Of these, as only an email address is required to deliver the newsletter to those who request it, so this is the only compulsory detail required, and those subscribing can provide further details only if they wish to do so.
Icon uses its CRM system Ready Membership to deliver the newsletter, to monitor statistics around open rates and website link click-throughs, in order to ensure the newsletter delivers on its aims and meets expectations of those who sign up to receive it.
As data subjects are under no obligation to subscribe to Icon’s newsletter, and do so of their own volition, the basis upon which this information is collected and processed is Consent.
To ensure Icon can demonstrate the provision of clear, freely given, unambiguous consent of data subjects who subscribe to the newsletter, Icon operates a ‘double opt-in’ process, whereby subscribers will be asked to provide their contact data, and then to click on a link in an email that will be sent to confirm their intentions. This will ensure that Icon can ensure that the intention of data subjects to subscribe was truly understood and affirmed.
Data subjects can withdraw their consent for their data to be used and processed in this way by clicking the link at the bottom of each email communication.
4.4.3
Icon collects personal data to monitor downloads and usage of Icon’s free resources, such as the ‘Caring For…’ series of leaflets outlining how individuals can ensure the preservation of cultural heritage in their possession.
Those non-members seeking access to Icon’s free resources have an evidenced interest in the organisation, and Icon could reasonably expect they would be interested to hear about other services and initiatives provided by the Institute. Icon also has a clear interest in identifying those likely to require conservation services in the future to provide them with targeted support around best-practice approaches to obtaining the conservation services they need.
The basis under which Icon collects and processes this data is therefore Legitimate Interest.
4.4.4
Icon processes personal data of non-members with an evidenced interest in the organisation, as indicated by their subscription to Icon’s external newsletter, or with an evidenced interest in Icon’s services, as indicated by their download of one or more of Icon’s free resources, to facilitate targeted advertising on social media via platforms such as Facebook, Twitter and Instagram. To achieve this, data is provided in encrypted format to social media partners and is deleted immediately after use.
As these individuals already have an evidenced interest in Icon’s services, activities, and objectives, Icon can reasonably expect they would be interested to receive information about how they can support Icon’s charitable objectives.
As Icon has a clear interest in ensuring such individuals can be reached with news and information on Icon’s cause, the basis under which this data is processed is Legitimate Interest.
4.4.5
Icon processes personal data to contact lapsed members with special offers and incentives to resume their membership.
Members with lapsed memberships who have not unsubscribed from communications nor contacted the office to resign can have a reasonable expectation that their data will be processed for direct marketing purpose offering them incentives to return.
As Icon has a clear interest in facilitating the return of former members who might be likely to rejoin, the basis for processing this data is Legitimate Interest.
As these individuals purchased a similar service in the past, and that incentives to do so again will be of direct value to them, Icon considers that there is no infringement upon the rights of these individuals.
4.5.1
Icon collects personal data to provide services to paying members of the organisation. Data collected include names, email and home or work addresses, and phone numbers. These details are required in order to deliver membership benefits, including Icon’s membership magazine and scholarly journal, dispatched through the post; and regular email bulletins, sent to the member’s registered email address. Phone numbers are required to resolve routine membership issues such as returned post or email bounce backs. Icon also collects bank details of members who wish to pay membership fees by Direct Debit, in order to provide these members with a direct debit payment collection service where they have so requested.
Icon uses a third party provider, GoCardless to handle Direct Debit Payments.
In order to ensure the Institute is always able to confirm the past or present membership status of an individual, and to facilitate the resumption of past membership by returning members who may wish to do so, these details are retained on file for a period of five years after last contact.
As members decide to join the organisation and pay the fee to receive advertised services – and are required to agree in writing to abide by the Institute’s Code of Conduct and Professional Standards as a condition of membership – the basis for the collection and processing of these personal details is their necessity for the performance of a contract with the subject.
Where is this information provided?
- On the Membership Application Form
- On the Membership Renewal Form
4.5.2
Icon collects personal data to administrate the concessionary membership rate and provide discounts on membership fees to those on low incomes. Members applying for the concessionary rate are required to provide proof that their total annual income is below the given threshold to qualify for the rate. Documentary evidence could include:
- HMRC self-assessment income calculation showing total income for the previous year
- Proof of receipt of Jobseeker’s Allowance or Housing Benefit
- Copy of employment contract signed within the last year
- Confirmation from your employer on business letterhead certifying your salary
- P45 or P60
Upon receipt of this information to confirm entitlement, Icon allocates charitable funds to subsidise the memberships of conservations on low incomes.
It is in the Institute’s legitimate interest to ensure those accessing the concessionary rates are entitled to do so, and therefore provide a measure to safeguard fairness in the allocation of Icon’s charitable funds. The Institute needs documentary evidence to achieve this aim, and seeks the minimum necessary to be satisfied of eligibility. The Institute does not consider that requiring this evidence causes any undue prejudice to the rights of the applicants seeking concessionary rates (and to the extent that there is any prejudice, that this can be justified by the need to safeguard Icon’s charitable funds).
As those applying for new memberships or renewing existing memberships do so on the concessionary rate only upon their request, and as it is necessary to determine whether they are eligible in order to safeguard the use of charitable funds, the basis for processing this data is the necessity for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
Icon also accepts proof of receipt of disability-related benefits to evidence entitlement for the concessionary rate – and thus will occasionally process special categories of personal data. As members are under no obligation to provide these types of evidence to access the concessionary rate, pursuant to Article 9 of the GDPR and Data Protection Bill, the basis for processing this data is explicit consent to the processing of those personal data for one or more specified purposes.
Some of the documentary evidence required to obtain concessionary membership may be particularly private (and could be distressing to members if lost or misused), so greater care is taken to ensure that it is kept safe. Data collected for this exercise remains confidential to the Institute and is not disclosed to any third parties, excepting Auditors who may have sight of the documents submitted as part of the annual auditing process. The benefit achieved by the processing will be to ensure that those members who are able to access lower membership fees will be entitled to do so, and therefore to ensure that the Institute’s charitable funds are allocated fairly to achieve this purpose. This will in turn reflect the ongoing relationship between the organisation and the individual, as processing will cease if the individual opts to renew on the standard rate, or leaves the organisation.
Documents submitted will remain on confidential file for a period of seven years, as statutory financial records evidencing a payment to the organisation alongside the allocation of charitable funds to subsidise that payment.
Where is this information provided?
- On the Membership Application Form
- On the Membership Renewal Form
4.6.1
Icon collects personal data to assess the professional skills of individuals who apply to become Accredited members of the Institute. This includes employment context, professional specialism, details on any disabilities required to facilitate reasonable adjustments to the Accreditation process in line with the Institute’s Reasonable Adjustments Policy, employment history, educational background, examples past previous work, and details on individual professional development forward plans. These details are required to enable an assessment to be made to determine whether the applicant has reached the ‘proficient’ level against Icon’s Professional Standards.
To ensure the Institute retains sufficient documentation to address questions of feedback, or to respond to a potential challenge of the outcome of an Accreditation assessment or other dispute, these details are retained on file for 6 years from expiry of membership.
As applicants apply to become Accredited and are under no obligation to do so, the basis for collection and processing of this data is Consent.
As the Institute may process data related to special categories of personal data in order to facilitate the enaction of reasonable adjustments, pursuant to Article 9 of the GDPR and Data Protection Bill, the basis for processing this data is explicit consent to the processing of those personal data for one or more specified purposes.
If consent were to be withdrawn by a subject, the subject’s application for Accreditation would be invalidated.
Where is this information provided?
- On the Icon Accreditation Application Form (e-document)
- In the PACR Handbook
- In the relevant sections of the Icon website
4.6.2
Icon collects personal data to administrate the Accredited standard. This includes detail provided in the course of the submission of Continuing Professional Development returns where requested, including the professional development plans of the Accredited members; details on recent training courses or qualifications; and reflections on career progress from individuals. These details are then shared with a designated Accredited peer, who will comment on the submission and provide supportive feedback. This process is required to ensure Accredited members continue to work to the highest professional standards, and are up-to-date with the latest advances and technical approaches in the sector. This is necessary for Institute to guarantee these professionals as “quality assured conservators”, indicated by their Accredited status.
To ensure the Institute retains sufficient documentation to address questions of feedback, particularly where a CPD return does not meet the required standard, and to retain evidence in the event of a complaint, these documents are retained on file for 6 years following termination of membership.
As the Accredited standard cannot be maintained without the requirement for Accredited members to submit evidence of their continuing adherence to quality standards, it is in the legitimate interest of the organisation to ensure Accredited members are doing so. The basis for collection and processing of this data is therefore Legitimate Interest.
Privacy Impact Assessment. A key function of the Institute underpinning its charitable status is to provide public access to quality assured conservators. This cannot be achieved without measures of regular assessment to confirm Accredited individuals are working to the highest professional standards and are keeping up-to-date with the latest advances and technical approaches in the sector. If the assessments were not compulsory, it would not be possible to provide this measure of quality assurance.
Those who are Accredited therefore expect some measure of compulsory regular professional review to maintain and defend the high standards of professional practice they have reached. It therefore adds clear value to their memberships, as they can demonstrate to clients, employers, funders and elsewhere that they are senior professionals with a conspicuous mark of quality assurance: as a condition of this it also points to the ongoing relationship between the organisation and the individual. If the scope of this processing were to be modified, the quality assurance provided as a key objective of the organisation could not be verified. Some of the accreditation data processed may be confidential and/or could cause detriment to members if lost or misused (eg by giving an advantage to competitors). As such, Icon takes particular care to ensure this data is kept confidential and safe.
Assessment of risk to data subjects and measures to address those risks. Icon recognises that sensitive details will likely be included in CPD returns – ranging from personal development plans to self-assessment of skills areas requiring refreshment – and that these details could, for example, provide an unfair advantage to competitors or dissuade potential clients from commissioning certain conservators if leaked or disclosed.
The CPD readers appointed to read the CPD return are not from the same conservation specialism as the member being reviewed or are known to them personally – limiting risk of competition. CPD readers indicate those they are unable to read to address any conflict of interest.
For these reasons CPD returns are not anonymised at point of reception by a member of Icon staff, but once the conflict issue has been processed, the reviews are anonymised and therefore CPD readers possess no information about the identity of those submitting this sensitive information. The identity of those submitting CPD returns is therefore strictly limited to members of Icon staff and not disclosed to other conservation professionals whatever their roles in the support of Icon’s Professional Development programmes. Once this processing has ended, CPD records are held by the Icon office with appropriate measures so as to ensure their security and confidentiality for the statutory period in which they are retained.
Where is this information provided?
- In the CPD Review Form (e-document)
- In the CPD Guidance for CPD Readers (e-document)
- In the CPD Policy (e-document)
4.6.3
Icon processes personal data to publish details of those conservators who have achieved the Accredited standard (ACR). This includes the name and an additional secondary identifier, such city of residence, along with the year in which they achieved their Accreditation. These details are published in a publicly-accessible online directory to ensure members of the public have direct means to confirm the veracity of accounts given by potential conservation service providers – and to ward against confusion between any two Accredited conservators who may share the same name (‘Mary Smith’).
It is a key charitable objective of the organisation to provide the means for members of the public to identify which professionals are Accredited and which not, and therefore to deliver public benefits in quality assurance for those seeking to commission conservation services. Icon publishes only the minimal details necessary for this purpose, and does not consider that doing so causes any prejudice to Accredited members. As it is in legitimate interests of the Institute to ensure no one is able to profess to be Icon-Accredited unless this were verifiably true, the basis for the processing of this data is therefore Legitimate Interest.
Privacy Impact Assessment. A key function of the Institute underpinning its charitable status is to provide public access to quality assured conservators, and so there are regular compulsory checks of Continuing Professional Development returns to confirm Accredited individuals are working to the highest professional standards and are keeping up-to-date with the latest advances and technical approaches in the sector.
This quality assurance is of no use to the wider public unless members of the public are able to access the means to confirm who is accredited and who is not – but equally, there is no reason members of the public would need data beyond the surname, first name and a general third identifier such as location or city of home base to confirm the status of a potential contractor, employee or grant funding recipient already known to them. For this reason, those seeking this information will first need to know the surname of the individual concerned.
Accredited individuals have long asked for a public directory to be deployed in such a way, and so they expect their information to be so processed and published.
Icon appreciates there may be a risk to conservators who are obliged to disclose their general location – particularly where this may be the location where priceless artefacts and artworks are stored during the course of conservation work. The risk is intensified by the potential for this general locator to be paired with other information gleaned from alternate sources that could pinpoint the location of such valuables. Icon considers this risk unacceptable.
For this reason, the listing will provide a flexible basis to ensure the Accredited conservator themselves can select an additional personal identifier to ensure clarity – ranging from general location, to headshot or middle name. By this means conservators will not be obliged to publicly disclose their location, while ensuring members of the public can distinguish between two Accredited conservators who may share the same name.
4.6.4
Icon processes personal data to enable members of the public to contact and commission the services of quality-assured conservators – but only where these conservators have so requested for their details to be provided in this way. In this case, details provided by the Institute include names, email address, and year of Accreditation, provided as part of a searchable ‘Enhanced Listing’ on Icon’s public directory of ACRs – in accordance with the processing pursued in accordance with the Legitimate Interest of the organisation.
As details are provided beyond what is published in accordance with the legitimate interest of the organisation, and only at the discretion of the Accredited member who must first apply to the Institute to be so listed, the basis for the processing of this ‘Enhanced Listing’ data is Consent.
If consent for the provision of an Enhanced Listing were to be withdrawn by a subject, the subject’s Enhanced Listing would be invalidated; leaving them with a Standard listing only.
4.6.5
Icon processes personal data to facilitate the assessment of CPD returns. This includes the name, email address and telephone numbers of CPD readers, which are shared with each co-reader to enable collaboration as they assess the CPD return for which they are paired as assessors.
As individuals are under no obligation to serve as CPD readers, and consent in writing to perform this role where requested by Icon management, the basis for the processing of this data is Consent.
If consent for the processing of contact details in this way were withdrawn by a subject, they would be removed from the register of CPD readers – although the Institute would need to retain the CPD assessments that had previously been submitted by the Reader. The basis for retaining and processing this data is therefore Legitimate Interest.
4.6.6
Icon collects personal data to administrate the Icon Internships programme. At the application stage, this includes current employment context, employment history, examples of past previous work, educational background, and details on any disabilities required to facilitate reasonable adjustments in line with the Institute’s Reasonable Adjustments Policy. These details are required to enable an assessment to be made to determine if the applicant possesses sufficient experience to be selected for the internship.
To ensure the Institute retains sufficient documentation to address questions of feedback, these documents are retained on file for 3 years.
Applicants must apply to become Icon Interns and have no choice but to provide this information, and they might not be able to reasonably withhold consent from processing if they view the internship as a necessary step in their professional career. As it is in the legitimate interest of the organisation to ensure a fair assessment of those who wish to apply for a limited number of internship places, the basis for retaining and processing this data is therefore Legitimate Interest.
Privacy Impact Assessment. This processing activity is compliant with prevailing standards for the management of interns, and those who have successfully applied, interviewed and won an internship would expect their data to be used this way. There is unlikely to be any significant prejudice to the rights and freedoms of the interns in relation to this processing.
The basis for processing special category data to facilitate reasonable adjustments for those with disabilities is its necessity in connection with employment.
Where is this information provided?
- In the Internship Application Form (e-document)
- In the Interns Handbook (e-document)
4.6.7
Icon collects personal data where this has been issued to facilitate the management of interns in their workplaces. This includes essays and reports submitted by Interns as part the programme, in order to support their professional development.
As some external funders require lengthy retention periods in compliance with rigorous auditing guidelines – particularly where public money has been invested – these documents are retained on file to a maximum of 20 years.
As it is in the legitimate interest of the Institute to comply with requirements of external funders, and to manage staff effectively, the basis for the collection and processing of this data is Legitimate Interest.
Privacy Impact Assessment. This processing activity is compliant with prevailing standards for the management of interns, and those who have successfully applied, interviewed and won an internship would expect their data to be used this way. There is unlikely to be any significant prejudice to the rights and freedoms of the interns in relation to this processing.
Where is this information provided?
- In the IIP contract agreement
4.7.1
Business and Finance
Icon collects the personal data to reimburse the organisation’s volunteers for expenses incurred in the course of their work on behalf of the organisation. This includes names, address, bank details to facilitate expenses payments, and evidence of personal activities such as receipts for train travel, sustenance and hotel stays needed to verify the expenses claim.
As financial documents, these are retained on file for seven years in compliance with auditing guidelines.
As it is in the legitimate interests of the organisation to reimburse the expenses of volunteers, the basis for the collection and processing of this personal data is Legitimate Interest.
Privacy Impact Assessment. Those submitting expenses claims would expect these claims to be settled in the fastest way possible, and the provision of this data in the course of processing such data is a prevailing standard at similar organisations elsewhere. There is unlikely to be any significant prejudice to the rights and freedoms of the interns in relation to this processing.
4.7.2
Icon may sometimes collect personal data to facilitate payment of external contractors, particularly where the contractors may be individual sole traders who use their home contact details to administrate their business. These details are then used to raise and pay invoices submitted by the contractor.
As financial documents, these are retained on file for seven years in compliance with auditing guidelines.
As collection and processing of this data is necessary to pay contractors for their services, the basis for collection and processing of this data is the necessity for the performance of a contract with the subject.
4.7.3
Icon processes personal data to complete the annual audit, in compliance with regulatory guidelines. This will include the sharing of a sample of personal and financial data relating to payments to the Institute, which will be reviewed by Icon’s external auditors to test internal financial procedures.
As it is a legal requirement for the Institute to comply with regulatory guidelines and complete with annual audit, the basis for the processing of this data is the necessity to fulfil legal obligations.
4.8.1
Human Resources
Icon collects personal data to recruit staff. This includes name, addresses, employment history, and educational background. This data is then assessed and measured against a set of defined published criteria in order to select applicants for a paid position.
In order to administrate the recruitment of staff, and to ensure hiring decisions can be justified in the event of any request for feedback, these details are retained on file until the recruitment cycle has been completed – and therefore to a maximum of 1 year.
As applicants are under no obligation to apply for a role at Icon, and are free to share as much personal information as they wish in their applications, the basis for collecting and processing this data is its necessity in order to take steps at the request of the data subject prior to entering into a contract.
Where is this information provided?
- In the Employment Application Form
4.8.2
Icon collects personal data to pay staff and administrate staff contracts, in compliance with employment regulations. This includes names, addresses, bank details and emergency next of kin contact details.
To justify expenditure for auditing purposes, and to retain sufficient documentation to confirm the past employment status of individuals, these records are retained on file for 7 years after the departure of the member of staff in question.
As these details are required to administrate staff contracts, the basis for collecting and processing this data is the necessity for the performance of a contract with the subject.
Where is this information provided?
4.8.3
Icon collects personal data to manage staff, comprised of performance records where applicable.
To ensure Icon can account for staff performance, facilitate the provision of staff references where requested, and defend any legal claims, these records are retained on file for 7 years after the departure of the member of staff in question.
As it is in the legitimate interests of the organisation to manage staff effectively, the basis for collecting and processing this data is Legitimate Interest. Although occasionally this processing may detrimentally affect individuals (for example, where disciplinary action is taken), any detriment is outweighed by Icon’s legitimate interest in managing its staff effectively and holding the information necessary to defend itself against any future legal claims.
Where is this information provided?
4.9
Fundraising and Marketing
Icon collects the personal data of non-members to enable the pursuit of fundraising and marketing objectives. This includes names, addresses and email addresses of people the Institute might wish to influence, from whom the Institute might wish to obtain feedback, or invite to an event. These communications are sent within the data subjects’ reasonable expectations, and data subjects are provided with transparency information required via the Institute’s privacy notice.
Unless you’ve already given us your email address or telephone number so that we can tell you about making donations to us or about the supply of goods and services including membership subscriptions, we must ask you to ‘opt-in’ to receive fundraising and marketing emails from us. You have the choice as to whether you want to receive or continue to receive these messages. You’re also able to select how you want to receive them (post, phone, email, text) and to change your preferences at any time. When you receive a communication from us, we may collect information about your response and this may affect how we communicate with you in future.
Retainment of records of consent. To ensure the Institute can manage consent, and particularly to retain an awareness of individuals who have previously refused or withdrawn their consent to be contacted, this data will be stored on Icon’s CRM system for a period of 20 years.
Icon will refresh consents biennially to ensure the maintenance of up-to-date details. If consent were to be withdrawn by a subject, the Institute would cease to contact them, and delete their personal data (except retaining a record that they have asked not to be contacted in this way).