SRA Privacy Notice

29 June 2021

The Social Research Association (SRA) holds basic personal data that is provided to the organisation, in order to respond to requests to:

  1. Create an account via the SRA website
  2. Join the SRA as a member, or renew membership
  3. Register for an SRA event, training course or other activity

Personal information held by the SRA
The online systems for individuals to register for training courses and events, to join the Association, and to sign up for mailing list updates, are self-service, with personal data entered online by an individual (or by a work colleague acting on their behalf). This information is held in a secure database and includes:

  1. Account holder data
    The information required to open a website account with the SRA:  Name, email, and region/country.  Account holders may if they wish add any of the data items listed below in item 2.
  2. Additional data provided when joining the SRA as a member
    Individuals who choose to join the SRA as a member will need to provide the information listed in item 1 above, and also:  organisation name and job title (where applicable), address (either organisation or home), employment status, employment sector, years in social research.
  3. Additional data when registering for activities such as training courses and events
    Account holders who wish to register for activities may need to provide an address to feature on the invoice, if they choose that payment option.
Why we need your data

The SRA needs this personal data in order to process and respond to requests from members and others and to provide a service to you.  Data on employment status and sector are required to determine the appropriate membership subscription fee.  Data on region is used to ensure that mailings about local events and courses are sent to the appropriate people (who choose to receive such mailings). Data on years in social research, and all data, may be aggregated and used to provide statistical information in reports to trustees and others.  Therefore the justification for processing personal data, under the Data Protection Act 2018 is the ‘legitimate interests’ of the SRA.

What we do with your data
 The personal data described above is processed in order to provide services to members and other holders of website accounts.  

How we hold your data
 The data that users provide is stored in a CRM (customer relations management) system and website, supplied by the international company Advanced Solutions International (ASI – the Data Processor). The CRM is password-protected. SRA staff use the CRM to provide the services, and two longstanding IT contractors also have access for technical purposes.  

It may occasionally be necessary to share your data with select individuals or agencies to process for your data on our behalf, such as a training provider. When necessary, these third parties will be authorised to see and use your information only in the ways required to fulfil their contractual obligations to us and will not be permitted to use it for any other purpose. We retain full responsibility for how your personal information may be used by authorised third parties.

We will never sell or swap your data and we will not share your personal data with other organisations for marketing or similar purposes.  

Financial processing
People who take out SRA membership or register on the website for activities (e.g. courses and events) may be required to pay a fee, and may choose to pay online with a credit/debit card.  The ASI website passes these online payment requests to iATS, a specialist card processing organisation, for completion.  No additional personal information arising from the purchase is available to the SRA.

Where your data is held
ASI stores CRM data on servers in the UK.  As an international company with offices and servers in the USA and other countries, in order to comply with General Data Protection Regulation (GDPR) rules on data transfers ASI and SRA have entered into a GDPR-compliant Data Transfer Agreement which includes UK and EU approved Standard Contractual Clauses describing the transfer of personal data, which will be updated from time to time as legislation evolves post-Brexit  
The card processing organisation iATS is based in Canada, and because it acts as a sub-processor for ASI, the Data Transfer Agreement, including the Standard Contractual Clauses, has also been applied to iATS.

Data Security
Your personal data is protected by HTTPS end-to-end encryption during transfer and is encrypted 'at rest' on the server. As a further precaution when you access the SRA website from outside of the European Economic Area, UK or Switzerland, we recommend that you use a secure modern browser, updated to the most recent version and set to the maximum security/privacy level. These browsers include - but aren't confined to - Firefox, Safari, Chrome and Edge. We'd also like to take this opportunity to remind all of our account-holders to remain vigilant against 'phishing' and other forms of social engineering (scams) that might seek to obtain your access credentials.

How long we keep your data
Data held in the CRM system will be held for at most 6 years, in order to comply with accountancy review requirements.

Your rights
Under GDPR you have certain rights with regard to your personal data. These are:

  • Your right of access: You have the right to ask us for copies of your personal information.
  • Your right to rectification: You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Your right to erasure: You have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing: You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • Your right to object to processing: You have the right to object to the processing of your personal information in certain circumstances.

If you wish to exercise these rights you can do so by contacting the SRA at [email protected]

If at any point you believe the information the SRA has about you is incorrect you can either correct it by logging in to your account, or request to see this information and have it corrected or deleted by contacting the SRA as described above.

If you are not satisfied with the SRA’s response or believe we are not processing your personal data in accordance with the law you can make a complaint to the Information Commissioner’s Office: https://ico.org.uk/concerns/handling/

Website cookies
The SRA may use cookies, including analytic cookies provided by Google, to better understand which of our webpages are visited and for how long.  This information is intended to improve our service to you.  Our cookies do not contain personally identifiable information, other than your IP address, and will not be linked to any other personal data held by the SRA.