Data Protection Policy


This Data Protection Policy is intended to cover the storage and use of all personal data which is the subject of the General Data Protection Regulation (GDPR) 2018. 

Data we keep

We currently collect and process the following information:

·        For Members, prospective Members and persons who request to be on our mailing list: Names, honours and titles, contact details (addresses, email addresses, telephone numbers), year of birth and country of birth, whether deceased,

·        Data on those who have been awarded a Harkness Fellowship – country from which fellowship started, years, location, topic, mentor (if any),

·        For Members of the HFA, date and confirmation of payment, whether gift aid applies,

·        Lists of attendees at Events we hold, confirmation of payment,

·        Responses to surveys (if any).

Why we keep this data

We only collect and process personal information necessary to establish or maintain Membership or support and to provide or administer activities for persons who are Members of the organisation or have regular contact with it.


The information is used in the following ways:

·        To administer those who are Members and also those on our data base to receive our newsletter and notices of meetings and events,

·        To verify that persons are eligible for Membership; we cannot process applications without the information requested in the joining form,

·        To contact applicants with the outcome of their applications,

·        To collate statistics and to conduct research (although in these circumstances no information that could identify individuals will be published), and

·        To prepare accounting records and statutory corporate records.

Types of data to which the Policy applies

Policy applies to all personal information which we collect and hold.  This may be held in electronic format or in the case of statutory corporate records, such as the Register of Members, may be held in paper format.


This personal data may be stored and processed on the Company laptop by our Administrative Assistant, or by Directors on their personal computers in the course of their work for the Company.

Person(s) responsible for processing the data

Data may only be processed by our Administrative Assistant (currently Lizzie Clark) with whom we have a contractual agreement and such of our Directors and Trustees who have a genuine need to process it.  No access to our data is provided to third parties.

Main data risks we face

Possible hacking into our electronic devices by a malicious party. Possible loss of portable electronic devices on which the data is stored. 

Key precautions to keep data protected

Information in electronic form is stored securely in a structured filing system which is password protected and accessible only by our Administrative Assistant and a very limited number of our Directors.  Our electronic devices are protected with antiviral software from a leading supplier which is updated in real time.


Any electronic files containing personal information which are to be sent by email should be password protected.  Personal information should, in general, not be included in the body of an email.


Access to our email accounts is strictly limited to those responsible for processing the personal data which we hold, plus one third party IT contractor that provides support with whom we have a contractual relationship.


Passwords should be suitably difficult to guess, should be kept secure and individual passwords changed on a regular basis.


Any portable devices (laptops, flash drives) which are being transported from one location to another should be carefully guarded and not left unattended at any time.


Data in paper form such as the Register of Members is stored at a secure location.

How data should be stored and backed up

As stated above, the data in electronic form is stored securely in a structured filing system which is password protected.  It is backed up to the cloud in our Microsoft 365 OneDrive account.

How we ensure data is kept accurate

We try to ensure that data is kept accurate by timely recording of any changes notified to us or which appear in the public domain as well as by regularly reviewing and following up on bounce backs from emails which we send out. 


Membership lists are reviewed from time to time, at least twice annually.


Requests to unsubscribe from mailing lists or to have personal data deleted are actioned promptly.

When data should be deleted

Financial information (subscriptions, payment for events, gift aid records) is retained for six fiscal years plus the current fiscal year. 


Data for Members is retained throughout the period of Membership and then for 2 years from the date Membership expires.  An exception to this is data for Members who have served as Directors, Trustees and Committee Members; their data is retained indefinitely for record purposes.  If a person applies for Membership and is unsuccessful, their data is retained for 2 months from the date of the decision and then deleted.


For persons who have requested to be on our mailing list but who then decide to unsubscribe, their data is retained for 2 months from the date of the decision and then deleted.  


Electronic information which is deleted should be purged regularly from our electronic devices.


Hard copy information which is being deleted should be shredded.

How to handle a request for data from an individual and when we will turn down a Subject Access Request

Requests should be promptly referred to the Chair and Company Secretary who will be responsible for dealing with them.


All requests should be submitted in writing, by email or letter, and will not be accepted over the phone.  No personal information is to be disclosed over the phone.


The Chair / Company Secretary will determine whether the request comes from a legitimate source and whether it is a legitimate request in the context of GDPR.


A Subject Access Request will be turned down if it is not confined to personal data held on the individual making the request.

Under what circumstances should we disclose data and to whom

Data may be disclosed to an individual making a legitimate request in the context of GDPR, subject to the Chair / Company Secretary having verified the identity of the individual and that the request is legitimate.


In addition, data may be disclosed where there is a legitimate legal obligation for disclosure to a body acting within its legal powers.  The Chair / Company Secretary will verify the source of the request and the legal basis for the request before disclosing any information.  The person who’s data is the subject of the disclosure request will be informed of the information being disclosed, the body requesting it and the reason for the request in advance of the disclosure if at all possible.  Any such data disclosure will be strictly limited to the legal requirement to disclose.


Only the Chair / Company Secretary may make a data disclosure. Staff / Directors / Committee Members should refer all requests for data disclosure to them.


Records of all data disclosures will be kept, detailing the person/body making the request, the reason/legal basis for the disclosure, the information disclosed and the date. Similar records will also be kept of data requests which have been declined.

How we keep individuals informed about the data we hold

A list of the data which we currently collect and process is set out in the Privacy Policy on our website which may be updated from time to time. 

Person(s) responsible for reporting any breaches to the ICO and the Charity Commission

The Chair and Company Secretary are responsible for reporting breaches.


Any breaches of security which give rise to the possibility that personal information has been lost or stolen will be notified to the individuals whose data is the subject of the breach without delay.