Data Protection Policy
Forum for Access and Continuing Education (FACE)
Effective Date: March 2025

1. Introduction

This Data Protection Policy establishes the framework under which the Forum for Access and Continuing Education (hereinafter “FACE”) processes personal data in compliance with the General Data Protection Regulation (GDPR) and applicable UK data protection legislation. This Policy applies to all staff, volunteers, and third parties processing personal data on behalf of FACE, including data collected and managed via our WildApricot platform, Microsoft Teams, and third-party payment processors.

2. Scope and Purpose

The purpose of this Policy is to ensure that FACE processes personal data lawfully, fairly, and transparently. It sets out the principles and procedures designed to:

  • Protect the rights and freedoms of data subjects;
  • Demonstrate accountability and compliance with data protection law;
  • Provide clear guidance for staff, members, and third-party processors; and
  • Inform individuals about how their data is collected, used, stored, and, where applicable, shared through third-party platforms.

3. Summary of Data Collected

FACE collects and processes the following categories of personal data, as provided voluntarily by individuals:

  • Identity Information: Full name.
  • Contact Information: Email address, telephone number, and postal address.
  • Organisation Information: Name of organisation, role within the organisation, organisation address, and any other information needed to receive payments from the organisation.
  • Membership and Participation Details: Membership status, event attendance, participation in educational programmes, and relevant interactions.
  • Payment Information: Data necessary for processing payments, such as cardholder name, card details, and billing address.
  • Marketing and Evaluation Preferences: Where individuals provide separate consent to receive marketing communications (such as newsletters, event updates, and promotional materials) and agree to participate in evaluation surveys aimed at improving FACE’s services.
  • Additional Information: Data related to any other information required for the effective administration of FACE’s services.

Furthermore, when individuals consent to be added to a Microsoft Teams group, their basic personal data (such as name, email address, and profile picture) may be shared within the Teams environment to facilitate collaboration and access to resources.

4. Lawful Basis for Processing

FACE will only process personal data when a lawful basis for doing so has been identified and documented. The lawful bases include:

  • Consent: Where the data subject has given informed consent for specific processing activities (in particular marketing communications and participation in the Microsoft Teams group); consent may be withdrawn at any time.
  • Contractual Necessity: Where processing is required for the performance of a contract or to provide the services requested by the data subject.
  • Legal Obligation: Where processing is necessary to comply with legal requirements imposed on FACE.
  • Legitimate Interests: Where processing is necessary for the legitimate interests pursued by FACE, such as conducting evaluation surveys to gather feedback for service improvements, provided that such interests are not overridden by the rights and freedoms of the data subject.

FACE shall maintain records of all processing activities along with the applicable legal basis.

5. Transparency and Information Provision

FACE is committed to providing clear and comprehensive information to data subjects regarding the processing of their personal data. This is achieved through:

  • Accessible and plain-language Privacy Notices on our website and within our membership communications;
  • Regular updates to ensure that all information remains accurate and reflects current processing practices; and
  • Detailed explanations of how and why personal data is processed, including any sharing of data through third-party platforms such as WildApricot, Microsoft Teams, payment processors, and for marketing or survey purposes.

Marketing communications are subject to separate consent, and individuals may opt in or out at any time. Evaluation or survey communications will be sent to members to gather feedback to improve FACE’s services.

6. Data Subject Rights

Data subjects have the following rights under the GDPR, which FACE is committed to facilitating:

  • Right of Access: To obtain confirmation and details regarding the personal data held about them.
  • Right to Rectification: To have any inaccurate or incomplete data corrected.
  • Right to Erasure: To request the deletion of personal data, subject to applicable legal or contractual obligations.
  • Right to Restriction of Processing: To request limitations on the processing of their personal data.
  • Right to Object: To object to the processing of personal data in certain circumstances.
  • Right to Data Portability: To receive personal data in a structured, commonly used, and machine-readable format and to transfer it to another data controller.

Requests to exercise these rights should be submitted to the Data Protection Officer using the contact details provided below.

7. Data Minimisation and Purpose Limitation

FACE shall adhere to the principles of data minimisation and purpose limitation by ensuring that:

  • Only personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is processed is collected; and
  • Personal data is processed solely for the explicit and legitimate purposes defined at the time of collection, and not further processed in a manner that is incompatible with those purposes.

8. Data Security

FACE is committed to protecting personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. To safeguard personal data, FACE implements:

  • Technical Measures: Such as encryption, secure storage systems, and strict access controls;
  • Organisational Measures: Including staff training, regular reviews of data protection practices, and internal policies that support data security.

9. Payment Information

FACE processes payment information as part of its service delivery. In relation to payment data:

  • Security Measures: Payment card data is entered into and handled by FACE’s PCI DSS-compliant third-party payment processor; FACE does not itself store card numbers. Any payment-related records FACE retains (such as transaction references, invoice details, and billing addresses) are held in encrypted storage under strict access controls.
  • Data Retention: Payment data is retained only for the period necessary to process transactions and to meet legal and financial reporting obligations. Once the retention period has expired, the data will be securely deleted or anonymised.
  • Lawful Basis: Payment processing is conducted on the basis of contractual necessity and legal obligation.
  • Transparency: Data subjects are informed via our Privacy Notice about how their payment information is handled, including any sharing with approved third-party payment processors.
  • Third-Party Agreements: FACE maintains data processing agreements with its payment service providers to ensure compliance with both PCI DSS and GDPR requirements.

10. Data Breach Management

FACE has established procedures for the prompt detection, investigation, and resolution of personal data breaches. These procedures include:

  • Immediate assessment and mitigation of any breach;
  • Notification to the relevant supervisory authority (the ICO in the UK) within 72 hours of FACE becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms;
  • Communication with affected data subjects if the breach is likely to result in a high risk to their rights and freedoms; and
  • A post-incident review to identify and implement corrective actions.

11. Data Retention

FACE will retain personal data only for as long as necessary to fulfil the purposes for which it was collected or as required by law. Data retention periods are determined based on:

  • The nature and sensitivity of the data;
  • The purposes for which the data is processed; and
  • Any applicable statutory or regulatory retention requirements.

Once personal data is no longer required, it will be securely deleted or anonymised.

12. Data Protection by Design and Default

FACE adopts a ‘data protection by design and default’ approach by:

  • Incorporating data protection considerations into the development of new systems, processes, and services;
  • Ensuring that, by default, only the minimum necessary personal data is processed; and
  • Regularly reviewing and updating our data protection measures to reflect emerging best practices and regulatory requirements.

13. Accountability and Documentation

FACE is accountable for its data processing activities and shall:

  • Maintain comprehensive records of all processing activities, including the purposes, legal bases, and retention periods;
  • Conduct and document Data Protection Impact Assessments (DPIAs) for high-risk processing activities; and
  • Regularly review and update internal policies to ensure ongoing compliance with the GDPR.

14. Third-Party Processors

FACE utilises third-party platforms to support its operations. In doing so, FACE ensures that appropriate safeguards are in place:

14.1 WildApricot

  • FACE uses WildApricot as its membership management system. WildApricot processes and stores personal data including, but not limited to, identity and contact information, membership details, and engagement records.
  • WildApricot stores data on Amazon Web Services (AWS) servers in the United States, so this data is transferred outside the UK and the EEA. WildApricot operates under a Data Processing Addendum (DPA) that incorporates Standard Contractual Clauses (SCCs) approved by the European Commission; these provide the legal safeguards for that transfer.
  • WildApricot was selected for its compliance with GDPR requirements and robust security measures.
  • FACE remains the data controller, while WildApricot acts as a data processor, handling data according to FACE’s instructions and applicable laws.

14.2 Microsoft Teams

  • As part of our community engagement and resource-sharing initiatives, FACE may invite members to join a Microsoft Teams group. By providing consent, members agree to have their basic personal data (such as name, email address, and profile picture) shared within the Teams environment.
  • This data sharing facilitates collaboration and access to resources and is governed by Microsoft’s privacy policies and terms of use. FACE advises members to review Microsoft’s policies to understand how their data is handled on that platform.

14.3 Payment Processors

Payments are securely processed using Stripe (https://stripe.com), which is PCI DSS-compliant and meets GDPR requirements.

Stripe Data Processing Details:

  • Stripe processes payment data to facilitate transactions, including card details, billing addresses, and transaction records.
  • Data is encrypted and stored securely, with limited access.
  • Stripe complies with GDPR through data processing agreements (DPA) and the implementation of Standard Contractual Clauses (SCCs) for any data transfers outside the UK or EEA.
  • Further details can be found in Stripe’s Privacy Policy: https://stripe.com/privacy.

FACE does not store payment details directly; all transactions are handled via Stripe’s secure platform.

14.4 Financial System – QuickBooks

FACE uses QuickBooks for financial record-keeping and transaction management. This system processes and stores personal data related to financial activities in compliance with GDPR and UK data protection laws.

  • Purpose: QuickBooks is used for financial administration, invoicing, and tax compliance.
  • Data Processed: Personal details such as name, organisation, billing address, invoice details, and payment records.
  • Legal Basis: Processing is conducted under Legal Obligation (for tax/reporting) and Contractual Necessity (for transactions).
  • Data Security: QuickBooks implements encryption, access controls, and secure storage to protect financial data.
  • Data Transfers: QuickBooks may process data on servers outside the UK/EU under GDPR-compliant mechanisms such as Standard Contractual Clauses (SCCs).
  • Retention: Financial records are retained for 6 years post-transaction in line with UK tax regulations.
  • Subject Rights: Individuals can request copies of financial records, rectifications, or raise concerns about data processing.

15. Marketing Communications and Evaluation Surveys

FACE may send marketing communications and conduct evaluation surveys as part of our ongoing efforts to engage with members and improve our services:

  • Marketing Communications:
    • Individuals may opt in to receive marketing communications (e.g. newsletters, event updates, promotional materials).
    • Consent for marketing communications is obtained separately, and recipients may withdraw their consent at any time without affecting their membership.
  • Evaluation Surveys:
    • FACE may contact all members with evaluations or surveys designed to gather feedback and insight to enhance our services.
    • Participation in such surveys is voluntary, and responses will be used solely for the purpose of service improvement.

FACE ensures that both types of communications are managed in accordance with the GDPR and that data is processed on the basis of consent (for marketing) or legitimate interests (for evaluations), where applicable.

16. Data Protection Impact Assessments (DPIAs)

FACE shall conduct DPIAs for any processing activity that is likely to result in a high risk to the rights and freedoms of data subjects. DPIAs will:

  • Identify potential risks associated with the processing activity;
  • Evaluate the necessity and proportionality of the processing; and
  • Recommend appropriate measures to mitigate identified risks.

17. International Data Transfers

In the event that personal data is transferred outside the United Kingdom or the European Economic Area (EEA), FACE will ensure that:

  • Adequate safeguards are in place (e.g., standard contractual clauses or other recognised transfer mechanisms); and
  • Data transfers are documented and compliant with the GDPR requirements.

18. Staff Training and Awareness

FACE recognises that informed and vigilant staff are essential to data protection. Accordingly:

  • All staff and volunteers will receive regular training on GDPR requirements and data protection best practices;
  • New personnel will be provided with induction training on data protection; and
  • Continuous updates and refresher courses will be provided to ensure ongoing compliance.

19. Policy Review and Amendments

This Data Protection Policy shall be reviewed annually or in response to significant changes in data processing activities or legislative requirements. Any amendments will be approved by the appropriate governance bodies and communicated to all relevant parties.

20. Contact Information

For any queries regarding this Policy or to exercise your rights under the GDPR, please contact our Data Protection Officer (DPO) at:

21. Conclusion

FACE is dedicated to maintaining the highest standards of data protection and ensuring full compliance with the GDPR. This Policy reflects our commitment to safeguarding the personal data of our members, donors, and stakeholders while utilising platforms such as WildApricot, Microsoft Teams, and secure payment processors to deliver our services effectively. Furthermore, by managing marketing communications and evaluation surveys in a transparent and consent-based manner, FACE continues to engage with its community in an accountable and secure way.


© Forum for Access and Continuing Education 2025 | All rights reserved 

A charity registered in England and Wales. No 289413

ARU Peterborough

University House

Bishops Road

Peterborough

PE1 5BW


https://face.ac.uk/