1. Who are we?
In this policy, whenever you see the words ‘we’, ‘us’, ‘our’, ‘PHES’, it refers to Professional HE Services Limited, a company limited by guarantee registered in England 08080702.
PHES is an umbrella company for membership organisations in Higher Education. Currently PHES is the corporate “parent” of five Special Interest Organisations (SIOs); the Association of University Directors of Estates (AUDE), the British Universities Finance Directors Group (BUFDG), the Council of Higher Education Internal Auditors (CHEIA), the Higher Education Strategic Planners Association (HESPA) and Universities Human Resources (UHR). BUFDG also includes the Higher Education Procurement Association (HEPA), although HEPA is not an SIO of the company.
2. What personal data we collect and how we use it?
What we need
We collect your name, job title, institution, contact details, photo and other profile related data if you are a member or customer. If you are booking onto an event, we may ask you for any special dietary or access requirements.
Why we need it
We collect your personal data to provide the best possible membership service to our member institutions, and to support the HE sector. If you choose to withhold requested information, we may not be able to provide you with certain services.
We will also hold information about you so that we can respect your preferences for being contacted by us.
We may combine data from our database, your interest areas (that you have told us about) and your browsing habits to the make our communications relevant to you.
You can of course change your contact preferences by visiting the MYCHEIA page on this site.
Any special dietary or access requirements are only used to provide you with the best experience at an event or meeting.
When do we collect your personal data?
We collect your personal information in a number of ways:
- When you provide it to us directly
- When you provide permission to other organisations to share it with us
- When we collect it as you use our websites or apps
- When you have given it to a third party and you have provided permission to pass your information on to us
- From publicly available sources (where possible) to keep your information up to date
3. What lawful bases will we use to process the data?
Under the new data protection law starting in May 2018 we have a number of lawful reasons that we can process your personal information. One of those lawful bases is Legitimate Interests, which means:
‘we can process your personal information if we have a genuine and legitimate reason and we are not harming any of your rights and interests’
This means when you provide your personal details to us, we use your information for our legitimate business interests to carry out our work supporting our members and the HE sector. Before doing this, though, we will also carefully consider and balance any potential impact on you and your rights.
Sometimes, with your consent, we will process your personal data to provide you with information about our work or our activities that you have requested or are expecting. You can control your interests and preferences from the MYSITE section of this website.
On other occasions, we may process personal data when we need to do this to fulfil a contract (for example, if you have booked a ticket from our website) or where we are required to do this by law or other regulations.
4. How do we protect your personal data?
Information system and data security is extremely important to us, to ensure that we are keeping our members, customers and employees safe. We will treat your data with the utmost care and take all appropriate steps to protect it.
By using strong encryption when your information is stored or in transit we minimise the risk of unauthorised access or disclosure; when entering information on our website, you can check this by right clicking on the padlock icon in the address bar.
We undertake regular reviews of who has access to information that we hold to ensure that your information is only accessible by appropriately trained staff.
Our staff complete mandatory data protection training on employment and annually thereafter to reinforce responsibilities and requirements set out in our information security policies.
We sometimes use external companies to collect or process personal data on our behalf. We do comprehensive checks on these companies before we work with them and put an agreement in place that sets out our expectations and requirements, especially regarding how they manage the personal data they have collected or have access to.
Some of our suppliers run their operations outside the European Economic Area (EEA). Although they may not be subject to same data protection laws as companies based in the UK, we will take steps to make sure they provide an adequate level of protection in accordance with UK data protection law. By submitting your personal information to us you agree to this transfer, storing or processing at a location outside the EEA.
We may need to disclose your details if required to the police, regulatory bodies or legal advisors.
We will only ever share your data in other circumstances if we have your explicit and informed consent.
5. How long will we keep your personal data?
Whenever we collect or process your personal data, we’ll only keep it for as long as is necessary for the purpose for which it was collected.
At the end of that retention period, your data will either be deleted completely or anonymised, for example by aggregation with other data so that it can be used in a non-identifiable way for statistical analysis and business planning.
If decide you no longer wish to be a member, we will keep some basic information in order to avoid sending you unwanted materials in the future and to ensure that we don’t accidentally duplicate information.
We will update your personal data such as job title, institution and contact details when you tell us they have changed, when we receive an automated email from you or when we find out from another source.
6. Who do we share your personal data with?
Where we use an external service provider to act on our behalf, we will disclose only the personal information necessary to deliver the service and will have an agreement in place that requires the provider to comply with our data protection and information security requirements.
We do not sell or share your personal information for other organisations to use.
7. How do we handle your direct debit or credit card information?
PHES uses external Payment Card Industry (PCI) compliant providers to collect this data on our behalf. We do not store PCI data on our own systems.
9. What are your rights
A new data protection law, starting in May 2018, gives everyone a number of very important rights. These are:
- Transparency over how we use your personal information (right to be informed).
- Request a copy of the information we hold about you, which will be provided to you within one month (right of access).
- Update or amend the information we hold about you if it is wrong (right of rectification).
- Ask us to stop using your information (right to restrict processing).
- Ask us to remove your personal information from our records (right to be 'forgotten').
- Object to the processing of your information for marketing purposes (right to object).
- Obtain and reuse your personal data for your own purposes (right to data portability).
- Not be subject to a decision when it is based on automated processing (automated decision making and profiling).
If you would like to know more about your rights under the data protection law, see the Information Commissioners Office website.
Remember, you can change the way you hear from us by using our MYCHEIA pages on this website.
11. How to contact us
Professional HE Services Ltd
3 Holywell Drive
If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law you can complain to the Information Commissioner’s Office (ICO).
This policy was last updated on 22nd May 2018.