Thank you to all institute council members who recently submitted questions relating to GDPR for our September Rep Council meeting.
These questions were answered by the CIIs In-House Counsel Ursula Burke who works as part of the Professional Standards team.
Why can we no longer communicate our events to neighbouring institutes?
All members have consented to receive marketing from a single institute. Sending communication about neighbouring institutes is unsolicited marketing.
Why do we need to go through the RMM team to promote our events to other institutes?
The RMMs are responsible for all membership and for that reason they can promote events to all members. This is a work around to the point raised in question one.
Why do local institutes have to register with the Information Commissioner; what are the implications for the individuals within each local institute as a result?
It is not clear cut whether local institutes must register or fall under the exemption. Our advice is that, given the low cost (£40) it is better to register just to be on the safe side. The ICO is unlikely to take much of an interest, but if an institute decides not to register, the reason for not doing so should be documented.
Has the CII contacted the Information Commissioner about the local institute network?
There is no need to do that.
Our Ed Secretary has received a letter from the CII regarding exam results. They view that as the result is attributed to an individual it is classed as personal data, unless consent is provided, the CII will be unable to release the data to us. This will make holding this event in the future difficult. There was a discussion around this and agreed that we should consider asking a GDPR / Data Protection expert for their opinion.
This letter was sent without our knowledge and the information is not correct. The exam report issued by DRD every six months contains no personal data, it only gives the number of passes/failures per unit, therefore it is already GDPR compliant.
In relation to award/prize giving events, this is a bespoke request based on an institute’s specific criteria and we only provide the names of the top 3 to 5 members that may qualify for an award. No additional consent is required in relation to this.
Please note earlier this year we developed an FAQ document for the local institute network around GDPR which can also be downloaded below.