About this policy
This policy was last updated on 20 September 2021.
Who we are
The BMA is the controller in relation to the processing activities described below. This means we decide why and how your personal information is processed. Our registered office is BMA House, Tavistock Square, London, WC1H 9JP.
If you have any queries relating to how we use your information, please contact our Data Protection Officer (DPO):
Name: Joel Henderson
Address: BMA House, Tavistock Square, London, WC1H 9JP
Email: [email protected]
Tel number: 020 3058 7415
How we collect your personal data
When you use our website, our products or services, interact with us online or by phone, email or otherwise, the categories of information that we collect about you are as follows:
You may give us your identity, contact and financial data and sensitive personal information (now called special category personal data) by filling in forms or by corresponding with the BMA by post, phone, email or otherwise. We may ask you to provide us with special category personal information such as your ethnic origin, details of any disabilities, your religion or belief and your sexual orientation.
If you are a member of the BMA, the fact of your membership is itself special category personal information, as trade union membership is included in the definition in the legislation. We will not share details of your membership of the BMA with third parties to use for their own purposes without your consent. We have additional obligations to treat special category personal information with appropriate care, taking into account the nature of that information.
We will also anonymise special category personal data in order to gather statistics and assess the demographics of our membership.
This includes, for example, personal data you provide when you:
- apply to join the BMA
- create an account on our website
- subscribe to our services or publications
- request marketing to be sent to you
- use our social media, eg Facebook, LinkedIn or Twitter
- enter a competition, promotion or survey
- give us feedback.
Cookies and similar technologies
Personal information we may receive from other sources
We may receive personal data about you from various sources such as:
- General Medical Council (GMC) data, such as status as a registered doctor from the GMC register
- technical data from analytics providers such as Google based outside the EU
- contact, financial, credit and transaction data from providers of technical, payment and delivery services
- identity and contact data from data brokers or aggregators
- identity and contact data from publicly available sources such as Companies House.
The BMA has a number of ‘affinity partners’ with whom we have an agreement to offer discounted, preferential or tailored products and services (such as independent financial advice) to BMA members. These benefits are advertised to our members through the BMA’s marketing communications. To qualify for these benefits, the member must state their BMA ID or GMC number when buying a product or service on the affinity partner’s website. Their name, BMA ID and GMC number is then verified using an online verification tool provided by us.
The affinity partner will provide personal data back to the BMA so that we can monitor take-up of products and services, and understand which offers are of interest to which of our members. The BMA needs to process this data in order to continue to provide useful and relevant services, and to instruct our partners on how to keep on improving them.
The data we collect about you
Personal data, or personal information, means any information about an individual from which they can be identified. It does not include data where the identity has been removed (anonymous data). We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- identity data – includes first name, maiden name, last name, BMA ID (membership number), GMC number, title, date of birth, gender, and photos where you have agreed to this, such as when attending a conference
- contact data – includes postal and billing address, email address, telephone number
- financial data – includes bank account and payment details
- transaction data – includes details about payments to and from you, and details of products and services you have purchased and used from us
- technical data – includes internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website
- profile data – includes your BMA ID and password, preferences, feedback, survey responses and opinions
- usage data – includes information about how you use our website, member benefits, products and services, attendance at events or conferences
- marketing and communications data – includes your preferences in receiving marketing and membership communications from us
- membership data – includes membership subscription, BMA ID, employment status (employed, not employed, self-employed etc), professional categories (branches of practice, grades and specialties) along with workplace(s), employer(s), start and end date
- GMC data – includes licensing registration status and dates, GMC number, qualification country, GP and/or specialist register dates
- case related data – includes information you give us about an employment or pensions related enquiry for which you seek our support and assistance.
If you fail to provide personal data
If you do not provide us with certain personal information (for example, if you do not provide personal information that is mandatory on the membership enquiry form/‘contact us’ page), we might not be able to provide certain services to you as we process your application.
Data anonymisation and use of aggregated information
The information you give us is confidential and protected by law. The confidentiality of personal information is a priority for the BMA. Your information may be converted into statistical or aggregated data in such a way as to ensure you are not identified or identifiable from it. Aggregated data cannot be linked back to you as a natural person. We may use this data for analytical and research purposes.
How we use your personal data
We use your personal data for several different purposes. We must have a ‘lawful basis’ (i.e. a reason prescribed by law) for processing your personal data. The table below sets out the purposes for which we process the different categories of your personal data, and the corresponding lawful basis for it. Most commonly, we use your personal data in these circumstances:
- where we need to perform the contract we are about to enter into or have entered into with you
- where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests
- where we need to comply with a legal or regulatory obligation
- where it is for our legitimate activities as a trade union and professional body, for instance when you contact the BMA for advice on an employment issue or take part in our trade union activities.
You have the right to unsubscribe from marketing at any time by contacting us: [email protected]
For some processing activities, more than one lawful basis may be relevant depending on the circumstances. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground is stated in the table below.
|Purpose / Activity||Legal basis for processing|
|Membership administration such as: registering you as a BMA member; processing your membership including: (a) managing payments, fees and charges (b) collecting and recovering money owed to us holding your data on our membership database; management and statistical analysis of our membership; confirming your identity when you contact us; contacting you about your membership||(a) Performance of a contract with you (b) In our legitimate interests (c) In the course of our legitimate activities as trade union and professional body|
|Trade union activities such as ballots, elections and campaigns to comply with our legal obligations||(a) To comply with our legal obligations (b) In our legitimate interests (c) In the course of our legitimate activities as trade union and professional body|
|Sharing your personal data within the BMA||Some of your personal data will be available to BMA's staff, committee members and elected officials and others formally instructed by BMA for the purposes of carrying out our legitimate activities as a trade union and professional body.|
|Collective and individual member representation||(a) In our legitimate interests (b) In the course of our legitimate activities as trade union and professional body|
|Employment advice, support and representation||(a) Performance of a contract with you (b) In our legitimate interests (c) In the course of our legitimate activities as trade union and professional body|
|Where we refer a member's case to external lawyers||(a) In our legitimate interests (b) For the establishment, exercise or defence of legal claims|
|Provision of member benefits (via our business partners) such as independent financial advice, insurance, legal and tax advice and learning and development. Verification of member's name, BMA ID and GMC number||(a) Performance of a contract with you (b) In our legitimate interests (c) In the course of our legitimate activities as trade union and professional body|
|To provide you with information and services that you request from us||(a) In our legitimate interests (b) in the course of our legitimate activities - to respond to your queries and provide any information requested in order to generate and develop business. To ensure we offer a good and responsive service, we consider this use to be proportionate and will not be prejudicial or detrimental to you.|
|To send you alerts, newsletters, bulletins, announcements, and other communications concerning the BMA or which we believe may be of interest to you||(a) In our legitimate interests (b) in the course of our legitimate activities to market our services. We consider this use to be proportionate and will not be prejudicial or detrimental to you. You can always opt-out of receiving direct marketing-related email communications or text messages by following the unsubscribe link.|
|To invite you to events, conferences or other functions we believe may be of interest to you.||(a) In our legitimate interests (b) in the course of our legitimate activities to market our services. We consider this use to be proportionate and will not be prejudicial or detrimental to you. You can always opt-out of receiving direct marketing-related email communications or text messages by following the unsubscribe link.|
|To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)||(a) In our legitimate interests (b) in the course of our legitimate activities (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (c) To comply with a legal obligation|
|To deliver relevant website content including social tools (such as BMA blogs) and measure or understand the effectiveness of the work we do||(a) In our legitimate interests and (b) in the course of our legitimate activities (to study how members use our products / services, to develop them, to grow our business and to inform our marketing strategy)|
|To use data analytics to improve our website, products/services, marketing, member relationships and experiences||(a) In our legitimate interests and (b) in the course of our legitimate activities (to define types of members for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)|
|To make suggestions and recommendations to you about products or services that may be of interest to you||(a) In our legitimate interests (b) in the course of our legitimate activities (to develop our products / services and grow our business)|
We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising.
Promotional offers from us
We may use your identity, contact, technical, usage and profile data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing). You will receive marketing communications from us if you have requested information from us or purchased products or services from us and, in each case, you have not opted out of receiving that marketing.
We will not share your data outside the BMA group of companies for marketing purposes without your consent.
You can ask us to stop sending you marketing messages at any time by logging into the website and unchecking the boxes to adjust your marketing preferences, by following the opt-out links on any marketing message sent to you, or by contacting us at [email protected]. Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of you becoming a member, a product/service purchase, product/service experience or other transactions.
Others who may receive or have access to your personal data
We may have to share your personal data with other companies in the BMA Group acting as controllers, joint controllers or processors who are a part of providing our products and services (such as the BMJ). We may also share your personal data with:
- external service providers acting as processors who assist in the operation of our organisation and in the provision of services such as IT, system administration and support services, data storage, hosting and back-up services, back-office functions, mailing houses, call centre services (FPC) and trade union administration
- affinity partners and other business partners acting as processors, joint controllers or controllers in their own right who provide some of our member benefits
- professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services
- HM Revenue & Customs, regulators (such as the ICO) and other authorities acting as processors or joint controllers based in the United Kingdom who require reporting of processing activities in certain circumstances
- market research and survey providers acting as processors who help to develop and improve our services.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law.
We do not allow our third-party data processors and service providers to use your personal data (which we have shared with them) for their own purposes, and only permit them to process such personal data for specified purposes and in accordance with our instructions.
Please note, if you purchase a product or service (as a member benefit) from our affinity partners or other business partners you will become a client of theirs and will have a direct relationship with them. This means they will be a ‘controller’ and be responsible for the personal data they collect from you and for informing you of their use of your personal data, and they have their own responsibilities to comply with applicable data protection laws.
Where your personal data is transferred to
We will sometimes need to transfer your personal data outside the European Union or the United Kingdom. If we transfer your personal data outside of the European Union or the United Kingdom we will take steps to ensure appropriate security measures are followed, to ensure your privacy rights continue to be protected as outlined in this policy. These steps include imposing contractual obligations on the recipient of your personal information or ensuring the recipients are subscribe to international frameworks that aim to ensure adequate protection. Please contact us using the details at the end of this policy for more information about the protections we put in place.
How we keep your personal data secure
We have put in place appropriate security measures to prevent your personal data from unlawful or unauthorised processing and accidental loss, destruction or damage. However, please note that in relation to any personal data you submit to us online, we cannot guarantee the security of information transmitted over the internet or that unauthorised persons will not obtain access to personal data. Where we collect any special category personal information about your ethnic background, sexual orientation, political opinions, religion, trade union membership, or criminal record, we will apply additional security controls to protect that data.
Where we have given (or where you have chosen) a password which enables you to access an account, you are responsible for keeping that password confidential. We ask you not to share your password with anyone.
We have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
How long we will use your personal data for
We keep personal data for as long as necessary to ensure we can deliver our services in line with our retention policy. This policy reflects legal requirements, our regulatory and compliance functions, and other applicable considerations to determine the appropriate retention period. We do not retain personal data in any identifiable form for longer than is necessary.
Your privacy rights and how you can exercise them
You have a number of rights in relation to your personal information under data protection law. In relation to certain rights, we may ask you for information to confirm your identity and, where applicable, to help us to search for your personal information.
Except in rare cases where additional time may be required, we will respond to you within one month from either
(i) the date that we have confirmed your identity, or
(ii) where we do not need to confirm your identity because we already have this information, from the date we received your request.
Accessing your personal information
Under data protection laws you have a legal right to ask to see a copy of the personal information we hold about you. Such requests are called subject access requests (SARs). If you would like to make a subject access request, please contact [email protected]. You will also need to provide one form of identification and proof of your address, eg staff pass, driving licence, utility bill, and if appropriate, any particulars about the source or location of the information you are requesting. Further information about subject access requests can be found on the Information Commissioner’s website: ico.org.uk
We may not provide you with a copy of your personal information if this concerns other individuals or if we have another lawful reason to withhold that information.
Correcting and updating your personal information
The accuracy of your information is important to us and we are working on ways to make it easier for you to review and correct the information we hold about you. In the meantime, if you change your name, address or email address, or you discover that any of the other information we hold is inaccurate or out of date, please let us know by contacting us at [email protected].
Withdrawing your consent
Where we rely on your consent as the legal basis for processing your personal information, as set out under the section 'How we use your personal data' on how we use your personal information, you may withdraw your consent at any time by contacting us at [email protected].
If you would like to withdraw your consent or object to receiving direct marketing to which you previously opted in, you can do so using the unsubscribe link in that communication (if it is an email), by writing to us at [email protected] or using the contact details at bma.org.uk/contact. If you withdraw your consent, our use of your personal information before you withdraw is still lawful.
Objecting to our use of your personal information and automated decisions made about you
For any purpose(s) where we rely on our legitimate business interests as the legal basis for processing your personal information, as outlined in the section 'How we use your personal data' on how we use your personal information, you may object by emailing or writing to us at the address at the end of this policy.
Except for the purposes for which we are sure we can continue to process your personal information, we will temporarily stop processing your personal information in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights under data protection laws, we will permanently stop using your data for those purposes. Otherwise we will provide you with our justification for why we need to continue using your data.
You may object to us using your personal information for direct marketing purposes and we will automatically comply with your request. If you would like to do so, please email or write to us at the address at the end of this policy.
Erasing your personal information or restricting its processing
In certain circumstances, you may ask for your personal information to be removed from our systems by emailing or writing to us at [email protected]. Unless there is a reason that the law allows us to use your personal information for longer, we will make reasonable efforts to comply with your request.
You may also ask us to restrict processing your personal information where you believe it is unlawful for us to do so, you have objected to its use and our investigation is pending, or you require us to keep it in connection with legal proceedings. In these situations we may only process your personal information whilst its processing is restricted if we have your consent or are legally permitted to do so; for example, for storage purposes, to protect the rights of another individual or company, or in connection with legal proceedings.
Transferring your personal information in a structured data file (‘data portability’)
Where we rely on your consent as the legal basis for processing your personal information, or need to process it in connection with a contract we've entered into with you (as set out in the section 'How we use your personal data' on how we use your personal information), you may ask us for a copy of that information in a structured data file. We will provide this to you electronically in a structured, commonly used and machine-readable form, such as a CSV file.
You can ask us to send your personal information directly to another service provider, and we will do so if this is technically possible. We may not provide you with a copy of your personal information if this concerns other individuals or we have another lawful reason to withhold that information.
If you wish to exercise any of the rights set out above, please contact:
Records Officer, Technology Services Department, BMA House, Tavistock Square, London, WC1H 9JP. Email: [email protected]
If you are not satisfied with our response or believe we are processing your personal information in a way that is not in accordance with the law, you have the right to lodge a complaint with the supervisory authority in the UK responsible for the implementation and enforcement of data protection law, the Information Commissioner’s Office (the ICO).
You can contact the ICO via their website, ico.org.uk/concerns - or by calling their helpline – 0303 123 1113 – or write to them at ICO, Wycliffe House, Water Lane, Cheshire SK9 5AF.
Changes to this policy
We may review this policy from time to time and any changes will be notified by posting an updated version on our website. We recommend you regularly check for changes and review this policy whenever you visit our website. If you do not agree with any aspect of the updated policy, you must immediately notify us and cease using our services.
Please direct any queries about this policy or about the way we process your personal information to our DPO, Joel Henderson, located at BMA House, Tavistock Square, London, WC1H 9JP, email: [email protected] or phone: 020 3058 7415.