Privacy Policy

This combined GDPR and privacy policy sets out how The Association for Science Education (ASE) uses and protects any information that you share with ASE.

ASE Combined Data Protection and Privacy Policy

Introduction

This Combined Data Protection and Privacy Policy sets out how The Association for Science Education (ASE), a registered charity (number 313123, OSCR SC042473 and RC000805), manages personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

It explains the principles ASE adheres to when processing personal data, how it collects and uses data through its website and services, the rights of individuals, and the safeguards in place to protect personal information.

This policy applies to all personal data ASE processes, whether collected through our website, through third-party sites (e.g. for event bookings), or captured during face-to-face meetings or events.

The systems we use will be reviewed at least annually.

The Data Use and Access Act 2025 (DUAA) (https://ico.org.uk/about-the-ico/what-we-do/legislation-we-cover/data-us...) is coming into effect between June 2025 and June 2026. This does not replace previous legislation, but updates some digital information laws. It is expected that these changes will make some aspects of ASE’s work more streamlined, for example allowing us, as a charity, to ‘soft opt in’ contacts who express an interest in our work, and to collect statistical information about website visitors without seeking ‘cookie opt in’ consent. We will be monitoring these changes as they are rolled out and the detailed guidance is made available, and will make appropriate updates to this policy.

1. Definitions

  • ASE: The Association for Science Education.
  • Data: Information which relates to an identified or identifiable individual.
  • Data Controller: ASE determines the purposes and means of processing personal data.
  • Responsible Person: The CEO, who is accountable for ASE’s data protection compliance.
  • Lawful Basis: The legal justification for processing personal data (e.g. consent, contract, legal obligation).
  • Personal Data: Any information relating to an identified or identifiable individual.

2. Our Data Protection Principles

ASE adheres to the seven key data protection principles:

  1. Lawfulness, Fairness, and Transparency
  2. Purpose Limitation
  3. Data Minimisation
  4. Accuracy
  5. Storage Limitation
  6. Integrity and Confidentiality (Security)
  7. Accountability

3. Your Data Rights

Under the UK GDPR, you have the right to:

  • Access your personal data
  • Request correction of inaccurate data
  • Request erasure of data ("right to be forgotten")
  • Restrict processing in certain circumstances
  • Object to certain processing (e.g. marketing)
  • Request data portability
  • Withdraw consent (where applicable)
  • Lodge a complaint with the ICO

You can exercise your rights by contacting info@ase.org.uk. Requests for access to personal data will be dealt with within one month, using ICO guidance. You can also opt out of receiving update emails from the ASE using the unsubscribe link within our emails (please note that we will still be required to send emails relating to your membership with us or any event registrations).

4. What Data We Collect

ASE may collect the following personal information:

  • Name and title
  • Contact information (email, phone, postal address)
  • Professional role, employer, and sector
  • Membership details
  • Interests and communication preferences
  • Survey responses and competition entries
  • Financial information (if paying for membership / events). Please note that credit card details are not stored by ASE; these details are passed directly to our payment provider using encryption.
  • Technical information (IP address, browser type, etc.) via analytics tools (e.g., Google Analytics)
  • DEI data: diversity and inclusion data (e.g. gender, ethnicity, disability status), collected on a voluntary basis for monitoring purposes, to help us understand how we are doing in this area and to improve our membership services and representation. This data is anonymised and used in aggregate wherever possible.

In adherence with the principle of data minimisation, we will ensure that personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

We rely on the information you provide to ensure our records are accurate and up to date. You can help us by letting us know if your details change. If you believe any of the information we hold about you is incorrect or outdated, please contact us and we will promptly correct or update it.

5. How We Use Your Data

We collect and use personal data for the following purposes:

  • Managing membership and delivering services such as journal subscriptions
  • Processing payments and subscriptions
  • Communicating updates, events, resources, or promotional offers
  • Administering CPD, training, and events
  • Maintaining internal records and compliance
  • Operating and improving our website
  • Conducting research and surveys

We will not sell, lease or disclose your personal data to third parties unless required by law or with your explicit permission. When you first register for membership or an event with us, you have the option to opt in, if you are happy for your details to be shared with trusted third parties. You can opt out of communications from third parties at any time.

6. Lawful Bases for Processing

ASE processes personal data under the following lawful bases:

  • Consent: For example, when signing up to newsletters or events. The option for individuals to revoke consent is given clearly within our communications. Individuals can contact info@ase.org.uk to withdraw consent at any time.
  • Contract: To fulfil membership obligations or event registration.
  • Legal Obligation: For tax or reporting requirements.
  • Legitimate Interest: To deliver member benefits or improve our services (balanced with your rights).

We document these bases in our internal register of systems which is contained in our ASE Register of Systems and Disposal and Retention Policy. If the purpose of holding information changes, new consent will be obtained. ASE will undertake Data Protection Impact Assessments if we undertake changes to our existing data processing systems which are likely to result in a high risk to the rights and freedoms of individuals.

7. Data Retention

ASE retains personal data only as long as necessary for the purpose for which it was collected. Our retention schedule includes:

  • Membership records: 6 years after last activity
  • CPD attendance: 6 years after event
  • Website registration: Active until account closure
  • HR records: As per legal requirements
  • Financial Information: As per legal requirements

Data is regularly reviewed and anonymised or deleted where appropriate.

8. Data Security

We implement appropriate technical and organisational measures to safeguard personal data. The level of security takes into account the assessed risks to the data and ASE’s size:

  • Secure access controls
  • Regular backups and encryption where necessary
  • Internal access limited to trained personnel
  • Safe deletion practices

We ensure third-party processors (which include our IT providers and mailing houses) meet our security standards.

9. Website Cookies and Analytics

Our website uses cookies to ensure secure access, improve user experience, and help us understand how our site is used.

Essential / Security Cookies

  • ADMIN – The admin cookie is used to hold security information about the user currently logged in to the administration site. The username is held in plaintext but is hashed using a session hash value. When the session is closed the hash value is no longer valid.
  • ASPFIXATION – The ASP Fixation cookie is a security mechanism to prevent the browser session being hijacked from the logged-in user. The cookie holds a randomly generated string that changes upon user login.
  • TYPE & VERSION – The type and destination cookie stores redirect information to allow the user to return to the page originally requested where user validation is required. The whitelist function ensures the site does not redirect outside permitted boundaries. The information in this cookie is stored in clear text.

Functionality Cookies

  • REMEMBER ME – The remember me cookie allows returning users to be automatically authenticated to the website.
  • LASTLOGIN – This cookie is used to maintain the user experience if the session times out. It contains a user reference with date of last session to be compared against current user information.

Analytics Cookies

  • Google Analytics cookies – These are used to collect information about how visitors use our website, helping us to improve site content and performance.

You can manage cookie preferences in your browser settings. Refusing cookies may affect site functionality.

10. Data Processors and Third Parties

Where ASE uses third-party services to process data (e.g., payment providers, IT platforms, mailing houses for our journals), we ensure contracts are in place to require GDPR compliance.

11. Data Breaches

In the event of a breach, ASE will assess the risk and notify the ICO and affected individuals where required. Staff must report any suspected breaches to the CEO immediately. In the absence of the CEO, data breaches should be reported to the Director of Communications. Staff training on data protection forms part of new staff onboarding and annual mandatory training.

12. Children’s Data

ASE services target professional adults. We do not collect children's data as part of our routine business. If there is a future need for collection of children's data, a Data Protection Impact Assessment would be completed to ensure that this is done with appropriate consent and safeguards.

13. Policy Review and Updates

This policy will be reviewed biennially or in response to changes in legislation, guidance, or ASE operations. The current version is published on our website.

Contact Information

For any data protection queries, please contact:
Email: info@ase.org.uk
Phone: 01707 283000
Post: ASE, 483 Green Lanes, London, N13 4BS 

Created: August 2025

Combined Privacy and GDPR policies, aligned with latest guidance and best practice. Aligned with Register of Systems and Retention and Disposal Policy.

Next due for update: July 2027