Privacy notice
This privacy notice lets you know what happens to your personal data when you give it to the Institution of Occupational Safety and Health (IOSH). It contains important information about your privacy rights and how we collect and use your personal data, so please read it carefully.
Who we are
The Institution of Occupational Safety and Health (IOSH) is a not-for-profit organisation and Registered Charity (No. 1096790 in England & Wales and Scotland SC043254).
References to “IOSH”, “we”, “us” and “our” refer to IOSH.
For the purposes of the relevant data protection legislation, the “data controller” is the Institution of Occupational Safety and Health of The Grange, Highfield Drive, Wigston, Leicestershire LE18 1NN.
What types of personal data do we process?
We collect, use and are responsible for certain personal data about you. When we do so, we are subject to the Data Protection Act 2018 and UK General Data Protection Regulation (data protection laws).
The exact nature of the personal data we may process (in other words, collect and use) about you will depend on which aspect of our work you relate to. Personal data that we may process in connection with our work could, where relevant, include:
- personal and contact details – for example, title, full name, job title, e-mail address, telephone number, company details
- your date of birth
- gender
- your ethnicity
- your nationality
- photographs and videos of you, for example, taken at our events
- financial data, including bank account and payment card details
- transaction data, which comprises details about payments to and from you and other details of services you have purchased from us
- technical data, which comprises your IP address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the device(s) you use to access our website
- profile data, which comprises your username and password, your interests, preferences, feedback, and survey responses
- usage data, which comprises information about how you use our website or services
- marketing and communications data, which comprises your preferences in receiving marketing from us and third parties, and your communication preferences
- criminal convictions, including personal data relating to criminal convictions and offences, including personal data relating to criminal allegations and proceedings.
We do not collect any “special categories” of personal data about children.
We also do not use any automated decision-making processes.
Certain categories of personal data are treated as a special category (for example, information about your ethnicity and criminal convictions) to which additional protections apply under data protection laws.
We will only process these special categories of personal data if there is a valid reason for doing so and where data protection laws allow us to do so.
How is your personal data collected?
We may collect information on you from the following sources.
- Information that you provide to us directly.
- When you sign up for a membership. We collect information you give to us during the registration process for joining as a member, in the process of managing your membership account or your organisation’s account.
- Where you contact our customer service team by telephone or email.
- Where you contact us to request information about our services.
- Where you complete and submit forms on our website or non-IOSH-owned event registration platforms.
- Where you communicate with us in any way.
- You may be asked whether you have any unspent criminal convictions as part of your application to become a member. We will hold any information you give us relating to unspent criminal convictions until your application is determined.
- From information generated when you use our advice, research, products and services.
- Online or practical safety training assessments, including the feedback and analysis of your tutor(s), instructor(s) or examination bodies (if needed for the provision of a product or service).
- Video assessments, including feedback as carried out by our examination, qualifications, certification and official awards bodies (if needed for the provision of a product or service).
- from our partners or service providers
- technical data from analytics providers, advertising networks and search information providers
- contact details, financial and transaction data is collected from providers of technical, payment and delivery services
- names and contact details from publicly available sources such as Companies House.
Information that we collect automatically and use of cookies
When you visit our website(s), we may collect technical information such as your IP address. We also collect and use personal data via cookies – please see our cookies policy.
Information that we may collect from third parties
We will, from time to time, receive personal data about you from various third parties and public sources, including:
We use your personal data for the purposes specified in this notice, including:
- providing advice, guidance, consultancy, assessment, awards, qualifications, training, products and membership services
- for the purpose of IOSH membership registration when you enrol on a qualification
- updating your records
- to provide assessment and examination results for qualifications certification
- to carry out and/or test the performance of our products, services and internal processes
- to improve the operation of our organisation and that of our partners
- to follow guidance or comply with governmental and regulatory bodies
- for management and auditing of our operations, including accounting
- to monitor and to keep records of our communications with you and our staff
- for research and analysis and developing statistics to understand our membership database, how you interact with us, so we can make your experience better and more intuitive
- for marketing communications to help us offer you relevant membership advice, training products and services that we think may be of interest to you
- for the purposes of an event which you sign up to attend
- for publicity, for example, we may use a photograph or video of you attending one of our awards ceremonies
- to develop or improve our advice, membership offering, products and services
- to administer memberships, including processing membership fees and member benefits
- to administer our website(s) iosh.com and iosh.co.uk and associated domains
- for training and quality control
- for the establishment, defence and/or enforcement of legal claims.
Other purposes
We will only use your personal data for the purposes for which we collected it, unless we consider that we need to use it for another lawful reason and that reason is compatible with the original purpose. If you require an explanation of why we are using your personal data or the legal basis on which we are using it, please contact us. If we need to use your personal data for an unrelated purpose, we will notify you and explain the legal basis that allows us to do so. Please note that we may process your personal data without your knowledge or consent where this is required or permitted by law.
Marketing
You will receive marketing communications from us from time to time.
We may also analyse your personal data to form a view of which products, services and offers may be of interest to you, so that we can then send you relevant marketing communications.
You can ask us to stop sending you marketing communications at any time by following the opt-out links within any marketing communication sent to you or by contacting us by email at: data.protection@iosh.com.
If you opt out of receiving marketing communications, you will still receive service-related communications that are essential for administrative or customer service purposes.
Lawful basis for processing your data
Data protection laws require us to rely on one or more lawful bases to use your personal information. We rely on the following legal bases.
- Where we have entered a contractual arrangement with you, which may often include where it is needed to provide you with your membership, advice, guidance, consultancy, training, qualifications, awards, products and customer services, for example:
- managing products and services, awards and qualifications you or your employer hold with us, or an enquiry about them
- updating your records
- sharing your personal data with partners and service providers when you or your employer requests advice, guidance, training, awards, qualifications, products or services
- all stages and activities relevant to providing safety advice or managing products or services, including enquiry, application, administration and management of accounts.
- Where it is in our legitimate interests to do so, provided our use is fair, balanced and does not unduly impact on your rights. Our legitimate interests generally include operating as a charitable entity in pursuit of our mission and, depending on the activity, include, for example:
- managing your products and services, updating your records, providing advice, guidance or carrying out research or safety-related campaigns
- to perform and/or test the performance of our products, services and internal processes
- to comply with government and regulatory bodies
- for management and audit of our operations, including accounting
- to carry out monitoring and to keep records of our communications with you and our staff
- for research and analysis and developing statistics
- for marketing communications to help us offer you relevant health and safety advice, products, membership, services and training
- to provide insight and analysis either as part of providing advice, products or services, helping us improve products or services, or to assess or to improve our operations
- where we need to share your personal data with people or organisations to run our organisation
- to publicise our activities to develop and grow our organisation, for example, we may use a photograph of you receiving a qualification from us on our website.
- To comply with our legal or regulatory obligations (for example, where we are obliged to share your personal data with regulatory bodies which govern our work and services).
- With your consent (for example, we may ask for your consent to receive communications by email) or, in some cases, your explicit consent (for example to collect special category data).
- In rare cases, to protect your or another’s vital interests.
- Where there is a substantial public interest reason for us doing so, for example:
- processing of your special categories of personal data, for example, about your health or ethnicity where relevant to health and safety research or campaigns.
We require all third parties to respect the security of your personal data and to treat it in accordance with the data protection laws. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
We may share information with the following third parties for the purposes listed below.
- IOSH newsletter/magazine/marketing emails.
– We use a third-party provider to deliver our magazine and regular news update and careers site emails. We gather statistics around email opening and clicks using industry-standard technologies, including clear gifs, to help us monitor and improve our magazine email communications.
- We use a third-party mailing house to fulfil and post hard-copy certificates, welcome packs, membership cards and other print items to our members worldwide.
- We use a third-party provider to deliver our Career Hub and regular learning recommendation emails.
- We use a third-party provider to supply member benefits (IOSH Extras). We gather statistics on benefits usage to monitor and improve our benefits.
- We use a third-party provider to deliver our marketing emails.
- Security and performance
– IOSH uses third parties to help maintain the security and performance of the IOSH websites. To deliver this service it processes IP addresses.
– IOSH moderators and IOSH staff can see your internet protocol (IP) address when you post a message on our forums. This information is for use by IOSH only and is only used to prevent misuse of the discussion forums. We will not disclose your IP address to anyone unless we are legally permitted or required to do so.
- Online payments
– We use a third party to collect online payments on our main website.
- E-learning platforms
– We use a third party to deliver, receive online payments for and resolve queries for our e-learning modules. This service requires delegates to enter name, address, email address, phone number, date of birth, comments and feedback, cookie information, and entry of payment details to facilitate one-off course payments.
- Forums
– We use a third party to manage and facilitate our forums. This software requires members that want to post a comment to enter a name and email address.
- Social media
– We use a third-party provider to manage our social media interactions.
- Digital certificates and workbooks
– We use a third party to host an online platform for the virtual delivery of digital certificates and digital workbooks for IOSH courses. This service requires delegates to enter name and email address to facilitate delivery.
Service providers
We will share your personal data with service providers where this is necessary to provide you with services that you (whether in your own name or on behalf of your organisation) have ordered. Examples of service providers we use include payment processors, hosting services, suppliers, IOSH Services Ltd (ISL), sub-contractors and delivery services. We may also need to share your personal data with third-party software or IT support providers for system administration, data security, data storage, back up, disaster recovery and IT support.
We share your information with the following parties, for the following purposes.
Digital platforms
We use third-party services to collect standard internet log information and details of visitor behaviour patterns.
Information transfers
To transfer your information in the case of a sale, merger, consolidation, liquidation, reorganisation or acquisition.
To protect the rights, property or safety of our business and other customers
We reserve the right to disclose or share your personal data to comply with any legal or regulatory requirements, enforce our terms and conditions (or any other agreement we enter with you), or to protect the rights, property or safety of our business and other customers. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction. We may also need to share information with HM Revenue and Customs, regulators and other authorities acting as processors based in the United Kingdom, who require reporting of processing activities in certain circumstances. We may also share your personal data with our professional advisers, including lawyers, bankers, auditors, accountants and insurers, who provide legal, financial and banking, audit, insurance, accounting, and consultancy services.
IOSH helpline
We use a third-party service to operate the IOSH technical helpline. When enquirers call the IOSH technical helpline, we collect the following personal information: name, IOSH membership number (if they are an IOSH member), IOSH membership category, email address, telephone details, country of residence, job title, organisation name, industry sector, number of employees within their organisation, and the enquiry itself.
Events registrations
IOSH uses third parties to take your registration details for events that we participate in or run ourselves.
Research fund application
Information collected may be used by the research department or advisory panel, its peer reviewers and internal committees/commissioning panels to administer the grant application process; to identify peer reviewers for grant applications, and to notify users about funding opportunities.
IOSH may pass on relevant data to internal committees and independent reviewers to perform tasks on its behalf to help make the funding process operate effectively. IOSH may also divulge information to its internal committees to make funding decisions and improvements.
In consultation with you, and if you have given us your permission in advance, IOSH may also wish to use some of the information you provide in your application to promote the research fund and research activities sponsored by IOSH. This could include articles on the research pages of the IOSH website, news stories and joint press releases, interviews, webinars, case studies, articles in IOSH magazine, or negotiated pieces in other media outlets.
Third party websites
Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website that you visit.
International transfers
Some of our external third parties may be based outside the United Kingdom (UK) from time to time, so their processing of your personal data will involve a transfer of data outside the UK.
Whenever we transfer your personal data out of the UK to our external third parties or otherwise, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented.
- We will only transfer your personal information to countries that have been deemed to provide an adequate level of protection for personal data by the Information Commissioner’s Office, ie the European Union.
- We use specific contracts approved by the Information Commissioner’s Office that give personal data the same protection that it receives in the UK, namely the International Data Transfer Agreement.
To find out further details of the safeguards we put in place, please contact us.
We are committed to keeping your personal data safe and secure and we have appropriate and proportionate security policies and organisational and technical measures in place to help protect your information.
Your personal data is only accessible by appropriately trained staff and contractors, and stored on secure servers with features enacted to prevent unauthorised access.
- in general, only for as long as it is required in connection with the purposes for which it was collected and/or used – this will depend on the relevant activity
- for as long as we have reasonable organisational needs, for example, managing our relationship with you and managing our charitable activities or research
- for as long as we provide advice, products and/or services to you
- retention periods in line with legal and regulatory requirements or guidance and in some cases for as long as necessary in relation to legal disputes.
- personal data provided in relation to your membership shall be retained for six years following the end of your membership
- finance and transaction data in relation to credit card payments is retained for three years
- any personal data provided through enquiries received by our helpline service is retained for one year after the end of the enquiry
- personal data, including name and contact data provided to register and attend an event, shall be retained for one year after the date the event has taken place.
What should you do if your personal data changes?
You should tell us: members can update personal details via MyIOSH or call our Customer Service Centre. Non-members need to call the Customer Service Centre directly. Email communication preferences for members and non-members alike can be managed via our preference centre, links to which are included in the footer of all emails that we send you.
Do you have to provide your personal data to us?
We may be unable to provide you with some advice, guidance, awards, qualifications, consultancy, training, products or services if you do not provide certain information to us.
Do we do any monitoring involving processing of your personal data?
Monitoring means any: listening to, recording of, viewing of, intercepting of, or taking and keeping records (as the case may be) of calls, email, text messages, social media messages (and interactions in aggregated form), in person (face to face) meetings and other communications.
We may monitor where permitted by law and we’ll do this where the law requires it, or to comply with regulatory rules, to prevent or detect crime, in the interests of protecting the security of our communications systems and procedures and for quality control and staff training purposes. This information may be shared for the purposes described above.
How long will we keep hold of your personal data?
We hold your personal data based on the following criteria:
Different retention periods apply for different types of personal data, for example:
In some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you. In some circumstances you can ask us to delete your data; please see below for further information.
Your rights
Under data protection laws you have rights we need to make you aware of. The rights available to you depend on our reason for processing your information.
- Right of access – You have the right to ask us for copies of your personal information.
- Right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Erasure – You have the right to ask us to erase your personal information in certain circumstances. We may not always be able to comply with your request of erasure for specific legal reasons, which will be notified to you, if applicable, at the time of your request.
- Restriction of processing – You have the right to ask us to suspend the processing of your personal data in one of the following scenarios: if you want us to establish the data’s accuracy; where our use of the data is unlawful but you do not want us to erase it; where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Data portability – This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent, or in talks about entering a contract and the processing is automated.
- Right to object to processing – You have the right to object to processing if we can process your information because the process forms part of our public tasks or is in our legitimate interests. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your right to object.
- Right to withdraw consent – You have the right to withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
You can exercise any of the above rights by emailing us at data.protection@iosh.com. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
You are not required to pay any charge for exercising your rights. We try to respond to all legitimate requests within one month. Occasionally, it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Complaints
If you are not happy with the way your information is being handled, or with the response received from us, you can seek recourse through our internal complaints procedure by writing to us at:
Data Protection Officer
Institution of Occupational Safety and Health
The Grange
Highfield Drive
Wigston
Leicester
LE18 1NN
Email: data.protection@iosh.com
You also have the right to lodge a complaint with the Information Commissioner’s Office if you are unhappy in any way with how we have treated your personal information. We would, however, appreciate the chance to deal with your concerns before you approach the Information Commissioner’s Office, so please contact us in the first instance.
Changes to this privacy notice
We keep our privacy notice under regular review. This privacy notice was last updated in June 2024.