CQI privacy policy - Members’ Notice of Personal Data Processing

Data Processing Notice

At the CQI we believe that it is important to be transparent about how we process your data. Consequently, we have prepared the below ‘notice of personal data processing’ that tells you what we are doing with your data and why. All personal data should be stored and deleted in alignment with the CQI’s Data Retention policy. Not all sections will be relevant, as this policy covers all the member and non-member data that we process. Please move to the section relevant to your stakeholder group.

1. General

1.1 Your rights under the regulation

The General Data Protection Regulation (GDPR) and Data Protection Act 2018 specifies a number of rights that you have with respect to our processing of your personal data. Some of these rights are new since 2018, others are existing rights that may have been modified or enhanced. Unless otherwise specified below, you can exercise any of your rights with respect to our processing of your personal data by writing to us privacy@quality.org or to DPO, The CQI, 90 Chancery Lane, Holborn, London WC2A 1EU. Please be aware that we may need to verify your identity before we can service your request.

We have appointed IT Governance Europe Limited to act as our EU representative. If you wish to exercise your rights under the EU General Data Protection Regulation (EU GDPR) or have any queries in relation to your rights or general privacy matters, please email our Representative at eurep@itgovernance.eu. Please ensure to include our company name in any correspondence you send to our Representative.

Your right to access

You are entitled to see the personal information that we hold about you. You can access much of this information yourself by logging in to the members’ section of www.quality.org. There is generally no charge for making a data subject access request should you choose to write to us at the address given above, or privacy@quality.org or directly with a specific team, whose details can be found here.

Your right to rectification

You have the right to ask us to rectify personal information you think is inaccurate or incomplete. You may correct some of your personal data by self-service as outlined above. Where it is not possible to change your personal data by self-service, please directly contact the function you are dealing with, whose details can be found here.

Your right to erasure

In certain circumstances you are entitled to ask us to delete the personal information we hold about you. Please note that we may not be able to delete all personal data that we hold about you, for example, because of our duties to meet regulations.

Your right to object to processing

In certain circumstances you are entitled to object to our processing your personal information. Please note that we may not be able to stop the requested processing, for example, because of our duties to meet regulations.

Your right to restriction of processing

In certain circumstances you are entitled to ask us to restrict our processing of your personal information. For example, you may ask us to do this if you dispute the accuracy of your personal information, if our processing is unlawful but you prefer restriction to deletion, if we no longer need the information but you need it to exist in our systems for legal reasons, or if you have objected to our processing and we are dealing with your objection.

Your right to data portability

In certain circumstances you are entitled to receive the personal information you have provided us in a structured, commonly used and machine-readable format. Over time we will be changing our systems to make it easier for you to receive your data in this way.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

You can also complain to the Information Commissioner's Office (ICO) who is responsible for making sure that organisations comply with the law when they handle your personal information: https://ico.org.uk/global/contact-us/.

2. How we process your personal information

2.1 Membership

2.1.1 Your member record

To apply, you will need to create an account to start an application. The details required to create an account include your name, date of birth, email address, postal address, contact number and a unique password to login to your account. You may supply us with your gender, job title, business address and further contact details if you wish but these are not required.

When an account is created, you will receive periodic emails to assist you with your application. You may opt out of any communications during this process by contacting applications@quality.org.

You may start an application at any time or come back to an application in the future. Your application for membership is stored in our database along with your personal contact information, and details of the grade and scheme of your membership. Your personal details may include your training, education, work and professional experience. You may also email applications@quality.org for any assistance or enquiries with the application process. We process all this data under the lawful basis of pre-contractual steps.

Should you choose to upgrade your membership you will need to submit a new online application meeting our requirements. Your application for a membership regrade is assessed utilising the information you supply in support of your application. This information may be shared with an external assessor who is under contract to the CQI. Your regrade application information and all documentation created during the regrade assessment process will be stored within your membership record indefinitely. If you are an IRCA member, your entry on the public IRCA register will be amended accordingly should your regrade be successful. We process all this data under the lawful basis of pre-contractual steps.

Your membership of CQI professional networks such as branches and special interest groups are also recorded on your member record.

Notes of telephone conversations, emails, and physical correspondence between you and the CQI and IRCA may be attached to your membership record for future reference. Feedback that you provide about the CQI and IRCA may be recorded in the interest of improving the products and services that the CQI & IRCA offer. We process this data under the lawful basis of legitimate interest.

External assessments of membership applications, regrades, recertification, transition, migration, or CPD evaluation are carried out by assessors under contract to the CQI. Comments generated by the assessor in the course of making an assessment are stored on your member record. We process this data under the lawful basis of performance of contract or precontractual steps.

Sometimes more than one record about you is created in our system. We periodically reconcile our records to identify duplicates and to maintain the accuracy of your information. Should we identify a discrepancy in your data, we may contact you to help us decide which record should be your main record, and to verify that your record is accurate. We process this data under the lawful basis legal obligation.

2.1.2 Managing your membership

All new members receive a series of welcome emails. The information provided is for the purpose of advising you of the services and benefits that we offer and how you can best make use of them.

We notify you in advance that your membership is due for renewal. You are given details of your scheme (IRCA only), grade, the fee payable, methods of payment available to you, and what to do if any information is incorrect. We send reminders both before and after the deadline if payment is not received. IRCA members who do not renew their registration are notified when they are removed from the IRCA register for non-payment of annual fees.

If you fail to renew your membership but do not explicitly advise us of your wish to cancel, we may contact you multiple times for up to one year following the expiry of your membership, with information about how you can resume your membership. We do this to ensure that you are aware of the situation and have the opportunity to reinstate.

You may inform us of your wish to resign your membership at any time. We will then amend your membership record and you will receive no further requests to renew your membership.

In line with the CQI retention policy member profile information will be held for two years and summary information for eighty years, respectively from the members lapse date.

If you actively choose to resign your membership, we will record the request and amend your membership record accordingly. Data relating to the nature and duration of your membership will remain stored on our database indefinitely. Other data will be deleted after 7 years. Your data will not be used by the CQI and IRCA for marketing purposes or disclosed to third parties unless there is a legal obligation to do so.

Notes of telephone conversations, emails and physical correspondence between you and the CQI and IRCA may be attached to your membership record for future reference.

Following payment of your annual membership fees, a receipt is automatically sent to you by email 1-2 business days after payment. This receipt only contains data directly related to the renewal of your membership.

We maintain financial records related to your membership. For example, we need to reconcile your payments for membership in order to maintain our relationship. These are kept in electronic format and hard copy for 7 years after the end of the financial year in which the transaction took place.

Upon admission to an eligible CQI membership grade, we create and send you a membership certificate containing your name, membership grade, membership number and date of admission. IRCA members may receive certificates upon request and payment of a fee. We do not keep copies of your certificates. Your certificate provides you with evidence of your membership.

CQI Chartered Members and Fellows, and IRCA Auditors, are required to maintain CPD records. The CQI can request CPD evidence from Chartered Members and Fellows at any time in accordance with our Royal Charter. IRCA Auditors are required to submit CPD evidence every five years as a part of the recertification process. Assessments of your qualifications and CPD evidence are stored in your member record on our database, indefinitely, in order to demonstrate your compliance with CQI and IRCA requirements. This is in keeping with our legal obligation to regulate the profession.

Information that you submit about training that you completed before January 2017, via the Record Your Certificate form on the CQI website, is added to your member record to evidence the training that you have undertaken.

In certain circumstances a member or an individual applying for membership may apply, by reason of on-going hardship circumstances, for a reduction of their membership fees. Should you request a concession and provide evidence to support your request your evidence will be held for up to six months to allow us to make a fair assessment of your concession request. After this period of time, all evidence will be deleted from your record.

All of the above data is processed under the lawful basis of performance of contract or legitimate interest.

2.1.3 Managing requests for information about you

NPS surveys

As a member of the CQI, it’s important that we garner your feedback on a regular basis to ensure we continue to improve. Once a year we will send an email to you with an NPS (Net Promoter Score) survey link. Essentially, we ask ‘how likely it is that you would recommend us and what we can do to improve. There is a chance to win a £25 voucher if you submit your name, email address, and phone number. We process this data under the lawful basis of consent.

Surveys

On occasion, we will ask for your feedback to help us improve communication, products and services, and content. We will send you an email with a survey link no more than four times a year. We process this data under the lawful basis of consent.

Third party requests

Sometimes, agencies or potential employers of CQI and IRCA members may contact us for information about you as part of their referencing process. If we receive a request from a third party about your membership status or record, we only disclose this information with your written consent, unless we are under a legal obligation to do otherwise.

If we share your data with a third party, we will record this against your record to allow us to inform you, should you ask for us to delete your record in the future.

2.1.4 Self Service

Upon joining the CQI, you are provided with unique login credentials for the members' self-service section of the website, www.quality.org. These credentials allow you to access your benefits, update your account with address changes, pay your fees, set your email preferences, and choose your branch and special interest groups.

If you are unable to reset your members' self-service section password/username, you can contact the membership team at membership@quality.org for support with the process. We process this data under the lawful basis legitimate interest.

2.1.5 Communications you receive as member benefits

We contact you periodically to inform you of our available membership grades and to advise you on how you can progress through our grades as you advance in your career. You can inform us if you would rather be excluded from this communication. We process this data under the lawful basis performance of contract.

We post your copy of Quality World to you quarterly. To do this, we pass your mailing address on to a third party, Warners, who handle the print and dispatch of the magazine. You may opt out of receiving a hard copy of Quality World at any time within the Subscriptions section of the members’ area.

We provide you with a monthly newsletter by email called Networks. This newsletter is sent to both IRCA and CQI members containing relevant news and articles from the CQI and IRCA. The newsletter may be split if information contained within is only relevant to one membership audience. This is a member benefit from which you may withdraw by clicking on the "unsubscribe" option at the bottom of the email (or by updating your preferences in the members' area).

2.1.6 IRCA Auditors only

When you join IRCA, you agree that your certification and some details about your identity are to be displayed in the online IRCA register. The register acts as a tool to display and verify your professional competence. Should you wish to edit the information shown in the register or for your details to be removed from the online register, you can make these changes under the Professional Profile section of the members’ area, or by contacting the Membership team by email at auditors@quality.org or by phone on +44(0)204 566 5156. We process this data under the lawful basis pre-contractual steps.

IRCA auditors are sent a certification card when they first join and every year thereafter at the point of renewal. The certification card includes your name, membership number, scheme, and grade and acts as a tangible piece of evidence to demonstrate certification should the auditor be required to do so on site visits.

2.1.6.1 Recertification

You are required to renew each certification that you hold every five years on the anniversary of joining. The information you supply is used to assess your professional skills and qualifications and ensure you continue to meet the requirements for the grade that you hold. We process this data under the lawful basis performance of contract. This information is stored indefinitely to ensure that we have records that support your inclusion on the public register, and to demonstrate our diligence in maintaining the accuracy and integrity of the register.

2.1.6.2 Transition / Migration

Changes to an ISO standard commonly lead to a requirement to complete a transition or migration process in order to maintain your IRCA status. In such cases you are required to provide evidence that you meet the transition or migration requirements. We process this data under the lawful basis performance of contract. Copies of evidence that you supply in your transition application are stored indefinitely against your record, in line with our retention policy, as proof that you are competent to carry out audits to this standard.

2.1.6.3 Organisations Employing Auditors (OEAs)

We check annually with your employer whether you remain in their employ. This is necessary to keep our auditor list up to date, to ensure that each company is billed the correct amount and to allow the company sufficient time to amend their records before invoices are issued. We process all data relating to OEAs under the lawful basis performance of contract or legitimate interest.

When you commence working for an OEA and wish to come under that scheme, your employer will provide us with your member ID, name, and any other relevant personal information to enable us to find your record on our database and allow us to link you to the OEA. While you are working for an OEA it may be necessary to disclose personal data to your employer in order to confirm your identity. Your IRCA Auditor card may be sent to your employer for distribution to you. The card states your name, membership number, scheme and grade.

A notice of the requirement to recertify is sent to you via your employer during the fifth year of your certification. Contact your employer should you wish to be excluded from this communication. Should you leave the employ of an OEA, your membership remains active until your next renewal date, at which time we contact you directly in order to renew your membership.

2.1.7 Third Party Suppliers

2.1.7.1 Annual Recurring Payments (Direct Debit, SEPA)

The CQI uses a company called GoCardless to manage your Direct Debit or SEPA payments. The CQI is informed by GoCardless that you have set up a mandate with them, but we do not receive any bank information. GoCardless shares a unique bank mandate reference with us that we store in our database. This allows us to inform GoCardless of how much money we want you to pay and when to collect it. GoCardless in turn informs us of whether the payment has been received, enabling us to update your membership record. You may cancel a Direct Debit or SEPA mandate at any time. All rights that you possess under the rules of the Direct Debit or SEPA schemes apply. Although direct debits are initiated on a consent basis by the member, we process your payment under the lawful basis of performance of contract.

2.1.7.2 IRCA Certification Cards

IRCA auditors are sent a digital certification card when they first join and every year thereafter at the point of renewal, they may also be sent if their membership details change. The certification card includes the member's name, membership number, scheme, and grade and acts as a tangible piece of evidence to demonstrate certification should the auditor be required to do so on a site visit.

Card data is shared with a third-party supplier, Synergy, via Secure File Transfer Protocol (SFTP) for processing. Synergy then email members a link to their digital membership pack which includes their card. The data is processed under the lawful basis legitimate interest.

2.1.7.3 Mentoring Platform

The CQI’s mentoring platform is provided on a separate website, run by PLD. No data will be passed to Abintegro unless you try to access the platform. In order to provide this service to you, we need to verify to PLD that you are a current member. Only then will PLD create an account for you and provide access to the platform. The data that will be processed is your name, email address and current membership status. No other personal data will be supplied to PLD by the CQI. Any data that you upload to the mentoring platform will be governed by PLD's Privacy Policy which you will have an opportunity to read and agree to before your account is created. In order to facilitate mentoring agreements between mentors and mentees, other users will have access to some personal information about you, and you will have full control over what that information is. We process this data under the lawful basis performance of contract.

2.1.7.4 Quality Careers Hub

The Quality Careers Hub is provided on a separate website, run by Abintegro. No data will be passed to Abintegro unless you try to access the Hub. In order to provide this service to you, we need to verify to Abintegro that you are a current member. Only then will Abintegro create an account for you and provide access to the hub. The data that will be processed is your name, email address and current membership status. No other personal data will be supplied to Abintegro by the CQI. Any data that you upload to the Quality Careers Hub will be governed by Abintegro's Privacy Policy which you will have an opportunity to read and agree to before your account is created. We process this data under the lawful basis performance of contract.

2.1.7.5 Quality Learning Hub

The Quality Learning Hub is provided on a separate website, run by D2L. No data will be passed to D2L unless you try to access the Hub. In order to provide this service to you, we need to verify to D2L that you are a current member. Only then will D2L create an account for you and provide access to the hub. The only data shared will be that which is required to support single sign on: name, email address and membership ID. Any data that you upload to the Quality Learning Hub will be governed by D2L's Privacy Policy which you will have an opportunity to read and agree to before your account is created. We process this data under the lawful basis performance of contract.