SPR Privacy & Data Protection Policy

About the Society for Psychical Research

The Society for Psychical Research, SPR, is a charitable company which was founded in 1882 for exclusively charitable purposes which are set out in our constitution which takes the form of a Memorandum & Articles of Association. The SPR is governed by the provisions of our constitution and by our Council, which is the Board of Directors of the company as far as the various Companies Acts are concerned. The Directors of the SPR are also Charity Trustees under Charity Law. The majority of members of the Council are elected by the membership of the Society at our Annual General Meeting, AGM. Membership of the Society is open, and anyone may apply to join the Society.

The SPR operates as a special form of learned scientific society in which the society brings together experts in the field, with members of the society who have an interest in the field, as well as members of the public for the specific purpose of the discussion of scientific theories and ideas. The full nature and extent of the SPR’s operation within the field of psychical research are set down in our aims and objectives which are set out in our constitution which forms our mission statement. The SPR operates as a valuable national and international resource for both current researchers in the field, as well as those who wish to research the history of the field and the development of scientific theories and thought within the field. The SPR has extensive data holdings in relation to this aspect of psychical research and a large archive held for us at Cambridge University. In addition to this the SPR also publishes three publications including an academic Journal. This Privacy & Data Protection Policy has been drawn up with these uses in mind.
 

Introduction

Here at the Society for Psychical Research (“SPR”, “we” or “us”), we take your privacy very seriously which is why we have as a matter of good practice fully implemented the requirements of the Data Protection Act 2018. Please take the time to read this privacy policy, which is part of our terms of use of our website and all our resources and facilities as well as a condition of membership. As a matter of law and good practice, other organisations and individuals working with the SPR, and who have access to personal information, will be expected to have read and comply with this policy. 

The purpose of the SPR’s Privacy & Data Protection Policy

The SPR is committed to a policy of protecting the rights and privacy of members, supporters, individuals, organisations, staff and volunteers in accordance with the Data Protection Act 2018 which controls how your personal data is used by organisations, businesses or the government. 
The Data Protection Act 2018 effectively took over from the existing provisions of the General Data Protection Regulation (GDPR) after the end of the Brexit Transition Period when the UK left the European Union. GDPR was originally a piece of European legislation that the UK signed up to and was indorsed by the UK Parliament as UK law in 2016 to come into effect on the 25th of May 2018. The other important piece of relevant data protection legislation is The Privacy and Electronic Communications Regulation, PECR, which sits alongside the UK Data Protection Act of 2018 and GDPR. All these major pieces of privacy and data protection legislation work together and will therefore be collectively referred to in this policy as the Data Protection Act 2018, or by an abbreviation of this as the DPA 2018.
The SPR will notify the UK Data Protection authority, The Information Commissioner’s Office (ICO), and any affected individual, of any breach of these laws and regulations, and they, and/or the SPR may take disciplinary action against anyone found to have caused that breach. The SPR is registered with the ICO with a Data Protection Number of ZA574485. For the purposes of the United Kingdom General Data Protection Regulation (UK-GDPR) and Data Protection Act 2018, the SPR as a Charitable Company is a data controller and processes personal data. Third parties the SPR may use on a regular or occasional basis for our operations will also be expected to comply with this Data Protection Legislation.

We would like to remind you that by using, or continuing to use, SPR resources and facilities and having, and or by continuing to have membership of the SPR, you are agreeing to be bound by the SPR’s Terms and Conditions including this Privacy & Data Protection Policy. This policy explains how we collect, use and store the personal information you provide to us. 'Personal Information’ is information which identifies you, or another person, or is capable of doing so.
This policy may change from time to time and, if it does, the up-to-date version will always be available on the SPR website, or on request from the SPR Office. Please note that by continuing to use the SPR website and or the SPR’s facilities and resources, you are agreeing to any updated versions.
 

Legal Requirements & Personal Data

The SPR is a Data Controller under the terms of the DPA 2018. The DPA applies to all ‘personal data’ which is any information relating to a living identifiable person who can be directly or indirectly identified by particular reference to the data itself or to other information which may be known as an identifier. In this context the ‘identifier’ is any piece of information that will enable an individual to be identified as a particular person or individual. This definition provides for a wide range of personal identifiers to constitute personal data, including name, membership or other identification number, location data or online identifier. GDPR and the DPA 2018 as well as the PECR were enacted to reflect changes in the use of modern information technology and the way organisations collect information about people. 
This legislation applies to both automated electronic systems which collect personal data and to manual computer-based ones as well as to traditional paper-based filing systems where personal data are collected and stored in an organised filing system. The data must be collected for certain specific legal purposes only and must only be retained for the purpose(s) for which it was legally collected and for no other purpose. 


There is a second type of personal data which is Special Category Data which is even more personal and therefore sensitive and relates to such matters as:
(a)    racial or ethnic origin of the data subject
(b)    political opinions
(c)    religious beliefs or other beliefs of a similar nature
(d)    trade union membership
(e)    physical or mental health or condition
(f)     sexual orientation    
(g)    criminal record 
(h)    proceedings for any offence committed or alleged to have been committed.
The SPR has decided that for general and administrative functions this data is not relevant and will not be collected as a matter of policy. Therefore you will not be asked to provide any data in the categories listed ‘a’ to ‘h’ above.
The only possible exception to this strict rule is data that may be collected when a person reports a potential case of current or historic psychic or paranormal activity to us and any subsequent elucidation or investigation of the individual case concerned as part of our ongoing brief to research and investigate Spontaneous Cases as per the objects, aims and objectives of the SPR.


Purposes for which the SPR holds data

The SPR will only hold data for the following purposes:

  • Realising the SPR’s Charitable objectives
  • Membership processing and administration
  • The staging of events such as our Annual Conference, Study Days and Lectures
  • Research & collaboration with other organisations about research
  • The awarding of research grants
  • The publication of our Journal, Proceedings, and Paranormal Review
  • Providing a strictly confidential Spontaneous Cases Service
  • Maintaining and extending our archives
  • Journalism & the media where necessary
  • Keeping legally required accounts & records
  • Staff administration
  • SPR Volunteers

Managing Data Protection

Many organisations and governmental bodies including some charities are required by the terms and conditions of The DPA 2018 to appoint a Data Protection Officer, DPO, to oversee the operation of this legislation within an organisation. The SPR does not fall within this category, but we have chosen to voluntarily appoint a Council member to act as our DPO.

The Principles of the DPA 2018 and how it applies to the SPR

The legislation lays out six key principles for processing of personal data. These are:

Lawfulness, fairness and transparency

This covers the primary areas of concern that data should be gathered and used in a way that is legal, fair and which is able to be understood by those who are subject to data being collected and held about them. 
Therefore informed consent to collect and use data for a certain specified purpose is required under The DPA 2018. The public have the right to know what information or data is being gathered and held about them as individuals by organisations and they have the right to have this data corrected or removed if it is wrong, misleading or inaccurate. 
The SPR will only seek to gather and collect the minimum of amount of information which is compatible with the SPR’s purposes. We will inform you of the purpose for which we will require data from you at the time we ask for information, and we will expressly ask for your permission to do so through informed consent. 
Where we already have had contact with you and or where what is required of us is to perform an administrative function implicit in our administration of your membership or the SPR or an event or other general administrative function we will proceed to record and retain the legally required data concerned for these purposes on the basis that we have a legitimate interest to do so. Any data collected for these purposes will only be retained for the minimum period required for us to discharge our administrative functions in relation to the reasons the data was collected in the first place.
The SPR will only use the information which is provided to us in this manner and for the purpose(s) for which we asked for your consent, and or have a legitimate interest to let us use that data. We will not use that data for any other purpose.
The SPR has a policy and procedure for correcting mistakes and errors and for making a Data Subject Access Request, SAR, so that SPR members, supporters, organisations, service users or members of the public, or anyone who has had contact with the SPR may apply for a copy of the data that the SPR holds on them. The SPR also has a policy to correct inaccurate information in relation to this. Please see below. 
 

Purpose limitation

Organisations should only use data for a legitimate purpose which is specified at the time of the collection of the data. This data should not be shared with third parties without permission. 
The SPR will only ask to collect the minimum of data in the form of information about members, supporters, organisations, service users and members of the public as and when we need it. We will always explain the purpose for which we need this information, and we will always ask for your permission for us to use the data you have provided to us bearing in mind that your consent may not always be requested where we have a legitimate interest to collect data from you and to use it for implicit administrative purposes which arise out of your contact with us. 
We will only use the data you have given to us for a given specific purpose, and only for that specific purpose. We will not use your data for any other purpose. We will not in general share your data with any third parties, and if we consider that there may be a need to do so, we will ask for your specific permission to allow us to do so. We will never share your data with third parties without your specific consent.
 

Data minimisation

The data collected by organisations should be limited only to what is required for the purpose stated. Organisations should not collect data en masse without a specific purpose and reason to do so under the law. 
The SPR will only ask for the minimum amount of data that is required for a given specific purpose, and we will always ask for your permission in order that you can provide us with this data. We may also collect and process data given to us by you where we have had contact with you and have a legitimate legal interest to do so.
We will always explain why we need the information we are requesting from you and the purpose we will be using it for when we ask you for any information about yourself or your organisation. This explanation may be implied from the contact you have had with us and the data collection and processing is required to carry out an agreed administrative or other process.
Some large companies and charities have caused problems to people as a result of their large bulk mailings by post or electronic means to their potential or actual customers, supporters and beneficiaries for commercial and fundraising purposes. The SPR does not carry out this sort of mailing exercise. We will only send to you communications that you have given us permission to send to you in connection with membership administration, and the general administration of the SPR, and to notify you of SPR events that you have expressed an interest in knowing about. We may from time to time send out information to our members, donors and supporters in relation to specific projects or appeals that may be of interest to them, and any such communications will be for legally permitted purposes. If we need to contact you about any other matter on a regular basis or through a general mailing, we will ask for your permission to do so. 
 

Accuracy

The personal data you hold should be accurate, kept up to date, and, if it is no longer accurate, should be rectified or erased. 
The SPR is committed to keeping accurate and up to date records, and we review our administrative records regularly to ensure their accuracy, and the necessity to hold the data we do. Any data that is no longer required for the specific purpose for which it was given will be deleted and erased.
The SPR collects and holds data generated through our lectures, conferences, study days and online or other events and the data gathered from these events is covered by our aims and objectives and our mission statement. This data is gathered and may be disseminated in a suitable form under our terms and conditions and retained for research and archive purposes where we have a legitimate interest in doing so and for which we may require consent as part of our terms and conditions for these events. 
The SPR recognises that despite our best efforts things can still go wrong. The SPR will put right any mistakes or errors in the data that the SPR holds about its members, supporters, service users, and organisations the SPR works with as well as members of the public. The SPR will do this when notified of the mistake or error by the member, supporter, person or organisation concerned.  
 

Storage limitation

Personal data should only be stored for as long as is necessary. Data can be archived securely and used for research purposes in the future. Where possible, the personally identifiable information should be removed to leave anonymous data. 
The SPR will only hold administrative and general records or data for the purposes for which the data was collected and we will only retain it until we have legally processed the data concerned. The data that is collected and processed in this way will be minimised, as above and its accuracy checked as above and when this data has served the purpose(s) for which it was collected, it will be finally reviewed and securely deleted.
The data that is collected as the result of our events which is covered by our aims, objectives and mission statement forms part of our legitimate interest under our terms and conditions for these events. This data will therefore be retained in a suitable form for research and archival purposes. This may include suitable anonymization for the retention of research based materials and other documents that form the core of the SPR’s brief to operate as a learned society as described in the about section above. Please also see the section data storage below.
 

Integrity and confidentiality

Personal data should be held in a safe and secure way that takes reasonable steps to ensure the security of this information and avoid accidental loss, misuse or destruction.
The SPR takes  the privacy, confidentiality, security and integrity of all personal data very seriously which are covered by our Data Storage & Risk Management policies ( please see below ), as well as our commitment to ensuring the accuracy of the data we hold. Please see the sections on Purpose Limitation, Data Minimisation and Accuracy above.
 

Data Storage

Information and records relating to SPR members and supporters and anyone the SPR may have contact with will be stored securely, and will only be accessible to authorised SPR personnel for certain specified tasks. This may include the retention of suitable data in a suitably anonymised form for research and archival purposes, for a suitable and appropriate time period which will be kept under review. Some data may be specifically held for an indefinite period of time for research and archival purposes where the required consent for these purposes has been given.
Any data or information given to us by you will only be stored for as long as it is needed for the authorised purpose(s) for which it was provided, and for which specific consent was given, or it is needed for legal & statutory purposes and or we have a legitimate interest to use the data which you have provided us with. When the reason for the collection and retention of the data given by you to us has been has been duly legally discharged and the data processed for our permitted legal purposes any and all data for which we do not have a specific legal reason through consent or otherwise to retain will be deleted in a secure and appropriate way. This will be achieved within the required the statutory timeframes. 
 

Risk Management

The consequences of breaching DPA as defined above can cause harm or distress to SPR members and supporters as well as members of the public if their data is released to inappropriate people, or they could be denied a service to which they are entitled. 
This policy is designed to manage and therefore minimise these risks and to ensure that the reputation of all concerned including the SPR are not damaged through inappropriate or unauthorised access and sharing.
The SPR operates a policy of regularly reviewing our Risk Management policies and procedures so that we can minimise or exclude risk and ensure that we keep your data safe and secure.
 

Data Subject Access Requests

Any SPR member or supporter or organisation, or anyone who has had contact with the SPR has a right to see what data the SPR holds about them by making a Data Subject Access Request under the DPA 2018 or GDPR Article 15 to the SPR. That person or organisation has the right to make a correction to the information held about them if that information is incorrect. The DPA states that a “Data Subject” who can submit such a request means the identified or identifiable living individual to whom the personal data relates.
This request does not necessary need to be made in writing and can be made by other means and nor does the request need to quote or reference the making of a SAR under the DPA by an individual who wants to make a legally valid Subject Access Request. These other means may include verbally over the telephone, or in person, or electronically in one way or another through direct electronic communication to the SPR or via the SPR’s portals and platforms. 
However for the purposes of good clear communication in order to avoid misunderstandings and doubt about the use of this process it is important to bear in mind the importance of speaking in specific terms to the extent one can do so when making a SAR. The request will be actioned provided it is clear that the individual making the request is asking for their own personal data which is about them as an individual.
We will process a SAR without any undue delay and the data will be provided to you within one month of the date of the SAR request having been made by you. The requested information may be provided in a suitable commonly used electronic form for our convenience, unless you request us to provide it in any other suitable form, for example on paper as a print out.
Members of the public may request certain information from certain governmental bodies under the Freedom of Information Act 2000. This Act does not apply to the SPR. However if at any time the SPR undertakes the delivery of services under contract with certain of these governmental bodies we may be required to assist them to meet the Freedom of Information Act request where we hold information on their behalf.
For any further information about data protection issues at the SPR please contact the Data Protection Officer C/O the SPR.

 

GDPR Definitions

Data subject This is a term used to refer an individual whose personal information is the data in question. 
Processing – This refers to the collection, storing and transferring of personal data. 
Profiling – This is something that is often done by larger organisations and involves automatic processing of personal information (often in large batches) to evaluate aspects of the individuals’ behaviour and make decisions or take actions. The SPR does not do this.
ICO – The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights in the public interest. In the Republic of Ireland, the Data Protection Commissioner holds a similar position. 
Data Controller – This is the person within an organisation that decides what data is collected, used for and who it is shared with. 
Senior Information Rights Owner (SIRO) – This is usually a board level role to oversee data policies. 
Data Protection Officer – This role is required in certain circumstances, such as public authorities and those organisations dealing with sensitive data. The SPR has voluntarily chosen to appoint a Council member to serve as the Data Protection Officer.
Data Processor – This refers to anyone, sometimes a third-party organisation or business, for example a partner organisation, or the SPR’s printers.
 

Further information

If SPR members and supporters or organisations or members of the public have specific questions about information security and data protection in relation to the SPR please contact the Data Protection Officer C/O the Society for Psychical Research.
The Information Commissioner’s website (www.ico.gov.uk) is another source of useful information. For reference the SPR’s Data Protection Registration Number is ZA574485
 

Approved in Council, 12th April 2018
Version 1

Reviewed and revised 20th June 2024
Version 2