Privacy Policy
Updated 1 March 2024
This privacy notice sets out the data processing practices of The Chartered Governance Institute, operating as The Chartered Governance Institute UK & Ireland. We are a body operated under Royal Charter (RC000248). Our registered office is at Saffron House, 6-10 Kirby Street, London, EC1N 8TS.
Please note that all data thus captured will be used and held in accordance with the requirements of the Data Protection Act 2018 (DPA), the UK GDPR (General Data Protection Regulation), and the EU GDPR (General Data Protection Regulation).
We have notified the Information Commissioner’s Office (ICO) of our processing operations and our ICO registered number is Z656922X.
This notice explains:
- What The Chartered Governance Institute does
- How to contact us about our use of your personal data
- Why we process personal data and the legal basis for it
- How we use personal data for marketing purposes
- Recipients of personal data for processing on our behalf
- Our data retention periods
- Your rights as a data subject
- Cookie policy and use
- Third party websites
- The security of the personal data that we hold
- Changes to our policy and practice
What the Chartered Governance Institute does
The Chartered Governance Institute is the international qualifying and membership body for governance professionals. We train, qualify and support those who work in company secretarial and governance capacities across many industry sectors.
The Chartered Governance Institute UK & Ireland is one of the nine divisions of The Chartered Governance Institute. Based in the UK, its members, students, subscribers and customers work in 62 jurisdictions including those reflected in the name of our division; We have almost 40,000 students and members worldwide, of whom 14,500 are in the United Kingdom, the Republic of Ireland, the Crown Dependencies and associated territories, which include the Caribbean, sub-Saharan Africa, the Middle East, Mauritius and Sri Lanka.
Our membership services are supported by our trading companies, CGI Business Services Ltd and CGI Publishing Ltd which provide professional development resources to members, students and customers. These include training and conferences, books and online subscriptions and consultancy services.
How to contact us about your personal data
The Chartered Governance Institute is the data controller. If you have any requests about your personal data or queries with regard to how we handle your data you can contact the Information Manager by phone on 020 7580 4741, email do@cgi.org.uk, or write to us at Information Manager, The Chartered Governance Institute UK & Ireland, Saffron House, 6-10 Kirby Street, London, EC1N 8TS.
Why we process personal data
The Institute collects and processes personal data in order to provide its services. Our services include the provision of membership, qualifications, subscriptions, publications, events, an accreditation service for board performance reviewers, undertaking research and consultations, delivering job alerts, the provision of information and experiences to promote the governance profession, sponsorship and advertising.
In order to provide these services, we collect data directly from individuals through online enquiry forms, print and online applications, in email, over the phone and in person.
The table below shows our data processing activities in more detail.
| Activity | Purpose of Processing | Lawful basis |
|---|---|---|
| Studying for our qualifications |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Being a member of The Chartered Governance Institute |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Participating in research and advocacy as a non-member |
|
|
|
|
|
| Subscribing to our knowledge services |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Being a customer for events and publications |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Making an enquiry |
|
|
|
|
|
| Making a Complaint |
|
|
|
|
|
| Applicants for Board Performance Reviewer Accreditation |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| Applicants for Accedited Employer Scheme |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
The legal basis on which the Institute processes personal data
The Institute relies upon different legal basis for the processing of personal data according to the relationship and purpose for which it is collected, as explained below.
Contractual
We need to process personal data about members, students, subscribers, board peformance reviewer accreditation applicants, and those enquiring about our work, in order to deliver and administer the services that we provide.
The contract with members includes delivering invitations to vote at divisional and international AGMs and in the election of Honorary Officers, providing notification of updates to the Charter and byelaws, administering the renewal and progression of membership, providing knowledge services, supporting and monitoring the undertaking of continuing professional development and providing preferential access to events, and providing information about the networking and professional development events run by our branches. When necessary, personal data is used in the management of disciplinary matters.
The contract with students includes administering the renewal and progression of membership, supporting the student’s learning experience, providing learning support and content, providing exam entry and results, enabling progression and providing knowledge services and preferential access to events, and providing information about the networking and professional development events run by our branches. When necessary, personal data is used in the management of disciplinary matters.
The contract with subscribers includes administration and support in the delivery of knowledge services. For professional subscribers, this includes providing preferential access to events and access to the governance helpline.
Members, students and subscribers can opt out of their knowledge service emails by logging into the preference centre in MyCG and updating their preferences.
The contract with board performance reviewer accreditation applicants includes the initial assessment and certification, administration and support relating to their continuing subscription and maintaining their entry on the Accredited Board Reviewer Register on the Institute's website.
The contract with the the accrediteded employer scheme applicants includes the initial assessment and accreditation, administration and support relating to their continuing accreditation and maintaining their entry on the Accredited Employer Directory on the Institute’s website.
The contract with customers includes using personal data for the booking of delegate places on training and events or the delivery of content or training and consultancy services, pre service information and post-service evaluation. We may also send previous customers information about similar products and services that we think will be of interest to them. Customers can opt out of any of these communications at any time.
Legitimate interest
The Institute keeps members, students and subscribers informed of its networking and events activities and new publications via updates on the basis of legitimate interest. It is in both the individuals and the Institute's interest that its members, students and subscribers are aware of the activities and initiatives from which they can benefit. This kind of information is also a legitimate part of what anyone with a relationship with a professional body might reasonably expect to receive. These updates take place through monthly e-newsletters, G+C magazine, and the periodic distribution of event calendars or key date notifications via post and email.
We also undertake a variety of activities to support and champion the governance profession. This can involve surveys and research as well as making those in the profession aware of legal and regulatory developments. In many cases this will involve contact with members, students and subscribers, but it may also involve contact with non-members, including lapsed and resigned members, in roles that are part of, or are linked with the governance profession. This is also a legitimate interest as it is the kind of activity that might reasonably be expected of a professional body.
Members, students and subscribers can opt out of their monthly e-newsletters by logging into the preference centre in MyCG and updating their preferences.
Consent
The Institute seeks consent from members, students, subscribers, customers and anyone who enquires about our products and services to send them marketing information. Consent is sought for:
- Marketing information about Institute products and services to support good governance
- Marketing information from the Discover Governance Hub about entering the governance profession. This may include qualification routes, work experience opportunities, open days and related content such as case studies and the findings of wellbeing and salary surveys.
The Institute also seeks consent from subscribers and customers for:
- Marketing information about the networking and professional development events run by the Institute and our branches
For each of these areas of activity, marketing consent is sought by channel for email, telephone and post. Some additional optional information can be provided to help us deliver more relevant content.
Compliance with a legal obligation
The Institute operates as a membership and qualifying body on the basis of its Royal Charter and byelaws which set out how it fulfils its purpose and is accountable to its stakeholders. The byelaws require us to keep a register of members which, for transparency, is published online at, https://www.cgi.org.uk/directory-of-members. The register contains details of active Fellows, Associate and Affiliated members and Graduates of the Institute. Each entry comprises full name, membership grade, and date when the grade of membership was achieved. The full register maintains a records of current and former members. However, only information about active members is published online, and records of former members are not.
The Institute is also required to keep a register of students which is not published. If a member does not want to have their name published in the online register they can contact us in writing to request its removal.
Both registers can be consulted to verify an individual’s Chartered or student status. The member’s register can be consulted by the public at any time. The student register can only be consulted by request to the Institute. In the event that the Institute is contacted directly about either register by a prospective employer or client to verify the status of an individual, the Institute will seek the consent of the individual concerned before releasing any information. We may be required in some cases by law to disclose details without your consent e.g. on a request from the police.
How we use data for marketing purposes
Consent
We gain marketing consent from individuals in several ways:
- online through a self-registration process
- in person over the phone
- in person at an event
In accordance with the DPA, the Institute requires marketing consent to be freely given, specific and fully informed. It is revocable at any time and the Institute keeps a digital record of your consent in the Institute's CRM system, including when consent is given or withdrawn.
Marketing consent has to be given directly to us by the individual concerned and cannot be given by a third party. If your personal data is passed to us from a third party with your consent, such as a referral from a partner, employer or agent, consent for further marketing communication, if relevant, will be gained directly from you by the Institute.
For marketing consent to be fair and transparent, our privacy notice is available at the point at which consent is collected so that you understand what you are consenting to and how you can change it.
If you opt into receiving marketing communications, we will use your personal details to send you the information that you have consented to receive about services that will be most relevant to you. We will never pass your personal data on to third parties for marketing purposes.
If you opt into receiving marketing about branch networking and professional development events, the data that you provide will be maintained securely within our systems. For each event that takes place your name will be shared with the event organisers as part of a delegate list, but will not be stored on a local database. If you register for an event in The Isle of Man, events are managed locally through Eventbrite.
If at any point you would like to opt-out of receiving communications from us please visit the Preference Centre in your MyCG account, contact us at do@cgi.org.uk or write to the Information Manager at : The Chartered Governance Institute UK & Ireland, Saffron House, 6-10 Kirby Street, London, EC1N 8TS.
Recipients of personal data for processing on our behalf
In carrying out our business, including meeting our obligations to members, students, subscribers, customers and other stakeholders, the Institute uses specialist sub-contractors who process the personal data that the Institute holds on our behalf. These are:
- AGM@Convene for the provision of AGM services
- Certify for provision of online proctoring services for online examinations
- Chord UK for the provision of telemarketing services including membership renewal campaign
- ClearAccept for taking online payments
- ClearDebit for the provision of direct debit services
- Computershare for managing arrangements for Tom Morrison's Essay Prize Competition celebratory dinners
- Dotdigital for email broadcasting services
- Evocos for the provision of event booking services
- Goto for Cloud Telephony Services
- Haysmcintyre LLP for the provision of Audit services
- IT Governance for the provision of compliance assessment services
- Madgex Limited for managing the Jobs in Governance (jobs board) accounts, preferences and communications
- NBNi for the sale and despatch of books, including the IngramSpark print on demand service
- MICE Concierge Ltd for the provision of Events Management system including the EventsAIR platform for hosting virtual events
- Rogo for the provision of examination services
- SilverBear for the provision of CRM services
- St Austell for the delivery and fulfilment of mail
- StageClip for virtual graduation services
- Synergy for the printing and delivery of renewal letters and welcome packs and certificate
- Tars Technologies Inc. for the provision of using the chat bot
- Warners for the distribution of G+C magazine
We will ensure that all the suppliers that we work with are required to respect your privacy and abide by all data protection laws.
Retention periods
| Relationship | Retention period |
|---|---|
| Members and Graduates | Full contact and activity records are maintained whilst your membership is active. After your membership has ceased, your record is flagged as inactive and your contact details are omitted from routine Institute communications. When a membership record has been inactive for 36 months, the majority of the personal and non-personal data that we hold is deleted. A minimum core record of your membership is then maintained on the register of members in perpetuity, in accordance with the Institute’s Charter and byelaws. The minimum core record is comprised of your membership number, full name, membership grade, date of election to membership and date of exit. If your exit is the outcome of a disciplinary process, a note of this will also be retained. No other information is held about former members and the historical register is not published. |
| Students |
Full contact and activity records are maintained whilst your student membership is active. If you progress into membership, your student records become the basis of your membership record and continue to be maintained in full for the duration of your active membership. If you do not progress into membership, after your student membership has ceased, your record is flagged as inactive and your contact details are omitted from routine Institute communications. When a student record has been inactive for 36 months, the majority of the personal and non-personal data held is deleted. A minimum core record of your student membership is then maintained on the register of students in perpetuity, in accordance with the Institute’s Charter and byelaws. The minimum core record is comprised of your student membership number, full name, examinations passed and date on which they were taken, the date of your student membership commencing and date of your exit. If your exit is the outcome of a disciplinary process, a note of this will also be retained. No other information is held about former students and the student register is not published. Personal data, including all paper and electronic records, provided by students when appealing their examination result through the examination appeals process will be retained for a period of six months after a final decision has been reached for any future references or disputes. |
| Professional subscribers | When your professional subscription service ends your contact record will be marked as inactive for a period of 12 months after you exit and you will be excluded from routine marketing communication. After this time a basic core record of subscriber number, full name, entry and exit date will be maintained. This core record will be deleted at the end of a six year period, when financial records also expire. |
| Subscribers to free web services & Discover Governance Hub |
As a subscriber your data will be retained for as long as you have active communications preferences that give your consent to receive information from the Institute, or participate in activities such as events. When you unsubscribe, your account will be deleted. |
| Professional development services customers | We retain the data of customers of our training, event, content and consultancy services for 36 months after the last purchase, after which time contact records are deleted and only financial records are maintained for the statutory accounting period of a remaining 4 years before they are securely destroyed. |
| Enquirers |
We will use the personal data that you give us in the course of an enquiry about our membership and professional development services to answer your query and support any follow on actions that arise from it. If the enquiry progresses into a relationship with us your personal data will be held in accordance to our retention policy for that relationship. If the enquriy does not progress, your data is deleted 6 months after your last contact with us. |
| Research participants | If you are not an Institute member, graduate, student or subscriber, and participate in any of the research or consultations that the Institute undertakes, your personal data will be used throughout the course of the project as appropriate, and to advise you on the outcomes. Once the project is completed, a record of your participation is retained and you may be invited to take part in other projects in the future. Your data will be deleted within 36 months of your last contact with us. Before your data is deleted, we will send you a message so that you are aware of our actions and can reactivate your account if required. |
| Financial transactions | Records of all financial transactions (excluding payment details) are maintained for 7 years and then securely destroyed. |
| Complainants | We will retain the personal data provided by an individual making a complaint, including all paper and electronic records for a period of six months after a final decision has been reached. |
| Applicants for Board Performance Reviewer Accreditation | When your subscription ends your contact record will be marked as inactive for a period of 12 months after you exit, and you will be excluded from routine communications. After this time a basic core record of contact reference number, subscription number, full name, start and end date will be maintained, along with evidence of your qualifications/professional certificates, and references. This core reccord will be deleted at the end of a 7 year period, when financial records also expire. |
| Applicants for accredited employer scheme |
When your subscription ends your contact record will be marked as inactive for a period of 12 months after you exit, and you will be excluded from routine communications. After this time, a basic core record of contact reference number, subscription number, full name, start and end date will be maintained, along with evidence of your professional certificate. This core record will be deleted at the end of a 7-year period, when financial records will expire.
|
Data subject’s rights
You have the following rights in respect of your personal data. In order for you to exercise these rights we will need to confirm your identity. This may be by you providing your membership, student or subscriber number, date of birth or a form of ID such as a passport or driving licence so that we can verify that you are the data subject before releasing information to you.
The right to be informed – you have the right to be told about the collection and use of the personal data you provide. This privacy notice sets out the purpose for which we process your personal data, how long we will keep your data and with whom we will share your data. If you have any questions on how and why we process your data, please contact the Information Manager. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-be-informed/
Right of access – you have the right to know whether we are processing your personal data, and to a copy of that data. We would need as much information as possible to enable us to locate your data. We will respond to your request within one month of receipt of your request. If you want to exercise this right, please contact the Information Manager at the contact details above. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-of-access/
Right to rectification – you have the right to have any incorrect personal data corrected or completed if it is incomplete. You can make this request verbally or in writing. We will need as much information as possible to enable us to locate your data. We will look at any request and inform you of our decision within one month of receiving the request. If you want to exercise this right, please contact the Information Manager at the contact details above. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-rectification/
Right to erasure – this right, often referred to as the right to be forgotten, allows you to ask us to erase personal data where there is no valid reason for us to keep it. We will look at any request and inform you of our decision within one month of receiving the request. If you want to exercise this right, please contact the Information Manager at the contact details above. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/
Right to restrict processing – you have the right to ask us to restrict processing of your data. We will look at any request and inform you of our decision within one month of receiving the request. If you want to exercise this right, please contact the Information Manager at the contact details above. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-restrict-processing/
Right to data portability – you have the right to move, copy or transfer your personal data from one IT environment to another. This right applies to data that you have provided to us and that we are processing on the legal basis of consent or in the performance of a contract and where that processing is by automated means. We will respond to your request within one month of receipt of your request. If you want to exercise this right, please contact the Information Manager at the contact details above. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-data-portability/
Right to object – you have the right to object to our processing of your personal data based on (i) legitimate interests, or for the performance of a task in the public interests/exercise of official authority (including profiling); (ii) direct marketing (including profiling); and (iii) for purposes of scientific/historical research and statistics.
- Legitimate interests/legal task – your objection should be based on your particular situation. We can continue to process the data if we can demonstrate compelling legitimate grounds which override your interests.
- Direct marketing – you have an absolute right to ask us to stop processing for the purposes of direct marketing. We will action your request as soon as possible.
- Scientific/historical research and statistics - your objection should be based on your particular situation. If we are conducting research where the processing is necessary for the performance of a public task, we can refuse to comply with your objection.
If you want to exercise this right, please contact the DO at the contact details above. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-object/
Rights relating to automated decision making including profiling – you have rights in respect of automated decision making, including profiling. Where we carry out solely automated decision making, including profiling, which has legal or similarly significant effects on you, we can only do this if it is in connection with a contract with you, we have a right under law or you have provided your explicit consent. We will tell you if this happens and tell you how you can request human intervention or challenge the decision. If you want to exercise this right, please contact the Information Manager at the contact details above. If you want to know more about this right, the ICO has more guidance on their website: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/rights-related-to-automated-decision-making-including-profiling/
Processing based on consent
Where the Institute processes your personal data based on your consent you have the right to withdraw that consent at any time without reason. You can opt-out by using the unsubscribe option in any marketing that we send you or by logging into the Preference Centre in MyCG and updating your preferences.
The right to lodge a complaint to a supervisory authority
If you are unhappy with any aspect of our handling of your data, you can make a complaint to the Head of Secretariat, who will consider the matter for you, you can submit your complaint to https://www.cgi.org.uk/making-a-complaint. If you are still not satisfied, you can make a complaint to the Information Commissioner’s Office - https://ico.org.uk/concerns/
Cookies
A cookie is a small piece of information sent by a web server to a web browser, which enables the server to collect information from the browser. Find out more about cookies on http://www.allaboutcookies.org/
We use cookies to identify you when you visit this website and to keep track of your browsing patterns and build up a demographic profile of our site users so that we can continue to improve it.
Our use of cookies also allows registered users to be presented with a personalised version of the site, carry out transactions and have access to information about their account.
Most browsers will allow you to turn off cookies. If you want to know how to do this please look at the menu on your browser, or look at the instruction on http://www.allaboutcookies.org/ Please note, however, that turning off cookies will restrict your use of our website.
The table below demonstrates which cookies we use, what they do and what disabling them will mean for your continued use of our online services.
| Cookie | What it does | The consequences of disabling the cookie |
|---|---|---|
| First party (Institute) session cookie | Session cookies enable you to move around the website and use its features, such as accessing secure areas. These cookies do not contain any personal information. | Without these cookies, services on the website may not function properly. |
| First party (Institute) Persistent cookie: dontShowCookieBar | This cookie records whether a user has accepted cookies on our website. | Without this cookie, the cookie information bar will continue to be displayed. |
|
Third party (Google analytics) persistent cookies |
These cookies collect information about how visitors use our site. This information helps us to improve our site performance. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. |
To disable: Download the Google Analytics opt-out browser here Consequences: Your visit to our website will not be recorded and reported by Google Analytics. Your web use will not be impaired. |
By continuing to use the Institute's website you agree to accept cookies on your device in accordance with this policy. This policy only relates to our website and does not cover links to third parties.
Third party websites
Our website may contain links to other websites that are outside our control and are not covered by this privacy notice. If you access other sites using the links provided, the operators of these sites may collect information from you that will be used by them in accordance with their privacy policy, which may differ from ours.
The security of the personal data that the Institute processes
The Institute protects the personal data that it holds with technical and organisational security measures. Our cyber security arrangements and framework of data protection policies, procedures and training are kept under regular review to ensure that we keep the data we hold secure.
Changes to the privacy notice
This privacy notice was first published on 18 May 2018. It is regularly reviewed and will be updated when necessary. If we make any significant changes we will communicate them to you.
Queries
If you have any queries about the policy and how it affects you, please contact the Information Manager via do@cgi.org.uk or in writing at The Chartered Governance Institute UK & Ireland, Saffron House, 6-10 Kirby Street, London, EC1N 8TS.