Privacy Policy

Who we are

The Institute of Chartered Foresters (ICF) is the UK’s Royal Chartered professional body offering the Chartered Forester and Chartered Arboriculturist titles.

Scott House (Mull Office, Sixth Floor)
10 South St Andrew Street
Edinburgh
EH2 2AZ

The Data Controller is the Institute of Chartered Foresters.

Data Protection Officer: Mark Goodwin, Marketing & Communications Manager, Institute of Chartered Foresters.

For the Privacy Policy for the web-based learning platform, Silvestor (owned and hosted by the Institute of Chartered Foresters), visit silvestor.org.uk

The Institute of Chartered Foresters is committed to upholding your privacy and taking the utmost care with your personal data as a valued member, customer and user of our website. This Privacy Policy explains the Institute’s approach to how we use and protect the information that you provide to us. The Institute complies with the UK Data Protection Act 2018 and the UK General Data Protection Regulation in managing personal data. This means that your personal data will be:

  1. Processed lawfully, fairly, and in a transparent manner.
  2. Collected for specified, explicit and legitimate purposes.
  3. Only collected so far as required for our lawful purposes.
  4. Kept as accurate and up to date as possible.
  5. Retained for a reasonable amount of time, in accordance with retention policies.
  6. Processed in a manner which ensures an appropriate level of security.

There are several ways in which we may collect personal data, including:

  • Email and written correspondence
  • Telephone discussions
  • Visits to our website (e.g. behaviour tracking, E-News sign up form)
  • Social media engagement
  • Membership application forms
  • Applications for the ICF Directory of Consultants
  • Jobs Board submissions
  • Feedback forms
  • Our Members Area
  • Applications for ICF-hosted initiatives (e.g. Emerging Leader Programme, Educational & Scientific Trust bursary applications)
  • Trustee and volunteer information forms
  • BACS and Direct Debit payment requests
  • Expense claims for volunteers
  • Information requests
  • Event booking forms
  • From our members’ employers (e.g., when employers pay for subscription fees)
  • Direct contact at our offices and elsewhere
  • Photography and videography at specific events


Please note that this is an indicative list, not exhaustive, and is kept under review.

In all instances it should be clear that we are collecting your personal data.

We collect personal data to fulfil our role as a professional membership body. This involves a range of data processing activities, and we collect only the information relevant to the purposes for which it is to be used. We take every precaution to ensure that your data is accurate, complete, up-to-date, and secure.

Members

The personal data collected and processed pertaining to our members may include:

  • Personal identifiers – including name, date of birth, gender
  • Contact details – including phone numbers, home and business address, email address
  • Employment details – including current and previous employers
  • Education and training – including academic achievements, training courses, professional certificates
  • Records of Continuing Professional Development (CPD)
  • Attendance records for our courses and events
  • Information pertaining to investigation and disciplinary procedures
  • Records of enquiries, meetings, complaints, and other forms of direct engagement
  • Records of physical and electronic correspondence
  • Payment information (e.g. bank account details for BACS and direct debit payments, debit/credit card details, records of membership and event payments)
  • Assessment applications and resulting data (e.g. Professional Membership Entry (PME) and Technical Membership Entry (TME), SocEnv (CEnv) application forms, performance results)
  • Information regarding other delegates in group event bookings
  • Dietary/accessibility information
  • Photography/videography at events
  • Ethnicity

Non-members

Such individuals might include members of the public, business contacts, those interested in the work of the Institute, or individuals attending events we have organised. The personal data collected and processed from these individuals may include:

  • Personal identifiers – including name, date of birth, gender
  • Contact details (including address, email, telephone number)
  • Employment details – including current and previous employers
  • Education and training – including academic achievements, training courses, professional certificates
  • Records of enquiries, meetings, complaints, and other forms of direct engagement
  • Attendance records for our courses and events
  • Information regarding investigation and disciplinary processes
  • Records of physical and electronic correspondence
  • Payment information (e.g. bank details for BACS payments, debit/credit card details, records of event payments)
  • Information regarding other delegates in group event bookings
  • Dietary/accessibility information
  • Photography/videography at events

     

Note: We do not knowingly collect personal data from children under the age of 16. If we discover that we have collected such data, we will take steps to delete it promptly and, where appropriate, notify the parent or guardian.

When you use our website, we automatically collect certain information about your device and how you interact with our site. This helps us understand our visitors better and improve our services.

What we collect:

  • Technical details such as your IP address, browser type, operating system, and device information
  • Usage information such as pages you visit, how long you stay, the links you click, and the way you navigate through the site
  • Information provided by third parties, such as analytics providers, advertising networks, or social media platforms, when you interact with our content on their services

How we collect it:

  • Through cookies, pixels, and similar tracking technologies
  • Using analytics tools that track website performance and visitor behaviour (we use Google Analytics 4 currently for this purpose)

Why we collect it:

  • To operate, maintain, and improve the performance of our website
  • To keep our website secure and prevent misuse
  • To analyse traffic and trends so we can improve our communications and services

Your choices:

You can control or disable cookies through your browser settings. Some third-party services we use also provide opt-out options (for example, Google Analytics 4). Please note that disabling certain cookies may affect how the website functions.

| Cookie | Domain | Description | Type |
|---|---|---|---|
| _ga | .charteredforesters.org | The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site’s analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors. | Analytics |
| _gid | .charteredforesters.org | Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website’s performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously. | Analytics |
| _gat_UA-* | .charteredforesters.org | Google Analytics sets this cookie for user behaviour tracking. | Analytics |
| _ga_* | .charteredforesters.org | Google Analytics sets this cookie to store and count page views. | Analytics |
| elementor | .charteredforesters.org | This cookie is used by the website’s WordPress theme. It allows the website owner to implement or change the website’s content in real-time. | Necessary |
| wpEmojiSettingsSupports | .charteredforesters.org | WordPress sets this cookie when a user interacts with emojis on a WordPress site. It helps determine if the user’s browser can display emojis properly. | Necessary |
| ASP.NET_SessionId | icf.cpdnow.net | Issued by Microsoft’s ASP.NET Application, this cookie stores session data during a user’s website visit (Members Area). | Analytics |
| page | icf.cpdnow.net | Records information about the user’s session, preferences, and behaviour in the Members Area. | Analytics |
| dnn_IsMobile | icf.datawareonline.co.uk | This cookie is set by the provider DNN platform. This cookie is used by the CMS to determine if the visitor is browsing from a mobile device. It is necessary for the site functionality. | Necessary |
| .ASPXANONYMOUS | icf.datawareonline.co.uk | This cookie is set by ASP.NET and is used to track users within a session without requiring the user to log in. | Necessary |
| ASP.NET_SessionId | icf.datawareonline.co.uk | Issued by Microsoft’s ASP.NET Application, this cookie stores session data during a user’s website visit. | Necessary |
| language | icf.datawareonline.co.uk | This cookie is used to store the language preference of the user. | Functional |
| ARRAffinity | icf.datawareonline.co.uk | ARRAffinity cookie is set by Azure app service, and allows the service to choose the right instance established by a user to deliver subsequent requests made by that user. | Necessary |
| ARRAffinitySameSite | icf.datawareonline.co.uk | This cookie is set by Windows Azure cloud, and is used for load balancing to make sure the visitor page requests are routed to the same server in any browsing session. | Necessary |

While providing our services as a professional membership body, we may collect special categories of personal data about you (sensitive data) for event facilitation as appropriate. This may include:

  • Evidence of medical conditions where reasonable adjustments have been put in place for assessment processes
  • Special dietary or access requirements, for example, if you are attending an event hosted by the ICF
  • Ethnicity, for example the work of the Institute’s Equality, Diversity and Inclusion working group

We will not use this information without prior agreement, and only where necessary. This information is collected to fulfil service obligations and only where necessary.

Our purpose for collecting this information is so we can facilitate our events and provide you with an acceptable service, and the continued diversification of the sector.

The lawful basis we rely on for processing your personal data is your consent under article 6(1)(a) of the UK GDPR. When we collect any information about dietary or access requirements, we also need your consent (under article 9(2)(a)) as this type of information is classed as special category data.

Sensitive data and Data Protection Impact Assessments (DPIAs): Where required, we will conduct a DPIA and notify affected individuals if the assessment identifies a high risk to their privacy.

Certain information is necessary for us to deliver our services and comply with the law. If you decide not to share required data, we may not be able to provide some (or all) of our agreed services to you.

The Institute will only process your personal data where we believe we have a lawful basis to do so. The basis for processing depends on the information provided and the context for processing.

We will only use your information where:

  • We have your consent to do so
  • We need to process your personal information to perform a contract, e.g. providing member services and event bookings
  • We have a legitimate interest in processing your data e.g. using booking information to inform future event planning and monitoring sector trends

The six legal bases for the processing of personal data, as governed by UK GDPR and the Data Protection Act 2018, are as follows:

Consent
You have given clear consent to the Institute to process your personal data (e.g. for the provision of membership services, event administration, providing requested communications).

Contract
The processing is necessary for the performance of a contract.

Legal obligation
The processing is necessary for us to comply with the law.

Vital interests
The processing is necessary to protect your vital interests, including the protection of rights and freedoms.

Public interests
Where the processing serves the public interest.

Legitimate interests
The processing is necessary for the Institute’s legitimate interests or legitimate interest of a third party, unless the processing is overridden by the vital interests, including rights and freedoms.

We use and store the personal data we collect so that we can fulfil our obligations as a professional membership body. The personal data we collect will also enable us to contact you regarding important information pertaining to your membership.

Most commonly, we will use your personal data in the following circumstances:

  • Where we need to perform the contract we have entered into with you
  • Where we have obtained consent
  • Where it is necessary for our legitimate interests (or those of a third party) in our role as a professional membership body
  • Where we need to comply with a legal or regulatory obligation

This includes, but is not limited to:

| Activity | Type of Data | Lawful Basis |
|---|---|---|
| Managing our relationship with you | Personal identifiers; Contact details | Consent; Contract; Legitimate interests |
| Administering member services | Personal identifiers; Contact details; Employment details; Education and training; Financial information | Consent; Contract; Legitimate interests |
| The organisation, administration and marketing of events | Personal identifiers; Contact details; Employment details; Dietary/accessibility information; Financial information; Photography and videography at specific events | Contract; Legitimate interests |
| Assessment processes and awarding of qualifications | Personal identifiers; Employment details; Education and training; Attendance records; CPD records; Financial information | Contract |
| Processing enquiries of updates to member details | Personal identifiers; Contact details; Employment details; Education and training; Attendance records; CPD records | Contract; Legitimate interests |
| Member CPD administration | Personal identifiers; Contact details; Attendance records; CPD records | Contract; Legitimate interests |
| Issuing ICF communications, both physical and digital, e.g. TREES magazine, E-News, event notifications | Personal identifiers; Contact details | Consent; Contract; Legitimate interests |
| Notifying you of key operational updates and changes to your membership (including, but not limited to, member renewals, AGM notices and Bylaw changes, governance notices). | Personal identifiers; Contact details | Contract; Legal obligation; Legitimate interests |
| Taking payments for Institute-related services | Personal identifiers; Contact details; Financial information | Contract; Legal obligation |
| Contributing to the ongoing development of the sector | Personal identifiers | Consent; Legitimate interest |

Some of our processing activities in providing membership services require that we share personal data with third party service providers. Whenever we share personal data, we take all reasonable steps to ensure it will be handled appropriately and securely by the third party.

Data sharing agreements ensure that personal data is shared appropriately in a way that complies with the law, is fair, transparent, and in line with the rights and expectations of the data subjects. They also address security surrounding the transmission of or access to the data and establish rules for its security. ICF data sharing agreements include:

  • Identification of all parties involved in the data sharing

Only the data necessary to complete the task is shared with third parties.

In some circumstances the disclosure of personal data to third parties may involve the transfer of data outside of the UK in accordance with the requirements of the applicable data protection legislation. As per this Privacy Policy, those signing up for any ICF services (member and non-member) acknowledge that personal data can be shared in this manner. We will only transfer personal data outside of the UK where we are satisfied that:

  • The country has data protection laws similar to the laws in the UK and a sufficient adequacy decision
  • The recipient has agreed through contract to protect the information to the same data protection standards as the UK
  • We have obtained consent from relevant data subjects to the transfer (by means of this Privacy Policy)

The main third parties with whom the Institute shares personal data include (but are not limited to):

ICF Governance

  • Trustees
  • Professional & Educational Standards Committee
  • Professional Complaints Panel
  • Examinations Board
  • Finance and Audit Committee
  • PME/TME assessors and Moderators
  • People and Culture Committee
  • Any other sub committees as required by council
  • Member Network Chairs, Secretaries and event organisers
  • ICF Representatives/Volunteers


Financial/ HR/ IT/ Administration

  • HR providers and Payroll solutions
  • IT Services e.g. Microsoft and Managed IT solutions, Website management etc
  • Accounting and Financial solutions and software e
  • Banks and merchant services

Membership

  • CRM provider – membership, events database, Directory of Consultants
  • Members Area host
  • Journal publishers Oxford University Press
  • Professional membership bodies
  • E-learning platform, hosts and training providers
  • Accreditation bodies
  • Digital mailer distribution platform
  • Mailing houses – for the distribution of the physical TREES magazine
  • Social media (pictures and videos of specific events)
  • Analytics platform

Events

  • Events platforms and services, e.g. Zoom Events, event venues and catering services (where applicable)

Occasionally we may engage with event services providers to, for example, provide personalised event materials. If this is the case, relevant delegates will be made aware and will be able to opt out if necessary.

Please note that this is an indicative list, not exhaustive, and is kept under review.

We regularly review and update our data handling procedures and ensure that appropriate technical security measures are in place to safeguard your information.

We strive to minimise, wherever possible, the amount of data we hold and ensure that our devices are secure and well protected to the latest industry standards.

Member records: Member records are retained by ICF for an indefinite period.

Non-member records: Active non-member records are retained by ICF until an individual opts out and so becomes inactive. Inactive non-members are deleted from the database three years after becoming inactive.

Ex-member records: Ex-member files are retained for a 15-year period on site, before being destroyed. Minimum information like name and date of birth and membership history are retained indefinitely to identify the individual should they wish to re-join at a later date.

The periods for which the ICF retains personal data are governed by the purpose for which the data has been obtained. In general terms, we will retain personal data for so long as required by law, or as may be required for record keeping, legal purposes, or our obligation as a Royal Chartered professional membership organisation.

Please note that we are required to retain certain information about our members indefinitely, such as the period of membership, qualifications, level of membership, financial records, and any records relating to member conduct.

If you would like more information about our retention timelines, please contact the Institute’s Data Protection Officer by email: mark.goodwin@charteredforesters.org

Individuals can access the data held about them at any time. Responses to requests for information will be made promptly and, in any event, within 30 days. If the Institute refuses a request, ICF will inform the individual why. Individuals have the right to complain to the supervisory authority and to a judicial remedy. The Institute will respond without undue delay and at the latest, within one month. In some circumstances ICF may be unable to provide you with your personal data (e.g. we are unable to provide candidates with copies of their marked examination scripts without compromising the confidentiality of a third party). ICF offers a comprehensive examination feedback service. Contact our Member Operations team for full details.

Right to be informed

Individuals have the right to be informed about the collection and use of their personal data.

Right of access

Individuals have the right to access and receive a copy of their personal data, and other supplementary information.

Right to rectification

The UK GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete.

Right to erasure

The UK GDPR introduces a right for individuals to have personal data erased.

Right to restrict processing

Individuals have the right to request the restriction or suppression of their personal data.

Right to data portability

The right to data portability allows individuals to obtain and reuse their personal data for their own purposes across different services.

Right to object

The UK GDPR gives individuals the right to object to the processing of their personal data in certain circumstances.

The UK GDPR has provisions on:

  • automated individual decision-making (making a decision solely by automated means without any human involvement); and
  • profiling (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.

Currently, the Institute does not engage in automated profiling or automated decision-making, and only basic, manual analysis of membership data is conducted for marketing purposes (e.g. mailers to specific members associated with Member Networks).

To find out more, visit the Information Commissioner’s Office website for further details.

The Institute, by law as a Royal Chartered professional membership body, must publish the names and membership status of all its members. This information will be publicly available both in print and on the ICF website.

 

Our website may include links to third-party websites, plug-ins, embedded content and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

 

If a member of any grade is subject to a disciplinary hearing in which the complaint is upheld, the complaint and its outcome will be reported in ICF’s TREES magazine. The member’s name may also be published. If a member is expelled from the Institute, their name may also be made publicly available – decisions to be made on a case-by-case basis.

If you wish to raise a concern or make a complaint about how your personal data is being processed by the ICF (or third parties as described above) or are concerned about how your data has been handled, you have the right to lodge a complaint with us or directly with the Information Commissioner’s Office (ICO).

You can raise a concern or lodge a complaint with the ICF in the following ways:

  • By emailing the Data Protection Officer directly at mark.goodwin@charteredforesters.org
  • By writing to the Data Protection Officer at Institute of Chartered Foresters, Scott House (Mull Office, Sixth Floor), 10 South St Andrew Street, Edinburgh, EH2 2AZ.

 

You can raise a concern or lodge a complaint with the ICO in the following ways:

  • Via the ICO website: https://ico.org.uk/concerns
  • By writing to the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

We keep this Privacy Policy under regular review and will place any updates on our website. Paper copies of the privacy notice may also be obtained by emailing icf@charteredforesters.org or in writing to our office at Institute of Chartered Foresters, Scott House (Mull Office, Sixth Floor), Edinburgh, EH2 2AZ.

By consenting to this privacy notice you are giving us permission to process your personal data specifically for the purposes identified.

In circumstances where consent is required for the Institute to process personal data, it must be explicitly given. For sensitive personal data, we will always tell you why and how the information will be used.

If you have any questions which are not covered in this notice, we suggest that you contact our Data Protection Officer by emailing mark.goodwin@charteredforesters.org

To help us deal with your query as quickly as possible, we recommend that you include the following in the email subject: ‘FAO Data Protection Officer’.
