1. Purpose and Scope
1.1 This Policy sets out how the British Polygraph Society processes personal data in its capacity as a data controller, and the confidentiality duties owed by members in their capacity as BPS members.
1.2 This Policy does not replace any data protection notice or duty of confidence owed by a member to their own examinees, clients, or employers. Members act as data controllers (or processors) in respect of their own practice and shall maintain their own compliance with the UK GDPR and the Data Protection Act 2018.
2. The Society as Data Controller
2.1 The Society is a data controller for the personal data it holds about applicants, members, complainants, and persons participating in Society activities.
2.2 Data protection queries to the Society should be addressed to the Secretary, either by email to [email protected] or by post to the Society’s correspondence address:
The Secretary
British Polygraph Society
Oxford Centre for Innovation
Blue Boar Court, Alfred Street
Oxford OX1 4EH, United Kingdom
3. Categories of Data Processed by the Society
3.1 The Society processes:
- applicant and member identification and contact data (name, address, email, telephone, date of birth);
- professional data (APA membership number, training history, qualifications, references, insurance details, specialisms, DBS disclosure information);
- financial data (subscription payments, fees paid and owed);
- complaints data (allegations, responses, panel findings, sanctions);
- directory data (information published in the BPS public directory); and
- website and communications data (including IP addresses and email engagement data).
4. Purposes and Lawful Bases
4.1 The Society processes personal data for the following purposes and on the lawful bases indicated:
- administration of membership (contract with the member; legitimate interests of the Society in operating as a membership body);
- operation of the public directory (consent of the member, recorded in the Member Undertaking);
- complaint handling and discipline (legitimate interests of the Society and the public in the proper functioning of the professional body; where special category data is involved, processing is necessary for the establishment, exercise, or defence of legal claims, or for reasons of substantial public interest within the meaning of Schedule 1 to the Data Protection Act 2018);
- legal and regulatory compliance (legal obligation);
- communication with members and applicants (legitimate interests; for marketing to non-members, consent under PECR).
5. Retention
5.1 Data is retained for no longer than is necessary for the purposes for which it was collected. Indicative retention periods:
- membership records: during membership and for six years after termination;
- complaints records: six years after final determination;
- financial records: six years from the end of the financial year to which they relate;
- directory records: during the member’s listing; archive of prior listings retained for two years.
6. Disclosure
6.1 The Society may disclose personal data to:
- members of the Committee and panels, for the purposes set out in this Policy;
- the independent examiner of accounts;
- professional advisors (legal, accounting, IT);
- service providers operating on the Society’s behalf (for example, web hosting, email, payment processing), under written data processor terms;
- courts, regulators, and other public bodies where required or permitted by law; and
- the APA, where necessary to verify a member’s APA certification status.
6.2 The Society does not sell personal data.
7. International Transfers
7.1 Where personal data is transferred outside the United Kingdom, the Society relies on a permitted transfer mechanism under the UK GDPR (for example, the UK adequacy regulations, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses).
8. Data Subject Rights
8.1 Data subjects have the following rights in respect of their personal data held by the Society:
- to be informed about processing (Article 13/14 UK GDPR);
- of access (Article 15);
- to rectification (Article 16);
- to erasure in certain circumstances (Article 17);
- to restrict processing (Article 18);
- to data portability for data processed by automated means on consent or contract (Article 20);
- to object to processing based on legitimate interests (Article 21); and
- rights in relation to automated decision-making (Article 22).
8.2 Requests should be made in writing to the Secretary. The Society will respond within one month, extendable by two further months where the request is complex.
8.3 Data subjects have the right to complain to the Information Commissioner’s Office (ico.org.uk) if they consider that their rights have been infringed.
9. Security
9.1 The Society takes appropriate technical and organisational measures to secure personal data against unauthorised access, loss, or disclosure, including:
- role-based access to systems;
- encryption of data in transit;
- multi-factor authentication for administrative accounts;
- written data processor terms with service providers;
- incident response procedures; and
- breach notification to the Information Commissioner’s Office and to data subjects where required.
10. Confidentiality Duties of Members
10.1 Members shall maintain the confidentiality of information obtained in the course of polygraph examinations, in accordance with paragraph 6 of the Code of Ethics.
10.2 Members shall process examinee personal data in accordance with the UK GDPR and the Data Protection Act 2018 and, where acting on the instruction of a retaining party, in accordance with that party’s lawful instructions.
10.3 Members shall, where acting as data controllers in their own right, provide examinees with a privacy notice compliant with Article 13 UK GDPR.
11. Breach Notification
11.1 Members shall notify the Secretary, in writing, of any personal data breach affecting data held on behalf of the Society within 24 hours of the member becoming aware of it.
11.2 The Society shall notify the Information Commissioner’s Office of any notifiable breach within 72 hours of becoming aware of it, and shall notify affected data subjects where the breach is likely to result in a high risk to their rights and freedoms.
12. Changes to this Policy
12.1 This Policy is reviewed annually. Material changes shall be notified to members and published on the Society’s website.
Published by
British Polygraph Society
Oxford Centre for Innovation
Blue Boar Court, Alfred Street
Oxford OX1 4EH, United Kingdom
[email protected]
This document is published by the British Polygraph Society, a professional body for polygraph examiners constituted by its members in 2017 and governed by a written Constitution under the law of England and Wales. For corrections or queries, contact the Secretary at the address above.
© 2026 British Polygraph Society. All rights reserved. This is a governing document of the Society. It may be quoted briefly for commentary, reporting, or study in accordance with fair-dealing exceptions under the Copyright, Designs and Patents Act 1988. It may not be reproduced in full, adapted, or redistributed — whether online or in print — without the Society's prior written permission. Requests for permission should be addressed to the Secretary at the correspondence address above.