Privacy policy

Updated April 2026

Contact information

Post  
Bride House, 18-20 Bride Lane, London, EC4Y 8EE, GB  

Telephone  
02078420900  

Email  
BSR@rheumatology.org.uk  

This privacy policy explains what happens to any personal data that is provided to BSR. 

The type of information we collect and hold about you will depend on your interaction with us.  

If for any reason you give us personal information on behalf of or about someone else, you should ensure that you have the right to provide us with that information, and direct that person to this policy to inform them how we will process their data.  

Our National Early Inflammatory Autoimmune Disease Audit (NEIAA) has its own privacy policy. You can find this here: https://myarthritisaudit.org.uk/pagesMYPatientPortal/patprivpolicy  

How do we receive your data?  

Most of the personal information we process is provided to us directly by you for one of the following reasons:  

• You have begun or completed a membership application 
• You have registered with MyBSR 
• You have enquired, been interested in or booked to attend an event, webinar or education course or you may have booked or registered someone else 
• You have registered for a product or service 
• You have completed a customer survey 
• You have provided feedback or made a complaint 
• You have taken part in a competition or applied for an award or bursary 
• You have enquired about or applied for a job or volunteering opportunity at BSR
• You have worked or volunteered for BSR as staff, a contractor or volunteer within the last 6 years
• You have submitted a general enquiry or question  
• You have worked with us as a partner or stakeholder  
• You have submitted your details to one of our patient registers or audits 
• You have used our website or portals  

We also receive personal information indirectly, in the following scenarios: 

• Someone makes a booking or registered you for a BSR product on your behalf 
• One of our service partners has provided us with your data as per their data agreements with you 
• An employee of ours gives your contact details as an emergency contact or a referee 
• From other public authorities, regulators, law enforcement bodies and stakeholders 
• An agency recruiter shares your data with us (with your advance permission) for a role they have been engaged by us to work on 

What information do we collect about you? 

• Personal data that is provided to us; this may include names, your age, job details, addresses, contact details and other identifying information. 
• Depending on your interaction with BSR, we may also have collected the below special categories of personal data: 
  • race; 
  • ethnic origin; 
  • political opinions; 
  • religious or philosophical beliefs; 
  • trade union membership; 
  • health data; 
  • sexual orientation. 
• Information about your use of our websites including details of your visits such as pages viewed and the resources that you access.   
• Website usage information is collected using web server logs, cookies, or other website tracking tools.   
• CCTV footage, photographs or other recordings.  

Our website contains links to other websites.  This privacy policy only applies to BSR’s website so when you link to other websites you should read their own privacy policies.   

How will we use the information about you?  

We use the information we collect from you according to the UK General Data Protection Regulation (UK GDPR).  

We will use your personal information for the purposes for which you provided us with it, any associated purposes described at the point that information was collected, and any legitimate interest purposes. This includes the following purposes:  

• To help us identify you, both for our own purposes and for approved providers.  
• To enable you to receive the service you have requested.  
• If you are a member, to administer your membership record. 
• To inform you of campaigns, discounts and offers, provide services and fulfil our obligations to you (including billing).  
• If you are a member, to add your details to our member directory which is searchable by all existing members. You can opt out of this service at any time. 
• To provide you with information about services or opportunities offered by the BSR or its carefully selected partners. You can opt out of non-transactional mailing lists at any time. 
• If you are a member of staff or volunteer, including applicants, we will use your data to progress your application, or to fulfil legal or regulatory requirements. 
• Research, survey completion and profiling.  
• Statistical analysis and behavioural analysis.  
• To improve the services provided by the BSR. 
• To personalise your repeat visits to our website.
• To enforce our Privacy Policy.  
• To comply with our legal obligations.  

If you are a member, we also collect and process your data in accordance with the notices provided to you when you join and during your membership; however, this policy also applies to your data.  

BSR will only use your information in accordance with your mailing preferences. Please contact the membership team at 

membership@rheumatology.org.uk to opt out or amend your mailing preferences or log in to your BSR member account and manage your own mailing preferences in ‘My BSR’.  This can be done at any time, and we will stop contacting you.   

What are our lawful bases for processing your data? 

The lawful basis for processing your data depends on your interactions with us. Below we have outlined which bases are relevant across the organisation. We follow GDPR guidance in ensuring all data that we process falls within one of these lawful bases. For more information about a specific service, you can contact us using the details at the top of this document.  

(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose. 

(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract. 

(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations). 

(d) Vital interests: the processing is necessary to protect someone’s life. 

(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law. 

(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.  

Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:  

• Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for.  Read more about the right of access.  
• Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete.  Read more about the right to rectification.  
• Your right to erasure - You have the right to ask us to delete your personal information.  Read more about the right to erasure.  
• Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information.  Read more about the right to restriction of processing.  
• Your right to object to processing - You have the right to object to the processing of your personal data.  Read more about the right to object to processing.  
• Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you.  Read more about the right to data portability.  
• Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time.  Read more about the right to withdraw consent.  

If you make a request, we must respond to you without undue delay and in any event within one month.  

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.  

Who will we share your data with? 

We will share your details with third parties that BSR are contracted with to enable you to receive the BSR services relevant to you which varies depending on who you are, what data you have shared and what services we are providing to you.  

We will share your data with: 

• Suppliers and data processors  
• Government bodies (e.g HMRC)  
• Professional consultants  
• Project partners and stakeholders, this can include project sponsors 
• IT support contractors   

How long will we retain your data for?

We retain your data as per our data retention and disposal policy. Below is a guide for how long we retain key data for, but if you would like further information, please contact us using the details at the start of this document. 

Patient data in our registries 

Alongside the above information in this policy, we are also a data controller for patient data in our patient registers. Additional information for these projects can be found below. 

The British Society for Rheumatology and our academic partners, the Universities of Manchester & Aberdeen, are the data controllers for the BSR patient registers and are responsible for the way in which your data is processed.  

We work together to ensure that your data is processed fairly and lawfully in accordance with the requirements of UK Data Protection legislation.  

There are a number of rigorous procedures in place to protect your personal data and keep it secure:  

• Information that might identify individuals (such as name and address) is kept separate from other information about participants  
• Computer security is in place to block unauthorised access to computers/systems that hold personal information and individual records are password protected.  
• Approved data processors (who have appropriate security measures in place) may have access to your personal information for data processing purposes only. The data processing will only ever be for the purposes of this study and contractual agreements will be put in place for this purpose to ensure the safety of your data.  
• If your information is provided as part of a larger dataset to researchers outside of the Registers study teams in a dataset, we will not include any information that could identify you.  

A number of pharmaceutical companies who manufacture rheumatology therapies will have access to some study data for further safety monitoring but this will not include directly identifiable information such as name or NHS or CHI number in Scotland. It will include your initials, gender and month and year of birth. This is for the purpose of updating records with the UK Medicines and Healthcare products Regulatory Agency (MHRA) and the US Food and Drug Administration (FDA). As the pharmaceutical companies are international, there is a possibility that medical information may be sent outside of the UK and outside of the European Union for analysis. By signing the consent form you are agreeing to this transfer.  Any study results or published reports using the data will not include your name.  

Your medical records will state that you are participating in a BSR Register and by signing a participant consent form, you are allowing Rheumatology health care professionals or approved data processors to have access to information from your medical records relevant to the study for the purposes of capturing the data.   

In certain circumstances your medical records or study data may be looked at by a government drug regulatory agency such as the Medicines and Healthcare products Regulatory Agency (MHRA) or by authorised members of the Registers study team, the Data Monitoring and Ethics Committee or a hospital.  This is for the purpose of checking that the data is correct or checking that the study is being carried out properly.  

We are collecting and storing this personal identifiable information in accordance with data protection law which protects your rights. These state that we must have a legal basis (specific reason) for collecting your data. For the registers study, the specific reason is that it is “a public interest task” and “a process necessary for research purposes”.   

How can you complain? 

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.  

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.  

The ICO’s address:             
Information Commissioner’s Office  
Wycliffe House  
Water Lane  
Wilmslow  
Cheshire  
SK9 5AF  

Helpline number: 0303 123 1113  

Website: https://www.ico.org.uk/make-a-complaint