MHRA and data protection law

The Modern Humanities Research Association (‘the Association’) needs to collect and use certain types of information about individuals who come into contact with the Association in the course of its publishing and grant-giving activities, and in the course of servicing its membership. Any personal information, whether collected and stored in electronic or paper form, must be appropriately dealt with. The Association fully complies with the General Data Protection Regulation, or GDPR, which is EU legislation replacing and strengthening the UK’s Data Protection Act 1998.

Because the Association is not a public authority, and its core activity does not involve large-scale monitoring of data subjects, or large-scale holding of protected personal data as defined in Articles 9 or 10, GDPR does not require us to employ a Data Protection Officer (see Article 37.1). As a small organisation with relatively little data, we have therefore chosen not to do so.

In the interests of good charity governance, however, we have designated a Trustee to take responsibility for data protection issues as they arise, and to oversee the work of our data controllers and processors. The Data Protection Trustee can be contacted at data-protection@mhra.org.uk and is happy to respond to any concerns or questions from data subjects or employees of the Association.

In particular, the Data Protection Trustee oversees implementation of measures to ensure compliance with GDPR, and ensures that trustees, staff, contractors, volunteers and others acting in the Association’s name are handling data in accordance with the Principles of Data Protection laid out in Articles 5 to 11 of GDPR.

This policy will be periodically reviewed and updated to reflect best-practice developments and to comply with amendments made to GDPR post-Brexit, when the Data Protection Bill currently before Parliament becomes law.

Your rights as a data subject

In general we hold as little data as possible that could cause any harm if breached, and most of what we store is in the public domain (for example, the contents pages of our publications) or relatively harmless (for example, email addresses of academics already published online). Unless you have signed up for our mailing list, worked for us, published with us, or done commercial business with us, you are not likely to be one of our ‘data subjects’, that is, somebody on whom we hold data.

1. Under GDPR Article 15 you have the right to ask us if we do hold data on you, and if so, what, and on what basis. Any such enquiries should be made to data-protection@mhra.org.uk. We will reply within 30 calendar days.

Should it prove that data on you is mistaken, under Article 16 you then have a right to ask us to correct such an error.

2. Under GDPR Article 17 you have the ‘right to be forgotten’: to require us to delete data which is no longer needed, or held only by your consent.

Except for our occasional news mailing list, which is easy to unsubscribe from, we hold little or no data by consent, so the scope for Article 17 is limited. For example, if you published an article in one of our journals, and we have a copyright form which you signed at the time, we are required to keep that form.

However, we will look at any Article 17 request case by case to ensure that your rights are fully upheld. Such a request should be made to: data-protection@mhra.org.uk.

3. Under GDPR Article 13 you have the right to know what we keep, why, and for how long, whenever you provide us with data on yourself.

Article 13.1 requires the Association to declare the Data Controller for our data: we are a small organisation, and the Data Controller is the Association itself (as it was also under the terms of the Data Protection Act 1998).

Article 13.2 provides that you may, if not satisfied with our response, complain to the regulator. Since the Association is based in the UK, this is the Information Commissioner’s Office or ICO.

Our full policies as they affect you are available in response to an Article 15 request (see above), but in brief:

(a) If you join the Association, which is both a charity and a company limited by guarantee, we are required to keep membership records by law. If you then leave, or your subscription lapses, your contact details will be kept for a reasonable period in case the lapse was accidental, since many members do forget to renew but then rejoin. After this period, the record of your membership will be deleted.

(b) If you make a grant application, or propose a book or article for publication, then we need to store contact details on you, and will in general keep your application form or proposal on file while it is being considered. We will then retain it for a period in case of any dispute or reconsideration, because it is not unknown for an abandoned proposal to be revived some years later in a new form.

(c) If you publish with us, and sign a book contract or chapter/article copyright form, we will keep that indefinitely, since we may later need to prove ownership of the copyright.

(d) If you place a commercial order with us (for example, by buying books from us directly, rather than from a bookshop), or if you work for us as a freelance or permanent employee, we keep records of this in line with normal business practice.

(e) If you choose to sign up for our email news list, we store your email address; you can unsubscribe at any time using the link on each email sent.

Third parties

The Association does not sell your data, and in general data is only passed on to third parties in small quantities and for clearly necessary purposes. The most common example is that if you buy a book from us, or you are an author and we send you copies of your book, then we need to give your address to a shipping company.

If you live outside Europe, this may mean giving postal addresses to bodies which are also outside Europe, such as our printers in the USA, or the US Postal Service, or UPS. We do this only as necessary to keep our side of a contract with you: see GDPR Article 49 for the lawful basis, but we hope most people will agree that this is unavoidable.

In general, if we need to send data outside the jurisdiction of GDPR, we will aim to do so either (a) to countries which the EU considers to have similar protections, or (b) to companies with certified safeguards on privacy, such as those in the EU-US Privacy Shield agreement.

The website

We routinely collect statistical information about access to and use of this website through our server logs, but this information is not reported or used in such a way as to reveal personal information about you, nor would such information be shared with a third party.

www.mhra.org.uk uses no cookies, either for tracking or analytics.

www.bibliographia.net which hosts the UTREES bibliography runs on WIKINDX software that uses PHP sessions/cookies to store temporary data (for its navigation and environment). Personal information about users is not stored.