Data Protection Policy


1. INTRODUCTION

This policy outlines how AQLR collects, uses, stores, and protects personal data in accordance with the UK GDPR and the Data Protection Act 2018. AQLR is committed to ensuring that personal data is processed lawfully, fairly, transparently, and securely.

2. SCOPE

2.1. This policy applies to:
2.1.1. All members of AQLR
2.1.2. Volunteers and contractors acting on behalf of AQLR
2.1.3. Officers of the AQLR Executive Committee
2.1.4. All data subjects whose personal data is held or processed by AQLR, including members, trainees, volunteers, and service users

3. DEFINITIONS

3.1. Personal Data: Any information relating to an identified or identifiable person
3.2. Processing: Any operation performed on personal data (e.g., collection, storage, use, transmission)
3.3. Data Subject: The individual whose personal data is processed
3.4. Data Controller: AQLR, which determines the purposes and means of processing personal data

4. LEGAL BASIS FOR PROCESSING

AQLR processes personal data under the following lawful bases:
4.1. Contractual necessity: To fulfil obligations associated with AQLR membership or event participation
4.2. Legal obligation: To comply with legal requirements including statutory reporting
4.3. Legitimate interests: To manage the membership body, respond to inquiries, and support professional standards
4.4. Consent: Where specific consent is obtained, e.g., for publication in directories or email notifications

5. CATEGORIES OF PERSONAL DATA COLLECTED

AQLR may collect the following data:
5.1. Name, contact details, and professional title
5.2. QLR status, regulatory affiliation, and membership ID
5.3. Court appointment records and training history
5.4. Payment and transaction records for membership fees
5.5. Communication records including emails and form submissions
5.6. Sensitive data (e.g., health declarations or safeguarding disclosures) is collected only where strictly necessary and processed with explicit consent or legal basis.

6. DATA COLLECTION METHODS

Data is collected through:

6.1. Membership registration forms (paper or digital)
6.2. Website contact forms and event sign-ups
6.3. Email communications and feedback forms
6.4. Legal appointment records where applicable

7. DATA USE

Personal data is used for:
7.1. Membership administration
7.2. Event coordination and training delivery
7.3. Communications regarding AQLR updates and professional opportunities
7.4. Statutory and regulatory compliance
7.5. Internal policy development and governance


8. DATA SHARING

AQLR does not share personal data with third parties unless:
8.1. Required by law or regulation (e.g., with HMCTS or the Legal Aid Agency)
8.2. Necessary for secure payment processing
8.3. Explicit consent is provided by the data subject
8.4. All third-party processors are required to comply with data protection legislation and AQLR’s standards.


9. DATA STORAGE AND RETENTION

9.1. Data is stored securely on password-protected systems or encrypted cloud services
9.2. Paper records are kept in locked storage and securely disposed of when no longer needed
9.3. Personal data is retained only for as long as necessary for the purposes for which it was collected
9.4. Membership records: 6 years after last activity
9.5. Financial data: 6 years (per HMRC requirements)
9.6. Event and training attendance: 2 years
9.7. Emails and communications: reviewed annually

10. DATA SUBJECT RIGHTS

Under the UK GDPR, individuals have the right to:
10.1. Access their personal data
10.2. Rectify inaccurate or incomplete data
10.3. Request erasure (“right to be forgotten”)
10.4. Restrict or object to processing
10.5. Data portability (where applicable)
10.6. Lodge complaints with the Information Commissioner’s Office (ICO)
10.7. Requests should be made in writing to admin@aqlr.org.uk.

11. SECURITY MEASURES

AQLR implements:
11.1. Access controls and two-factor authentication where possible
11.2. Encrypted communications for sensitive matters
11.3. Regular data audits and compliance reviews
11.4. Confidentiality agreements with committee members and contractors

12. DATA BREACH MANAGEMENT

In the event of a data breach:
12.1. AQLR will assess the severity and notify the ICO within 72 hours if required
12.2. Affected individuals will be informed if there is a high risk to their rights or freedoms
12.3. An incident log will be maintained and reviewed by the Executive Committee


13. TRAINING AND COMPLIANCE

All officers, volunteers, and those handling personal data will:
13.1. Be provided with data protection awareness training
13.2. Follow procedures set out in this policy
13.3. Be subject to disciplinary procedures in case of non-compliance

14. POLICY REVIEW

This policy will be reviewed annually or earlier if:
14.1. Legislative changes require it
14.2. A major data breach occurs
14.3. There are significant organisational changes