Members

Privacy Policy

HEDG Privacy Policy

The Heads of Educational Development Group (“HEDG”, “we”, “us”, “our”) is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share personal information when you use our website, contact us, or interact with our members’ area. Under UK data protection law, the organisation that decides how and why personal data is used is the data controller.

1. Who we are

Heads of Educational Development Group (HEDG)
Woburn House
20–24 Tavistock Square
London
WC1H 9HF
United Kingdom

Email: info@hedg.ac.uk
Telephone: 020 7380 6769

HEDG is a registered charity, number 1181610. These contact details are published on the HEDG website.

2. The personal data we collect

We may collect and process personal data that you provide directly to us, including when you contact us by email, phone, or through the website contact form. Based on the public contact page, this may include your name, contact number, email address, how you heard about us, the nature of your enquiry, and the content of your message.

If you register for the HEDG website or members’ area, we may collect account information such as your username, email address, first name, last name, password, and related account administration details. The public registration and password-reset pages show that the site collects these details to create and manage user accounts.

We may also collect technical information when you use the website, such as IP address, browser type, device information, pages visited, and cookie or similar technology data, where relevant for website operation, security, and performance. Any use of cookies and similar technologies should be explained alongside your cookie settings and cookie policy.

3. How we use your personal data

We may use your personal data to:

  • respond to enquiries and provide information about HEDG
  • administer website accounts and access to the members’ area
  • manage relationships with members, prospective members, partners, and contacts
  • send important service or administrative communications
  • maintain the security and operation of the website
  • keep records and comply with legal, regulatory, accounting, or governance obligations

UK GDPR requires organisations to identify a lawful basis before processing personal data, and privacy notices should explain those uses clearly.

4. Lawful bases for processing

Depending on the reason we are using your information, we may rely on one or more of the following lawful bases:

  • Legitimate interests — for the ordinary administration of HEDG, responding to enquiries, operating the website, maintaining security, and managing member access, where those interests are not overridden by your rights and interests.
  • Contract — where processing is necessary to take steps at your request or to provide membership-related services or website account access.
  • Consent — where you have given clear permission, for example in relation to optional communications or non-essential cookies.
  • Legal obligation — where we need to keep or disclose information to comply with the law, charity obligations, taxation, or regulatory requirements.

The ICO states that at least one lawful basis under Article 6 UK GDPR must apply whenever personal data is processed.

5. Who we share personal data with

We may share personal data only where necessary and proportionate with:

  • authorised HEDG officers, committee members, staff, or volunteers who need it for administration
  • website hosting, IT support, email, security, form, and similar service providers acting on our instructions
  • professional advisers such as legal, accounting, or audit providers
  • regulators, law enforcement, courts, or other authorities where required by law

We do not sell personal data. Where third parties process personal data on our behalf, UK GDPR requires appropriate contractual and security arrangements.

6. International transfers

Some service providers may process personal data outside the UK. Where that happens, we will ensure that any restricted transfer is protected by an appropriate legal mechanism, such as UK adequacy regulations or appropriate safeguards required under UK GDPR.

7. External websites and third-party services

The HEDG website includes links to third-party platforms including Twitter/X, LinkedIn, and Eventbrite. If you follow links to external websites or services, their own privacy policies and terms will apply. We are not responsible for the privacy practices of third-party sites.

8. Cookies

Our website may use cookies and similar technologies to operate the site, remember preferences, and understand how the site is used. Where cookies are not strictly necessary, they should only be set with your consent. Please see our Cookie Policy for more information. ICO guidance requires clear information about cookies and, in most cases, consent for non-essential cookies or similar technologies.

9. How long we keep personal data

We will keep personal data only for as long as necessary for the purposes for which it was collected, including to satisfy legal, accounting, regulatory, security, and record-keeping requirements. ICO guidance says privacy information should explain how long data is kept, or the criteria used to decide this.

Suggested standard retention periods for HEDG to review before publishing:

  • contact enquiries: up to 12 months after the enquiry is resolved
  • members’ area account data: for as long as the account remains active, and up to 12 months after closure unless a longer period is needed
  • governance, financial, and audit records: up to 6 years where required
  • technical logs: for as long as reasonably necessary for security, troubleshooting, and system administration
  • cookie data: according to the durations set out in the Cookie Policy

10. How we protect personal data

We take appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration, or disclosure. ICO guidance explains that organisations must implement security measures appropriate to the risk.

11. Your data protection rights

Depending on the circumstances, you may have the right to:

  • be informed about how your personal data is used
  • request access to the personal data we hold about you
  • ask us to correct inaccurate or incomplete information
  • ask us to erase your personal data in certain circumstances
  • ask us to restrict how we use your data in certain circumstances
  • object to processing based on legitimate interests
  • request portability of data where applicable
  • withdraw consent at any time where consent is the lawful basis

The ICO’s guidance confirms these rights under the UK GDPR and explains that privacy notices should tell people which rights apply and how they can complain.

To exercise any of these rights, please contact us at info@hedg.ac.uk. We will respond in line with applicable data protection law. ICO guidance notes that requests to exercise data protection rights should usually be handled without undue delay and within one month.

12. Complaints

If you have concerns about how we handle your personal data, please contact us first and we will try to resolve the issue. You also have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters.

13. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal obligations. The latest version will always be published on this page with the revised “Last updated” date.

cookie By using this website, you agree to our cookie policy. Close