This Privacy Notice will help you understand your privacy rights, how and why we need to process your personal data, and how you can get in touch with us if you need to. Processing personal data involves any activity to do with that data, for example collection, storage, editing and deletion.

We have presented this information in different sections so you can access the information you need more easily.

Who we are

BCS is made up of over 70,000 members in 150 countries, and a wider community of business leaders, educators, practitioners and policy-makers all committed to our mission. As a charity with a royal charter, our agenda is to lead the IT industry through its ethical challenges, to support the people who work in the industry, and to make IT good for society.

At BCS, we're ensuring the digital journey is safe and positive for everyone, by raising standards of competence and conduct across the IT industry and tackling the ethical challenges we face along the way.

This document applies to BCS, The Chartered Institute for IT. For the purpose of this document BCS, The Chartered Institute for IT will be referred to as we, us, our.

Privacy and data protection laws

We take your personal data privacy very seriously and we’re committed to protecting your personal data by complying with the relevant privacy legislation. We encourage you to read each section thoroughly.

If you are accessing our Site and/or Services from a location outside of the UK or the European Economic Area (EEA), please refer to the section “Additional information for international users (outside of the UK or EEA)” at the end of this document for important additional information.

Legal Basis and purpose for processing your personal data (UK and EEA residents only)

We’re required by law to always have a permitted reason called a “lawful basis” or “legal basis” for processing your personal data.

The law allows for six ways to process your personal data. Depending on the processing activity, we will process your personal data where:

  • Consent: You have given consent to the processing of your personal data for one or more specific purposes.
  • Contract: It is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering a contract.
  • Legal Obligation: It is necessary for compliance with a legal obligation to which we are subject.
  • Vital Interests: It is necessary in order to protect your vital interests;
  • Public Task: It is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
  • Legitimate Interest: It is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.
We may process the following types of data

Personal Data – Information that can be used to identify an individual, either directly on its own or in combination with other information such as a name, an identification number, location data, an online identifier.

Special Categories of Personal Data – Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Criminal conviction related data (about allegations, offences or sentencing) is also treated in a similar way.

Pseudonymised – Personal data that has been processed in such a way that it can no longer be attributed to a specific person without the use of additional information. Such additional information must be kept carefully separate from personal data.

Anonymised – Data in a form that does not identify individuals. Personal data, once it is anonymised, is no longer personal data.

Aggregated – Statistical data about several individuals that has been combined to show general trends or values without identifying individuals within the data.

Categories of personal data you may give to us

Personal data, or personal information, means any information about you which could be used to identify you.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth, data concerning health and gender;
  • Contact Data includes billing address, delivery address, email address and telephone numbers;
  • Financial Data includes bank account and payment card details;
  • Transaction Data includes details about payments to and from you and other details of products and services you have purchased from us;
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website;
  • Profile Data includes your username and password, your interests, preferences, feedback and survey responses;
  • Usage Data includes information about how you use our website, products and services, engage and interact within your MyBCS account;
  • Marketing and Communications Data includes your preferences in receiving information and marketing from us and our third parties and your communication preferences;
  • Behavioural / Conduct Data when dealing with Disciplinary matters;
  • Educational, School, Organisational and Career Data when processing scholarship applications, or joining our Computing at School community.
How we collect your personal data

We are committed to protecting your personal information and respecting your privacy. We may collect and process personal data about you in a number of different ways, depending on the nature of our relationship with you.

Some of the ways that we commonly collect, and process personal data include:

  • Applying for our products or services such as membership, professional registrations, event or exam registrations, exam and learning platforms, 3rd parties such as our training providers;
  • When you provide your personal data directly to us while accessing our site and/or Services;
  • Viewing or subscribing to our websites and social media functions;
  • Corresponding with us using services such as phone, email, live chat, or written letter;
  • Entering competitions or participating in discussion boards;
  • Applying for a job vacancy, including personal data collected from third parties as part of reference checking;
  • Volunteer to support BCS in all aspects;
  • Access resources, including videos and podcast recordings;
  • Participate in surveys, or providing feedback.
  • We may record oral exams for use in the event of an appeal or complaint.

We also use web and mobile analytics technologies for our Sites and/or Services, which automatically collect certain types of Device information and Log Information about your usage (please see the section “Your Device Information” below).

We use your personal data in the following ways

When we ask you to supply us with personal data, we will make it clear whether the personal data we are asking for must be supplied so that we can provide the products and services to you, or whether the supply of any personal data we ask for is optional. We may use your personal data to fulfil a contract or take steps linked to a contract:

  • Provide you access to membership benefits, where you have registered as a BCS member;
  • Provide you with information about your membership and your chosen products and services;
  • to provide you with administrative support such as account creation, security and responding to issues;
  • Fulfil payments for BCS products and services;
  • Provide you with newsletters, which include information about events, services or products that we may offer, that we feel may interest you or where you have consented to such communications;
  • Carry out our obligations from any contracts you may have entered into with us;
  • User/membership satisfaction surveys and market research;
  • Respond to your enquiries and complaints;
  • Notify you about changes to our terms of service;
  • to provide an improved customer experience by recording calls and using them for training purposes and;
  • to work with you and support you as you volunteer your time for us;
  • Provide you with access to location, property and other appropriate data where you have agreed terms and conditions of use.
Our Legitimate interests

There are times when we will rely on legitimate interests to process personal data, particularly when it is not practical to obtain consent. We will always consider if it is fair and balanced to do so and if it is within your reasonable expectations. We will balance your rights and our legitimate interests to ensure that we use your personal information in ways that are not unduly intrusive or unfair. Examples are: –

  • Reporting criminal acts and compliance with law enforcement agencies;
  • Internal and external audit for financial or regulatory compliance purposes;
  • Statutory reporting;
  • Performing analytics on sales or marketing data, determining the effectiveness of promotional campaigns;
  • Where Organisational Membership is held through your employer, aggregated data may be shared with them to assess if their organisations members are utilising their membership benefits;
  • Operate our platforms and communicate with you as necessary when providing our services to you for our legitimate interest;
  • Use analytics data collected when you consent to the use of Cookies and other tracking technologies;
  • Improving the quality of experience when you interact with our products or services, including testing the performance and customer experience of our website;
  • To enhance our offering, by identifying your interactions through our website, so that we can produce more relevant and engaging content;
  • Physical and Network security;
  • Financial Management and Control;
  • General Administration.
Your Device information

Each time you visit or use our BCS Sites and/or Services, we may automatically collect the following information:

  • Technical information, including the type of mobile device you use, a unique device identifier (for example, your Device's IMEI number, the MAC address of the Device's wireless network interface, or the mobile phone number used by the Device), mobile network information, your mobile operating system, the type of mobile browser you use, and/or time zone setting;
  • Details of your visits to any of our Sites and Services including, but not limited to, Internet protocol (IP) address used by your Device, traffic data, weblogs and other communication data, whether this is required for our own billing purposes and/or the resources that you access (Log Information);
  • URL click stream information showing how users have reached our Site and Services and whether they access other third-party sites via any external links.
We use the device information in the following ways
  • To administer our BCS Sites and/or Services for troubleshooting, data analysis, testing, research, statistical and survey purposes;
  • To improve our BCS Sites and/or Services to ensure that content is presented in the most effective manner for you and for your Device;
  • To allow you to participate in interactive features of our site or services, when you choose to do so;
  • As part of our efforts to keep our BCS Sites and/or Services safe and secure;
  • To determine which features your Device supports which assists our development strategy.
Information we pass to Third Parties and other Data Sharing

We may also share your personal data with trusted third parties including:

  • Service providers contracted to us in connection with the provision of the products and services; this includes the service provider which runs election and voting at our annual general meeting;
  • Relevant Regulators such as Ofqual, CCEA Regulation; Department for Education (DfE), Ofsted, Qualifications Wales, ESFA, NSAR and BSI;
  • Learning Records Service (LRS) who process data on behalf of DfE;
  • Other Awarding Bodies such as ISTQB, APMG and EXIN;
  • Disciplinary Investigation Panels and Appeals Panels; *
  • Complainants;
  • Our insurers;
  • External and internal lawyers and/or specialist advisors;
  • BCS may also be bound to share data with the police or other law enforcement agencies in the event of a crime;
  • Fulfilment houses.
*Further information can be found in the Disciplinary Regulations which is available upon request.


We will ensure there is a contract in place with the categories of recipients listed above which include obligations in relation to the confidentiality, security and lawful processing of any personal data shared with them. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Data transfers to third countries

Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country (and, in some cases, may not be as protective).

Specifically, our website servers are located in the UK, and some of our third party service providers and partners operate in the UK, EEA or outside of the EEA. This means that when we collect your personal information, we may process it in any of these countries.

However, we have put in place appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Notice. We have implemented appropriate safeguards with our third-party service providers and partners and further details can be provided upon request.

Data security and how we store personal data

We store personal data as: secure physical records; electronically on our internal IT systems; in cloud storage, and in some cases, records on third party servers, which may be located in various countries (please see the “Data transfers to third countries” section above for more details).

Once data is within our control, we will do our utmost to ensure your personal data is processed in a way that ensures appropriate security from unauthorised or unlawful processing, accidental loss, destruction or damage.

Your personal data is held in secure systems with controlled access and subject to cyber security measures, whether we’re processing it in our offices, sites or working from home. We also apply strict physical security at all our sites and offices.

We only choose third party service providers in line with company protocol, procedures and checks, and when we use them, we disclose only the personal information that is necessary to deliver the service provided.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so. All of our employees must complete annual data protection training.

How long will we keep your personal data?

We will retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. We may also retain your personal data for a reasonable period afterwards to allow us to respond to any follow up enquiries or complaints, or for as long as you remain a registered user of our products and services.

To determine appropriate retention periods for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means and the applicable legal requirements.

In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, we may use or store this information indefinitely without further notice to you.

In some circumstances you can ask us to delete your data: see Right to Erasure below for further information.

Data protection rights for UK and EEA Data Subjects

If you are a resident of the UK or EEA, you have the following data protection rights:

Withdraw Consent - Where we are using your personal information based on your consent, you have the right to withdraw that consent at any time.

Right to be Informed – You have the right to be told how your personal information will be used. This Privacy Policy document, and shorter summary statements used on our communications, are intended to be a clear and transparent description of how your data may be used.

Right of Access – You can write to us asking what information we hold on you and to request a copy of that information. This is called a Subject Access Request. We will have 30 days to respond to you once we are satisfied you have rights to see the requested records and we have successfully confirmed your identity. Details on how to submit a Subject Access Request if you are in the UK or EEA can be found on our data protection page.

Individuals cannot use a Subject Access Request to obtain examination papers, examination answers to questions, or scripts, as this is exempt under the Data Protection Act Schedule 2 Part 4 Clause 25.

Right of Erasure – You have the right to be forgotten (i.e. to have your personally identifiable data deleted). However, we may not always be able to comply with your request of erasure for specific legal reasons, which will be notified to you. In some cases, we may recommend we suppress you from future communications, rather than data deletion, particularly if you have purchased an item from our e-commerce shop which comes with a warranty. Our Customer Services Team will be happy to advise you.

Right of Rectification – If you believe our records are inaccurate you have the right to ask for those records concerning you to be updated. This enables you to have any incomplete or inaccurate data we hold about you corrected. We may need to verify the accuracy of the new data provided to us.

Right to Restrict Processing – In certain situations you have the right to ask for processing of your personal data to be restricted because there is some disagreement about its accuracy or legitimate usage.

Right to Data Portability – Where we are processing your personal data under your consent, the law allows you to request data portability from us to another service provider. This right is largely seen as a way for people to transfer their personal data from one service provider to another. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Right to Object - You have an absolute right to stop the processing of your personal data for direct marketing purposes. Simply contact our Customer Service Team and they will amend your contact preferences or alternatively if you have an OS Maps or shop account you can update your details in your Preference Centre.

Right to object to automated decisions – In a situation where a data controller is using your personal data in a computerised model or algorithm to make decisions “that have a legal effect on you”, you have the right to object. This right is more applicable to mortgage or finance situations. We do not undertake complex computerised decision making that produce legal effects.


We use cookies to distinguish you from other users of our Sites and Services. This helps us to provide you with a good experience when you use our Sites and Services and allows us to improve them. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For detailed information on the cookies, we use and the purposes for which we use them, please see the our cookie policy here 

Additional information for international users (outside of the UK or EEA)

If you are accessing our Sites and/or Services from outside the UK or EEA, you may have rights under your residing countries privacy laws.

Nothing in this Privacy Notice purports to exclude, modify or restrict your rights under those laws.

Changes to this document

Any changes we may make to our Privacy Notice in the future will be posted on this page and, where appropriate, notified to you. The new terms may be displayed on-screen, and you may be required to read and accept them to continue your use of any Services.

Contact us

If you would like to contact us about the use of your personal data, or exercising your personal rights then please contact us at:

Email: for any requests to stop processing your data
Email: for any Data Subject Access Requests
Phone: + 44 (0) 1793 417 417
Lines are open Monday to Friday, 08:30 to 17:15 BST (UK Time) Live Chat: This service is available Monday to Friday, 09:30 to 16:30 BST (UK Time).

Your Right to Complain

If you believe that your data protection rights have been breached and we have been unable to resolve your concern, you have the right to report your concern to your local data protection supervisory authority. In the UK this is the Information Commissioner’s Office (ICO) and you can raise your concerns by going to

We do ask that you please attempt to resolve any issue with us before contacting the ICO.