AuditBoard Live Webinar banner advert Diligent One Platform World tour ad April 2024 TeamMate ESG advertising banner 2023

Privacy policy

Who are we?

The Chartered Institute of Internal Auditors (IIA) is part of a global network of institutes affiliated to IIA Global. When you join the Chartered IIA you automatically become a member of IIA Global. IIA Global are separate data controllers, and their privacy notice is available at: Privacy Policy (

Our Registered address is

Unit 14 Abbeville Mews

88 Clapham Park Road



Telephone: 020 7498 0101

The Chartered IIA is a ‘data controller’ under the UK General Data Protection Regulation. We are notified as data controllers with the Information Commissioner’s Office and our registration number is Z238811.

The Chartered IIA takes the privacy of its students, members, customers, regional committee members, stakeholders, business leaders, civil servants, auditors, suppliers and subcontractors and other contacts extremely seriously and is committed to protecting your personal information and complying with all current data protection legislation.

How do we collect information from you?

We use any personal information that you provide to us online or via:

  • membership applicaton forms
  • examination applications
  • CVs
  • telephone conversations
  • emails
  • letters
  • any other type of correspondence
  • the delivery of products and services which we provide, including awards

Membership applications are only accepted from you as an individual regardless of who is paying. The Chartered IIA will act as the data controller for all membership related data collection and processing. We may also receive your data from third party professional bodies with whom we undertake joint projects.

We do sometimes receive personal data from third parties, such as through publicly available sources and employers.

Data protection principles

The Chartered IIA will comply with the data protection principles, which are that personal data will be handled with:

  • Lawfulness, fairness, and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)
  • Accountability

What type of information is collected from you?

When you participate in or sign up to any of the Chartered IIA’s services such as events, training, membership or online newsletters, we will collect and store personal information about you. We will also collect information about you if you supply the Chartered IIA with goods and services.

This information can consist of, but is not limited to:

  • name and designation
  • email address,
  • postal address,
  • contact phone number
  • job title and organisation
  • CV
  • Username and passwords
  • Exam results and course progression
  • date of birth,
  • membership number
  • we may collect special category personal data, for instance: (i) health information, if you are attending an event, exam or training; and (ii) equality data, if you wish to provide this

What personal data we collect will depend on how you are engaging with us.

By submitting your details, you enable us to provide you with the products or services that you have selected and agreed we will

How is your information used?

We will use your personal information for a number of processing purposes including:

  • providing you with the information you have asked for about our products, services and activities and ensuring any requests or enquiries you may have made from us are dealt with in a manner that is sufficient for both you and the Chartered IIA
  • we may need to contact you for reasons related to the service or activity you have signed up to for example, changing the details about a course you have booked We call this “Service Administration”
  • we may need to contact you about an application that you have made or a service that you supply
  • Undertaking surveys
  • Renewing memberships
  • Delivery of training
  • Marketing
  • Relationship building with external stakeholders
  • Liaising with members
  • Arranging events

What is the Lawful Basis for the Chartered IIA to process your Personal Data?

The Chartered IIA’s legal basis for collecting and using your personal data is usually due to the processing being necessary for a contract between yourself and the Chartered IIA.

On occasions we will process your data to comply with our legal obligations.

We may also process your personal data based on the Chartered IIA’s legitimate interests as long as your fundamental rights and freedoms do not override that legitimate interest. When we process your data based on our legitimate interest, we always identify such interest, make sure the processing is necessary to achieve it, and carefully consider your interests, rights, and freedoms against our legitimate interest in a balancing test. Our legitimate interests include member services (eg. renewals), policy and external affairs senior networking, conducting surveys with key stakeholder groups, data sharing with Regional Committees, soft opt-in for marketing, and data sharing with third party professional membership organisations for the purpose of joint projects.

We may also process your personal data based on consent, vital interests and in connection with the performance of a public task and / or with official authority.

Special categories of data require higher levels of protection. This is data which reveals race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health information, sexual life and sexual orientation.

We may process special categories of information in limited circumstances, and this will normally be with your consent.

How long will the Chartered IIA keep your Personal Data?

We only keep your information for as long as it is necessary to fulfil the purposes for which the personal information was collected. This includes for the purpose of meeting any legal, accounting, or other reporting requirements or obligations. The Chartered IIA retention policy sets out the minimum retention timescales.

As a general rule, we keep your personal data for the duration of your membership and 6 years thereafter.

If you do not wish to provide your personal data

If you do not wish to provide your personal data, we may not be able to enter into enter into an agreement with you, such as membership, or provide the services which you have required.

Who has access to your information?

If you are joining the Chartered IIA, we will share your name, membership number and email address data with our Global Body which is based in the United States of America. The only reason for this is to make sure you can access the content of our Global Website by means of a password issued by us.

We do not sell or rent your information to other organisations.

We may pass your information to third parties, such as data processors who enable us to perform our tasks. Where the sharing of personal data takes place, this is done in accordance with the legal requirements of the UK GDPR.

When we do this, we disclose only the personal information that is necessary to deliver the service and we have an agreement in place that requires them to keep your information safe and secure and not to use it for any other purpose.

We will not release your information to other organisations unless in exceptional cases when we are required to do so by law, for example, by a court order or for the purposes of prevention of fraud or other crime. In all other instances, we would only share your information with another party if you have given your explicit permission to do so.

Any personal data we share with third party controllers or processors outside the UK only occur where we have ensured that these are subject to appropriate safeguards, as set out in Chapter V of the UK General Data Protection Regulation.

Social Media Platforms

If you engage with the Chartered IIA on any of our social media channels (Facebook, YouTube, X and LinkedIn) you should know that we do not collect your personal information from these sources. It remains within the platform that we are using and so you should familiarise yourself with their privacy notices and policies.

The Chartered IIA may use information you provide to share updates, news and events, in the form of customised online advertising. If you send us a direct message, your information still remains within the platform unless we ask you to provide us with your contact details to continue the conversation offline or privately, and you consent to do that.


Many websites use 'cookies' which are small pieces of information sent by an organisation to your computer and stored on your hard drive to allow that website to recognise you when you visit.

We use some unobtrusive cookies to store information on your computer. We also use some non-essential cookies to (anonymously) track visitors and help to enhance user experience of the Website. These all expire when the browsing session ends.

The Chartered IIA website occasionally contains hyperlinks to websites owned and operated by third parties. These third-party websites have their own privacy policies, and are also likely to use cookies, and we therefore urge you to review them. We do not accept any responsibility or liability for the privacy practices of such third-party websites and your use of such websites is at your own risk.

For more information on cookies, see our cookie policy Cookies | IIA

Your Data Subject Rights

You have a choice about whether you wish to receive marketing information from us. If you give permission to receive communications about the work of the Chartered IIA and our products, services and events, you can select your choices when we collect your information. If you wish to make any changes to your preferences, please let us know and we will update our records.

You have the right at any time to:

  • ask for a copy of the information about you held by us in our records;
  • require us to correct any inaccuracies in your information;
  • in certain situations, make a request to us to delete your personal data;
  • request we restrict processing your personal data;
  • object to us processing your personal data; and
  • right to portability

Requests can be made in a number of ways, including in writing or verbally.  You will need to provide:

  • Adequate information for example full name, address, date of birth, that your identity can be verified, and your personal data located.
  • An indication of what information you are requesting to enable us to locate this

You should direct your request to the Head of Governance and HR or the Data Protection Officer – (details of whom can be found below).

We aim to comply with requests for access to personal data as quickly as possible. We will ensure that we deal with requests within 30 days of receipt unless there is a reason for a delay that is justifiable.

What if the data we hold about you is incorrect?

It is important that the information which we hold about you is up to date. It is important that you let us know about any changes by contacting us using the contact details at the end of this Privacy Policy. If you do not keep your personal data up to date, we will continue to communicate with you using your existing details.

Security precautions to protect loss, misuse or alteration of your information

We take our duty to protect your personal information and confidentiality very seriously and we are committed to taking all reasonable measures to ensure the confidentiality and security of personal data for which we are responsible, whether computerised or on paper.

We will only transfer your personal data outside of the UK where this is authorised by law.

In order to make sure that your rights and freedoms are not put at risk and relevant laws and regulations are observed, we have implemented appropriate technical and organisational measures are in place to ensure a sufficient level of security to the personal data processing. These measures include:

  • Regular training and testing of our employees and contractors
  • Introduction of relevant internal policies and processes which are regularly reviewed and updated under the supervision of our Data Protection Lead; and
  • Carefully assessing our suppliers to ensure they adhere to data protection requirements.

We have a Data Protection Officer who is responsible for the Chartered IIA data protection compliance and who liaises with the executive committee and Board.

Processing Card Payments

Where you use your credit or debit card to purchase from us, we will ensure that this is carried out securely. We do not store your card details for use in future transactions.

Links to other Organisations’ Websites

Our website may contain links to other websites run by other organisations. This privacy notice applies only to our website‚ so we encourage you to read the privacy statements on the other websites you visit. We cannot be responsible for the privacy policies and practices of other sites even if you access them using links from our website.

In addition, if you linked to our website from a third-party site, we cannot be responsible for the privacy policies and practices of the owners and operators of that third-party site and recommend that you check the policy of that third-party site.

Questions and complaints

Please contact us if you have any questions about our privacy notice or the information, we hold about you. You can contact our Company Secretary at

Alternatively, you can contact our Data Protection Officer by email: or by telephone 0131 222 3239.

Under Article 27 of the GDPR, we have appointed EU Representative Ltd, who can be contacted by email: or by telephone +353 15 549 700.

If you are concerned or unhappy with how we have dealt with your query/complaint you can contact the Information Commissioner’s Office:

Information Commissioner’s Office

Wycliffe House

Water Lane,


SK9 5A

Make a complaint | ICO

Alternatively, you can contact the equivalent national privacy authority in your country, if outside the UK.

Privacy Notice Review

We review this notice as and when changes in legislation or internal procedures require it. This notice is reviewed by the Data Protection Officer. Please ensure that you visit our website from time to time, so as to check for any updates to this Privacy Policy.

Page last updated: 5 April 2024