Data Protection Policy 

Policy Number:       PL09006  

Policy Title:           Data Protection Policy  

Date Adopted:        29th March 2021 

Next Review Date:   28th February 2022 

Accountable Person:  Raine Williams, Company Director  

Cimera Community Interest Company (CIC) is made up of seven Directors, a range of freelance employees and reaches a diverse audience around North Wales and beyond.   

To Whom the Policy Applies: 

All directors and freelance employees and volunteers involved with Cimera CIC.  

Overview 

Cimera CIC (the data controller) need to collect, store and use (data processing) information (personal data) about individuals (data subjects) in order to effectively deliver our organisational aims, commitments and legal obligations. Some of this data might be sensitive data for example about an individual’s ethnicity or religion (special category data). We may also need to pass on data to other organisations for specific purposes (data processors).  

This may include information on our audiences, participants, staff or other organisations with whom we work or funding bodies who have funded a project.  

This policy sets out how we will do this in a way which ensures we comply with current data protection legislation and protects the rights and privacy of the individual.  

 

Organisational Responsibilities  

Under the General Data Protection Regulation (GDPR) 2018 we have a legal responsibility to ensure that data is processed lawfully, fairly and in a transparent manner in relation to individuals.  

We must ensure that personal data we hold is:  

• Collected for specific, clear and legitimate purposes and only used in the ways which were specified when the data was originally collected.  
• Relevant and limited only to the data that we need. 
• Accurate as far as is reasonable and kept up to date where required.  
• Only kept for as long as is necessary and securely destroyed afterwards.  
• Processed securely.  

And that as an organisation we can demonstrate compliance with these principles.  

Staff Responsibilities and Training  

The Data Protection Officer – Raine Williams (Company Director) is the lead for data protection, but all staff have a responsibility to ensure that the processes laid out in this policy are observed.  

All staff should read this policy carefully and raise any questions with the Data Protection Officer to ensure they are clear on their responsibilities.  

To ensure an effective whole-organisation approach to data protection the Data Protection Officer will:  

• Provide a data protection briefing on induction and detailed training on any aspects relevant to a particular role for staff and trustees, for example within marketing. 
• Provide briefings to volunteers collecting or handling data, for example mailing list sign ups or evaluation forms.  
• Provide whole staff training every three years in line with policy updating dates. 
• Keep up to date on legislation and provide briefings when there are significant updates or changes to legislation. 
• Include data protection on board agendas where appropriate. 

 

Recording and Reviewing Data Processing and Compliance  

We will carry out a data audit which will be reviewed bi-annually. This details:  

• What personal data we process. 
• Why we process it. 
• How we have communicated this information to the data subject. 
• Whether this is special category data. 
• A confirmation that this is the minimum data required to complete the task – how the data is kept securely. 
• How long the data is held for. 
• How the data is checked for accuracy and kept up to date. 
• Any actions required. 

The GDPR sets out 6 reasons why data may be processed. These are: 

• Consent – when a data subject gives consent. 
• Contract – so we are able to deliver or enter into a contract. 
• Legal obligation – where the law requires it. 
• Vital interests – to protect someone’s life. 
• Public task – to perform a task in the public interest or for official functions. 
• Legitimate interests – necessary for your legitimate interests unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. 

Where consent is given, the data audit will also record for that particular type of data:  

• How consent is given and where this is recorded.  
• How people can as easily withdraw their consent, for example by unsubscribing  

After each review, individual staff members will then be briefed as to their responsibilities and the actions needed relating to different data.  

In addition to the above, where we are collecting sensitive data, we must also meet one or more additional criteria to have a reason to process the data. Those that are relevant to our work include:  

• The individual whom the sensitive personal data is about has given explicit consent to the processing.  
• The processing is necessary so that you can comply with employment law.  
• The processing is necessary for monitoring equality of opportunity and is carried out with appropriate safeguards for the rights of individuals.  

We will also carry out an audit of third-party processors which details:  

• The type of data shared. 
• The reason for sharing it. 
• How data is transferred securely. 
• How we know the processor complies with data protection law. 
• That the processor does not transfer data outside of the European Economic Area (EEA) and if so that their data protection is at least equal to that of companies inside the EEA (e.g. IOS Certificate or US Security Shield) and how data subjects are informed of this. 
• Any actions needed. 

GDPR compliance should be demonstrated through contracts with third-party processors, for example specifying how data will be kept securely included in terms and conditions for mailing list software used or specific data protection clauses included in contracts with external payroll companies.  

Actions and Compliance  

The data audit details actions specific to individual types of data processing. The following actions for compliance underpin this but should not be seen as exhaustive. Staff should take responsibility for ensuring a data audit is carried out, with the support of the Data Protection Officer, when new forms of data are collected, and new technologies are implemented.  

Marketing  

• Ensure privacy and cookie policies are up to date and compliant.  
• Ensure mailing list sign-up statements follow requirements for unambiguous, specific and, where possible, granular options e.g. choosing what they receive information on and by what methods – phone, email etc.  
• Ensuring an audit is carried out for any third-party processors used e.g. mailing software.  
• Ensuring the legal basis for direct marketing, either by legitimate interest or consent, is clearly established, recorded and appropriate actions taken.  

Participation  

• Ensure young people’s data is only processed with their guardian’s consent. 
• Ensure young people’s data is only shared on a need-to-know basis e.g. medical information with workshop tutors.  
• Ensure all freelancers, tutors and volunteers are briefed regarding their data protection responsibilities regardless of how short their contract is.  
• Ensure young people’s data is kept securely during practical sessions e.g. permission forms during a workshop.  

 

Operations  

• Ensure website privacy policy and cookie policy is clear and compliant and online providers have been audited.  
• Ensure audits, staff training and briefings are carried out.  
• Ensure IT policies are in place and compliant and staff are briefed. 
• Ensure IT software and hardware is audited and offers sufficiently robust security. 
• Ensure procedures are in place for responding to data breaches, subject access requests, data portability and requests for the right to be forgotten and to support staff in responding to such requests. 

All staff  

• Ensure data is updated as soon as inaccuracies are discovered e.g. if you receive an email bounce back.  
• Ensure unnecessary duplicates of data are not created e.g. multiple versions of a mailing list – ensure copies of personal data are not made on personal computers. 
• Use strong passwords and password protect files and lock screens for computers that contain personal data.  
• Ensure only relevant staff have access to data eg teacher running a workshop / class, marketing admin for sending updates on events etc. 

Storing Data Securely  

The data audit will include an audit of how each type of data is secured.  General practice should include: 

• Use of locked filing cabinets or similar where data is stored on paper, memory sticks or other physical items. 
• Shredding of paper data that is no longer required.  
• Computer log in passwords that are strong, not shared and changed regularly. 
• Restrictions on access levels and use of passwords where data is stored on a cloud-based system or network.  
• Only using third-party processors, which includes cloud-based systems, where this has been audited and agreed.  
• Not saving data to personal computers, mobile phones or similar devices.  

Where data held is special category data, this should be noted in the data audit and security measures interrogated to ensure they are sufficient.  

Breaches

In the event of a security breach, the Data Protection Officer must be informed immediately. Depending on the circumstances of the breach action will include: 

• Completing an incident report.   
• Taking action to address the cause of the breach.  
• Taking action to minimise the damage that may be caused by this data not being kept securely – possible disciplinary action. 

If the breach is likely to result in a risk to people’s rights and freedoms, for example discrimination, damage to reputation or financial loss, it is mandatory to report a personal data breach to the Information Commissioner’s Office (https://ico.org.uk) within 72 hours. The Data Protection Officer will make this report and also report to the Board of Directors.  

If a member of staff realises that they have been processing data in a way not compatible with the data audit or with the way in which it was originally collected they must also inform the Data Protection Officer as soon as possible so a plan of action can be agreed.  

 

Individual Rights  

Individuals can withdraw their consent to their data being processed at any time. They can also request to restrict processing e.g. that we can use their data to send them information about one type of activity but not another. They should also be able to quickly and easily request that the data we hold about them is updated and any corrections made.  

In instances where consent was actively given and used as the legal basis for processing, it must be as easy to withdraw consent and this must be acted on immediately.  

Individuals also have the right to be forgotten e.g. all data held about them removed, and the right to data portability e.g. for us as an organisation to provide their data in a format which is then suitable to be transferred to another organisation or that we undertake that transfer for them.  

If the data is being processed by any other purposes, for example, legal obligation, then we as an organisation may reject this request but this should be referred to the Data Protection Officer.  

Individuals can also submit a subject access request, whereby we as an organisation would provide all of the data we hold on that individual. This must be done free of charge and within one month of the request.  

As an organisation we can extend the period of compliance by a further two months where requests are complex or numerous and we will inform the individual within one months of this and explain the reasons why.  

If a request is excessive or clearly without relevant purpose, in particular where it involves repetitive tasks we can choose to charge a reasonable fee, proportionate to the administration incurred or refuse the request. In the event that a request is refused we will respond within one month to explain the reasons for this decision and inform the individual of their right to complain to a supervisory authority or take legal action.  

 

About this cookie policy

This Cookie Policy explains what cookies are and how we use them, the information we collect using cookies and how that information is used, and how to control the cookie preferences.

Your consent applies to the domain cimera.co.uk.

What are cookies?

Cookies are small text files that are used to store small pieces of information. They are stored on your device when the website is loaded on your browser. These cookies help us:

• make the website function properly
• make it more secure
• provide better user experience
• help us understand how the website performs
• help us analyse what works well and where it needs improvement

How do we use cookies?

As most of the online services, our website uses first-party and third-party cookies for several purposes. First-party cookies are mostly necessary for the website to function the right way, and they do not collect any of your personally identifiable data.

The third-party cookies used on our website are for:

• understanding how the website performs and keeping our services secure
• helping us understand how users interact with our website
• providing you with a better user experience
• to help speed up your future interactions with our website

How can I control the cookie preferences?

You can at any time change or withdraw your consent from the Cookie Declaration on our website.

Should you decide to change your preferences later through your browsing session, you can click on the link below. This will display the consent notice again enabling you to change your preferences or withdraw your consent entirely. In addition to this, different browsers provide different methods to block and delete cookies used by websites.