Responsible person: Raine Williams
Role Title: Data Protection Officer
Policy Number: PL09007
Date Adopted: 29 March 2021
Next Review Date: 28 February 2022
The type of personal information we collect
We currently collect and process the following information:
- Personal identifiers, contacts and characteristics (for example, name and contact details).
- Information relating to your or your child’s health. This information will only be collected from those who are participating in classes / workshops. This is for Health & Safety purposes and will not be shared with anyone outside of Cimera CIC unless there is a threat to the safety of the child / person or other person(s). See our Health and Safety Policy and Safeguarding Policy for more information.
How we get the personal information and why we have it
Most of the personal information we process is provided to us directly by you for one of the following reasons:
- To subscribe to our mailing list.
- When enrolling for a class or workshop.
We also receive personal information indirectly, from the following sources in the following scenarios:
- Project partners – when collecting workshop / class attendee details.
We use the information that you have given us in order to:
- Send you information about upcoming classes / workshops or events.
- Safeguard you or other people participating in activities run by Cimera CIC.
We may share some of this information with:
- Project partners.
- Funding bodies who have provided funding for Cimera CIC to run the activities.
Under the General Data Protection Regulation (GDPR) and depending on the information we have collected from you, the lawful bases we rely on for processing this information are:
- Your consent. You are able to remove your consent at any time. You can do this by emailing Raine Williams, Data Protection Officer – firstname.lastname@example.org
- We have a contractual obligation – if a project partner requires the information in order to run their workshops / classes.
- We have a legal obligation – if a funding partner requests the information for monitoring purposes.
- We have a vital interest – if there is a danger to the safety of an individual(s) participating in one of our activities, or another individual(s) who may or may not be participating in one of our activities.
We will never use or share your data without your permission.
How we store your personal information
Your information is securely stored at Cimera CBC, Isfryn, Rhosgadfan, Caernarfon, Gwynedd, LL54 7EU.
We keep your name and contact details for 24 months. We will then dispose of your information by permanently removing your details from our electronic records and shredding any paper records containing your personal information.
Your data protection rights
Under data protection law, you have rights including:
Your right of access – You have the right to ask us for copies of your personal information.
Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing – You have the right to object to the processing of your personal information in certain circumstances.
Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please contact us at email@example.com if you wish to make a request.
How to complain
If you have any concerns about our use of your personal information, you can make a complaint to Raine Williams, our Data Protection Officer at firstname.lastname@example.org.
You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk
Data Protection Policy
Policy Number: PL09006
Policy Title: Data Protection Policy
Date Adopted: 29th March 2021
Next Review Date: 28th February 2022
Accountable Person: Raine Williams, Company Director
Cimera Community Interest Company (CIC) is made up of seven Directors, a range of freelance employees and reaches a diverse audience around North Wales and beyond.
To Whom the Policy Applies:
All directors and freelance employees and volunteers involved with Cimera CIC.
Cimera CIC (the data controller) needs to collect, store and use (data processing) information (personal data) about individuals (data subjects) in order to effectively deliver our organisational aims, commitments and legal obligations. Some of this data might be sensitive data, for example about an individual’s ethnicity or religion (special category data). We may also need to pass on data to other organisations for specific purposes (data processors).
This may include information on our audiences, participants, staff or other organisations with whom we work or funding bodies who have funded a project.
This policy sets out how we will do this in a way which ensures we comply with current data protection legislation and protects the rights and privacy of the individual.
Under the General Data Protection Regulation (GDPR) 2018 we have a legal responsibility to ensure that data is processed lawfully, fairly and in a transparent manner in relation to individuals.
We must ensure that personal data we hold is:
- Collected for specific, clear and legitimate purposes and only used in the ways which were specified when the data was originally collected.
- Relevant and limited only to the data that we need.
- Accurate as far as is reasonable and kept up to date where required.
- Only kept for as long as is necessary and securely destroyed afterwards.
- Processed securely.
And that as an organisation we can demonstrate compliance with these principles.
Staff Responsibilities and Training
The Data Protection Officer – Raine Williams (Company Director) is the lead for data protection, but all staff have a responsibility to ensure that the processes laid out in this policy are observed.
All staff should read this policy carefully and raise any questions with the Data Protection Officer to ensure they are clear on their responsibilities.
To ensure an effective whole-organisation approach to data protection the Data Protection Officer will:
- Provide a data protection briefing on induction and detailed training on any aspects relevant to a particular role for staff and trustees, for example within marketing.
- Provide briefings to volunteers collecting or handling data, for example mailing list sign ups or evaluation forms.
- Provide whole staff training every three years in line with policy updating dates.
- Keep up to date on legislation and provide briefings when there are significant updates or changes to legislation.
- Include data protection on board agendas where appropriate.
Recording and Reviewing Data Processing and Compliance
We will carry out a data audit which will be reviewed bi-annually. This details:
- What personal data we process.
- Why we process it.
- How we have communicated this information to the data subject.
- Whether this is special category data.
- A confirmation that this is the minimum data required to complete the task.
- How the data is kept securely.
- How long the data is held for.
- How the data is checked for accuracy and kept up to date.
- Any actions required.
The GDPR sets out 6 reasons why data may be processed. These are:
- Consent – when a data subject gives consent.
- Contract – so we are able to deliver or enter into a contract.
- Legal obligation – where the law requires it.
- Vital interests – to protect someone’s life.
- Public task – to perform a task in the public interest or for official functions.
- Legitimate interests – necessary for your legitimate interests unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
Where consent is given, the data audit will also record for that particular type of data:
- How consent is given and where this is recorded.
- How people can as easily withdraw their consent, for example by unsubscribing.
After each review, individual staff members will then be briefed as to their responsibilities and the actions needed relating to different data.
In addition to the above, where we are collecting sensitive data, we must also meet one or more additional criteria to have a reason to process the data. Those that are relevant to our work include:
- The individual whom the sensitive personal data is about has given explicit consent to the processing.
- The processing is necessary so that you can comply with employment law.
- The processing is necessary for monitoring equality of opportunity and is carried out with appropriate safeguards for the rights of individuals.
We will also carry out an audit of third-party processors which details:
- The type of data shared.
- The reason for sharing it.
- How data is transferred securely.
- How we know the processor complies with data protection law.
- That the processor does not transfer data outside of the European Economic Area (EEA) and if so that their data protection is at least equal to that of companies inside the EEA (e.g. IOS Certificate or US Security Shield) and how data subjects are informed of this.
- Any actions needed.
GDPR compliance should be demonstrated through contracts with third-party processors, for example specifying how data will be kept securely included in terms and conditions for mailing list software used or specific data protection clauses included in contracts with external payroll companies.
Actions and Compliance
The data audit details actions specific to individual types of data processing. The following actions for compliance underpin this but should not be seen as exhaustive. Staff should take responsibility for ensuring a data audit is carried out, with the support of the Data Protection Officer, when new forms of data are collected, and new technologies are implemented.
- Ensure privacy and cookie policies are up to date and compliant.
- Ensure mailing list sign-up statements follow requirements for unambiguous, specific and, where possible, granular options e.g. choosing what they receive information on and by what methods – phone, email etc.
- Ensuring an audit is carried out for any third-party processors used e.g. mailing software.
- Ensuring the legal basis for direct marketing, either by legitimate interest or consent, is clearly established, recorded and appropriate actions taken.
- Ensure young people’s data is only processed with their guardian’s consent.
- Ensure young people’s data is only shared on a need-to-know basis e.g. medical information with workshop tutors.
- Ensure all freelancers, tutors and volunteers are briefed regarding their data protection responsibilities regardless of how short their contract is.
- Ensure young people’s data is kept securely during practical sessions e.g. permission forms during a workshop.
- Ensure audits, staff training and briefings are carried out.
- Ensure IT policies are in place and compliant and staff are briefed.
- Ensure IT software and hardware is audited and offers sufficiently robust security.
- Ensure procedures are in place for responding to data breaches, subject access requests, data portability and requests for the right to be forgotten and to support staff in responding to such requests.
- Ensure data is updated as soon as inaccuracies are discovered e.g. if you receive an email bounce back.
- Ensure unnecessary duplicates of data are not created e.g. multiple versions of a mailing list – ensure copies of personal data are not made on personal computers.
- Use strong passwords and password protect files and lock screens for computers that contain personal data.
- Ensure only relevant staff have access to data, e.g. the teacher running a workshop / class, or the marketing admin sending updates on events.
Storing Data Securely
The data audit will include an audit of how each type of data is secured. General practice should include:
- Use of locked filing cabinets or similar where data is stored on paper, memory sticks or other physical items.
- Shredding of paper data that is no longer required.
- Computer log in passwords that are strong, not shared and changed regularly.
- Restrictions on access levels and use of passwords where data is stored on a cloud-based system or network.
- Only using third-party processors, which includes cloud-based systems, where this has been audited and agreed.
- Not saving data to personal computers, mobile phones or similar devices.
Where data held is special category data, this should be noted in the data audit and security measures interrogated to ensure they are sufficient.
In the event of a security breach, the Data Protection Officer must be informed immediately. Depending on the circumstances of the breach, action will include:
- Completing an incident report.
- Taking action to address the cause of the breach.
- Taking action to minimise the damage that may be caused by this data not being kept securely – possible disciplinary action.
If the breach is likely to result in a risk to people’s rights and freedoms, for example discrimination, damage to reputation or financial loss, it is mandatory to report a personal data breach to the Information Commissioner’s Office (https://ico.org.uk) within 72 hours. The Data Protection Officer will make this report and also report to the Board of Directors.
If a member of staff realises that they have been processing data in a way not compatible with the data audit or with the way in which it was originally collected they must also inform the Data Protection Officer as soon as possible so a plan of action can be agreed.
Individuals can withdraw their consent to their data being processed at any time. They can also request to restrict processing e.g. that we can use their data to send them information about one type of activity but not another. They should also be able to quickly and easily request that the data we hold about them is updated and any corrections made.
In instances where consent was actively given and used as the legal basis for processing, it must be as easy to withdraw consent and this must be acted on immediately.
Individuals also have the right to be forgotten e.g. all data held about them removed, and the right to data portability e.g. for us as an organisation to provide their data in a format which is then suitable to be transferred to another organisation or that we undertake that transfer for them.
If the data is being processed for any other purpose, for example a legal obligation, then we as an organisation may reject this request, but this should be referred to the Data Protection Officer.
Individuals can also submit a subject access request, whereby we as an organisation would provide all of the data we hold on that individual. This must be done free of charge and within one month of the request.
As an organisation we can extend the period of compliance by a further two months where requests are complex or numerous, and we will inform the individual within one month of this and explain the reasons why.
If a request is excessive or clearly without relevant purpose, in particular where it involves repetitive tasks we can choose to charge a reasonable fee, proportionate to the administration incurred or refuse the request. In the event that a request is refused we will respond within one month to explain the reasons for this decision and inform the individual of their right to complain to a supervisory authority or take legal action.
Your consent applies to the domain cimera.co.uk.
What are cookies?
Cookies are small text files that are used to store small pieces of information. They are stored on your device when the website is loaded on your browser. These cookies help us:
- make the website function properly
- make it more secure
- provide better user experience
- help us understand how the website performs
- help us analyse what works well and where it needs improvement
Like most online services, our website uses first-party and third-party cookies for several purposes. First-party cookies are mostly necessary for the website to function the right way, and they do not collect any of your personally identifiable data.
The third-party cookies used on our website are for:
- understanding how the website performs and keeping our services secure
- helping us understand how users interact with our website
- providing you with a better user experience
- to help speed up your future interactions with our website
The table below details the cookies used on our website.

| Cookie | Description |
|---|---|
| _ga | This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session and campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors. |
| _gat_gtag_UA_193715139_1 | This cookie is set by Google and is used to distinguish users. |
| _gid | This cookie is installed by Google Analytics. The cookie is used to store information on how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected includes the number of visitors, the source they have come from, and the pages visited, in an anonymous form. |
How can I control the cookie preferences?
You can at any time change or withdraw your consent from the Cookie Declaration on our website.
Should you decide to change your preferences later through your browsing session, you can click on the link below. This will display the consent notice again enabling you to change your preferences or withdraw your consent entirely. In addition to this, different browsers provide different methods to block and delete cookies used by websites.