Community Solutions Ulverston CIC (Legal)

Data Protection Policy

 

for Community Solutions Ulverston CIC

 

1. Policy Statement

 

  • Community Solutions Ulverston CIC is committed to protecting the privacy and security of personal data. We are dedicated to upholding the principles of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
  • This policy outlines our commitment to data protection, details how we handle personal data, and explains the rights of individuals whose data we process.
  • We aim to be transparent about our data processing activities and ensure that personal data is collected, used, and stored lawfully, fairly, and securely.

2. Scope

 

  • This policy applies to all employees, volunteers, trustees, contractors, and anyone else who processes personal data on behalf of Community Solutions Ulverston CIC.
  • It applies to all personal data, however collected, stored, or processed, including electronic and manual records.

 

3. Key Definitions (UK GDPR Terms)

 

  • Personal Data: Any information relating to an identified or identifiable living individual (data subject). This can include names, addresses, email addresses, phone numbers, identification numbers, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  • Special Category Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (for unique identification), data concerning health, or data concerning a person's sex life or sexual orientation. This data requires extra protection.
  • Processing: Any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • Data Subject: The identified or identifiable living individual to whom personal data relates.
  • Data Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. (Community Solutions Ulverston CIC is generally the Data Controller.)
  • Data Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
  • ICO: Information Commissioner's Office, the UK's independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

 

4. Data Protection Principles

 

Community Solutions Ulverston CIC adheres to the seven key principles of the UK GDPR:

 

  • Lawfulness, Fairness, and Transparency:
    • Personal data will be processed lawfully, fairly, and in a transparent manner in relation to the data subject.
    • Individuals will be informed about how their data is being used.
  • Purpose Limitation:
    • Personal data will be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Data Minimisation:
    • Personal data collected will be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
  • Accuracy:
    • Personal data will be accurate and, where necessary, kept up to date. Every reasonable step will be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
  • Storage Limitation:
    • Personal data will be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  • Integrity and Confidentiality (Security):
    • Personal data will be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
  • Accountability:
    • Community Solutions Ulverston CIC is responsible for, and must be able to demonstrate compliance with, the other principles. We will maintain records of our processing activities, conduct Data Protection Impact Assessments where necessary, and have appropriate measures in place.

 

5. Lawful Basis for Processing

 

We will only process personal data when we have a valid lawful basis under UK GDPR. The most common bases we may rely on include:

  • Consent: The individual has given clear consent for us to process their personal data for a specific purpose.
  • Contract: The processing is necessary for a contract we have with the individual, or because they have asked us to take specific steps before entering into a contract.
  • Legal Obligation: The processing is necessary for us to comply with the law.
  • Vital Interests: The processing is necessary to protect someone's life.
  • Public Task: The processing is necessary for us to perform a task in the public interest or for our official functions, and the task has a clear basis in law.
  • Legitimate Interests: The processing is necessary for our legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (We will always balance our interests against the individual's rights and freedoms.)

 

For Special Category Data, we must have an additional condition for processing, such as explicit consent, for reasons of substantial public interest, or for the provision of health or social care.

 

6. Individual Rights (Data Subject Rights)

Individuals have the following rights regarding their personal data:

 

  • The right to be informed: About how their data is being used.
  • The right of access: To obtain a copy of their personal data.
  • The right to rectification: To have inaccurate personal data corrected.
  • The right to erasure ('right to be forgotten'): To request the deletion or removal of personal data where there is no compelling reason for its continued processing.
  • The right to restrict processing: To block or suppress the processing of their personal data in certain circumstances.
  • The right to data portability: To obtain and reuse their personal data for their own purposes across different services.
  • The right to object: To processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling); direct marketing (including profiling); and processing for purposes of scientific/historical research and statistics.
  • Rights in relation to automated decision making and profiling: Not to be subject to a decision based solely on automated processing (including profiling) which produces legal effects concerning them or similarly significantly affects them.

 

Requests to exercise these rights should be submitted in writing to Alasdair Wilkinson-Marsh, Director of Governance and Finance, Community Solutions Ulverston CIC, The Hive, Market Hall, Ulverston, LA12 7LJ, community.solutions@outlook.com. We will respond to legitimate requests within one month.

 

7. Data Security and Storage

 

  • We will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
    • Access Control: Limiting access to personal data to only those who need it for their job role.
    • Password Protection: Requiring strong, unique passwords for all systems containing personal data.
    • Encryption: Encrypting sensitive data where appropriate (e.g., laptops, external drives).
    • Pseudonymisation/Anonymisation: Using these techniques where appropriate to protect data.
    • Physical Security: Securing physical records (e.g., locked cabinets, secure offices).
    • Network Security: Using firewalls, anti-virus software, and regular security updates.
    • Data Backups: Regularly backing up data and ensuring backups are secure and recoverable.
    • Secure Disposal: Securely disposing of physical and electronic data when no longer required.
  • All staff and volunteers who handle personal data will receive appropriate training on data protection and their responsibilities.
  • We will use reputable third-party service providers (Data Processors) who can demonstrate their commitment to data protection and have appropriate contracts (Data Processing Agreements) in place.
  • Personal data will only be stored for as long as necessary to fulfil the purposes for which it was collected, or as required by law or regulatory guidance (e.g., Charity Commission, HMRC). Our [Data Retention Policy/Schedule] provides further details.

 

8. Data Breaches

 

  • A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed.
  • All data breaches, however minor, must be reported immediately to [Insert Designated Contact Person/Role, e.g., The Data Protection Lead].
  • We will have a robust data breach response plan to:
    • Contain the breach.
    • Assess the risk to individuals.
    • Notify the ICO where required (within 72 hours if there is a risk to individuals' rights and freedoms).
    • Notify affected individuals where there is a high risk to their rights and freedoms.
    • Investigate the cause and implement measures to prevent recurrence.

 

9. International Data Transfers

 

  • We will not transfer personal data outside the UK or the European Economic Area (EEA) unless adequate safeguards are in place, as required by UK GDPR. This includes using approved mechanisms like standard contractual clauses or ensuring the recipient country has an adequacy decision.

 

10. Responsibilities

 

  • Overall responsibility for data protection lies with the Board of Trustees/Directors of Community Solutions Ulverston CIC.
  • The Director for Governance and Finance is responsible for overseeing compliance with this policy and data protection legislation, handling data subject requests, and managing data breaches.
  • All employees, volunteers, and contractors are responsible for understanding and adhering to this policy in their day-to-day activities and for reporting any potential data protection issues or breaches immediately.

 

11. Privacy Notices

 

  • We will provide clear and concise privacy notices to individuals at the point of data collection, explaining:
    • Who we are.
    • What data we collect.
    • Why we collect it (purpose).
    • Our lawful basis for processing.
    • Who we share it with.
    • How long we keep it.
    • Their rights as data subjects.
    • How to complain to the ICO.
  • Separate privacy notices will be maintained for different groups, e.g., service users/beneficiaries, volunteers, staff, donors.

 

12. Data Protection Impact Assessments (DPIAs)

 

  • We will conduct DPIAs when a new project, system, or activity is likely to result in a high risk to the rights and freedoms of individuals (e.g., processing special category data on a large scale, using new technologies, or systematic monitoring).

 

13. Training and Awareness

 

  • All relevant staff and volunteers will receive regular training on data protection principles, their responsibilities under this policy, and procedures for handling personal data and data breaches.

 

14. Review of this Policy

 

  • This policy will be reviewed every 2 years and updated as necessary to reflect changes in legislation, ICO guidance, or organisational practices.

 

15. Contact Information

 

  • For any questions or concerns regarding this Data Protection Policy or our data processing practices, please contact:
    • Alasdair Marsh
    • Community Solutions Ulverston CIC
    • The Hive, Ulverston Indoor Market, LA12 7LJ
    • admin@communitysolutionsulverston.co.uk

 

  • If you are unhappy with how we have handled your data, you have the right to complain to the Information Commissioner's Office (ICO):
    • Information Commissioner's Office
    • Wycliffe House
    • Water Lane
    • Wilmslow
    • Cheshire
    • SK9 5AF
    • Helpline number: 0303 123 1113
    • ICO website: www.ico.org.uk
© Community Solutions CIC