This sets out how Community and Business Partners uses and protects personal data and our approach to individuals’ rights in relation to that data.

The General Data Protection Regulations (GDPR) apply to how we store and use all personal data including that on our clients, customers, volunteers, mentors, donors, employees and applicants. Personal data is defined by the GDPR as any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. This could be single elements or a combination e.g. names, addresses, occupation, date of birth etc.

Our data storage and use procedures conform to the principles and responsibilities laid on us by the GDPR.

Our reasons for holding and using personal data

Under the terms of the GDPR, we have a lawful legitimate interest in using and storing individual’s personal data for recording and measuring the impact of the services we provide to improve services to the communities we serve and in order to monitor and demonstrate effectiveness.

We have conducted a Legitimate Interest Assessment in conformance with the requirements of the GDPR. In accordance with the GDPR and the Information Commissioner’s Office (ICO) checklist, we have taken the following steps to arrive at this decision:

• We have reviewed the purposes of all our different uses of personal data and selected the most appropriate basis for each activity.
• We understand our responsibility to protect the individual’s interests.
• We have conducted a legitimate interests assessment (LIA) and kept a record of it, to ensure that we can justify our decision.
• We have identified the relevant legitimate interests.
• We have checked that our use of personal data is necessary and there is no less intrusive way to achieve the same result.
• We have done a balancing test, recorded in our LIA and are confident that individual interests do not override our legitimate interests in using and storing personal data.
• We only use individuals’ personal data in ways they would reasonably expect unless we have a very good reason.
• We are not using people’s data in ways they would find intrusive or which could cause them harm unless we have a very good reason.
• If we process children’s data, we take extra care to make sure we protect their interests.
• We have considered safeguards to reduce the impact where possible.
• We offer an opt-out option on communication.
• If our LIA identifies a significant privacy impact, we have considered whether we also need to conduct a DPIA.
• We keep our LIA under review, and repeat it if circumstances change.
• We include information about our legitimate interests in our privacy notice.

What Special Categories of personal data do we hold and use?

Articles 9 &10 of GDPR classify the following personal information as requiring additional considerations in how it is held and used:

That revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, criminal offences or convictions. We believe that the vast majority of the information we hold does not fall within the special category. Where it is held, it is within our lawful legitimate interests, as detailed below:

1. For Volunteers/doers

1.1. Health information for purposes of responding to medical emergencies on the premises.

1.2. Ethnicity & Disability information for purposes of monitoring and meeting obligations for disability adjustments under the Equality Act

1.3. (Criminal convictions for purposes safeguarding)

2. For Business Growth Mentors

2.1. Ethnicity & Disability information for purposes of monitoring and meeting obligations for disability adjustments under the Equality Act

3. For Beneficiaries of our programmes, events and services

3.1. Ethnicity & Disability information for purposes of monitoring and meeting obligations for disability adjustments under the Equality Act

3.2. (Criminal convictions for purposes safeguarding)

4. For employees, and job applicants

4.1. Health information for purposes of responding to medical emergencies on the premises, to monitor and control sickness absence and ensure payment of sick pay.

4.2. Ethnicity & Disability information for purposes of monitoring and meeting obligations for disability adjustments under the Equality Act

4.3. Criminal convictions:

1. for purposes of meeting our duty of care under safeguarding legislation
2. those disclosed in the application for a job with the Company (and which are not exempt from disclosure under the Rehabilitation of Offenders Act)
3. data created in the thankfully infrequent event of allegations being made against employees that involve or could involve a criminal offence, such as theft.

In compliance with GDPR requirements, the Company will obtain individual’s explicit consent to hold and process data in the special categories, with the exception of 4.3.3.

Without this consent, the Company may not be able to meet its objectives to run the company efficiently and effectively, within regulatory and statutory requirements, for the benefit of the community.

How do we protect personal data?

Whether in paper or electronic form, personal data is securely held and only accessible to CBP staff authorised for specific purposes in relation to our Legitimate Interests. All our staff members have been subject to vetting through the DBS and are bound by contractual confidentiality requirements.

In the case of electronic records, on some occasions, our ICT support company may have access to electronic records held on our secure server and that data sharing is subject to GDPR regulation and contractually agreed.

Emails containing personal data are encrypted and the identity of the recipient verified.

We only share personal data where consent has been given or on occasions where occasions where we have a legal duty, for example in relation to criminal activity.

Members of our business growth mentor network give a signed commitment to holding and using personal data contained in client company details to our standards of confidentiality and security.

How long do we hold records containing personal data?

We will only hold personal data as long as legally or contractually required. Where there is no specified retention period, we will follow best practice in the sector. At the end of the retention period, paper records will be confidentially destroyed and electronic records deleted.

Individuals’ rights to access and amend the personal data we hold on them

The GDPR gives individuals the right to access, review and request corrections or even deletion of their personal data (commonly referred to as subject access).

If we receive a subject access request verbally or in writing, we will follow our Standard

Operating Procedure on Data Access Requests to confirm the request as coming from a legitimate source then provide the requested data in 28 days

We will seek to comply with requests to have incorrect information amended or deleted and to notify the data subject of the outcome and implications this might have on our ability to provide services.

Questions or concerns should be directed to our Data Controller on dataprotection@cbpartners.org