Catesbi Community Interest Company
Introduction and aim
Catesbi is a social enterprise, operating from Dundee. Our main services are theory and hands-on training in understanding and improving behaviour. Our work does require holding personal information. Catesbi can process your information because you have given consent. Catesbi regards the lawful and correct treatment of personal information as very important to successful working, and to maintaining your confidence.
Catesbi will ensure that your personal information is treated lawfully. We never sell your personal data. In this guide we aim to help you understand what steps we take to protect your privacy and your personal data.
This policy also describes how we will achieve our aim.
Catesbi is fully committed to processing (collecting, storing and using) the information you provide in a manner compatible with the EU’s General Data Protection Regulation (GDPR). We will keep your information secure, accurate, up to date, and not keep it for longer than is necessary. We are required to retain information in accordance with the law and other legal requirements.
Our managing director is responsible for ensuring that the policy is implemented whilst delivering high quality service to our clients and customers. All employees and volunteers have a responsibility in their area to ensure that the aims and objectives of the policy are met.
We aim to:
- keep your personal information secure
- be accountable for what we do with it
- be transparent about what personal data we collect, how and why we process it
- tell you about your rights and where you have control
- tell you what to do if you are unhappy with how we use and protect your personal data.
It is important to us that you continue to have trust and confidence in Catesbi. We have created a new policy telling you what personal information we collect, how we use it and your rights, to reflect the General Data Protection Regulation (GDPR), which is a set of European Union laws that come into force on the 25th May 2018.
Your rights under GDPR
Under GDPR there are 8 specific rights which an individual can expect in respect of their personal data:
- The right to be informed (Article 14)
- A right of Access (Article 15)
- The right to rectification (Article 16)
- The right to erasure (the right to be forgotten) (Article 17)
- The right to restriction of processing (Article 18)
- The right to data portability (Article 20)
- The right to object (Article 21)
- Rights in relation to automated decision making, including profiling (Article 22)
These Rights are at the core of the GDPR, and we will explain in this policy how they apply to the personal data CATESBI collects and holds.
What is personal data
For the purposes of GDPR this is any information which relates to a real, living person from which that person (or data subject) can or could be identified. Typical identifiers include: a name, identification number, address or other location data, an online identifier such as email address, ‘cookies’ or an IP address (the unique identifying code used by a specific computer or other device to access the internet).
Other things which could allow a person to be identified include genetic make-up (your DNA), health, economic circumstance or social, cultural, religious or political identity.
To achieve our aims, we have set ourselves the following targets:
The parties may at times acquire information that is confidential. The parties must not disclose confidential information. This applies for:
- Commercial advantage
- To disadvantage or discredit other parties or anyone else
- Without prior agreement from the individual
The only time confidential information is disclosed is when a child or a person is in danger to self or others, or there is a possibility of a child protection issue, i.e. in order to comply with the law or with police investigations.
We follow child protection guidelines and therefore will share information with the Social Work department or Police Scotland where there are any child protection concerns and we do not need your consent to do so.
There are circumstances where the law allows Catesbi to disclose data (including sensitive data) without the data subject’s consent:
- Carrying out a legal duty or as authorised by the Secretary of State
- Protecting vital interests of an Individual/Service User or other person
- The Individual/Service User has already made the information public
- Conducting any legal proceedings, obtaining legal advice or defending any legal rights
- Monitoring for equal opportunities purposes – i.e. race, disability or religion (in the form of statistics and not in any way that identifies you.)
- Any personal data obtained or used shall be processed in accordance with GDPR.
- The only personal data held by any party will be data which is relevant to prior agreement/contract. Personal data will be collected with informed consent from the outset. Informed consent will normally include a signed consent form. The consent can be withdrawn at any time. This might affect our contract for services, which will be discontinued.
What personal data we collect and why we collect it:
As a part of our operations CATESBI needs to collect the personal details of all people who are proposing to act as volunteers, members, friends and service users, which are important information relating to the running of our company, or useful information such as news about CATESBI policies or events we are running.
We are a social enterprise and we are required to collect this information either by law or by contract with our funders. Without these details we would be unable to run our company or apply for future funding.
These are the main reasons why we collect data –
- To provide individuals with the services they have requested or that were requested on their behalf.
- Administering membership records including the balloting of members and potential members
- Providing and organising activities and events
- Representation and legal services
- Monitoring for equal opportunity purposes
- Promoting our services
- Maintaining our own accounts and records
- In order to comply with Catesbi’s legal obligations.
- In order to protect Catesbi’s contractual and other rights.
We collect information in a number of ways. These are the most common ways we collect your data:
- when you make an enquiry
- when you attend our training
- when you sign any contract with us.
You can find more about each below:
If you have told us or contacted us to say that you are interested in our activities, then we will contact you to update you on this and store your name and contact details such as email address and telephone number, employer or website in order to do so. We would keep track of this in a folder “for future contact”. This is not considered personal data, although there may be cases where you use a personal home address, which we won’t keep, and this is why we want to be explicit about this information. We might contact you to tell you about other opportunities we think will be of interest to you, such as a new service being offered by another agency. We carefully select what we share with you. Your data will be stored in a Dropbox folder.
If you have been to our conferences or other theory trainings, it is likely that you booked our training through Eventbrite. We would use your details only to contact you for the particular training you booked and would not use your data for any other purpose. When you attend our training you will be given a register with 4 Yes/No questions/options about how you want your data to be stored or if you want your data to be stored. The data will then be stored in a Tresorit file.
If you are a part of Individualised Behaviour Intervention and Hands-on Training, we need to collect personal data in order to provide a child/family with a service. It’s required to work effectively with the child/family/school/nursery or other organisations and to keep them informed of our services. We collect the names of the child, his or her family members and the professionals with whom we work. We also collect the child’s address and other contact details, whether English is a second language and if a child lives in a single parent family, ethnicity and religion in order to best tailor our services towards your family’s needs. For children we support we collect additional information: their gender, date of birth, the school they attend, and details of other professionals involved in wraparound services. We then also have records of the assessments carried out and details of the work completed with you and your family. This often includes photos and videos.
We also collect information from what are considered ‘special categories’ because they relate to information that is considered more sensitive and so needs more protection. This includes medical diagnoses and medical reports.
We will need to store sensitive personal data. For children under 16 we require consent from parents/guardians.
As another layer of security, to ensure that we do not disclose the child’s name, we edit the child’s name and the case name. When working with children we use Tresorit (an encrypted file service).
Personal data and sensitive personal information might be shared outside the EU when we work with a behaviour analyst overseas. In this case all personal data are stored safely and in a HIPAA-compliant manner.
We do not collect personal data through:
Social media – When visitors leave comments on FB we do not collect the data shown in the post bar.
Website – We do not collect visitors’ IP address or Cookies.
Who we share your data with
CATESBI does not use personal data for any statistical information even if required by external agencies or government bodies, for example local authority, health organisations, other voluntary agencies or prospective and existing funders, unless this is agreed with you in writing. Personal data will, where necessary, be grouped together and anonymised to ensure that no identification of individuals is possible. This is so we can tell our funders about the population we work with and demonstrate the outcomes we achieve. We are committed to ensuring that the information we collect and use is appropriate for these purposes, and does not constitute an invasion of your privacy.
How long we retain your data
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time. Website administrators can also see and edit that information.
What rights you have over your data
If you have ever signed a consent form for us to keep your details, you can request for these to be erased from our database. We will remove any personal data we hold about you, including any data you have provided to us within 2 working days. This does not include any data we are obliged to keep for administrative, legal, or security purposes for example some financial records & child protection concerns which we’re legally obliged to retain for a set period. At the end of the set period, the information will be reviewed and subsequently deleted.
How we send data
When there is a reason to send data we do this by sending links. When sending special categories information we use a password-protected link. The password is sent through a message or over the phone.
Monitoring and auditing
Progress against these objectives will be monitored through management meetings. If you wish to raise a complaint on how we have handled your personal data, you can contact us to discuss this.
What we do with your information
When we receive your personal data, we then store the information securely within our electronic management records system (as volunteer file, governance and training files). Your personal data will be held securely in a password-protected Dropbox folder and shall be retained for a maximum of three (3) years. Dropbox servers are held in the United States and a privacy shield is in place that complies with EU regulations in order to protect your data.
Information displayed on online platform
If you are one of our board members or a volunteer and consider that your name or address should not be displayed on the Register or our website, please let us know and explain why.
Will my data be secure?
We are required by Article 5(f) of the GDPR to ensure the ‘Integrity and Confidentiality’ of data. This means that we must process personal data with suitable security to stop any unauthorised access to the data; making sure it’s safe from accidental loss or damage by ensuring we have sufficient technical safeguards and codes of conduct for our staff in place.
We take security very seriously in CATESBI. We aim that by the end of 2018:
- all staff take annual Data Protection training;
- we have regular cyber security checks;
- we have strong security covering our systems from all points of access; and
- all our work laptops, tablets and mobile phones are encrypted to stop any unauthorised access, particularly if they are lost or stolen.
What happens to my data when you have collected it?
If you have provided your information in paper form then we scan this into our electronic system before shredding the paper copy. When we have scanned the information, or if we have received it electronically we keep it until the agreed retention period for the information is reached. We carry out regular checks to ensure that we do not keep information for longer than we need it. Any photos will be deleted after transferring them to a file.
If you find the information we hold about you is not correct then you can tell us and ask us to correct it. We must do this as soon as possible and in any case within a month. If we realise we do not have correct information, we will try to contact you another way. Occasionally this might include asking another party/person to help us to get in touch with you.
*Please let us know if your personal data or sensitive information about your child changes so we can refresh the existing consents.
What if I don’t want you to use or hold my information anymore?
Often called the ‘Right to be forgotten’, there are a number of reasons that you can ask for the information we hold about you to be erased. These are:
(a) We no longer need the information,
(b) You have withdrawn consent and our legal grounds are no longer relevant,
(c) You have successfully objected under Article 21
(d) The processing was unlawful
(e) We have a legal obligation to erase it
(f) The information was processed online with parental consent.
We may not always need to comply with your request. For instance, when we still have official authority to keep the data or we are holding the information because you are bringing a legal action against us, and we need to retain it to defend the action.
When we receive a request we consider it carefully and during that time we will make your information ‘unavailable’ for use until we have made a decision. We will keep your contact details (name, address, telephone number and email address) on a Suppression List to ensure that you are not contacted by us in the future. This file will be kept securely in our electronic records management system with limited accessibility.
Can I get a digital copy of my information?
We will always try to provide the information electronically, unless you specifically ask for it in another format, such as paper. This doesn’t include the right to data portability automatically, as not all data held will be included in that right; we may simply hold copies of paper forms and other letters or emails which cannot be converted into the portable formats talked about in the next section.
What happens if you lose my information?
All organisations which process data are required to report any losses or incidents to the relevant authority. In the case of the UK this is the Information Commissioner. If you need more information about what they do, the website is https://ico.org.uk/. The report must be made within 72 hours of us finding out about the loss or incident. Depending on the circumstances of the incident, a Civil Monetary Penalty (fine) could be given to the organisation responsible for the incident.
Can I complain to the ICO if I think you are using my information illegally?
Yes. We would ask you to contact us first so we can resolve the issue informally as per our Complaints policy. You can find information about complaints to the ICO at their website https://ico.org.uk/concerns/.
Will I get Compensation if my data is lost or misused?
The new Data Protection Act will allow a person to sue for compensation if they “suffer financial loss, distress and other adverse effects”. Generally this would be more likely to happen if we had committed an offence under the new act or had been reckless in our approach to data security.
This confidentiality, privacy and data protection policy is available on request. If you wish to obtain a copy, would like to discuss our progress against our objectives, or have questions, comments or queries, please email email@example.com
This policy is relevant to: