Data Protection Policy

This policy sets out our commitment to protecting personal data under the General Data Protection Regulations (GDPR) and how we will implement that commitment in our role as data controller.

Any queries relating to this policy should be sent to the Data Protection Officer at the CLC at privacy@clc-uk.org.

As a data controller under GDPR, the CLC is committed to:

• Ensuring personal data is processed fairly and lawfully;
• Ensuring personal data is processed only for the specified and lawful purpose;
• Taking steps to ensure personal data is adequate and relevant to the purpose(s) for which they are being processed;
• Taking steps to ensure personal data is accurate and up to date;
• Ensuring personal data is only retained for a necessary period;
• Providing individuals with access to their data;
• Providing adequate security measures to protect personal data;
• Ensuring a nominated officer is responsible for data protection compliance;
• Providing adequate training for all staff responsible for handling personal data;
• Regularly reviewing data protection policies and guidelines within the CLC.

We are committed to ensuring that we comply with the data protection principles of GDPR as outlined at the end of this policy and we will protect personal data in the following ways:

Collecting personal data – our privacy note explains what personal data we are gathering and for what purpose(s). We will only collect personal data that is necessary for the purpose(s) declared. We will obtain the appropriate consent where it is required.

Safeguarding personal data – we will not hold data for longer than is necessary. In particular,

• Disclosure and Barring Service (DBS) certificates (previously CRB checks) obtained by the CLC will be securely deleted no later than 3 months after they have been received, unless it is satisfied that there are regulatory reasons (such as a disciplinary investigation) not to do so. Such certificates will be securely deleted no later than 3 months after any such regulatory reason has ceased to apply.

Where data has been destroyed, appropriate measures are taken to ensure that the data cannot be reconstructed and processed by third parties. Adequate measures are taken to safeguard data to minimize the risk of loss, destruction or unauthorised disclosure.

CLC employees will not disclose any information about an individual to a third party unless they are clear they have the appropriate authority to do so. Personal data will not be disclosed to public authorities unless authorised by the CLC’s Data Protection Officer.

Any ‘personal data breach’ by CLC staff will be treated seriously and may lead to disciplinary action, up to, and including dismissal.

Processing personal data – Management Information Systems used to obtain and process personal data are reviewed to ensure they are as secure as possible. Personal data will not be processed except for the purpose(s) for which they were collected. We will obtain consent from the individual to process their personal data if the purpose changes.

Individuals have extended rights over their data under GDPR. These include the right to object to their data being processed and the right to have their personal data deleted in some circumstances.

Transferring and disclosing personal data – we will not transfer or disclose personal data outside of the CLC to any third parties except in line with the CLC privacy notice.

Accessing personal data – individuals have a right to access their personal data. They can request the information by completing a Subject Access Request form. The individual will also need to submit supporting documentation to establish their identity and confirm the data refers to them.

The request will be determined by or with the authority of the Data Protection Officer, or, in their absence, by a member of the CLC Senior Management Team.

The GDPR Data Protection Principles

Article 5 GDPR requires that personal data shall be:

1. processed lawfully, fairly and in a transparent manner in relation to individuals;
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Any queries relating to this policy should be sent to the Data Protection Officer at the CLC at privacy@clc-uk.org.