Privacy Policy

1. Data Protection

Cultivate-EM Ltd and its subsidiary Cultivate2 Ltd (henceforth CULTIVATE) needs to process certain types of personal data about the data subjects who come into contact with it in order to carry out its work. This personal data must be collected and dealt with appropriately - whether on paper, in a computer, or recorded using other media - and there are safeguards to ensure this personal data under the EU's General Data Protection Regulation (henceforth GDPR).

CULTIVATE regards the lawful, fair and transparent treatment of personal data as very important to successful working, and to maintaining the confidence of those with whom we deal. CULTIVATE intends to ensure that personal information is treated lawfully and correctly.

To this end CULTIVATE will adhere to the principles of data protection, as detailed in the GDPR.

Specifically, the principles require that personal data is:

(a) processed lawfully, fairly and in a transparent manner in relation to individuals;

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes;

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Article 5(2) of the GDPF requires that 'the controller shall be responsible for, and be able to demonstrate, compliance with the principles.'

Personal data

This is any information that can directly or indirectly identify a natural person, and can be in any format. Examples of personal data are:

• Name
• Address
• Email address
• Financial details
• Photographs
• IP address
• Location data
• Online behaviour
• Profiling and analytics data

The GDPR refers to sensitive personal data as special categories of personal data. Examples of this type of personal data are:

• Race
• Religion
• Political opinions
• Trade union membership
• Sexual orientation
• Health information
• Biometric data
• Genetic data

Data Controller

CULTIVATE is the Data Controller under the GDPR. The Data Controller determines the purposes and means of processing personal data.

Responsibility

The trustees / directors of CULTIVATE have ultimate responsibility for ensuring CULTIVATE's compliance with the GDPR.

Although it does not necessarily have a statutory obligation to do so, CULTIVATE will appoint a Data Protection Officer (DPO) from the staff team to carry out the following duties:

• To inform and advise the organisation and its employees about their obligations to comply with the GDPR and other data protection laws.
• To monitor compliance with the GDPR and other data protection laws, including managing internal data protection activities, advise on data protection impact assessments; train staff and conduct internal audits.
• To be the first point of contact for supervisory authorities and for individuals whose data is processed (employees, clients, members etc).

CULTIVATE will ensure that:

• The DPO reports to the highest management level of the organisation (i.e. Board of Trustees).
• The DPO operates independently and will not be dismissed or penalised for performing their task.
• Adequate resources are provided to enable the DPO to meet their GDPR obligations.

Data Subjects

Data subjects of CULTIVATE are likely to include the following:

• Employees and volunteers of CULTIVATE
• Trustees and Directors of CULTIVATE
• Members of CULTIVATE
• Clients of projects and services of CULTIVATE
• Employees, trustees, directors and volunteers of other organisations with whom we have a working relationship
• People who are interested in the work of CULTIVATE, and wish to subscribe to any newsletters and attend meetings and events organised by CULTIVATE

A full analysis of CULTIVATE' data sets, and how these are processed appears at Annex A.

Data processing

Processing data means obtaining, recording or holding the data or carrying out any operation or set of operations on the data, including:

• organisation, adaptation or alteration of the information or data.
• retrieval, consultation or use of the data.
• disclosure of the data by any means.
• alignment, combination, blocking, erasure or destruction of the data.

Lawful bases for processing

The lawful bases for processing personal data are:

• Direct consent from the individual.
• The necessity to perform a contract.
• Protecting the vital interests of the individual.
• The legal obligations of the organisation.
• Necessity for the public interest.
• The legitimate interests of the organisation.

Most of CULTIVATE's data processing takes place on the basis of legitimate interest. However, there may be other occasions when CULTIVATE processes data on a basis other than legitimate interest as listed above. On such occasions the data subject will be informed that their data is to be processed on this basis through an appropriate privacy statement.

Where consent is used as a basis for processing, CULTIVATE will follow these guidelines:

• Consent must be freely given, specific, informed and unambiguous.
• A request for consent must be intelligible and in clear, plain language.
• Consent will not be inferred from silence, pre-ticked boxes and inactivity.
• Consent can be withdrawn at any time.
• CULTIVATE must be able to evidence consent, even when this is given orally.

Retention of data

CULTIVATE will retain data for only as long as there is a clear legitimate interest, statutory obligation, or business reason in doing so. We have strict protocols about retention of data. The details of these can be seen at Annex A of this policy.

Data storage, security and safe disposal

CULTIVATE takes the security of the personal data it processes very seriously, and will take every reasonable measure to ensure against theft or misuse of personal data, and the accidental loss or disclosure of personal data. We aim to ensure this by following these guidelines:

Storage

CULTIVATE keeps personal data in electronic format.

• Electronic personal data is kept primarily in our contacts database. Some personal data is also held our e-mail system Microsoft Outlook within the body of e-mails, or as attachments to e-mails. Other items of personal data may be present in electronic copies of documents stored on our systems (e.g. someone's name and address may appear on a letter, their details may be present on a referral form, or we may have a photograph of them.) Our systems are backed-up daily to the cloud with MS Office's Sharepoint. We use malware and firewall software on all of our systems. Our systems are password protected using appropriate levels of password complexity and our passwords are changed regularly. Our computer hardware is kept in locked, alarmed locations.
• Paper ('hard copy') documents containing personal data are immediately scanned to our online system then destroyed. We only have a virtual office so we treat any paper we need to keep in this way, whether it has personal data on it or not. Retention of paper documents of any kind is kept to an absolute minimum; only those documents that we are required to keep in paper format by law are kept in paper format, such as our company registration documents.

Security guidelines for staff

• Keep passwords secure and change regularly as instructed. Do not disclose passwords to anyone without first consulting the Data Protection Officer or a senior manager.
• Passwords must contain at least eight characters, and must contain the following three character classes: alphabetic (e.g. A or a); numeric (e.g. 0-9); punctuation or other characters (e.g. ! or &).
• Lock / log off computers when away from your desk.
• Prevent breaches of cyber security by taking care when opening emails and attachments or visiting new websites.
• Work on a 'clear desk' basis by immediately scanning, uploading and destroying any paper documentation that comes into your possession. On no account should personal data be left out on an unattended desk or printed from the cloud.
• Position computer screens away from windows to prevent accidental disclosures of personal data.
• Laptops, mobile phones, tablets and external storage devices (such as data sticks) must have been approved by CULTIVATE. Data sticks will be issued to staff when there is a compelling reason to use one. Data sticks must be returned when the task for which they were issued has been completed.
• Photographs taken will be transferred to the CULTIVATE system as soon as possible, and removed from the device once this has been done.
• Only use electronic diaries and notebooks to record people's details.

Safe disposal

When data is removed from our systems, it will securely disposed of using the following guidelines.

• All personal data kept on paper must be destroyed using DIN 66399 level 3 compliant cross shredder provided by CULTIVATE.
• Employees are responsible for ensuring that paper-based records that they have taken to the shredder been have properly destroyed. They should not leave papers for shredding unattended at the side of the machine, and ensure that no intact sheets or parts of sheets remain in the shredder, for example due to jamming or power failure.
• General paper waste should be checked carefully before disposal to ensure that it does not contain personal data.
• Where high volumes of paper-based personal data require destruction, CULTIVATE will arrange to have this professionally destroyed by an organisation with BS EN 15713 certification.
• As far as is practicable, electronic data will permanently deleted from our IT systems so it cannot be viewed or reused.
• Redundant computer hardware will be destroyed professionally. All redundant computer hardware will be destroyed, and will not be sold-on to third parties.

Data access and accuracy

All Data Subjects have the right to access the data CULTIVATE holds about them. CULTIVATE will also take reasonable steps ensure that this data is kept up to date by asking data subjects whether there have been any changes.

In addition, CULTIVATE will ensure that:

• it has a Data Protection Officer with specific responsibility for ensuring compliance with the General Data Protections Regulation 2018.
• everyone processing personal data understands that they are contractually responsible for following good data protection practice,
• everyone processing personal data is appropriately trained to do so,
• everyone processing personal data is appropriately supervised,
• anybody wanting to make enquiries about handling personal data knows what to do,
• it deals promptly and courteously with any enquiries about handling personal data,
• it describes clearly how it handles personal data,
• it will regularly review and audit the ways it hold, manage and use personal data,
• it regularly assesses and evaluates its methods and performance in relation to handling personal data,
• all staff are aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them.

This policy will be updated as necessary to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to the General Data Protection Regulation, or any subsequent legislation relating to the processing of personal data.

In case of any queries or questions in relation to this policy please contact the CULTIVATE Data Protection Officer. This is currently Bev Shephard.

2. Confidentiality

CULTIVATE is aware of the importance of confidentiality and will ensure that all staff, volunteers and Board members are aware of the confidentiality policy. The confidentiality policy applies to all staff, volunteers and Board members. Any personal or organisational information held by CULTIVATE will remain confidential within CULTIVATE, and this also applies to any information learned in the course of an individual duties within the organisation.

CULTIVATE recognises that volunteers, staff members and Board members gain information about individuals and organisations during the course of their work or activities. In most cases this information may not be specifically defined as confidential and individuals may have to exercise common sense and discretion in identifying whether information is expected to be confidential.

Breach of confidentiality

No confidential issue is to be discussed with, or revealed to, any person or organisation outside CULTIVATE except where the individual or organisation the issue relates to has given express permission. Staff, volunteers and Board members should avoid discussing any confidential issue unless it is relevant to their work.

Staff, volunteers and Board members should avoid exchanging personal information or comments about individuals with whom they have a professional relationship, and they should also avoid talking about organisations or individuals in social settings.

Any member of staff or volunteer found to have breached the confidentiality policy will become subject may be subject to disciplinary action. Any Board member who discloses confidential information or knowledge gained at Board meetings may be asked for their resignation.

Under certain circumstances the organisation has a legal duty, or a duty of care to disclose information. These circumstances include, for example, child protection issues, protection of vulnerable adults, and financial management. If a situation occurs where confidentiality is legally required to be breached, the relevant parties will be informed of action being taken.

Annex A CULTIVATE summary data set

ANNEX B

Handling requests from individuals for their personal data ('data subject access

requests')

• People have a right to have a copy of the personal data CULTIVATE holds about them. This is called a 'subject access request'. Such requests must be made in writing, ideally using the standard form provided by CULTIVATE.
• The organisation has a maximum of 40 days to respond to such a request.
• A fee is not normally charged for such a request.
• Guidelines for dealing with subject access requests are attached at ANNEX B

ANNEX C

CULTIVATE - Subject Access Request Form and Guidance Notes

1. Personal details

If you have lived at the above address for less than two years (see guidance notes)

2. Details of the information you require

3. Proof of identification - Please list documents/identification supplied (See note in guidance section):

Data Protection Officer, Cultivate, 3 Haywood View, S32 2HJ.

Signature (of applicant) …………………………………..……………… Date ………………….

Guidance notes for Data Subject Access Requests

Personal details: Please complete your personal details as requested. Please tell us if you have been previously known by any other name and if you have lived at your present address for less than two years, your previous address. If you are requesting historical data then provide as many details as possible; for example, previous addresses with dates. Use a separate sheet of paper if required.

Details of the data you require: You should give as much assistance as you can about particular areas to search so that we can give you what you require without further correspondence. These details are required to assist location of your data so you can be given a copy of everything held about you, as required by the Act.

Proof of identification: Proof of name and address is required to ensure we only give data to the correct person. We require two original pieces of documentation, for example, a recent utility bill, bank statement (photocopies are not acceptable) showing your name and address. In some cases additional details such as a passport or photo ID driving licence may be required due to the sensitive nature of data held.

Keep your documents secure: Always send important documents by recorded / special / registered delivery as appropriate. Cultivate cannot be held liable for items lost in the post.

Payment: A fee is not normally charged for a data access request. However, we may charge a reasonable fee when a request is manifestly unfounded or excessive, particularly if it is repetitive. We may also charge a reasonable fee to comply with requests for further copies of the same information, but not for subsequent access requests. The fee will be based on the administrative cost of providing the information.

Timescale: Any Subject Access Request will be dealt with as quickly as possible. All requests will be dealt with within 40 days of receipt.

If you have any questions relating to identification requirements or any other aspect of a subject access request, you can email us at bev@cultivate-em.com.

Further information about your rights as a Data Subject can be obtained from the Information Commissioner's Office on 08456 30 60 60 or 01625 54 57 45, or by visiting the ICO website www.ico.gov.uk