POLICIES & PROCEDURES
The Centre for Global Equality (CGE) is a charity based in Cambridge, UK. We are a Registered Charity (number 1121067) and a Company Limited by Guarantee in England and Wales (number 6080896).
CGE takes data protection and privacy seriously, and complies with the new General Data Protection Regulations (GDPR) that come into effect on the 25th of May 2018.
The Centre for Global Equality commits to:
- comply with both the law and good practice;
- respect individuals’ rights;
- be open and honest with individuals whose data is held;
- provide training and support for staff who handle personal data, so that they can act confidently and consistently;
- take appropriate technical and organisational measures to demonstrate that we comply with GDPR law.
The CGE Board of Trustees has overall responsibility for ensuring that the organisation complies with its legal obligations. Our GDPR policy will be reviewed every three years by the CGE Board of Trustees and will be compliant with current UK law and legislation.
Personal information is any information that can be used to identify an individual. We will only collect and process the personal information that has been provided with express consent from the individual.
CGE ensures individuals are aware that their data is being processed and
- the purpose for which it is being processed,
- the types of disclosure likely, and
- how to exercise their rights in relation to the data.
If you are a CGE newsletter subscriber, have registered to attend a CGE event, or communicate with us in relation to our innovation or academic programmes, this personal information may include:
- your name
- your personal or work email address.
If you are a CGE Member, this personal information may include:
- your name
- the name of the organisation you work for and your position there
- your work or personal email address
- your telephone number
- the registered address of the organisation you work for (organisation members only)
- details on the work you do, the places you work in and the projects you work on.
CGE’s lawful basis for the personal data we hold adheres to the principle of consent from the individuals about whom we collect data. We do not process special category data. CGE will ensure that data subjects are given the opportunity to opt out of having their data used in particular ways. We also acknowledge that, once given, consent can be withdrawn.
CGE ensures that consent under the GDPR is freely given, specific, informed and an unambiguous indication of the individual’s wishes. We meet the GDPR standard of consent being specific, granular, clear, prominent, opt-in and properly documented and stored in a GDPR compliant database.
Data obtained by CGE is collected by consent and, most frequently, through online forms on the CGE website. Infrequently, data is collected over the phone, in which case CGE employees will ensure that data has been recorded accurately by reading the data back to the individual. If data is passed on to a third party, details will be copied directly, ensuring data is accurate.
CGE endeavours to record, update and discard old data. Data will be checked annually at the beginning of each financial year. CGE recognises and adheres to the fact that there are separate requirements for the data we hold and the data we discard.
CGE transfers and stores data securely, and protects it with encrypted passwords where possible to ensure only authorised access. The systems used by CGE to securely store data are recognised internationally as being GDPR compliant. Particular considerations are taken about where specific information is stored.
Data is destroyed manually by CGE upon request and once the retention period has ended.
For different types of data, CGE has different retention periods:
- CGE members (individual and organisational) – CGE members are expected to renew their membership annually. This includes updating their contact information. Data that is not renewed will be discarded after six months of the renewal date deadline. However, the member’s name and email address will be retained for a further five years on the CGE contact list and data inventory.
- CGE employees – CGE retains employee details for five years after the termination of their contract. CGE does not retain CVs for more than six months unless we have express permission from candidates.
- CGE newsletter subscribers – CGE retains names and email addresses of newsletter subscribers for five years using a third party newsletter management platform. CGE is willing to remove individuals from the subscriber list if the individual submits an access request or manually opts-out from the newsletter subscribers’ list.
Right of Access
CGE respects the rights of the individuals we work with and complies with GDPR law by responding within one month to all access requests. If you would like to submit a right of access request, please email firstname.lastname@example.org. You have the right to:
- Access your personal information;
- Raise an objection to the processing of your personal information;
- Raise an objection to automated decision-making and profiling;
- Restrict the processing of your personal information;
- Restrict your personal data portability;
- Rectify your personal information;
- Erase your personal information.
We will not charge for complying with a right of access request; however, a reasonable fee may be charged when a request is manifestly unfounded or excessive, in which case the fee will be based on the administrative cost of providing the information.
Where the CGE staff member managing the access procedure does not know the individual personally, provisions will be taken to check the identity of a person making a request before offering any information. If a subject access request is made to any CGE employee, the request will be forwarded to the person tasked with responding who will reply within one month.
All CGE employees are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work. Employees who have access to any kind of personal data will have their responsibilities outlined during their induction procedures and, on signing their staff contracts, CGE employees will accept CGE data protection policies.
If there is a notifiable breach of GDPR, CGE will report the breach to the relevant supervisory authority within 72 hours of becoming aware of it. CGE has an internal breach reporting procedure, and on induction CGE employees are made aware of what constitutes a data breach.