The following document provides the general policies and guidelines for the collection, processing and storage of data and is drafted in compliance with the GDPR rules and the Data Protection Act 1998.
STORM CIC is committed to maintaining and respecting the privacy of all individuals.
The information contained within this privacy notice sets out the guidelines for the data we collect, how it is used and how it is kept.
This notice applies to all data collected whether electronically or via a manual form.
Please read this policy carefully and if you have any questions or concerns, please contact us at [email protected]
Who we are?
STORM CIC is a Community Interest Company which provides services for vulnerable people. To learn more about our privacy policies you should contact our designated data controller Croesus Delta at the above email address.
What information do we collect?
In the course of providing subjects and beneficiaries with services and programs, STORM CIC may collect data such as your name, postal address, email address, date of birth, gender and details of your issue or specific case.
This information is generally collected via a manual paper form by an authorised volunteer or staff worker or electronically via a web form.
Data is only collected with the consent of the individual or group and is only for use as agreed.
In the main the data is collected either manually or electronically and will only include an individual’s name, address, date of birth and gender identifier.
We do not in general collect data from third parties, but where this may occur it will be with the specific consent of the subject or beneficiary.
Any data deemed as sensitive will be treated as confidential and accessible only to those operatives who require this information to carry out their work in providing an agreed service.
Sensitive data is defined as information that is protected against unwarranted disclosure and which is safeguarded against unnecessary sharing or access.
How do we use personal information?
Data collected is generally used for:
• personalisation of content, business information or user experience
• account or file set up and administration
• delivering marketing and events communication
• carrying out polls and surveys
• internal research and development purposes
• providing goods and services
• legal obligations (eg prevention of fraud)
• meeting internal audit requirements
What legal basis do we have for processing your personal data?
Data is collected and processed on a contractual legal basis.
Data collection and processing is needed to properly process cases and address individual subject or beneficiary issues. It can also be used to prevent fraud and to identify the individual or subject.
Where special category data such as racial or ethnic information is to be collected, this information will also be safeguarded and processed anonymously. It will not be used to influence decisions in cases or the treatment that a subject or beneficiary receives unless it is specific and relevant to their issue and again with consent.
When do we share personal data?
Data collected is not generally shared with any third party without consent. Where it is shared it will only be with authorised organizations that can provide relevant support or service to the subject or individual and with the individual’s consent.
This may include social services departments, legal representatives or medical practitioners. STORM CIC will always gain the consent of the subject or beneficiary before sharing any data with a third party.
Where do we store and process personal data?
All data is only available on a restricted access basis as it affects the case or issue and for the benefit of the subject.
How do we secure personal data?
STORM CIC stores data both electronically where it is password protected to prevent unauthorised access or manually in an appropriate file storage containers by an approved practitioner.
Data is generally sent to the central administrator for appropriate storage and filing as a back-up and protection against loss.
This information is also provided to all relevant data processors as appropriate to ensure safeguarding of any collected data.
STORM CIC endeavours to manage any collected data:
• to protect data against accidental loss
• to prevent unauthorised access, use, destruction or disclosure
• to ensure business continuity and disaster recovery
• to restrict access to personal information
• to conduct privacy impact assessments in accordance with the law and our business policies
• to train staff and contractors on data security
How long do we keep your personal data for?
Collected data is kept for periods in line with the GDPR and Data Protection Act 1998. regulations. Any collected data that is no longer relevant or needed to provide services for the individual may be deleted or safely disposed of.
STORM does not maintain personal data for any other purpose than those agreed with the beneficiary or subject.
Your rights in relation to personal data
A subject or beneficiary can access any data collected by STORM CIC at any time by request.
They can update their data, withdraw consent, file corrections or restrict its use.
Individuals have a right to make a formal complaint at any time if they believe that their data has been used inappropriately and STORM CIC will immediately investigate the matter and take steps to correct to problem to the individual’s satisfaction.
If the individual is still not satisfied with the outcome they may also contact the Information Commissioner’s Office for further assistance.
Restrictions to these provisions and policies will only occur where STORM CIC is required to keep data by law.
Use of automated decision-making and profiling
We do not currently utilise automated data processing or decision making systems.
How to contact us?
If you have any questions or concerns regarding this privacy notice or data collections or processing, you should contact STORM CIC at the email address provided. [email protected]