Ambigo data control policy
Ambigo CIC's data control policy outlines how we are compliant with data protection legislation. We may use your information in two ways:
- If you have asked us to continue to support your ambition.
- To keep you up-to-date with our exciting news and nice stories through our newsletter.
The General Data Protection Regulation (GDPR) gives you certain rights that allow you to request a review of your data, make alterations to it or to erase it.
FULL DATA CONTROL POLICY
This policy sets out guidance for handling of data and complying with Data Protection legislation in the context of normal practice.
It includes requirements on Ambigo CIC for how we provide best practice with regard to our use of data, in particular personal data, and provides guidance for the implementation of the same.
Facts and statistics collected together for reference or analysis.
This is any information which relates directly to an individual and can be linked directly to them. For example, this includes: name, phone number, email address, photographs, genetic and economic data.
Data which has been anonymised properly cannot be traced back to the original individuals in any way.
Coded Data (Pseudonymous Data):
Data which can only be connected back to an individual using a specific ‘key’ or code. This can be an extra layer of security, but the data is still treated as Personal Data in this policy.
This policy applies to directors, employees, contractors and volunteers in the organisation.
Ambigo recognises that data usage and data protection in the workplace are governed by the following principal pieces of legislation:
The General Data Protection Regulation (GDPR) was passed in 2016 and comes into force after a two-year preparation period on 25 May 2018.
Data Protection Act of 1998
Data Protection Act of 1984
Scope of the law:
Data protection is about all personal information, including that which is recorded or stored in paper copies as well as in digital form. Information of a corporate nature, such as name, job title and professional contact details, may be processed for legitimate purposes without explicit consent.
GDPR, like previous legislation, is aimed at protecting individuals, not organisations.
Named individuals in the workplace are also covered if their personal information is concerned.
GDPR requires that organisations establish a lawful basis for the processing of data.
Following data use audit, and legal basis assessment (see appendices 1&2), Ambigo CIC has elected to assign legal basis as follows:
In all cases: participant right to request withdrawal of personal data from use to be upheld.
The directors have responsibility for implementing this policy and expect all employees and volunteers to abide by the policy and help create the equality environment, which is its objective.
In order to implement this policy, the directors undertake to:
Communicate the policy to employees, job applicants and volunteers
Ensure that adequate resources are made available to fulfil the objectives of the policy.
GDPR requires best practice for:
How we gather information
How securely we store information
How we comply with reasonable requests for the information we hold
How we can evidence any of the above in the event of an audit.
As an indication of how Data Control is to be implemented, the following table sets out key examples to core operational aims:
The data controller for Ambigo CIC is Andy Cheng, executive director.
The Senior Information Rights Officer for Ambigo CIC is Adam Bates, executive director.
Requirement for registration with Information Commissioner’s Office (ICO):
Following self-assessment carried out on 19th April 2018, Ambigo CIC concludes there is no current requirement for registration with the ICO (see appendix 3).
Policy date & review schedule
This draft 19th April 2018
Review as required, or by 19th April 2019, whichever is sooner.
Appendix 1: Record of Data Use Audit
Summary of use:
Appendix 2: Record of Legal basis assessment:
Summary of argument for Legitimate Interest use as legal basis:
Evaluation of Impact, effectiveness, efficiency, CQI and service development
Processing of personal data about:
“ambitions” and associated concerns
suggestions and comments
outcome(s) and impact(s) thereof
retained and new benefits over time
feedback from participant where used to improve specific service to participant
Thereafter either coded or made anonymous.
Summary of argument for Consent as legal basis:
Promotional use of photos from which the participant can be identified
Mailing list (not associated with participant support, above)
Processing of personal data about:
image of participant (engaged in Ambigo CIC activity)
area of pertinent interest(s), informing decisions about what promotional material is dispatched
No other use expected.
Appendix 3: Record of registration self-assessment ICO