Ambigo data control policy


Ambigo CIC's data control policy outlines how we are compliant with data protection legislation. We may use your information in two ways:

  1. If you have asked us to continue to support your ambition.
  2. To keep you up-to-date with our exciting news and nice stories through our newsletter.

The General Data Protection Regulation (GDPR) gives you certain rights that allow you to request a review of your data, make alterations to it or to erase it. 



This policy sets out guidance for handling of data and complying with Data Protection legislation in the context of normal practice.


It includes requirements on Ambigo CIC for how we provide best practice with regard to our use of data, in particular personal data, and provides guidance for the implementation of the same.




Facts and statistics collected together for reference or analysis.


Personal Data:

This is any information which relates directly to an individual and can be linked directly to them. For example, this includes: name, phone number, email address, photographs, genetic and economic data.


Anonymous Data:

Data which has been anonymised properly cannot be traced back to the original individuals in any way.


Coded Data (Pseudonymous Data):

Data which can only be connected back to an individual using a specific ‘key’ or code. This can be an extra layer of security but the data is still treated as Personal Data in this policy.



This policy applies to directors, employees, contractors and volunteers in the organisation.


Legal underpinning

Ambigo recognises that Data usage and Data protection in the workplace are governed by the following principal pieces of legislation:


The General Data Protection Regulation (GDPR) was passed in 2016 and comes into force after a two-year preparation period on 25 May 2018.


This supersedes:

Data Protection Act of 1998

Data Protection Act of 1984


Scope of the law:

Data protection is about all personal information, including that which is recorded or stored in paper copies as well as in digital form. Information of a corporate nature, such as name, job title and professional contact details, may be processed for legitimate purposes without explicit consent.


GDPR, like previous legislation, is aimed at protecting individuals, not organisations.

Named individuals in the workplace are also covered if their personal information is concerned.


GDPR requires that organisations establish a lawful basis for the processing of data.

Following a data use audit and legal basis assessment (see appendices 1 & 2), Ambigo CIC has elected to assign legal basis as follows:



[Image: table of assigned legal basis]

In all cases: participant right to request withdrawal of personal data from use to be upheld.



The directors have responsibility for implementing this policy and expect all employees and volunteers to abide by the policy and help create the equality environment, which is its objective.


In order to implement this policy, the directors undertake to:

  • Communicate the policy to employees, job applicants and volunteers

  • Ensure that adequate resources are made available to fulfil the objectives of the policy.


GDPR requires best practice for:

  • How we gather information

  • How securely we store information

  • How we comply with reasonable requests for the information we hold

  • How we can evidence any of the above in the event of an audit.


As an indication of how Data Control is to be implemented, the following table sets out key examples to core operational aims:

[Image: table of key examples of Data Control implementation]

The data controller for Ambigo CIC is Andy Cheng, executive director.

The Senior Information Rights Officer for Ambigo CIC is Adam Bates, executive director.


Requirement for registration with Information Commissioner’s Office (ICO):


Following self-assessment carried out on 19th April 2018, Ambigo CIC concludes there is no current requirement for registration with the ICO (see appendix 3).


Policy date & review schedule

This draft 19th April 2018
Review as required, or by 19th April 2019, whichever is sooner.


Appendix 1: Record of Data Use Audit

[Image: record of data use audit]


Summary of use:

Appendix 2: Record of Legal basis assessment:


Summary of argument for Legitimate Interest use as legal basis:


Participant support

Evaluation of Impact, effectiveness, efficiency, CQI and service development


Processing of personal data about:

  • “ambitions” and associated concerns

  • suggestions and comments

  • outcome(s) and impact(s) thereof

  • retained and new benefits over time

  • feedback from participant where used to improve specific service to participant


Thereafter either coded or made anonymous.


Summary of argument for Consent as legal basis:


Promotional use of photos from which the participant can be identified

Mailing list (not associated with participant support, above)


Processing of personal data about:

  • image of participant (engaged in Ambigo CIC activity)

  • contact information

  • area of pertinent interest(s) informing decisions about what promotional material is dispatched

No other use expected.


Appendix 3: record of registration self-assessment ICO

[Image: record of ICO registration self-assessment]