Policies and Statements
Privacy Policy
This Privacy Notice sets out how we collect, use and store your personal information (this means any information that identifies or could identify you).
The Green Rose CIC Privacy Notice may change so please remember to check back from time to time. Where we have made any changes to this Privacy Notice, we will make this clear on our website or contact you about any changes.
This Privacy Notice covers the following:
1. Who we are
2. How we collect information about you
3. Information we collect and why we use it
4. Fraud prevention and identity checks
5. Profiling: making our work more unique to you
6. Legal basis for using your information
7. Marketing
8. Sharing your information
9. Keeping your information safe
10. How long we hold your information for
11. Your rights
12. Photographs and video
13. Cookies
1. Who we are
Here at Green Rose CIC we are committed to protecting your personal information and making every effort to ensure that your personal information is processed in a fair, open and transparent manner.
We are a “data controller” for the purposes of the Data Protection Act 2018 and the EU General Data Protection Regulation 2016/679. This means that we are responsible for, and control the processing of, your personal information.
2. How we collect information about you
We collect information from you in the following ways:
When you interact with us directly: This could be if you ask us about our activities, register with us for training or an event, make a donation to us, ask for information or advice on suppliers, apply for a job or volunteering opportunity, enquire about or apply for grants or otherwise provide us with your personal information. This includes when you phone us, visit our website or get in touch through the post, or in person.
When you interact with us through partners or suppliers working on our behalf: This could be if you access a service such as home energy advice visits which are delivered through trusted contractors working on our behalf and always under our instruction.
When you interact with us through third parties: This could be if you provide a donation through a third party such as People’s Fundraising or one of the other third parties that we work with and provide your consent for your personal information to be shared with us.
When you visit our website: We gather general information which might include which pages you visit most often and which services, events or information are of most interest to you. We also use “cookies” to help our site run effectively. There are more details below – see ‘Cookies’.
From other information that is available to the public: In order to tailor our communications with you to your background and interests we may collect information about you from publicly available sources or through third-party subscription services or service providers (we have provided further details about this below – see ‘Profiling: making our work more unique to you’).
3. Information we collect and why we use it
Personal Information
Personal information we collect includes details such as your name, date of birth, email address, postal address, telephone number and credit/debit card details (if you are making a donation), as well as information you provide in any communications between us. Sensitive personal information we collect may include health and income details, ethnicity and religion. You will have given us this information whilst making a donation, registering for an event or through any of the other ways you interact with us.
If you contact us about or apply for a grant, we will collect personal data about you and other people connected to your organisation. We may do this through conversations, at events or during visits to your organisation, or if you call our staff to discuss funding applications. If your organisation applies for funding, we will also collect personal data on application forms. Sometimes our grant holders and evaluators also send us information about individuals who benefit from projects funded by our grants.
If you provide us with personal data of people who benefit from your project’s work, we will treat this in the same way. You must tell the individuals and if they have any questions about this, you must refer them to this notice.
We will only use this information:
- To provide the services or goods that you have requested.
- To process your donations, to claim Gift Aid on your donations and verify any financial transactions.
- To update you with important administrative messages about your donation, an event or services you have requested.
- To keep a record of your relationship with us.
- Where you volunteer with us, to administer the volunteering arrangement.
- Where you are contracted or employed with us, to administer any contractual agreement.
- To administer grant funding. For example, we may use your personal data to help your organisation apply for grants and to assess its applications.
- If a grant is awarded, we use your personal data to manage and monitor the grant and to check the money is being used appropriately.
- We may also use your personal data to evaluate and research the impact of our grants and to let you know about our grants and other activities. The results of our evaluations and research may be published but we won’t publish your personal data without your agreement.
- To report back to our funders and partners where required.
If you do not provide this information, we may not be able to process your donation, sign you up for a particular event, make a grant or provide services you have requested.
Where permitted we may also use your personal information:
• To contact you about our work and how you can support Green Rose CIC (see section 7 on ‘Marketing’ below for further information).
• To inform you of events and services that may be of interest to you
• To carry out targeted fundraising activities
We may also occasionally use publicly available information about individuals, such as media reports or information on Companies House about business interests, or information available from internet searching, to inform our communications.
We may aggregate and anonymise personal data before we analyse it so that it can no longer be linked to an identifiable person.
4. Fraud prevention and identity checks
If you apply for a grant or receive a grant from us, we may undertake checks for the purposes of preventing fraud and money laundering and to verify your identity. These checks require us to process personal data you have provided about you and your nominated representatives and data we have received from third parties.
We and fraud prevention agencies may also enable law enforcement agencies, regulators, Government, Lottery distributors and other funders to access and use your personal data to detect, investigate and prevent crime.
Fraud prevention agencies can hold your personal data for different periods of time. If you are considered to pose a fraud or money laundering risk, your personal data can be held for up to six years.
If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to award a grant and we may withdraw existing grants.
A record of any fraud or money laundering risk will be retained by us and the fraud prevention agencies and may result in others refusing to provide you with services, financing or employment. If you have any questions about this, please contact us on the details below.
5. Profiling: making our work more unique to you
We want to improve how we talk to you and the information we provide through our website, services, products and information. To do this we sometimes use profiling and screening methods so that we can better understand our supporters, your preferences and needs to provide a better experience for you. For example, we might send you details about an event we think you’d be interested in, based on Green Rose CIC events you’ve been to in the past – if you’ve given us permission to do so when you signed up for our newsletters.
We may carry out targeted fundraising activities using profiling techniques based on the information that we hold about you – for example, whether you’ve donated to Green Rose CIC in the past.
We do not use any third-party services to acquire additional information about you.
6. Legal basis for using your information
In some cases, we will only use your personal information where we have your consent or because we need to use it in order to fulfil a contract with you.
However, there are other lawful reasons that allow us to process your personal information and one of those is called ‘legitimate interests’. This means that the reason that we are processing information is because there is a legitimate interest for Green Rose CIC to process your information to provide you with a service.
Whenever we process your personal information under the ‘legitimate interest’ lawful basis we make sure that we take into account your rights and interests and will not process your personal information if we feel that there is an imbalance.
7. Marketing
We will only contact you about our work and how you can support Green Rose CIC by email, phone or letter if you have given us permission to contact you in this way.
We may occasionally send you information about the activities of third parties which we consider to be directly relevant to our social objectives.
You can update your choices by clicking on the ‘Update Profile’ link at the bottom of our email newsletters, or if you’d like us to stop sending you these communications, click the unsubscribe link.
If you have applied for and received a grant from us, we may keep in contact with you throughout the life of your grant and we will send you regular advice about your grant. These will contain useful information on a range of things including how to publicise your grant, information on other funding available and project ideas and tips from other grant holders.
We do not subject your data to any automated decision-making.
8. Sharing your Information
The personal information we collect about you will mainly be used by our staff (and volunteers) at Green Rose CIC so that they can support you. Where we are the Data Controller, we will never sell or share your personal information with organisations so that they can contact you for any marketing activities. Nor do we sell any information about your web browsing activity.
Green Rose CIC may however share your information with our trusted partners and suppliers who work with us or on our behalf to deliver our services, but processing of this information is always carried out under our instruction. We make sure that they store the data securely, delete it when they no longer need it and never use it for any other purposes.
We enter into agreements with these service providers that require them to comply with Data Protection Laws and ensure that they have appropriate controls in place to secure your information.
We currently use:
- Acuity Scheduling (Appointment scheduling)
- Agency For Good (Web Design)
- BrightPay (Payroll processing software & support)
- Google (E-mail, calendar, file storage and other related services)
- People’s Fundraising (Donations)
- Quickbooks (Finance processing software & support)
- Starling Bank (Banking)
- Third Sector Accountancy Coop Ltd (Accountancy Support)
- Zoom (Online meeting and webinar hosting)
- Various local contractors – you will be advised when appointments are made (Energy Audits and Installation of Measures)
Where we are contracted to do work for another organisation
When we act under instruction from another organisation we are the Data Processor. In these cases there will be a contract in place which will tell us what to do with the information and you will be given a different privacy notice by them which will tell you about it. Your rights are unlikely to be affected if your information is used in this way.
If you apply for a grant
If you apply for a grant we might share your information with:
- Members of the assessment panel as part of the process for assessing your application and making a decision
- The funding body for their monitoring and review processes and for their promotion and publicity of the fund
- Our monitoring and evaluation contractors for the purposes of evaluating the impact of the grant
Legal disclosure
We may disclose your information if required to do so by law (for example, to comply with applicable laws, regulations and codes of practice or in response to a valid request from a competent authority).
9. Keeping your information safe
We take looking after your information very seriously. We’ve implemented appropriate physical, technical and organisational measures to protect the personal information we have under our control, both on and off-line, from improper access, use, alteration, destruction and loss.
We only transfer data outside of the EEA if it is to a country considered to have adequate data protection legislation as decided by the European Commission.
Unfortunately, the transmission of information using the internet is not completely secure. Although we do our best to protect your personal information sent to us this way, we cannot guarantee the security of data transmitted to our site.
Our websites may contain links to other sites. While we try to link only to sites that share our high standards and respect for privacy, we are not responsible for the content or the privacy practices employed by other sites. Please be aware that advertisers or websites that have links on our site may collect personally identifiable information about you. This privacy statement does not cover the information practices of those websites or advertisers.
Any debit or credit card details which we receive are passed securely to Quickbooks (our accountancy provider) and Starling Bank (our payment processing partner), according to the Payment Card Industry Security Standards. We also use trusted partners People’s Fundraising for some transactions, and they also adhere to these standards.
10. How long we hold your information for
We only keep it as long as is reasonable and necessary for the relevant activity, which may be to fulfil statutory obligations (for example, the collection of Gift Aid). More details can be found in our Retention Policy.
11. Your rights
You have various rights in respect of the personal information we hold about you – these are set out in more detail below.
• Access to your personal information: You have the right to request access to a copy of the personal information that we hold about you (known as a ‘Subject Access Request’) free of charge. This can include information on what personal information we use, why we use it, who we share it with and for how long we keep it. We may charge a fee of £10 if a Request is manifestly unfounded or excessive, particularly if it is repetitive. We will need to ask you to confirm your identity by getting in touch.
• Right to object: You can object to our processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
• Consent: If you have given us your consent to use personal information (for example, for marketing), you can withdraw your consent at any time.
• Rectification: You can ask us to change or complete any inaccurate or incomplete personal information held about you.
• Erasure: You can ask us to delete your personal information where it is no longer necessary for us to use it, you have withdrawn consent, or where we have no lawful basis for keeping it.
• Portability: You can ask us to provide you or a third party with some of the personal information that we hold about you in a structured, commonly used, electronic form, so it can be easily transferred.
• Restriction: You can ask us to restrict the personal information we use about you where you have asked for it to be erased or where you have objected to our use of it.
• Profiling: You can ask us not to use your data to profile you.
• Automated decision-making: Green Rose CIC does not use any of your personal data to make automated decisions.
Please note, some of these rights only apply in certain circumstances and we may not be able to fulfil every request.
If you wish to exercise any of these rights, you can do so by contacting us on 0800 702 2528 or info@greenrose.org.uk
If you are unhappy about how your personal data has been used please refer to our complaints policy. You also have a right to complain about our use of your data to the Information Commissioner’s Office – which regulates the processing of personal data. You can contact the Information Commissioner’s Office on 0303 123 1113, via their email contact page at https://ico.org.uk/global/contact-us/email, or at Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
12. Photographs and video
We often take images of multiple participants at our public events. It is our legitimate interest to do so for publicity purposes and as a record of our work. We will ensure that people participating in our group events are given advance notice of our intention to collect images and reminders on the day. They will have the right to object to our use of them.
In the event that we are taking specific, close-up images of individuals whose names may be included in our use of those images, we may secure and retain the individual’s written consent.
If we are taking readily identifiable images of children, we will take extra care to ensure their privacy rights are respected. If under 16 years of age, we will secure written parental consent for the taking and use of the photograph or video. If 16 to 18 years of age, we secure consent from the child. Consent can be withdrawn at any time.
13. Cookies
‘Cookie’ is a name for a small file, usually of letters and numbers, which is downloaded onto your device, like your computer, mobile phone or tablet when you visit a website.
They let websites recognise your device, so that the sites can work more effectively, and also gather information about how you use the site. A cookie, by itself, can’t be used to identify you.
How do we use cookies?
We use cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you come to our website and also allows us to improve the user experience.
The cookies we use
We use the categorisation set out by the International Chamber of Commerce in their UK Cookie Guide.
We use all four categories of cookies:
• ‘Strictly necessary’ cookies are essential for you to move around our website and to use its features, like your account.
• ‘Performance’ cookies collect anonymous information about how you use our site, like which pages are visited most.
• ‘Functionality’ cookies collect anonymous information that remembers choices you make, like your text size or location, to improve your experience. They may also be used to provide services you have asked for such as watching a video or commenting on a blog.
• ‘Targeting or advertising’ cookies collect information about your browsing habits in order to make advertising relevant to you and your interests. As such if you visit the Green Rose CIC website you may then be more likely to see adverts about our work on other websites as your browsing suggests that this is an area of interest.
No cookies, please
You can opt out of all our cookies (except the strictly necessary ones). Find out how to control and delete cookies in your browser.
But, if you choose to refuse all cookies, our website may not function for you as we would like it to.
If you have any questions about how we use cookies, please contact us at info@greenrose.org.uk
Version: 1
Last Updated: 18.04.21
Modern Slavery Statement
This Modern Slavery Statement sets out our corporate commitments to ethical operations and communicating transparently about these commitments.
The Green Rose CIC Modern Slavery Statement may change so please remember to check back from time to time. Where we have made any changes to this Modern Slavery Statement, we will make this clear on our website or contact you about any changes.
This Modern Slavery Statement covers the following:
1. Organisation Structure and Supply Chains
2. Policies in Relation to Slavery and Human Trafficking
3. Due Diligence Processes
4. Key Performance Indicators to Measure Effectiveness
5. Training on Modern Slavery and Trafficking
6. Statement Approval
Organisation Structure and Supply Chains
Green Rose Sustainability is a Community Interest Company (CIC) based in Lancashire, UK, dedicated to promoting sustainable practices and supporting communities in transitioning to a low-carbon future. We provide services including energy advice, community engagement, and environmental education.
Our supply chains primarily consist of UK-based partners, including contractors, consultants, and technology suppliers. In some cases, these suppliers may source goods or services globally, which could increase exposure to modern slavery risks.
Policies in Relation to Slavery and Human Trafficking
We are committed to ensuring that there is no modern slavery or human trafficking in any part of our business or supply chains. Our relevant policies include:
- Code of Conduct – applicable to all staff, volunteers, and contractors, emphasizing respect for human rights.
- Whistleblowing Policy – encouraging employees and third parties to report concerns related to unethical conduct, including potential instances of modern slavery.
Due Diligence Processes
To identify and mitigate modern slavery risks, we:
- Assess new suppliers based on their ethical practices and transparency.
- Require relevant suppliers to confirm compliance with the Modern Slavery Act 2015.
- Maintain open communication with partners to raise awareness and foster ethical working relationships.
- Periodically review our supplier list to identify potential high-risk areas.
Risk Assessment and Management
We recognize that certain areas of our supply chain, particularly where goods or components are sourced internationally, may pose higher risks. To manage these risks:
- We categorize suppliers based on the type of product or service provided and the geographic origin.
- High-risk suppliers may be subject to additional scrutiny, including requests for documentation regarding labour practices.
We are developing a formal risk assessment framework to be integrated into procurement and partnership processes.
Key Performance Indicators to Measure Effectiveness
To track our progress in tackling modern slavery, we monitor the following indicators:
- Percentage of suppliers who have confirmed compliance with modern slavery policies.
- Number of staff and volunteers trained on modern slavery awareness.
- Number of reported concerns or incidents related to modern slavery (internally or via whistleblowing).
- Frequency and outcome of supplier reviews or audits.
Training on Modern Slavery and Trafficking
We are committed to educating our staff and volunteers on the risks of modern slavery. Our training approach includes:
- Induction training for all new staff covering basic awareness of modern slavery and how to report concerns.
- Annual refresher training or updates for relevant teams, particularly those involved in procurement or community work.
- Providing access to external training resources and guidance from reputable organisations.
Statement Approval
This statement has been approved by the Board of Directors of Green Rose Sustainability CIC and will be reviewed annually.
Signed,
Georgina Sommerville
Director
April 2025
Data Protection and GDPR Policy
Introduction to Data Subject Rights under GDPR
The General Data Protection Regulation (“GDPR”) gives Data Subjects certain rights in terms of the information which we hold about them. In brief these rights are:
• The right to be informed;
• The right of access;
• The right to rectification;
• The right to erasure;
• The right to restrict processing;
• The right to data portability;
• The right to object; and
• Rights in relation to automated decision making and profiling.
Much of the information relating to the right to be informed is contained in our website privacy notice and any other areas where we may provide privacy information e.g. our terms and conditions of service.
You may be asked directly about the other Data Subject Rights. The most common right you will encounter is the right of access, which is also known as a Subject Access Request or SAR.
Not all of these Data Subject Rights apply in every circumstance, and not all of them can be fully complied with if requested. For example, the right of erasure is not absolute and we may have to hold information on a Data Subject for legal reasons e.g. for submission to HMRC.
Where you receive a request for information from a Data Subject, please read the information below on that specific right before going on to read the section Data Subject Rights: How to Respond.
Common Provisions in Relation to the Rights
Timescales
The rights must be responded to without undue delay and this must be no later than within one month of receiving the request from the Data Subject. The Information Commissioner’s Office (ICO) has set out very detailed explanations of what constitutes within ‘one month’ on their website, but as best practice we will reply to all requests as soon as possible, and in no event later than 28 days.
It may be possible to extend the time to respond by a further two months if the request is complex or we have received a number of requests from the same individual. In this case, we must let the individual know of our intention to extend the time to respond to the right in question. We must do this without undue delay and within one month of receiving their request, explaining why the extension is necessary.
Fees
We do not charge a fee for responding to requests, unless the request is manifestly unfounded or excessive, taking into account whether the request is repetitive in nature.
Where we consider that a request is manifestly unfounded or excessive we can:
• request a “reasonable fee” to deal with the request; or
• refuse to deal with the request
In either case, the Directors will make this decision, which will need to be justified and the reason for such decision communicated to the Data Subject.
Any ‘reasonable fee’ charged for the administrative costs of complying with the requests must be promptly communicated to the Data Subject, but we do not need to comply with the request until we have received the fee.
Where Green Rose CIC Refuses a Request
In the event we refuse a request, we must inform the Data Subject without undue delay and within one month of receipt of the request, including:
• the reasons we are not taking action/granting their request;
• their right to make a complaint to the ICO; and
• their ability to seek to enforce this right through a judicial remedy.
Where we request a reasonable fee or need additional information to identify the individual, we will also provide this information to the Data Subject.
How to Identify Requests
Requests may be made verbally or in writing. The Data Subject may not use the language of GDPR and ask for rectification or erasure. The ICO recommends checking with the Data Subject that we have understood their request, as this can help avoid later disputes about how we have interpreted the request. You should always log all requests (including verbal ones) and follow the procedures set out below in Data Subject Rights: How to Respond to a SAR.
SARs and Green Rose CIC as Data Controller
As Data Controller, Green Rose CIC holds quite considerable Personal Data on the individuals it works with, including special categories of Personal Data, for example health conditions. Green Rose CIC has in place comprehensive employee training on GDPR, which includes security awareness training and simulated phishing attacks resulting in targeted training. Front line employees that will in the main deal with any SARs also receive basic training on what a SAR is and how to respond to one, as set out in the SAR Response Document below.
The Eight Rights of Data Subjects Under GDPR
The Right to be Informed
Data Subjects must be provided with information about the collection and use of their data. We do this at the time we collect personal data from them: this is the sort of information we provide in our website privacy notice and also in our terms of business.
Where we collect data about a Data Subject from another source, for example from a local authority, we must provide the Data Subject with our privacy information no later than one month from our receipt of their details.
The Right of Access
Introduction to the Right of Access
Recital 63 of the General Data Protection Regulation (‘GDPR’) allows EU residents the opportunity to verify the lawfulness of any data which may be held on them. In order to facilitate this Recital, Articles 12 and 15 give individuals a right of access to their information.
A right of access request will typically include the following:
a) A request for confirmation from the Data Controller that the individual’s data is being processed by them;
b) A request for the information held on the individual by the Data Controller; and
c) A request for any supplementary information.
This is by virtue of Article 15 and roughly corresponds to the information contained within the Controller’s Privacy Notice.
When replying to a request for the right of access, when considering point (c) above, the privacy notice checklist includes:
• The name and contact details of Green Rose CIC;
• The contact details of our data protection officer (if applicable).
• The purposes of the processing.
• The lawful basis for the processing.
• The legitimate interests for the processing (if applicable).
• The categories of Personal Data obtained (if the Personal Data is not obtained from the individual it relates to).
• The recipients or categories of recipients of the Personal Data.
• The details of transfers of the Personal Data to any third countries or international organisations (if applicable).
• The retention periods for the Personal Data.
• The rights available to the Data Subject in respect of the processing.
• The right to withdraw consent (if applicable).
• The right to lodge a complaint with a supervisory authority.
• The source of the Personal Data (if the Personal Data is not obtained from the individual it relates to).
• The details of whether the Data Subject is under a statutory or contractual obligation to provide the Personal Data (if applicable, and if the Personal Data is collected from the individual it relates to).
• The details of the existence of automated decision-making, including profiling (if applicable).
Right to Rectification
The right to rectification is contained in Article 16 of GDPR and allows the Data Subject the right to have inaccurate Personal Data rectified without undue delay. Depending on the purposes of the processing, the Data Subject shall have the right to have incomplete Personal Data completed. This right will most commonly be exercised when the Data Subject has either been contacted using incorrect details, or where a SAR has been obtained and the Data Subject notices that details about them are wrong.
Requests for rectification should not be problematic, but as a matter of good practice we will automatically restrict processing while an investigation is carried out. This may be requested by the Data Subject when asking for rectification, but it may not. You should always follow the procedure below in the section Data Subject Rights: How to Respond to a SAR.
The Right to Erasure
The right to erasure (the right to be forgotten) is contained within Article 17 of GDPR, which provides that a Data Subject shall have the right to have Personal Data erased without undue delay, where one of these grounds applies:
a) The Personal Data is no longer necessary for the purposes for which it was collected;
b) The Data Subject withdraws consent and there is no other lawful basis for the processing;
c) The Data Subject objects to processing, with reference to public interest or legitimate interest of Controller/third party, AND there are no legitimate grounds for processing, or where the Data Subject objects to processing in relation to direct marketing;
d) The Personal Data has been unlawfully processed; or
e) Erasure is required for the Data Controller to be in compliance with an EU or Member State law.
Most of the grounds set out above refer to the lawful basis for processing, that is, the basis on which Green Rose CIC processes the Data Subject's information. The lawful bases on which Green Rose CIC most commonly holds Personal Data are contract, consent and legitimate interests.
Lawful Basis is Contract.
Where we have entered into a contract with the Data Subject, points (a) to (c) will generally not apply, and you should not agree to erase data, for the following reasons:
• Some of the data will be required to comply with UK law, e.g. records for taxation;
• As we operate in a highly regulated industry, it is essential that we can account for our actions and that all contact with the Data Subject is recorded in detail.
Provided the contract is valid, point (d) will not apply, and it would be very rare for point (e) to apply. In both these cases significant investigation would need to be carried out before we would agree to erase data.
Lawful Basis is Consent.
This would most commonly be the case where a Data Subject has been in contact with us, e.g. by filling in a contact form on our website, but has not yet signed a contract and is not yet a client. In this case, points (a), (b) or (d) may apply. The data we hold is likely to be minimal and restricted to contact details, though this may not always be the case. Where the lawful basis is consent, the Data Subject may have a strong case for erasure.
Lawful Basis is Legitimate Interests.
Green Rose CIC rarely relies on legitimate interests as a lawful basis for processing Personal Data; however, it may apply to contact details used for marketing where no other lawful basis has been identified. Where this is the case, points (c) and (d) may apply and the Data Subject may be entitled to erasure.
The right to erasure is complex, and once data is erased we cannot get it back should we need it. Before you respond to such a request you must always check with the Directors, following the procedure set out below in Data Subject Rights: How to Respond to a SAR.
The Right of Restriction of Processing
A Data Subject may require Green Rose CIC to restrict processing of their Personal Data where:
a) The accuracy of the Personal Data is contested: we must then restrict processing for a period that allows us to verify the accuracy of the data;
b) Processing is unlawful, but instead of requesting erasure, the Data Subject requests processing to be restricted instead;
c) We no longer need the data for the purposes of processing but the Data Subject requires us to keep it for the establishment, exercise or defence of legal claims; or
d) The Data Subject has objected to processing their data under the right to object (Article 21(1)), and we are considering whether our legitimate grounds to use the data override the rights of the Data Subject.
This is not an absolute right and it only applies in the circumstances set out above. Where it does apply (and where we are investigating a request for this right), we are able to store data, but not to use it e.g. we cannot use an e-mail address for marketing but it can remain on our CRM system where it should be marked as restricted and its use prohibited.
Where a request for this right has been investigated and we have decided that it is not valid, we must justify our decision and we must tell the Data Subject of our decision before we resume processing the data.
Where a right to restriction is successful, we must inform any third parties who we have shared that data with, as they will also need to restrict access to that data. This must be done unless it is impossible or involves disproportionate effort.
This right is very closely aligned with the right to rectification and the right to object.
The Right to Data Portability
Data portability means that where the Data Subject provided Green Rose CIC with Personal Data, they then have the right to receive their Personal Data from us in a commonly used, machine readable format. The Data Subject can also ask us to transmit their Personal Data directly to another Data Controller. This right applies where:
• The lawful basis for the processing is consent or the performance of a contract; and
• The processing is carried out by automated means (i.e. excluding paper files).
This right only applies to Personal Data the Data Subject has provided to us, not to additional data we may have derived from it, e.g. a user profile. Data "provided" does include raw data observed from the Data Subject's use of our services, e.g. meter readings.
The Right to Object
Data Subjects have the right to object to:
a) processing based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
b) direct marketing (including profiling); and
c) processing for purposes of scientific/historical research and statistics.
Where we receive an objection to processing Personal Data as regards point (a) we must stop processing unless we can demonstrate compelling legitimate grounds for the processing (which override the interests, rights and freedoms of the individual) or the processing is for the establishment, exercise or defence of legal claims.
Where we receive an objection to processing Personal Data as regards point (b) we must stop processing data as soon as we receive an objection: there are no exemptions or grounds to refuse.
All our marketing materials include the option to opt out of, or object to, direct marketing, and this option is also set out in our privacy notice.
We only rely on legitimate interests as a lawful basis in limited circumstances, so the most common objection we will receive will be to direct marketing.
Rights in relation to Automated Decision Making and Profiling
Automated decision-making means making a decision solely by automated means, with no human involvement. Profiling is the automated processing of Personal Data to evaluate certain aspects of an individual.
At Green Rose CIC we do not carry out profiling or automated decision making therefore we do not need to consider the GDPR provisions applicable to them.
Data Subject Rights: How to Respond to a SAR
Although unusual, because Green Rose CIC acts as a Data Controller you may at some point encounter a request under one or more of the Data Subject Rights listed above. The most common will be the Right of Access, and this may be the starting point for the Data Subject going on to exercise other rights. Requests under any of these rights are commonly referred to as Subject Access Requests (SARs), but when responding it is important that you identify which right or rights are actually being requested.
The correct procedure for dealing with a SAR is as follows:
1. Notify the Directors that a SAR has been received and document the date and time of the SAR and its details in the SAR Log-sheet. SARs must be responded to within one month of receipt (this period can be extended by up to two further months for complex or numerous requests, but the Data Subject must be told of the extension and the reasons for it within the first month), and it is essential that the SAR is not ignored or forgotten about.
2. The identity of the Data Subject issuing the SAR must be confirmed using reasonable means. Please check with the Directors for confirmation of what is 'reasonable' in each individual circumstance, but this could for example include contacting the Data Subject using the contact details we already hold for them on our CRM system (rather than any new contact details supplied in the request itself) to request confirmation that they sent a SAR to us.
3. Using the CRM system, confirm that we do indeed hold information on the Data Subject and that we are processing their data. The CRM system should indicate where to find the information we store on the Data Subject, for example the CRM system itself for contact details or the finance system for payment processing. Check for any supplementary information on the Data Subject, such as information which may be contained in e-mails, including attachments.
4. You should always contact the staff member in Green Rose CIC who has had the most recent contact with the Data Subject. This can provide you with valuable information that may not be obvious from the CRM system, such as whether there is indeed supplementary information contained in e-mails, or if the Data Subject seemed unduly upset or has special needs.
5. Remember that, due to our compliance with the data minimisation requirements of GDPR, in addition to technological restrictions, we do not store certain information for longer than required to meet our statutory or regulatory obligations. If a search in response to a SAR cannot locate information on an individual, even though they exist in the CRM and/or finance system, it may be that all other information on them has been deleted in compliance with data minimisation.
6. If it appears that the information requested in a SAR is excessive or manifestly unfounded, or that there are repetitive SARs from the same Data Subject, discuss with the Directors how to proceed. It may be that the SAR is refused or that we charge a reasonable fee that reflects the administrative cost of supplying the information requested. Where the request is refused, this must be done within one month, giving reasons for the decision and informing the individual of their right to complain to the supervisory authority (the ICO) and of their right to a judicial remedy.
7. Where the individual makes the SAR electronically, unless otherwise requested, return the information by e-mail, to the address verified at step 2, in a commonly used electronic format, e.g. a CSV file.
8. Always request that the individual confirms to us receipt of the information we provide and log the confirmation received in the SAR Log-sheet.
9. Every Data Subject Right is different in nature. The SAR we most commonly anticipate is the right of access, which can involve quite a lot of detail where there is a request for supplementary information. The right to restrict processing and the right to erasure require more complex decisions which will be undertaken by The Directors.
Data Subject Rights Log-sheet
The log-sheet has one row per request, with the following columns (permitted values and example entries in square brackets):
• Request Type: [SAR] / [Rectification] / [Erasure] / [Restrict Processing] / [Data Portability] / [Object] / [Automated Decision]
• Date request received & date it must be responded by: [Date] & [Date]
• Do we hold information on this individual? [Yes/No]
• Name, e-mail & confirm ID checked: [Name], [E-mail], [Yes/No]
• Departments holding information: [CRM] / [Finance]
• Request excessive: fee or refuse: [Yes/No]; [Fee] / [Refuse]
• Type of response: [Electronic/Mail]
• Date of response & confirm receipt: [Date] & [Yes/No] on [Date]
• Comments: [e.g. only contact details held on CRM; no finance record as they did not sign on as a client] / [e.g. rectification of wrong postcode] / [e.g. erasure complied with / not complied with because …]
Introduction to Green Rose CIC’s Data Breach Policy & Response Plan
At Green Rose CIC we take data protection very seriously. All staff and volunteers are trained in how to recognise and respond to a suspected Data Breach and are required to adhere to our data protection policy at all times, the details of which form part of our employment and volunteering handbook.
Nominated Person Contact Details in the Event of a Data Breach
Name: James Sommerville
E-Mail: info@greenrose.org.uk
Telephone: +44 (0)7792 395 985
Information Commissioner’s Office Contact Details
Name: ICO
E-Mail: casework@ico.org.uk
Telephone: +44 303 123 1113
Green Rose CIC Data Breach Policy for Employees
In the event that you suspect there has been a Data Breach, it is important that this policy is followed so that we can deal with the breach in the appropriate way. We believe in working in an open and honest manner, with a 'no blame' culture. We will investigate all suspected Data Breaches thoroughly in order to (a) be compliant with the General Data Protection Regulation ('GDPR'); (b) uphold the rights of the individuals and organisations we hold Personal Data on; and (c) learn from our mistakes.
If you do not understand any parts of the policy, please contact the Directors for clarification.
How to recognise a Data Breach
A Data Breach may not always be obvious. The UK regulator – the ICO – has issued a useful definition of a Data Breach as follows: a Data Breach can be ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.’
Therefore a Data Breach can include:
• access by an unauthorised third party;
• deliberate or accidental action (or inaction) by a Data Controller or Data Processor;
• sending Personal Data to an incorrect recipient;
• computing devices containing personal data being lost or stolen;
• alteration of Personal Data without permission; and
• loss of availability of Personal Data.
Reporting a Data Breach
Where you suspect a Data Breach it must be reported to the Directors, no matter how small or insignificant the breach may appear. Once it has been confirmed that a Data Breach has occurred, then it will be logged in the Data Breach Register and you then may be asked to help investigate how the breach occurred. Reporting is important, not only to comply with the relevant legislation, but also because if even seemingly insignificant Data Breaches are reported and recorded, this may then help identify how we can improve our data security, systems and procedures overall.
Data Breach Response Plan for GDPR
The supervisory authority for Green Rose CIC is: The ICO
ICO Tel: +44 303 123 1113 (open 9-5 Mon – Fri (Wed 9-1))
Further details of what to do will be provided on the answer phone outside office hours. You can also use the ICO Security Breach Notification Form. The ICO web address is: https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/
Once a Data Breach is reported to the Directors, the steps of the response plan for Green Rose CIC are as follows:
1. The Directors in addition to any other applicable parties, form a Breach Assessment Team (‘BAT’).
2. BAT will take immediate steps to fix or mitigate the problem while the potential Data Breach is being investigated, in order to safeguard all data which Green Rose CIC holds.
3. The BAT will immediately begin a preliminary investigation into the potential Data Breach, bearing in mind the time limits for breach notification: for GDPR this is 72 hours from when Green Rose CIC became aware of the breach.
4. The Breach will be logged in Green Rose CIC’s Record of Data Breaches and the BAT will determine whether a Data Breach has actually occurred and if so, the type of breach, severity of the breach and the next steps to take;
5. Where the BAT considers that the breach is likely to result in a risk to individuals' rights and freedoms, and therefore constitutes a notifiable Data Breach under GDPR, BAT will immediately, and in any case within 72 hours of Green Rose CIC becoming aware of the Data Breach:
a. Contact the client whose data is involved in the Data Breach (where applicable); and
b. Report the Data Breach to the ICO, either by telephone or electronically. If the report cannot be made within 72 hours, it must be accompanied by the reasons for the delay.
6. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, Green Rose CIC must inform those individuals without undue delay.
Informing the ICO by Telephone
BAT will gather the preliminary information required by the ICO and will provide this both to the ICO and any clients whose data is involved in the Data Breach. The ICO will ask the following questions:
• what has happened;
• when and how you found out about the breach;
• the people that have been or may be affected by the breach;
• what you are doing as a result of the breach; and
• who they should contact if they need more information and who else has been told.
As the investigation of the breach progresses and more information becomes available, it should be communicated to the ICO and any other interested parties. Under the GDPR Green Rose CIC will need to provide the ICO (and, where appropriate, other interested parties) with the following details:
• a description of the nature of the personal data breach including, where possible:
– the categories and approximate number of individuals concerned; and
– the categories and approximate number of personal data records concerned;
• the name and contact details of the data protection officer (if your organisation has one) or other contact point where more information can be obtained;
• a description of the likely consequences of the personal data breach; and
• a description of the measures taken, or proposed to be taken, to deal with the personal data breach, including, where appropriate, the measures taken to mitigate any possible adverse effects.
James Sommerville, as a Director of Green Rose CIC, will be responsible for leading the investigation into the breach and for informing interested third parties such as the police, insurers, bank or credit card companies in order to mitigate the effects of the breach.
Where the ICO does NOT need to be Informed
Where the Data Breach is unlikely to result in a risk to individuals' rights and freedoms, e.g. the internal employee telephone list has been accidentally deleted, then the ICO does not have to be informed. Note that employee data is still Personal Data: the test is the risk to the individuals concerned, not whether the data belongs to clients. In any case the breach should still be logged in Green Rose CIC's Record of Data Breaches and steps taken to minimise human error and reduce the possibility of the same type of breach occurring again.
Record of Data Breaches
This is an Excel file. James Sommerville, as a Director of Green Rose CIC, holds up-to-date copies and will provide the file whenever a Data Breach, including a minor one, needs to be logged as set out above.