Privacy Policy

The Collective

Data Protection Policy

July 2019


  • The Collective (the Business) collects and uses certain types of personal information about staff, Members and other individuals who come into contact with the Business. The Business may be required by law to collect and use certain types of information to comply with statutory obligations related to employment and this policy is intended to ensure that personal information is dealt with properly and securely and in accordance with the General Data Protection Regulation and other related legislation. This policy is intended to ensure that personal information is dealt with properly and securely and in accordance with the General Data Protection Regulations and other related legislation.
  • The GDPR applies to all computerised data and manual files if they come within the definition of a filing system.


  • ‘Personal data’ is information that identifies an individual. A sub-set of personal data is known as ‘personal sensitive data’.  This special category data is information that relates to a persons:
    • race or ethnic origin;
    • political opinions;
    • religious or philosophical beliefs;
    • trade union membership;
    • physical or mental health;
    • an individual’s sex life or sexual orientation;
    • genetic or biometric data for the purpose of uniquely identifying a natural person.
  • Personal sensitive data is given special protection, and additional safeguards apply if this information is to be collected and used.
  • The Business does not intend to seek or hold sensitive personal data about staff or Members except where it has been notified of the information, or it comes to light via legitimate means (e.g. a grievance) or needs to be sought and held in compliance with a legal obligation or as a matter of good practice.


  • Article 5 of the GDPR sets out six data protection principles which must be followed at all times:
    • personal data shall be processed fairly, lawfully and in a transparent manner;
    • Personal data shall be collected for specific, explicit, and legitimate purposes, and shall not be further processed in a manner incompatible with those purposes;
    • personal data shall be adequate, relevant and limited to what is necessary for the purpose(s) for which it is being processed;
    • personal data shall be accurate and, where necessary, kept up to date;
    • personal data processed for any purpose(s) shall not be kept for longer than is necessary for that purpose / those purposes;
    • personal data shall be processed in such a way that ensures appropriate security of the data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
  • In addition to this, the Business is committed to ensuring that at all times, anyone dealing with personal data shall be mindful of the individual’s rights under the law (as explained in more detail in paragraphs 7 and 8 below).
  • The Business is committed to complying with the principles in 3.1 at all times. This means that we will:
    • inform individuals as to the purpose of collecting any information from them, as and when we ask for it and will identify who we will share the information with and how long we intend to retain the information;
    • be responsible for checking the quality and accuracy of the information;
    • regularly review the records held to ensure that information is not held longer than is necessary, and that it has been held in accordance with the data retention policy;
    • ensure that when information is authorised for disposal it is done in accordance with our disposals policy;
    • ensure appropriate security measures to safeguard personal information whether it is held in paper files or on our computer system, and follow the relevant security policy requirements at all times;
    • share personal information with others only when it is necessary and legally appropriate to do so;
    • set out clear procedures for responding to requests for access to personal information known as subject access requests;
    • report any breaches of the GDPR.


  • The individual has given consent that is specific to the particular type of processing activity.
  • The processing is necessary for the performance of a contract, to which the individual is a party, or is necessary for the purpose of taking steps with regards to entering into a contract with the individual, at their request.
  • The processing is necessary for the performance of a legal obligation to which we are subject.
  • The processing is necessary to protect the vital interests of the individual or another.


  • The Business collects and uses certain types of personal information about staff and other individuals who come into contact with the Business. In each case, the personal data must be treated in accordance with the data protection principles as outlined in paragraph 3.1 above.
  • Any wish to limit or object to use of personal data should be notified to the Business in writing. If in the view of the Business, the objection cannot be maintained, the individual will be given written reasons why the Business cannot comply with their request.


  • The personal data held about staff will include contact details, employment history, information relating to career progression and photographs.
  • The data is used to comply with legal obligations placed on the Business in relation to employment. We may pass information to other regulatory authorities where appropriate.Personal data will also be used when giving references.
  • It should be noted that information about disciplinary action may be kept for longer than the duration of the sanction. Although treated as “spent” once the period of the sanction has expired, the details of the incident may need to be kept for a longer period.

Other Individuals:

  • The Business may hold personal information in relation to other individuals who have contact with the Business, such as Members volunteers and guests. Such information shall be held only in accordance with the data protection principles, and shall not be kept longer than necessary.


  • The Business will take reasonable steps to ensure that members of staff will only have access to personal data where it is necessary for them to carry out their duties.All staff will be made aware of this Policy and their duties under the GDPR.  The Business will take all reasonable steps to ensure that all personal information is held securely and is not accessible to unauthorised persons.


  • The following list includes the most usual reasons that the Business will authorise disclosure of personal data to a third party:
    • To give a confidential reference relating to a current or former employee;
    • for the prevention or detection of crime;
    • for the assessment of any tax or duty;
    • where it is necessary to exercise a right or obligation conferred or imposed by law upon the Business (other than an obligation imposed by contract);
    • for the purpose of, or in connection with, legal proceedings (including prospective legal proceedings);
    • for the purpose of obtaining legal advice;
  • The Business may receive requests from third parties to disclose personal data it holds about staff or other individuals. This information will not generally be disclosed unless one of the specific exemptions under data protection legislation which allow disclosure applies; or where necessary for the legitimate interests of the individual concerned or the Business.
  • All requests for the disclosure of personal data must be sent to the Business, who will review and decide whether to make the disclosure, ensuring that reasonable steps are taken to verify the identity of that third party before making any disclosure.


  • Anybody who makes a request to see any personal information held about them by the Business is making a subject access request. All information relating to the individual, including that held in electronic or manual files should be considered for disclosure.
  • A subject access request must be made in writing. The Business may ask for any further information reasonably required to locate the information.
  • All requests will be handled in line with the Subject Access procedural note.


Right to restrict processing

  • An individual has the right to object to the processing of their personal data and to block or suppress the processing.
  • Where such an objection is made, it must be sent to the Business who will assess whether there are compelling legitimate grounds to continue processing which override the interests, rights and freedoms of the individuals, or whether the information is required for the establishment, exercise or defence of legal proceedings.
  • The Business shall be responsible for notifying the individual of the outcome of their assessment within 20 working days of receipt of the objection.Right to rectification
  • An individual has the right to request the rectification of inaccurate data or incomplete data without undue delay. Where any request for rectification is received, it should be sent to the Business and where adequate proof of inaccuracy is given, the data shall be amended as soon as reasonably practicable, and the individual notified within 20 days.
  • Where there is a dispute as to the accuracy of the data, the request and reasons for refusal shall be noted alongside the data, and communicated to the individual. The individual shall be given details of how to appeal to the Information Commissioner.
  • An individual also has a right to have incomplete information completed by providing the missing data, and any information submitted in this way shall be updated without undue delay. Right to erasure
  • Individuals have a right, in certain circumstances, to have data permanently erased without undue delay. This right arises in the following circumstances:
    • where the personal data is no longer necessary for the purpose or purposes for which it was collected and processed;
    • where consent is withdrawn and there is no other legal basis for the processing;
    • where an objection has been raised under the right to object, and there is no overriding legitimate interest for continuing the processing;
    • where personal data is being unlawfully processed (usually where one of the conditions for processing cannot be met);
    • where the data has to be erased in order to comply with a legal obligation.
  • The Business will make a decision regarding any application for erasure of personal data, and will balance the request against the exemptions provided for in the law.Where a decision is made to erase the data, and this data has been passed to other data controllers, and/or has been made public, reasonable attempts to inform those controllers of the request shall be made.Right to object
  • An individual has the right to object to:
    • processing based upon legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling);
    • direct marketing (including profiling);
    • processing for purposes of scientific /historical research and statistics.
  • Where such an objection is made, it must be sent to the Business who will assess whether there are compelling legitimate grounds to continue processing which override the interests, rights and freedoms of the individuals, or whether the information is required for the establishment, exercise or defence of legal proceedings.Right to portability
  • If an individual wants to send their personal data to another organisation they have a right to request that the Business provides their information in a structured, commonly used, and machine readable format. This right is limited to situations where the Business is processing the information on the basis of consent or performance of a contract. If a request for this is made, it should be forwarded to the


  • Any and all breaches of the GDPR, including a breach of any of the data protection principles shall be reported as soon as it is discovered, to the
    Once notified, the Business shall assess:

    • the extent of the breach;
    • the risks to the data subjects as a consequence of the breach;
    • any security measures in place that will protect the information;
    • any measures that can be taken immediately to mitigate the risk to the individuals.
  • Unless the Business concludes that there is unlikely to be any risk to individuals from the breach, it must be notified to the Information Commissioner’s Office within 72 hours of the breach having come to the attention of the Business.
  • The Information Commissioner shall be told:
    • details of the breach, including the volume of data at risk, and the number and categories of data subjects;
    • the contact point for any enquiries;
    • the likely consequences of the breach;
    • the measures proposed or already taken to address the breach
  • If the breach is likely to result in a high risk to the affected individuals then the Business shall notify data subjects of the breach without undue delay unless the data would be unintelligible to those not authorised to access it, or measures have been taken to mitigate any risk to the affected individuals.
  • Data subjects shall be told:
    • the nature of the breach;
    • who to contact with any questions;
    • measures taken to mitigate any risks.
  • The Business shall then be responsible for instigating an investigation into the breach, including how it happened, and whether it could have been prevented. Any recommendations for further training or a change in procedure shall be reviewed by the Business and a decision made about implementation of those recommendations.