The Board has overall responsibility for the implementation and monitoring of this Data Protection Policy. Suggestions for improvement or complaints should be addressed to the Chair of the Board. For further information, please visit the Information Commissioner’s Office website.

---

Why do we collect personal information?

We collect personal information depending on the service we are offering to you; this could be as a participant, audience member, supporter, or business contact. We also collect information about visitors to our website and social media pages.

Data Protection Principles

We process all data lawfully, fairly and transparently. There are several grounds on which data may be collected, including consent.

• Our collection of data is legitimate, and we have obtained consent where appropriate.
• We are open and honest about how and why we collect data; individuals have the right to access their data.
• All data is collected for specified, explicit and legitimate purposes and not used for any other purpose.

How we collect and manage data

• We are clear on what data we collect and why.
• We only collect what is necessary and use it solely for the stated purpose.
• We do not use data for any other purpose without consent.

Adequate, relevant and limited

We collect only what is needed and nothing more.

Accurate and up to date

We ensure data accuracy through regular checks and correct mistakes promptly.

Retention and deletion

Data is retained only as long as necessary. Some data (e.g. accounting, health & safety records) must be kept for set periods. We periodically review and securely delete unnecessary data, including removing inactive Mailchimp contacts every four years.

Held Securely

• Data is held securely and only accessible by authorised personnel.
• Paper documents are locked away; digital data is password protected.
• Third-party storage (Mailchimp) is used only for marketing with user consent.
• All IT systems have up-to-date anti-virus and firewall protection.
• We maintain data back-up and recovery procedures.

Individual Rights

Individuals have rights to be informed, access, rectify, erase, restrict processing, transfer, or object to data use. To exercise these rights, please contact: info@peoplespeakup.co.uk.

Use of Imagery and Video

• All imagery is protected by copyright and cannot be used without the owner’s consent.
• We obtain consent for photography and video wherever possible.
• Images are only used for the purpose originally intended and with appropriate consent.
• When using images of children or vulnerable people, consent is obtained from their carer and used only when safe to do so.

Third-Party, Website and Social Media

Our website may contain links to third-party websites and applications (e.g. Google Analytics, YouTube, Facebook, X, Instagram). We do not control these sites and recommend reading their privacy policies. You control your own social media settings.

IP Addresses and Cookies

We use cookies and analytics tools to collect anonymous statistics about site usage such as page visits, locations and device types. This helps us understand engagement and improve delivery. This data does not personally identify users.

Data Protection Impact Assessment (DPIA)

We maintain an up-to-date DPIA with oversight procedures to ensure data protection risks are identified and managed effectively.

Data Breach

A breach is any unauthorised access, loss, or disclosure of personal data. We will investigate and act promptly, including notifying the ICO within 72 hours if a risk to individuals exists.

• Investigate all breaches and take remedial action.
• Notify the ICO if there is a risk to rights and freedoms.
• Take action to prevent recurrence, including training or procedural changes.

Complaints to the ICO

If you have concerns about how we process your data, you can contact the Information Commissioner’s Office (ICO) or call 0303 123 1113.

Policy last updated: 1 July 2024. Those who have consented to receive email information will be notified of future updates.