Join Our Network

Privacy Policy

About Community Action Suffolk

Community Action Suffolk is a Registered Charity (No 1150501). A company limited by guarantee and registered 08316345.

Our registered address is; Brightspace, 160 Hadleigh Road, Ipswich, Suffolk, IP2 0HH, 01473 345400, [email protected] 

Community Action Suffolk’s subsidiary companies are; Business Services at CAS Ltd (03332778), DBS At CAS Ltd (02919237) and IT Services At CAS Ltd (04281770), also residing at Brightspace, 160 Hadleigh Road, Ipswich, Suffolk, IP2 0HH.

The Privacy Notice

This notice sets out how we will collect, process and use the information we hold about you across Community Action Suffolk as a whole. Some services have their own notices that provide more detail and these can all be found on their websites and pages.

Community Action Suffolk is committed to ensuring that your privacy is protected. We will be clear about how we use personal information that we hold. We understand that you are entitled to know that your personal data will not be used for any unintended purpose.

Community Action Suffolk may update this policy from time to time by posting a new version on this page. If the update significantly changes how we use your personal information, we will use reasonable efforts to bring these changes to your attention where we have your contact details. Otherwise, we recommend you periodically review this privacy notice to be aware of any other revisions. This policy is effective from 02/01/2024.

“We” is defined as Community Action Suffolk throughout this policy.

“Partners” are defined as all Community Action Suffolk staff and our subsidiaries listed above in the “Who We Are” section.

How we get your personal information and why we collect it

Most of the personal information we process is provided to us directly by you. For example, personal information you provide when you refer to one of our services or when you sign up to our email newsletter. The also includes any personal data that you share with us when you communicate with us in person, email, phone or post.

We also receive personal information indirectly, from third party sources. This includes our partners, and funders or when you visit our website. Here we use cookies to improve our website. Please see our Cookies Policy for more details.

What we collect

We may collect, store and process the following kinds of personal information:

  • Name, job title, address, telephone number, email address, newsletter preferences
  • Date of birth, gender, disability, sexual orientation, faith or religion, employment status
  • Volunteering interests, skills and experience, photographic image
  • Service needs and information about the services we have provided to you
  • Information about your computer or mobile device and your visits and use of this and other Community Action Suffolk related websites, for example, IP address and geographical location; social media identity, proxy server, operating system, web browser and add-ons, device identifier and features, and/or ISP or your mobile carrier.
  • Personal information included in a application form, cover letter; details of your qualifications and skills, experience, work history with previous employers.
  • Information provided on appointment as an employee or volunteer or a learner or service participant.
  • Data to process payroll, including: bank account, marital status, National Insurance number, tax details, benefit and allowance status, student loan details, emergency contact details
  • Occupational health, sickness absence and medical records data, including data around making reasonable adjustments

Lawful Basis for Processing

Under the General Data Protection Regulation the lawful bases we rely on for processing your information and consider relevant are listed below:

Consent
Where you have provided your consent for us to use your personal information in a certain way, for example sending you our e-newsletter, or us to use cookies on our website.

Legal obligation
Where the processing of your personal information is necessary for us to comply with a legal obligation to which we are subject, for example where we must share your personal information with regulatory bodies which govern our work.

Contractual relationship
Where it is necessary for us to process your personal information in order to perform a contract (or to take steps at your request before entering a contract), for example, if you are employed or volunteer for us.

Legitimate interests
The law also allows us to use personal information it is reasonably necessary for our legitimate interests. We may rely on this ground to process when we believe that it is more practical or appropriate than asking for your consent.

For instance, we rely on the legitimate interest when we receive external emails we will scan such emails for any threats, based on a legitimate interest assessment.

Special categories of data
Certain categories of personal information are sensitive, and therefore require more protection. These categories of data include information about your health, ethnicity and sexual orientation.

We may process special categories of data but will only process this data if there is a valid reason for doing so.

We will seek your explicit consent to use such data, unless:

  • for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  • for the purposes of the assessment of the working capacity of an employee or the provision of health or social care
  • for reasons of substantial public interest whilst safeguarding the fundamental rights and the interests of the data subject.

How We Use Your Data

We will ensure that your personal information is only used for the purposes requested and specified in this privacy policy.

Community Action Suffolk may use your personal information to:

  • provide you with services, products or information that you have requested
  • provide updates about our work, services, or activities (where necessary, and only where you have provided your consent to receive such information)
  • answer your questions/ requests and communicate with you in general
  • analyse and improve our services, activities or information (including our website)
  • process your application for a job or volunteer role
  • audit and/ or administer our accounts
  • satisfy legal obligations, for example regulatory, government and/ or law enforcement or due diligence checks before entering into contracts or agreements
  • the prevention of fraud or misuse of service
  • to investigate, respond and resolve complaints and service issues
  • the use of Google Analytics for the further development of our Services in order to provide you with a better, more intuitive and personalised experience, drive network growth and engagement of our Services.

How We Share Your Information

We will not sell, rent, disclose or lease your data or information to any third parties. We however may share it with our suppliers who we work with to provide you the services you are requesting or that enable Community Action Suffolk to operate on a daily basis. They will have access to your information as reasonably necessary to perform these tasks on our behalf and are obligated not to disclose or use it for other purposes.

Any use of third parties will be obligated under a formal contract to use any personal data they receive in accordance with our instructions and to protect it as we would.

Related Services – We may share your information within Community Action Suffolk to process any payment information, develop the service and to provide the service on a day to day basis. We may also share it within Community Action Suffolk’s subsidiary companies (as detailed at the top of this policy) for marketing purposes.

Legal Disclosures – It is possible that we will need to disclose information about you when required by law.

How we protect your data

We implement security safeguards designed to protect your data, such as HTTPS on our websites, hardware and software firewalls, username and password based permission systems as well as a variety of physical security methods on buildings that host your data. We regularly monitor our systems for possible vulnerabilities and attacks.

Physical Security – All Community Action Suffolk IT Services are provided in a locked, secured and alarmed building which is monitored by an external security company outside office hours. Servers hosted in the building are also stored in an air conditioned, locked room within the building to provide additional protection.

Server Locations and Data Transfers – Wherever possible we will store your data in the UK, the European Economic Area (EEA) or a jurisdiction that complies with the GDPR.

However we sometimes use third parties to process personal information, it is therefore possible that personal information we collect from you will be transferred to and stored in a location outside the UK or the European Economic Area (“EEA”).

When this is the case we will take all reasonable steps to ensure that the recipient implements appropriate security safeguard measures to protect your personal information.

If you use our services while you are outside the EEA, your information may be transferred outside the EEA to provide these services.

Software Security – Community Action Suffolk has a hardware firewall on it’s router to protect users against online threats. All computers within the Community Action Suffolk network are protected with business class Internet Security Software.

Any sensitive client data that Community Action Suffolk stores i.e. login passwords to systems are stored in password and credential based systems which only the IT team has access to.

Wifi Security – Community Action Suffolk enforces WPA2 password security methods to protect it’s wireless networks against threats.

Website Security – This website and all websites owned by Community Action Suffolk are protected with a “SSL” encrypted certificate.

How we store your personal information and for how long

We will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal information; we store all personal information on secure servers.

We will remove your personal information from our records six years after the date that it was collected unless;

  • We are required to hold it for longer to comply with legal or regulatory purposes
  • It is still required in connection with the purpose for which it was collected and/or processed, for example you are still using our services.

However, we will remove your personal information from our records before this date if we become aware that;

  • Your personal information is no longer required in connection for what it was collected for
  • We are no longer lawfully entitled to process it
  • You exercised one of your rights of erasure

Your data protection rights

Under data protection law, you have rights including:

Your right of access – You have the right to ask us what information we hold about you and request copies of your personal information. We will need to be satisfied that you have a legal entitlement to see this personal information, and that we can confirm your identity.

Your right to rectification – You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure – You have the right to ask us to erase your personal information where we are legally required to do so

Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal information if there is accuracy or legitimacy disagreements.  

Your right to object to processing – You have the the right to object to the processing of your personal information where we: process on the basis of the legitimate interests; use the personal information for direct marketing; or use the personal information for statistical purposes.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

To request a copy of your personal data please contact our Data Officer using the details at the end of this policy. At any point you can request to unsubscribe from our e-newsletter by simply clicking on the “Unsubscribe” link at the bottom and follow any on screen instructions. Alternatively you can request that your personal information is removed from our databases by contacting us at [email protected] 

How to complain?

If you have any concerns about our use of your personal information, you can make a complaint to us at:

Community Action Suffolk
Louise Bradshaw

Head of HR
Brightspace
160 Hadleigh Road
Ipswich
IP2 0HH
[email protected]
01473 345400

You can also complain to the ICO if you are unhappy with how we have used your data.

The ICO contact details are:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk