The Lawful Basis for Holding and Using Your Personal Information
The GDPR states that Cascade SciArts C.I.C. (henceforth ‘the company’) must have a lawful basis for processing your personal data. There are different lawful bases depending on the stage at which the company is processing your data. These are explained below:
If you have signed-up for any of our services or products the company will use legitimate interest as our lawful basis for holding and using your personal information.
If you are currently using one of our services or products, the company will process your personal data where it is necessary for the performance of our agreement(s).
The GDPR also makes sure that the company looks after any sensitive personal information that you may disclose to the company appropriately. This type of information is called ‘special category personal information’. The lawful basis for the company processing any special categories of personal information is that it is for provision of education, entertainment and self-help (in this case non-medical and non-pharmacological products and services) and necessary for an agreement with a you in order to access our services and products. Additionally, this condition applies to research agreements and waivers.
How we use your information
When you contact the company with an enquiry about our services or products, we will collect information to help us satisfy your enquiry. This will include your contact details and any biographic information you share with us (such as age, gender identity, etc.).
Alternatively, your primary carer (if you are under age 18 / considered a vulnerable adult), or your GP or other health professional may send us your details when making an enquiry on your behalf or a referral to our services or products via the social prescribing route.
If you decide not to proceed with our services, products or research projects the company will ensure all your personal data is deleted within 7 days. If you would like the company to delete your information sooner, just let us know.
After a research project has ended.
Once a research project has ended your records will be kept for 5 years from the end of our research agreement. Your anonymity will be maintained meaning data collected will be securely stored separately from any personal data. After 5 years your personal information will be securely destroyed. If you want the company to delete your information sooner than this, please tell us.
Third party recipients of personal data
The company sometimes shares personal data with third parties, for example, where we have contracted with a referring agency to carry our particular tasks or provide specific activities (e.g. NHS IAPT services). In such cases the company will have carefully selected which partners we work with. We take great care to ensure that we have a contract with the third party that states what they can do with the data we share with them. The company will endeavour to make sure that they do not use your information in any way other than the task for which they have been contracted.
The company tries to be as open as possible in terms of giving people access to their personal information. You have a right to ask us to delete your personal information, to limit how we use your personal information, or to stop processing your personal information. You also have a right to ask for a copy of any information that we hold about you and to object to the use of your personal data in some circumstances. You can read more about your rights at ico.org.uk/your-data-matters.
If we do hold information about you we will:-
give you a description of it and where it came from,
tell you why we are holding the information,
tell you how long we will store your data and how that decision was made,
tell you who If and how your information may be shared,
let you have a copy of the information in an intelligible form.
You can also ask us at any time to correct any mistakes there may be in the personal information we hold about you.
To make a request for any personal information we may hold about you, please put the request in writing addressing it to [firstname.lastname@example.org].
We welcome any suggestions for improving our data protection procedures. If you have any complaint about how we handle your personal data please do not hesitate to get in touch with us by writing or emailing us via the contact details given above.
If you want to make a formal complaint about the way the company have processed your personal information you can contact the ICO, which is the statutory body that oversees data protection law in the UK. For more information go to ico.org.uk/make-a-complaint.
The company takes the security of the data we hold about you very seriously and as such make every effort to ensure it is kept secure. e.g., we use encrypted devices, locked filing cabinets etc.