Data Protection Policy

Be Well HKers CIC

Definitions

CIC: Means Be Well HKers CIC, a Community Interest Company limited by guarantee, registered in England and Wales.

GDPR: Means the UK General Data Protection Regulation and the Data Protection Act 2018.

Responsible Person: Means the Director or appointed Data Protection Lead of Be Well HKers CIC.

Register of Systems: Means a register of all systems, platforms, and contexts in which personal data is processed by the CIC.

1. Data Protection Principles

The CIC is committed to processing personal data in accordance with its responsibilities under the GDPR.
Article 5 of the GDPR requires that personal data shall be:

  • Processed lawfully, fairly, and transparently
  • Collected for specified, explicit, and legitimate purposes
  • Adequate, relevant, and limited to what is necessary
  • Accurate and kept up to date where necessary
  • Retained only for as long as necessary
  • Processed securely to protect against unauthorised or unlawful access, loss, or damage

2. General Provisions

  • This policy applies to all personal data processed by the CIC, including data relating to adult participants, volunteers, partners, donors, and staff.
  • The Responsible Person has overall responsibility for ensuring ongoing compliance with this policy.
  • This policy will be reviewed annually or sooner if required by changes in law or organisational practice.

3. Lawful, Fair, and Transparent Processing

  • The CIC will maintain a Register of Systems documenting how and why personal data is processed.
  • The Register will be reviewed at least annually.
  • Individuals have the right to access their personal data. Any such requests will be handled promptly and in line with GDPR timescales.

4. Lawful Purposes

All data processed by the CIC will be based on one or more lawful bases, including:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Legitimate interests

The applicable lawful basis will be recorded in the Register of Systems.
Where consent is relied upon:

  • Clear opt-in consent will be obtained
  • Individuals will be informed of their right to withdraw consent
  • Systems will ensure consent withdrawal is actioned promptly

5. Data Minimisation

The CIC will ensure that the personal data collected is:

6. Accuracy

  • Reasonable steps will be taken to ensure personal data is accurate and up to date.
  • Individuals may request corrections where data is inaccurate or incomplete.

7. Retention, Archiving, and Removal

  • Personal data will not be retained longer than necessary.
  • Retention periods will be defined for different data categories and reviewed annually.
  • Data retained for reporting or statistical purposes will be anonymised where possible.

8. Security

The CIC will ensure that:

  • Personal data is stored securely using up-to-date software and systems
  • Access is restricted to authorised personnel only
  • Secure deletion methods are used when data is no longer required
  • Appropriate back-up and recovery measures are in place

9. Data Breaches

In the event of a data breach involving personal data:

  • The Responsible Person will assess the risk to individuals' rights and freedoms.
  • Where required, the breach will be reported to the Information Commissioner's Office (ICO) without undue delay.
  • Affected individuals will be informed where appropriate.

End of Policy