HEALTH GAP CIC

GDPR POLICY

1. Purpose and Scope

Health Gap CIC (“the Organisation”) collects, stores, and processes personal data about staff, volunteers, service users, and partners in order to deliver our public-interest mission of improving health and wellbeing through outreach and education.

This policy explains how we handle personal data responsibly and lawfully under the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

This policy applies to all directors, employees, volunteers, contractors, and partners who collect or process personal data on behalf of Health Gap CIC in any format: digital, paper, image, or audio.

2. Definitions

  • Personal data: Any information that can identify a living individual.

  • Special category data: Information about health, ethnicity, beliefs, or genetic/biometric identifiers.

  • Processing: Any operation carried out on data: collection, recording, storage, sharing, deletion, etc.

  • Data subject: The individual whose data is being processed.

  • Controller: Health Gap CIC, determining the purpose and means of processing.

  • Processor: Any third party processing data on behalf of Health Gap CIC.

3. Our Commitment

Health Gap CIC is committed to protecting personal data through compliance with the seven data-protection principles:

  • Lawfulness, fairness, transparency: We process data only when we have a clear legal basis, tell people what we collect and why, and use it fairly.

  • Purpose limitation: Data is collected for specific, explicit purposes and not reused incompatibly.

  • Data minimisation: We collect only what we genuinely need.

  • Accuracy: We keep data accurate and up-to-date.

  • Storage limitation: Data is retained only for as long as necessary for legitimate reasons.

  • Integrity and confidentiality: We protect data with appropriate security and access controls.

  • Accountability: We document decisions, training, and measures proving compliance.

4. Legal Bases for Processing

Depending on context, Health Gap CIC relies on one or more lawful bases under Article 6 of the UK GDPR:

  • Consent: individuals have freely given clear consent.

  • Contract: processing is necessary to perform a contract or pre-contract steps.

  • Legal obligation: required by law (e.g. employment, safeguarding).

  • Vital interests: to protect someone’s life.

  • Public task / legitimate interest: processing is necessary for our community-benefit objectives or a third party’s legitimate interest without overriding individual rights.

Special category (sensitive) health data is processed only under Article 9(2) conditions, such as explicit consent, employment and social protection law, or reasons of substantial public interest in health promotion.

5. Individual Rights

People whose data we hold have the right to:

  • Be informed about processing activities.

  • Access their data.

  • Request rectification of errors.

  • Request deletion (“right to be forgotten”).

  • Restrict or object to processing.

  • Data portability.

  • Withdraw consent at any time (where consent is the legal basis).

Requests should be emailed to the Data Protection Lead (dpo@healthgap.co.uk).
We aim to respond within one month.

6. How We Collect and Use Data

We may obtain personal data through:

  • event and workshop registrations

  • referrals and health-improvement programmes

  • employment and volunteer applications

  • surveys, feedback forms, or newsletter sign-ups

  • legitimate partner data-sharing agreements

We use data to:

  • administer services and outreach programmes

  • monitor effectiveness and equality of access

  • keep people informed about activities (where consent is given)

  • comply with safeguarding, HR, and legal obligations

We never sell or rent personal data.

7. Consent Management

When consent is our legal basis:

  • it must be freely given, specific, informed, and unambiguous

  • it is recorded and stored securely

  • it is reviewable and revocable; withdrawal stops future processing

For children under 13, parental consent is required.

8. Data Type & Typical Retention Period

  • Employee and volunteer records: 6 years after leaving

  • Safeguarding and incident records: 15 years (minimum statutory guidance)

  • Event registrations / programme data: Up to 3 years post-project

  • Marketing communications (consented): Until consent is withdrawn

  • Financial records: 7 years (statutory requirement)

Secure deletion or shredding is used once the retention period expires.

9. Data Security

  • Electronic data stored on encrypted, password-protected systems.

  • Hard-copy data held in locked cabinets with controlled office access.

  • Regular security updates and anti-virus protection.

  • Access granted only to authorised personnel with role-based privileges.

  • All staff and volunteers receive data-protection and confidentiality training.

10. Data Sharing and Third Parties

We may share limited personal data with:

  • NHS or public-health partners for joint programmes

  • Local authorities and funders for reporting (anonymised wherever possible)

  • Payroll and HR services, cloud storage, or IT support providers under GDPR-compliant contracts

No data is transferred outside the UK without equivalent safeguards.

No commercial disposal to third parties.

Health Gap CIC shall not sell, rent, distribute or otherwise make user data commercially available to any third party, except as described above or with prior permission.

11. Data Breaches

A data-breach log is maintained.
Any accidental loss, theft, or unauthorised disclosure must be reported immediately to the Data Protection Lead.
Serious incidents will be:

  • investigated and mitigation steps recorded

  • reported to the ICO within 72 hours when required

  • communicated promptly to affected individuals

12. Roles and Responsibilities

  • Board of Directors: Overall accountability for data protection governance.

  • Data Protection Lead (DPO): Develop policy, monitor compliance, handle requests and breach reporting.

  • Managers & Coordinators: Implement controls within teams and projects.

  • All Staff / Volunteers: Follow policies, report concerns, keep data secure.

13. Complaints and Further Information

Data subjects may raise concerns with the Data Protection Lead. If unresolved, they may complain to the:

Information Commissioner’s Office (ICO) | ico.org.uk | 0303 123 1113