CPR Privacy Policy

Introduction
CPR is committed to best practice in the handling of personal and sensitive data and careful compliance with requirements of GDPR (General Data Protection Regulations), which comes into force on 25 May 2018.

We take your privacy seriously and will only use your personal information to administer your transactions with us (online and offline) and to provide information about the events, resources and services you have requested. All data is collected and is currently processed in accordance with the Data Protection Act (1998) and GDPR.

Our priority is to avoid causing harm to individuals by:

  • Keeping all information securely
  • Holding accurate information only as long as we need it.

We aim to be open and transparent in the way we use personal data to give individuals as much choice as possible, within reason, over what data is held and how it is used.

Areas of work
This data protection policy covers all CPR activities, including the activities of its subsidiary the Performance Research Journal, in relation to marketing, bookshop sales, membership of CPR, CPR and Performance Research projects and HR. We define these activities as:

  • E-Marketing – activities that inform individuals about our work and invite them to be involved.
  • Bookshop sales – fulfilling orders placed online or by direct email, phone or in-person contact.
  • Membership – fulfilling requests to become a CPR member that may include a Performance Research Journal subscription placed online or by direct email, phone or in-person contact.
  • Projects – collecting information from participants who take part in projects, including contributors to the Performance Research Journal.
  • HR – the recruitment and management of information about applicants and employees.

The personal data that we process and store

For E-marketing

  • A maximum of name, email and country of residence.

For Bookshop customers, CPR members, Performance Research subscribers and Project participants:

  • Name, address, email and telephone number.

For Employees:

  • Name, address, email and telephone number
  • National Insurance Number & tax code
  • Employment references & history
  • Employment contract & pay rate
  • Personal ID
  • Absence details – annual leave, sickness, maternity/paternity leave, compassionate leave, lateness
  • Details of accidents and incidents at work
  • Education and qualifications
  • Disciplinary action
  • Termination of employment

How we collect, process, protect and dispose of data

How we collect data

  • We collect data via email, post and phone.
  • We collect data automatically via the CPR and Performance Research websites for E-marketing and on the CPR website in the form of online bookshop orders. A short statement about how your information will be used and a link to our privacy statement will be visible at data collection point.

Cookies
A cookie is a small data file that is downloaded on to ‘terminal equipment’ (like a computer or smartphone or other device) when you access a website. It allows the website to recognise that user’s device and store some information about the user’s preferences or past actions.

You can change your browser settings to remove, block or withdraw your consent for cookies at any time. But in some cases this may impact on your ability to use our website. Browsers recognise different types of cookies and allow you to treat them differentially, as desired. There are two main types of cookies, first and third party: First Party Cookies are those set by the website you are viewing. Third party cookies are set by other sites; for example if a video has been embedded from YouTube, YouTube may set a cookie of its own.

Cookies can also last for different durations. Session cookies last until you leave the site, others may last for days or months so the site can recognise you and your preferences on subsequent visits.

We use a small number of third party service providers on our websites, some of which may set cookies on your computer when you use the facility. Each provider has their own privacy policy:

  • Facebook
  • YouTube

How we process and protect personal data

  • We store and process personal data, consisting of names and emails, on Mailigen and Sharpspring, secure, cloud-based Marketing Automation Services. We may occasionally export this data to be stored securely on our server in a password protected document.
  • We store the details – name, address, email, telephone number – of customers who have purchased items in the CPR online shop in our secure website data management system. This system is also accessible by our web developers for the purposes of updating the website to ensure continued security and for repair and redesign. Information about their system and privacy policy can be found at www.scl.co.uk. We also print off orders and store them in paper files in our office.
  • We store our employee’s application information, contract information and emergency contacts securely on our servers.
  • Any personal data relating to finance is held in our password-protected accounting software, payroll software and pension provider website and in paper files.
  • After projects we may analyse data and share anonymised data with third parties and trusted partners and funders for reporting purposes.
  • Staff and freelancers who use their own devices for work purposes and connect to our server are informed of our Data Management Policy. We assess the security of these devices, use encryption where necessary and give staff training on how to ensure they are secure.
  • Our IT systems are regularly monitored and updated by our web developers to ensure maximum security. Staff are trained to identify suspicious emails or attachments and must always use virus software.

How we dispose of data
We will keep the majority of personal information only for as long as is reasonably necessary for the purposes set out in this privacy notice and to fulfil our legal obligations. We will not keep more information than we need. The retention period will vary according to the purpose, for example:

  • Inactive or bounced email addresses are removed from Mailigen and Sharpspring through automated data cleansing.
  • Every email we send to individuals via Mailigen and Sharpspring includes details on how to unsubscribe from future communications.
  • Customer information remains on file until accounts are prepared for the financial year in which the transaction took place. Bookshop records are then destroyed. For membership and project information some personal information is destroyed and some is placed into the CPR archive to record the individual’s association with the organization. This archive is currently private, stored in a locked storage facility and accessed only by core CPR staff.
  • We delete all unsuccessful applications for jobs for 6 months after the application deadline.
  • We delete unsolicited CVs sent to us by email or by post.
  • We keep minimal contacts on freelancers with whom we have a business relationship with as long as is reasonably necessary.
  • We keep employee records and payroll information in line with our statutory and legal obligations.

Personal data breaches
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A breach could be accidental and deliberate.

CPR holds a small amount of personal information on individuals that should not cause harm to an individual should it be compromised. However, CPR will take any breach seriously and inform individuals if their information has been compromised and outline how it may affect them.

Third Parties

CPR does not share the information it collects on individuals with any Third Parties with two exceptions:

1. Name and address details collected from contributors to the Performance Research Journal and subscribers to the Performance Research Journal are shared with the publisher Routledge, Taylor & Francis for the purpose of hard copies of the issue being despatched to them on publication. The publisher has just updated their own privacy policy which governs how such data is used, and the new info can be found here: http://taylorandfrancis.com/customer-privacy.

2. Whilst not actively shared, the contact details of customers (but no financial information) who have purchased items in the CPR online shop in our website data management system are accessible by our web developers, who need access for the purposes of repair and updating the website. CPR has worked with the same developers for many years and judges the risk that this will lead to information being compromised is extremely low. Information about the developers’ system and privacy policy can be found at www.scl.co.uk.

Roles and responsibilities

CPR’s Board of Trustees recognises its overall legal responsibility for data compliance. Day-to-day responsibility for Data Protection is delegated to a nominated Data Protection Officer, currently Helen Gethin.

Subject Access Request Forms
Subject access request refers to the right that individuals have to see a copy of the information an organisation holds about them.

Anyone who wishes to know what information CPR holds about them should write to info@thecpr.org.uk with the email subject line “Subject Access Request”. In line with GDPR:

  • CPR will respond within 14 days of the date on which the request is received.
  • We can refuse or charge for requests that are manifestly unfounded or excessive.
  • If we refuse a request, we will explain to the individual why, without undue delay and at the latest, within one month, and that they have the right to complain to the supervisory authority and to a judicial remedy.
  • We will charge up to £10 to administer Subject Access Request Forms to cover any overheads such as staff time, printing and postage.
  • We will need to verify your identity before the request will be considered and acted upon. We require level 2 identity proofing for any subject access requests – such as a passport and driving license as well as a utility bill.

For more information on right of access, please refer to the ICO website.

The Right to be Forgotten
Individuals have the right for their personal data to be erased; it is also known as ‘the right to be forgotten’. Individuals can make a request for erasure verbally or in writing. CPR will have one month to respond to a request.

We will implement The Right To Be Forgotten if the data subject requests it and will provide evidence of deletion where possible.

Updates to this policy and further information
This policy was last updated on 24 May 2018. We review our policy annually and any updates are posted on this page. We may inform you about any changes that are relevant to you.

You can find further information on data protection regulations and laws here: