Data Protection & GDPR Policy

Organisation: Think Cre8tive Group CIC

Date Adopted: 1 October 2025

Review Date: 1 October 2026

Responsible Officer: Melanie Cossins, Finance Director (Data Protection Lead)

1. Policy Statement

Think Cre8tive Group CIC is committed to protecting the privacy and security of personal data. We ensure that all data is handled responsibly, lawfully, and transparently in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We only collect and use personal data necessary for delivering our services, and we respect the rights of individuals at all times.

2. Scope

This policy applies to:

  • All staff, facilitators, directors, and volunteers handling personal data.
  • All personal data collected from participants, staff, volunteers, funders, and partners.
  • All systems, whether paper or digital, used to process data.

3. Data Protection Principles

We will process personal data according to the following principles:

  1. Lawfulness, fairness, and transparency – data will be collected and processed lawfully, fairly, and openly.
  2. Purpose limitation – data will only be used for specific, legitimate purposes.
  3. Data minimisation – only data necessary for the purpose will be collected.
  4. Accuracy – data will be kept accurate and up to date.
  5. Storage limitation – data will not be kept longer than necessary.
  6. Integrity and confidentiality – data will be kept secure.
  7. Accountability – we will demonstrate compliance with these principles.

4. What Data We Collect

We may collect:

  • Participants: names, contact details, emergency contacts, health/disability information (where relevant to participation), demographic data (voluntary).
  • Staff & Volunteers: names, contact details, DBS checks, references, payroll/expenses information.
  • Partners/Funders: contact details, project data, reporting information.

5. Lawful Basis for Processing

We will process data only where one of the following applies:

  • Consent (e.g. photo/video consent).
  • Contract (to deliver services agreed with participants/funders).
  • Legal obligation (e.g. safeguarding, employment law).
  • Vital interests (to protect life in an emergency).
  • Legitimate interests (for organisational reporting, monitoring, evaluation).

6. Special Category Data

Where health, ethnicity, or other sensitive data is collected:

  • Explicit consent will be obtained.
  • Data will be anonymised where possible.
  • Access restricted to staff who need it.

7. Data Storage & Security

  • Paper records stored in locked cabinets in secure office locations.
  • Digital records stored on password-protected systems with access controls.
  • Backups stored securely and encrypted.
  • Data shared externally (e.g. with funders, NHS) will be anonymised wherever possible.

8. Data Retention

  • Participant data: retained for 1 year after last activity, then securely destroyed.
  • Staff/volunteer records: retained for 2 years after leaving, then securely destroyed.
  • Financial records: retained for 6 years (HMRC requirement).

9. Individual Rights

Individuals have the right to:

  • Be informed about how their data is used.
  • Access their data.
  • Correct inaccuracies.
  • Request deletion (“right to be forgotten”).
  • Restrict or object to processing.
  • Data portability (where applicable).

Requests should be made to the Data Protection Lead (Finance Director) and will be responded to within one month.

10. Data Breaches

  • All suspected data breaches must be reported immediately to the Data Protection Lead.
  • Serious breaches will be reported to the Information Commissioner’s Office (ICO) within 72 hours.
  • Affected individuals will be notified if there is a high risk to their rights and freedoms.

11. Training & Awareness

  • All staff and volunteers will receive GDPR and data protection training at induction.
  • Refresher training will be provided annually.

12. Review

This policy will be reviewed annually by the Board of Directors and updated in line with changes in legislation or best practice.

Scroll to Top