Introduction

This policy outlines how Evergreen Active CIC collects, stores, uses, and protects personal information relating to staff, volunteers, and participants. It ensures that all data is managed lawfully, fairly, and transparently, in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Evergreen Active CIC is committed to protecting the privacy and security of everyone we work with. This policy provides clear guidance on how personal data should be handled and sets expectations for all staff and volunteers.

Policy Statement

Evergreen Active CIC values the trust placed in us by participants, employees, and volunteers. We collect and process personal data only for legitimate purposes connected to our activities, such as health and safety, programme delivery, volunteer management, and communication.

We will:

  • Collect only the information necessary for operational and legal purposes.
  • Store data securely and protect it from unauthorised access, loss, or misuse.
  • Retain personal data only for as long as it is required.
  • Never sell, share, or transfer personal data to third parties without consent or a lawful basis.

Purpose of the Policy

The purpose of this policy is to:

  • Ensure compliance with UK data protection law.
  • Clarify how Evergreen Active CIC handles personal information.
  • Provide transparency to individuals about their data rights.
  • Support all staff and volunteers to manage information responsibly.

This policy supports the organisation’s wider commitment to confidentiality, safeguarding, and good governance.

Scope of the Policy

This policy applies to:

  • All employees, directors, and volunteers of Evergreen Active CIC.
  • All personal data relating to participants, employees, volunteers, and partners.
  • All systems and platforms used to store, process, or communicate personal information, including the Run Together app, Messenger, and cloud storage (e.g. OneDrive, Google Drive).

It covers data collected in any form, paper, electronic, verbal, or photographic.

Implementation of the Policy

All staff and volunteers must:

  • Follow Evergreen Active CIC’s Data Protection and Confidentiality procedures.
  • Store participant information securely and only access it when necessary for legitimate work purposes.
  • Use official Evergreen Active systems and avoid transferring data to personal devices or unauthorised platforms.
  • Report any suspected data breach or loss immediately to the Director responsible for Data Protection.

Evergreen Active CIC will:

  • Provide induction and refresher training on data protection.
  • Maintain appropriate security measures, including password protection and encryption where necessary.
  • Ensure that third-party suppliers (e.g. online systems) comply with UK GDPR standards.

Individual Rights

Under UK GDPR, individuals have the right to:

  • Access their personal data.
  • Request correction of inaccurate data.
  • Request deletion where lawful.
  • Object to processing in certain circumstances.
  • Withdraw consent at any time where processing is based on consent.

Requests should be submitted in writing to [email protected], and Evergreen Active CIC will respond within 28 working days.

Monitoring and Review of the Policy

This policy will be reviewed annually by the Director responsible for compliance and updated as required to reflect changes in legislation or operational practice. All staff and volunteers will be informed of updates and must confirm they have read and understood the revised policy.

Who we are and how to contact us

Evergreen Active CIC (“Evergreen Active”, “we”, “our”, “us”) is a UK Community Interest Company that delivers programmes to improve mental, physical, nutritional and social health and wellbeing.

Controller: Evergreen Active CIC
Registered office: Suite 4, Milner House, Milner Way, Ossett, Wakefield, WF5 9JE
Contact (privacy): [email protected] / 01924 677123
ICO registration number: exempt
Data Protection Lead: Andrew Freeman / [email protected]

What this policy covers

This policy explains what personal data we collect, why we collect it, our lawful bases, how long we keep it, who we share it with, international transfers, your rights, and how to complain. It applies to: service users (children, young people, adults and parents/carers), participants in groups and events, website users, referrers/partners, volunteers, applicants and staff.

The data we collect

  • We only collect what we need for our services and to run our organisation.
    Identity and contact: name, date of birth, address, email, phone, parent/carer details.
  • Participation data: programme enrolments, attendance, progress notes, goals, feedback.
  • Health and wellbeing information (special category): relevant health/medical info.
  • Education/setting data: school or organisation, role, SEND flags where provided.
  • Safeguarding information: concerns, referrals and outcomes.
  • Marketing preferences: your choices about receiving updates.
  • Technical data: IP address, cookies, device identifiers.
  • Recruitment/HR data: CVs, references, DBS checks, payroll and training records.

Why we use your data and our lawful bases

We use your data for:

  • Delivering services and safeguarding participants (contract, legitimate interests, legal obligation, vital interests).
  • Monitoring, evaluation and reporting (legitimate interests, contract).
  • Training, governance and finance (legal obligation, legitimate interests)
  • Communications (legitimate interests, contract).
  • Direct marketing (consent).
  • Recruitment and HR (contract, legal obligation, legitimate interests).

Children and young people

We design our services with children’s privacy in mind. We comply with the ICO’s Children’s Code and UK GDPR age-13 consent rule. Parental consent is required for under-13s.

Who we share data with

We share data only when necessary and lawful with delivery partners, schools, NHS/local authority teams, funders (anonymised where possible), professional advisors, and processors such as Microsoft 365. We never sell data.

 How long do we keep data

We retain data only as long as necessary:

  • Programme records: up to 7 years.
  • Safeguarding: in line with statutory guidance.
  • Marketing: until consent withdrawn.
  • HR: 6 months (unsuccessful) or statutory periods (staff).
  • Financial: 6 years plus current year.

Your rights

You have rights to access, rectify, erase, restrict, object, and port your data; to withdraw consent; and to complain to the ICO.

Keeping your data secure

We use encryption, access controls, staff training, and secure suppliers. Data breaches are reported to the ICO and affected individuals where required.

Cookies and similar technologies

We use necessary cookies for functionality and only with consent, analytics or marketing cookies. You can manage preferences via our cookie banner.

How to complain

Contact us first via the details above. You can also contact the ICO: www.ico.org.uk / 0303 123 1113 / Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.

Changes to this policy

We update this policy when needed and will display the latest version and date of update on our website.

Scroll to Top