PRIVACY POLICY FOR CLIENTS, POTENTIAL CLIENTS AND CUSTOMERS

We appreciate the trust you place in us when sharing your personal data. The security of that data is very important to us. In this document, we explain how we collect, use and protect your personal data. We will explain what rights you have with regard to your personal data and how you can exercise those rights.

 

 

Who we are

CNLR is a limited company and trades under the name of CiC. We provide employee assistance programmes to organisations, which include services to be utilised by employees, such as 24/7 AdviceLine and counselling support. We offer international services such as global trauma support, peer and professional support programmes and critical incident support. We also offer mediation, training and coaching sessions.

 

 

COLLECTION OF PERSONAL DATA

 

Definitions:

For the purposes of this policy CiC is the Data Controller and:

  • A client is the legal entity we contract with;
  • A customer includes the employee, partner of an employee or family member of an employee belonging to the client we contract with;
  • An affiliate is a contractor who delivers our counselling and support services on our behalf;
  • Third party professional services are a third party that we share your data with in order to deliver critical services to you e.g. GPs and other medical professionals or legal advisors;
  • Third party processors are a third party service provider who undertake data processing activities on our behalf e.g. IT support services.

 

We collect personal data from you for one or more of the following purposes:

 

  • To provide you with information that you have requested or which we think may be relevant to a subject in which you have demonstrated an interest;
  • To initiate and complete commercial transactions with you, or the entity that you represent, for the purchase of products and/or services;
  • To fulfil a contract that we have entered into with you or with the entity that you represent;
  • To ensure the security and safe operation of our websites and underlying business infrastructure, and
  • To manage any communication between you and us.

Table 1 below provides more detail about the data that we collect for each of these purposes and the lawful basis for doing so.

Lawful basis for processing of personal data

The table below describes the various forms of personal data we collect and the lawful basis for processing this data. We have processes in place to ensure that only those people in our organisation who need to access your data can do so. A number of data elements are collected for multiple purposes, as the table below shows. Some data may be shared with third parties and, where this happens, this is also identified below.

When we process on the lawful basis of legitimate interest, we apply the following test to determine whether it is appropriate:

  • Purpose test – is there a legitimate interest behind the processing?
  • Necessity test – is the processing necessary for that purpose?
  • Balancing test – is the legitimate interest overridden, or not, by the individual’s interests, rights or freedoms?

 

 

TABLE 1

Data processed Purpose for processing Lawful basis Data is shared with
Data processed: Clients and potential clients: Company name, Address, Contact First Name, Contact Last Name, Contact Emails, Telephone number
Purpose for processing: To provide and manage the services you have requested as a client. We store your data in our CRM database. We also store your data in our accounts system for accounting purposes.
Lawful basis:
  • Legitimate interest: where it is in our legitimate interests to manage our customer relationship and provide a high level of service, to protect our business interests and the interests of our customers.
  • To carry out our contractual agreement or take steps to enter into a contract with you.
  • Where the law requires it.
Data is shared with: Internally and may be shared with affiliate counsellors.

Data processed: Clients: Contact First Name, Contact Last Name, Contact Email
Purpose for processing: To send you monthly help sheets and promotion of Well-online. We store your data in spreadsheets database and MailChimp.
Lawful basis:
  • Legitimate interest: where it is in our legitimate interests to manage our customer relationship and provide a high level of service.
  • To carry out our contractual obligation to send you help sheets.
Data is shared with: Internally and MailChimp.

Data processed: Clients, potential clients: Company name, Address, Contact First Name, Contact Last Name, Contact Email, Telephone numbers
Purpose for processing: To handle enquiries and complaints. We may store your data in our CRM, or email system.
Lawful basis:
  • Legitimate interest: where it is in our legitimate interests to manage our customer relationship and provide a high level of service, to respond to enquiries and to ensure complaints are investigated promptly and satisfactorily.
Data is shared with: Internally and may be shared with affiliate counsellors if necessary.

Data processed: Clients, potential clients: Company name, Address, Contact First Name, Contact Last Name, Contact Email, Telephone numbers
Purpose for processing: To communicate with you by email, phone, post or other digital methods. For example:
  – To manage customer and supplier relationships
  – For the purpose of meeting contractual or regulatory requirements
  – To keep you informed of changes or updates to your services
  – To respond to an enquiry through our contact us form on our website
We keep records of communication in our CRM, or email system.
Lawful basis:
  • Legitimate interest: where it is in our legitimate interests to do so, to manage our customer relationship and provide a high level of service, to protect our business interests and the interests of our clients.
  • Where the law requires it.
Data is shared with: Internally and may be shared with affiliate counsellors or other third party service providers.

Data processed: Clients: Company name, Address, Contact First Name, Contact Last Name, Position, Contact Email, Telephone numbers
Purpose for processing: To contact you with marketing information and offers relating to the products and services offered by us that we think may be of interest. We store your data in our CRM, and email system. Your data may also be processed through MailChimp.
Lawful basis:
  • Legitimate interest: where you have purchased our services or requested information about our goods and services.
  • Where you have opted-in to receiving marketing information.
  • In relation to direct digital marketing – under the Privacy and Electronic Communications Regulations, if you are a limited company, we may send you marketing communications without your consent. However, you can still opt out of receiving marketing emails from us at any time by clicking on the unsubscribe link.
Data is shared with: Internally and with third party service providers e.g. MailChimp.

Data processed: Clients: Company name, Address, Contact First Name, Contact Last Name, Contact email address, Telephone number, Bank account details
Purpose for processing: To process financial transactions for products and services and to ensure any transaction issues can be dealt with. The majority of this data is generic company accounts and contains no personal identifying information. To meet accounting and taxation requirements.
Lawful basis:
  • Legitimate interest: where it is in our legitimate interest to ensure our business is run with due diligence.
  • To fulfil our statutory obligations.
  • To carry out our contractual agreement.
Data is shared with: Internally and professional advisors e.g. accountants.

Data processed: Clients: Company name, Address, Contact First Name, Contact Last Name, Contact email address, Telephone number, Bank account details
Purpose for processing: To recover any debts you owe us and enforce other obligations we are entitled to under contract and to protect ourselves against harm to our rights and property interests. We keep records of communication in our CRM database, filing system and accounts system.
Lawful basis:
  • Legitimate interest: where it is in our legitimate interest to ensure our business is run with due diligence and we are capable of recovering the debts owed to us.
  • Where the law requires it.
Data is shared with: Internally and professional advisors e.g. solicitors.

Data processed: Clients: Company Name, Directors' names, Physical address, Email address, telephone number, Bank account details (for credit accounts).
Purpose for processing: To undertake checks for the purposes of detecting and preventing fraud and money laundering, and to verify your identity and credit worthiness before providing services to you.
Lawful basis:
  • Legitimate interest: where it is in our legitimate interest to detect and prevent fraud, money laundering and other crimes and to verify your identity in order to protect our business.
  • Where the law requires it.
Data is shared with: Internally and third party service providers e.g. credit check companies.

Data processed: Customers: Contact First Name, Contact Last Name, Company, Work address, Home address, Email address, Telephone number, Case notes
Purpose for processing: To provide and manage the services you have requested under the contract between CiC-EAP and the organisation you work for. We store your data in our secure CiCiS database.
Lawful basis:
  • Legitimate interest: where it is in our legitimate interests to do so, to manage our customer relationship and provide a high level of service, to protect our business interests and the interests of our clients.
  • To carry out our contractual agreement to provide you with the services you have chosen.
Data is shared with: Internally but access is restricted to those who require access and only for a specific purpose e.g. Adviceline Counsellors and Clinical Team.

Data processed: Customers: Contact First Name, Contact Last Name, Company, Email address, Telephone number, Case notes which may include special category data (see definition below)
Purpose for processing: To provide and manage the counselling services you have requested, under the contracted service with your organisation, we transmit your data to an affiliate counsellor. We store your data in our secure CiCiS database.
Lawful basis:
  • Your consent.
  • To carry out our contractual agreement to provide you with the services you have chosen.
Data is shared with: Internally e.g. Adviceline and shared with your assigned affiliate counsellor.

Data processed: Customers: Contact First Name, Contact Last Name, Company, Email address, Telephone number, Case notes which may include special category data (see definition below)
Purpose for processing: To provide and manage the counselling services you have requested, under the contracted service with your organisation, your assigned affiliate counsellor will maintain confidential case notes of your discussions and support. Affiliate counsellors will upload case notes to your record in our CiCiS database through a secure portal.
Lawful basis:
  • Your consent.
  • To carry out our contractual agreement to provide you with the services you have chosen.
Data is shared with: Affiliate counsellor assigned to your case and may be shared with other members of the clinical team where there is a need for further support.

Data processed: Customers: Contact First Name, Contact Last Name, Work address, Home Address, Date of birth, Clinical reason for referral (may include health data).
Purpose for processing: To refer on to professional services e.g. a GP, psychiatrist, solicitor (where the details have been provided by you, the customer) to make recommendations for further support. To transmit case notes when requested by a solicitor or the psychiatrist. In critical situations this could be verbal.
Lawful basis:
  • Your consent.
  • Where it is in our legitimate interest to ensure your safety i.e. vital interest or medical intervention.
  • To carry out our contractual agreement to provide you with the services you have chosen.
Data is shared with: Internally e.g. Adviceline and with your GP, psychiatrist or solicitor etc. Will be shared with your assigned affiliate counsellor or other third party professional service if required.

Data processed: Customers: Contact First Name, Contact Last Name, Work address, Home Address, Date of birth, Reason for requesting emergency support which may include health data.
Purpose for processing: To refer on to emergency services e.g. police, hospital emergency where there is a risk of harm to the customer or others. To transmit data when requested by the emergency services. In critical situations this could be verbal.
Lawful basis:
  • Where it is in our legitimate interest to ensure your personal safety i.e. vital interest or medical intervention.
  • Your consent wherever possible.
Data is shared with: Internally e.g. Adviceline, Clinical Team, and the emergency services. May be shared with your affiliate counsellor or other third party professional service if required e.g. GP.

Data processed: Customers: Contact First Name, Contact Last Name, Company/Employer, Address, Content of call
Purpose for processing: To collect details of a call to the adviceline. The call data is collected in adviceline counsellor notebooks. Notes are shredded immediately they are finished with.
Lawful basis:
  • Your consent.
  • To carry out our contractual agreement to provide you with the services.
Data is shared with: Adviceline.

Data processed: Customers: Contact First Name, Contact Last Name, Company/Employer, Address, Content of call
Purpose for processing: To collect details of a call to the adviceline. Notes from the call above are entered into our secure CiCiS database.
Lawful basis:
  • Your consent.
  • To carry out our contractual agreement to provide you with the services.
  • Vital interest – to assess if onward referral is required to a third party e.g. medical intervention.
Data is shared with: Internally and may be shared with your affiliate counsellor or other third party professional service if required.

Data processed: Customers: Equality and Diversity Data: gender, age, disability, marriage and civil partnership, pregnancy and maternity, race, religion, sexual orientation and gender reassignment
Purpose for processing: Adviceline collects equality and diversity data to enable the monitoring and evaluation of the uptake of services by customers based on their protected characteristics under the Equality Act 2010. The data is anonymised, and analytics provided to clients (if required by contract) and CiC to inform decision making to improve inclusivity. This data is also used to identify if the customer would benefit from an affiliate counsellor with specific training and experience in a protected characteristic.
Lawful basis:
  • Your consent.
  • To carry out our contractual obligations where the client contract requires it.
  • Where the law requires it e.g. to meet Equality Act 2010 requirements for Public Sector bodies.
Data is shared with: Internally and with Client.

Data processed: Customers: Contact First Name, Contact Last Name, Company/Employer, Address, Telephone number, Reason for call
Purpose for processing: Connect Assist: To provide an out of hours call answering service. Data is entered directly into secure CiCiS database.
Lawful basis:
  • Your consent.
  • To carry out our contractual obligations.
Data is shared with: Third party service provider – Connect Assist and with affiliate counsellor.

 

 

Special category Data

Special category data is defined under GDPR 2016 Article 9 as personal data revealing ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

We only collect special category data that falls within the equality and diversity data listed in Table 1 for the purposes recorded. For clarification these are: race, religious or philosophical beliefs, data concerning health or data concerning a natural person’s sex life or sexual orientation. We only collect this data with the customer’s consent or if it is in the customer’s vital interest to do so.

 

Third party service providers who we may share your data with (as defined in Table 1)

  • Government and law enforcement agencies: We may be required by law to share your data with other organisations, such as government or law enforcement agencies:
    • to satisfy any applicable law, regulation, legal process, or governmental request;
    • to detect, prevent, or otherwise address fraud, security, or technical issues;
    • protect our rights, property or safety, our users and the public.

This may include exchanging information with other companies and organisations for fraud protection and spam/malware prevention if required by law.

 

  • Professional advisors including lawyers, bankers, auditors and insurers.

 

  • Service providers who provide IT and system administration services.

 

If we do so we always do so securely, and we won’t share more than we need to.

 

Our service providers:

We have listed in Table 2 the service providers who are providing services that make them ‘processors’ as defined by GDPR 2016. We will always ensure they follow similarly high standards to CiC and are bound by contractual confidentiality, data protection and information security requirements. Third parties to whom we sell, transfer, or merge parts of our business or our assets.

 

TABLE 2

Service provider | Purpose of processing | Link to Privacy Policy
Mailchimp | Provides marketing mail portal | https://mailchimp.com/legal/privacy/?_ga=2.2884912.1025376997.1527161488-2091482877.1526982076
Connect Assist | Out of hours call centre |
Workbooks CRM | Cloud based CRM | https://www.workbooks.com/sites/default/files/_assets/pdf/legal/privacy-notice.pdf
ACM | Manages CiCiS clinical database |
Our IT | Provides IT support |
Law Assist | Provides legal advice | https://lawexpress.co.uk/privacy-policy

 

YOUR RIGHTS

 

The GDPR aims to give you more control of your data. It provides new and strengthened rights.

 

Right to access – you can ask us whether we’re processing your personal data, including where and for what purpose. You can also request an electronic copy of your personal data free of charge. If you require further copies of the data there may be a charge where permitted by the legislation.

 

Right to restrict processing – in certain circumstances, you can ask us to restrict our use of your personal data.

 

Right to rectification – you can already ask us to correct inaccurate personal data we hold about you.

 

Right to erasure (right to be forgotten) – in certain circumstances, you can ask us to erase your personal data.

 

Right to data portability – you can ask us to provide you with a copy of your personal data in a commonly used electronic format so that you can transfer it to other businesses.

 

Right to object to automated decision-making – in certain circumstances, you can ask us not to make automated decisions about you based on your personal data that produce significant legal effects.

 

Right to lodge a complaint – you can lodge a complaint with the supervisory authority ICO but we ask that you allow us to see if we can resolve the problem first (See complaints and queries section).

 

This means you can at any time:

  • inform us of a correction to your personal data;
  • withdraw any permission you have previously given to allow us to use your information;
  • object to any automated decision-making;
  • ask us to stop or start sending you marketing messages;
  • ask us to send you (or someone you nominate) a copy of the information we hold about you;
  • ask us to stop using your information in certain circumstances.

 

 

 

Data Subject Access Request (DSAR)

You have the right to request a copy of the personal data we hold about you and to have any inaccuracies corrected.  We will require you to prove your identity with 2 pieces of approved identification. We will use reasonable efforts consistent with our legal duty to supply, correct or delete personal information about you on our files.

We will need two copies of forms of identification, which can be:  passport, driving licence, birth certificate, utility bill (from last 3 months), current vehicle registration document or a bank statement (from last 3 months).

If you can advise of the specific information that you require, we can process your request more quickly.  We will respond to your request within one month of you providing information that confirms your identity.

We will then give you a description of your data, why we have it, who it could be disclosed to and it will be in a format that you can access easily.

If you wish to make a DSAR request please contact us using the contact details at the end of this notice and we will provide you with the necessary request documents.

 

 

 

Retention of your data

We will keep your data for as long as we have a relationship with you. Once our relationship has come to an end we will only retain your personal data for a period of time that is calculated depending on the type of personal data and the purposes for which we hold that data. We maintain a Retention of Records Schedule to communicate our record retention requirements to all relevant staff and ensure data is not retained for longer than necessary.

We only retain information that enables us to:

  • maintain business records to comply with our contractual obligations
  • comply with record retention requirements under the law
  • defend or bring any existing or potential legal claims
  • maintain records of anyone who does not want to receive marketing from us
  • deal with any future complaints regarding services we have delivered
  • if required to by law enforcement agencies

 

 

How we protect your personal data

 

We are committed to protecting your information. CiC are certified to the ISO 27001 Information Security Standard. We take appropriate technical and organisational measures to guard against unauthorised or unlawful processing of your personal data and against accidental loss or destruction of, or damage to, your personal data.

The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. However, please bear in mind that IT infrastructure and the internet cannot be guaranteed to be 100% secure.  We have security measures in place and restrict access to databases only to those who need access appropriate to their job role. All personal information and details provided as part of an enquiry, support or service request, or financial details are stored on a secure server. We do not store credit card numbers or related identifying information on any of our servers.

 

Digital data and hard copy data are securely disposed of when no longer required. This is conducted in line with our information security Disposal of Data Policy and procedure.

 

Changes to this privacy policy

 

We keep our privacy policy under regular review. This privacy policy was last updated on 25th May 2018.

 

Queries or complaints

 

We try to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. Please get in touch if you think we are using or collecting your data in an inappropriate way.

You can call us on 020 7938 0992 and ask to be referred to the DPO or Client Services Manager;
or you can email dpo@cic-eap.co.uk or you can write to us at the address listed at the beginning of this document.

You can also contact or make a complaint directly to the supervisory body for the UK. This is the Information Commissioner’s Office (ICO).

You can visit their website at: https://ico.org.uk/

Or contact them on: 0303 123 1113