Data Protection & IT Security Policy

SS Competence, Skills & Wellbeing CIC is committed to protecting personal data, maintaining confidentiality, and ensuring the security of all information we hold. This policy sets out how we comply with data protection law and implement robust IT security practices to safeguard the rights of individuals and the integrity of our systems.

This policy applies to:

• Directors and employees of the CIC. 
• Volunteers, contractors, and delivery partners handling CIC data. 
• Any third party processing personal or organisational data on behalf of the CIC. 

This policy is written in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and recognised IT security standards, including Cyber Essentials and ISO 27001 best practice.

• Lawful, fair and transparent processing: Data will be collected and used only for legitimate purposes and in ways individuals can reasonably expect. 
• Purpose limitation: Data will only be used for specified purposes and not processed in ways incompatible with those purposes. 
• Data minimisation: Only the minimum personal data necessary will be collected and retained. 
• Accuracy: Personal data will be kept accurate and up to date. 
• Storage limitation: Personal data will not be kept for longer than necessary and will be securely deleted or anonymised when no longer required. 
• Confidentiality and integrity: Data will be processed securely using appropriate technical and organisational measures. 
• Individual rights: We will respect and respond to individuals’ rights, including access, rectification, erasure, restriction, and objection, in line with UK GDPR.

• Access control: Systems will be protected by secure passwords, role-based permissions, and authentication processes. 
• Data encryption: Sensitive and personal data will be encrypted both in transit and at rest wherever possible. 
• Device and network security: Company devices, servers, and networks will be protected through firewalls, anti-malware tools, and security patches. 
• Secure communications: Emails and online platforms used for sensitive data will be encrypted or password protected. 
• Incident response: Any suspected data breach or IT security incident must be reported immediately and investigated without delay.
• Training and awareness: All directors, staff, and volunteers will receive training to ensure compliance with data protection and IT security requirements.

• Board of Directors: Holds overall accountability for compliance with UK GDPR and IT security governance. 
• Data Protection Lead: Responsible for day-to-day oversight, responding to subject access requests, and managing incidents. 
• Staff, volunteers, and contractors: Must comply with this policy, safeguard data in their work, and report risks or breaches immediately. 
• Third-party providers: Expected to meet contractual and legal standards for data protection and IT security.

This policy will be reviewed annually, or sooner if legislation, regulation, or best practice changes. Updates will be approved by the Board of Directors and published on our website.