Health and Safety

/by

  1. Writing a Health and Safety Policy

  2. Risk Assessment Made Simple

  3. Running a Safe Event

CCVS guide to Writing a Health and Safety Policy

So coming up, we’ll start with the purpose of a safety policy and why it is needed, before looking closely at the three elements that form the content.

The Purpose

Let’s begin then with the Purpose.

A safety policy should be a working document. It should set out your organisation’s general approach to health and safety; and explain how you will manage health and safety in your group, charity or social enterprise.

And that’s it you don’t need to include pages of small print about noise, trips and falls, manual handling and so on… These are all matters that should be dealt with separately in a risk assessment.

But why is it needed?

Having an effective safety policy is a sign of a healthy organisation. It makes clear who is responsible for safety and what this actually involves.

And for organisations that employ staff, it is also the law.

But even if you are, volunteer-only, it is good practice to have a written safety policy

It shows that you plan, check and act on safety matters; and in particular, it demonstrates a positive attitude towards health and safety.

A safety policy may also be a requirement of certain funders.

So clearly, it is an important document. But what about the policy’s content… There are three main elements…starting with

The Statement

Quite simply, this is just a few lines committing the organisation to looking after the health, safety and welfare of its people; and meeting its health and safety duties.

Roles and responsibilities

Next are roles and responsibilities. Firstly, you need someone with overall and final responsibility for health and safety, such as your trustee board; and then someone with day-to-day responsibility such as your chief officer.

You also need to name those with any specific safety roles, such as undertaking risk assessment, monitoring safety controls, dealing with problems, and supervising team members.

You should also set out the responsibility of your staff and/or volunteers to work safely, attend safety training, and report concerns.

Safety arrangements

So what about your safety arrangements? Well, these should cover the actions, processes and procedures you will follow to manage health and safety.

This should include arrangements for conducting risk assessments, such as when and where they are needed, and how often they are carried out.

Other arrangements should cover how and when your team will be consulted on safety matters, your first aid arrangements, safety training, reporting incidents, and your emergency evacuation procedure.

Finally, the arrangements should also name your competent health and safety adviser. This is either an internal or external person who understands the safety issues you face and is experienced in safety matters.

Now, to help you, there are links to a template for a safety policy in the accompanying transcript of this presentation.

But let’s just sum up…

Keep it simple. Start your policy with an opening statement of intent, followed by a list of roles and responsibilities; and finally, a page or two setting out your arrangements. This is all you really need.

Thank you

Video Transcript was produced for CCVS by Green Pepper Consulting

CCVS Guide to Risk Assessment Made Simple

Hello, my name is David Green from Green Pepper Consulting; and in this short training presentation, one of a series from Cambridge CCVS, I will be looking at how we should conduct a safety risk assessment. Let’s begin…

Risk assessment involves identifying hazards, evaluating the risk they pose, and implementing measures to control or remove the risk. There are five steps to the process, so coming up we will look at each of the steps in turn.

What is a hazard?

But first, what exactly do we mean by a hazard?

Well, a hazard is anything that can cause harm.

This might be something that can harm a person’s physical health. Or something that can harm mental health, such as stress.

Why assess risk?

It is perhaps obvious, but to clarify, we assess risk to:

  • understand what safety measures are needed
  • help prevent accidents and occupational diseases
  • meet our legal duties

Risk assessment is a requirement of many safety regulations; and is a key aspect of health and safety management.

What’s more, a failure to assess risk might result in injury or illness to someone, leaving the organisation open to compensation claims and even prosecution.

To help you with the risk assessment process, there are links in the accompanying transcript of this video to a safety inspection checklist and to a risk assessment form.

Ok, Let’s now look at:

Step one of risk assessment – identifying the hazards

You do this by inspecting the workplace, ideally, with a staff rep or colleague, and then by speaking to your staff and volunteers – about their work.

We want to find out about different tasks, the equipment, the methods they use, and the environment in which they work. By looking at the workplace and speaking to your team at work, you can identify any hazards that they may face.

You will need to look for anything that might cause harm, something for example that could cause a trip, slip or fall. There could be manual handling hazards, objects stacked up high that could topple over, chemicals, noise, risk of violence and so on.

Because hazards can differ so widely, sometimes it helps to use a safety inspection checklist when looking around your workplace.

For those who work remotely, such as lone workers and home workers, it may not be possible to inspect how they work. But by discussing working methods with the individuals concerned, prompting and asking them about their safety concerns, you can together work out the likely hazards.

Step two of risk assessment – decide who might be harmed, and how

Step two of risk assessment considers who might be harmed, and how…

Look for anyone who could be harmed by the hazards you identify and how this could happen, including when and where.
Those affected might include members of your team, whether staff or volunteers, including homeworkers, and lone workers. Also your beneficiaries and other visitors to the workplace.

Think also about any special groups who might be more vulnerable to particular harm and may need additional support, such as new or expectant mothers, or people with disabilities.

It might also include those who may have communication difficulties, such as people who don’t have English as a first language.

Once you know who can be harmed, decide how and when it could happen.

Together, the who, how, and when, will give you the likelihood of something causing harm.

Step three – evaluate the risk and introduce safety control measures

Step three has two parts. Firstly to evaluate the risk; and secondly, to introduce safety control measures.

We evaluate risk by combining the likelihood of the hazard, which we have worked out from step two, with the severity of the hazard.

But what if we need to find out more about the hazard before deciding how severe or dangerous it can be?

We can do this by looking up the hazard on the Health and Safety Executive website; and then consulting the manufacturer’s handbook, data sheet or their own website.

So something that has a high degree of severity, and a moderate to high likelihood of occurring, would be a high-risk hazard.

Once you have evaluated a hazard; you can put in place safety control measures.

Always consider the most effective measure first. Your starting point should always be to try and remove the risk altogether. (For example, although you could warn people about a slippery surface, the best remedy would be to remove the slippery surface and replace it with a safe one).

If this isn’t possible then see if there is some less risky way of doing the same thing, for example using a different technique or with different equipment or substances.

Other measures might be to reduce access to the risk (such as cutting the time someone is exposed to the risk, or perhaps using a smaller pool of people). Or to use personal protective equipment.

Finally, make sure your team is trained on how to use your control measures, and that they receive clear instructions on how to mitigate the risk. It’s very important they understand the nature of the risk, and why the control measures are necessary.

Step four – record your findings

We now come to Step four which is to record your findings. One of the simplest ways is in the form of a table. This is the information you will want to record…

  • the hazard
  • who might be harmed
  • how they might be harmed
  • current control measures
  • any new control measures needed
  • who is responsible (for action)

Step five – monitor and review your risk assessment

The final and fifth step is to monitor and review your risk assessment. This will involve periodically checking that the control measures you have implemented are being used properly and that they are effective.

Any shortfalls should prompt a review of the risk assessment; and possibly result in new control measures (or better management of the ones you already have in place); and perhaps better training.

You should also review your risk assessment if there is an accident, or if new information about the hazard or activity becomes available.

So we are almost to the end of this video. Contact information and details of other training videos in this series follow.

Summary of the risk assessment process

  1. identify the hazards
  2. decide who might be harmed and how
  3. evaluate and control the risk
  4. record your findings
  5. monitor and review

Thank you for watching.

Video Transcript was produced for CCVS by Green Pepper Consulting

CCVS Guide to Running a Safe Event

Hello, my name is David Green from Green Pepper Consulting; and in this short training
presentation I will be looking at how an event can be run safely.

Indeed, whenever you organise an event; you have a duty of care to those who attend. So
clearly you will want to avoid accidents or incidents that could cause harm to individuals.
The following explains what you need to do.

OK, This is what we’re going to cover…, We’ll start with the pre-event considerations, then
look at safety plans, followed by risk assessment, and finally, managing an event.
So lets begin with the pre-event considerations.

 

Pre-event considerations
Firstly, you should make someone have overall responsibility for the event’s safety.
Next, make a list of who will need consulting, such as the venue, your event partners and the
active participants. These could be performers, players, speakers, exhibitors etc.

If using contractors for any aspect, such as setting-up, lighting, catering, for example, make
sure they are safe and competent. Ask to see risk assessments and check references.
Alongside all of the above, check your organisation’s safety policy to ensure that you are
following your stated safety arrangements and responsibilities.
And finally, draw up an event safety plan.

This is a key step and we shall cover this next.

 

So what goes into a safety plan?
A key step in planning a safe event is to consult with those who will be involved.
As we have seen, this will include your team, the venue, any partner organisations and
active participants.

Consulting is important to identify the expected roles of those involved, the activities that will
take place at the event; and to find out about possible hazards and the risk assessments that
will be needed.

If you can, visit and inspect the venue as this can inform many aspects of your safety plan.
Next, sketch or obtain a site layout, even if your event is outdoors. This can help you decide
who goes where, the maximum numbers of attendees, and consider the entry and exit
routes etc.

Then assign someone to carry out risk assessments; and check those risk assessments
already supplied by the participants and others. Where gaps are identified, new risk
assessments should be undertaken.

The goal is to make sure everyone knows what safety measures are needed when the event
starts. There will be more on this topic later in the video.

While considering hazards, it is wise to consider contingencies in the case of severe
weather. Outdoor events are more prone to problems, but indoor ones can also suffer,
especially when approaches to buildings are slippery, or when hot weather is making venues
uncomfortable.

So assess poor wintery conditions, or hot summer days in the same way you would as any
other hazard; and plan your response.

Regardless of the size of your event, you should include a crowd or people management
plan. For bigger events youmay also need to include traffic management.

You will also want to ensure, if necessary, that you can contact key people during the
event…so prepare a contact list; and know where they will be if you need them.

A good way to ensure things run smoothly is to appoint members of your team as stewards,
and brief them on what they will need to do. This will include people management, ensuring
safety controls are followed, reporting problems and dealing with accidents.

A very important part of the planning process is to know how to deal with emergencies. You
need to ensure that there are clearly marked fire exits, and that your team of stewards know
what to do if the worst happens. You should also nominate a person to call the emergency
services.

Finally, your safety plan should also include arranging insurance if your existing insurance
does not extend to events. And don’t forget to check information about facilities such as
drinking water, toilets and anything else the venue can provide to help with wellbeing.
Where the venue can’t provide such things, you may have to use contractors so don’t leave
arranging these until the last minute.

Here then is a short summary of what goes into a safety plan.
• consultation
• layout of venue
• risk assessment
• weather contingencies
• people/traffic management
• contact list
• stewards
• emergency procedure
• insurance
• and facilities

 

Risk assessment
We now come to risk assessment.
This will form a vital part of your safety plan; and the results of your risk assessments will
decide how your event can be run.
The process involves assessing all foreseeable risks, whether they be from the activities of
your organisation, the active participants, your chosen venue, or even the public.

So as well as your own risk assessments, you will need to consider any risk assessments
provided by the venue, exhibitors, performers, stall holders, speakers, contractors or
whatever other organisations are involved.

It is from these risk assessments that you can take steps to avoid or control any safety risks
that are presented by your event.

But what does a risk assessment involve…? Well, there are five steps involved in risk
assessment…
1. Identify the hazard(s)
2. Decide who might be harmed, and how
3. Evaluate and control the risk(s)
4. Record your findings
5. Monitor your safety measures, and review them if needed
For more detail on risk assessment, please see our separate training video, Risk
Assessment Made Simple.

 

Managing an event
The final topic is “managing your event” from a safety perspective….
There are a number of considerations.

Firstly, before the event starts ensure that health and safety is covered in an induction for
stewards and the active participants so that everyone understands their role, including what
to do if there is an accident.

Next, check that safety measures are in place.

Thirdly, make sure there are signs and notices to help enforce health and safety.
Also, ensure that stewards and active participants are aware of the emergency procedure;
and understand what they would have to do, should an emergency arise.

Ensure that stewards can guide people so they can move safely into, during and out of the
event. This people management should be in your safety plan. Good signage to car parking
may also be needed.

During the event, monitor safety measures during the event as it progresses, and be ready
to act on a problem.

Finally, check-in with stewards during the event, so keep close at hand your list of key
contacts and your safety plan.

Once the event finishes, do another inspection to check any taking down of equipment is
following correct procedures; and that the venue is left in good order.

Then debrief your team, and learn any lessons for next time.

 

Well, that’s all our topics covered. So before I finish, let’s have a very brief summary of what
it takes to run a safe event…
Consult all those who will be involved
Draw up a safety plan
Assess risks and implement safety measures
Raise awareness of the safety plan so everyone knows who is responsible for what
particular actions
And finally: Monitor safety as the event progresses.
….Thank you for listening.

 

Enabling Activities Community Grant / Cambridge City Council/ No deadline

/by

Enabling Activities Community Grant

Enabling Active Communities Grant that young people or organisations can apply for. It’s for young people aged 12-18 years, who can apply for up to £500 to support sport, dance and physical activity opportunities within Cambridge City.

Who can apply?

Cambridge City Council welcome groups of young people aged 12 to 18 to apply. There must be at least 3 people involved in putting the application together and the activity must benefit a group of at least 8 young people. 

If you are an organisation looking to apply for activity to support young people, please use this form instead - https://forms.office.com/e/KEhg0AcsHn  

How much funding is available?

The group will be awarded a maximum of one grant per financial year (April – March) up to a maximum of £500. 

What can the funding be used for?

Funding can go towards hiring a coach or instructor, hiring a facility and/or equipment costs. The grant can go towards new activity or existing activity that requires additional funding to continue. 

Please note the grant cannot  fund one off activity or day trips. 

District

Cambridge City

How to apply

The application form is really quick and easy to complete, but there will need to be someone with a bank account who can hold the funds.

If anyone has any further questions, please contact Danielle Guy email: Danielle.Guy@cambridge.gov.uk    

For more information and to apply please visit: Enabling Active Communities grants – Cambridge City Council

Deadline

There is no set deadline for applications, funding applications will be assessed on a rolling basis and if successful, applicants will receive the funding within 4 weeks. 

Data Protection

/by

  1. What You Need To Know
  2. What You Need To Do
  3. Writing a Privacy Notice

Data Protection Part 1: What You Need To Know

Welcome.  

This is a short training video from Support Cambridgeshire, the first in a series on data protection.  

We’re looking at the essentials of data protection law. In other words, what you need to know.  

Let’s see what we’re going to cover. We’ll begin with a short look at why privacy matters, and then we’ll move to the principles behind data protection which are set out in law. Then we’ll look at the lawful reasons for which you can process personal data. Finally, we’ll finish off this video with a look at individual data protection rights.  

But before we begin, let’s remind ourselves what we mean by personal data.  

What we mean by personal data

Personal data is any piece of information, including a photograph, from which an individual can be identified. So name, address, payroll number, or bank account number, for example, are all forms of personal data. But things like hair colour, shoe size, town of birth are not personal data because on their own, none of these things can identify a single individual.  

Of course, when you combine certain data, such as a person’s race with their name, for example, then both would be classed as personal data.  

Learn more about Key Data Protection Terms. 

Why privacy matters

Okay, so why should we be bothered about privacy? Isn’t it just common sense?  

Well, it’s much more than that. We all have a right to privacy, and if that right is broken, then the consequences can be severe. For example, the release of personal data about health conditions or perhaps trade union membership could result in discrimination or even dismissal by an employer. Of course, criminals use personal data for identity theft and fraud, blackmail, ransom, and other threats.  

But failing to respect privacy can damage voluntary organisations as well. For a charity, it can lead to bad publicity, damage to reputation, loss of support and funding, fines, and the extra costs of putting things right.  

That’s why we have data protection laws, namely the UK GDPR, which is how it’s known following Brexit, and the 2018 Data Protection Act. But what do these laws say?  

The principles behind data protection

Helpfully, the UK GDPR sets out a number of principles by which personal data must be processed. Follow these, and you shouldn’t get into trouble with the law.  

The first principle is that you must have a lawful reason or basis for your processing. There are six of these which we shall look at later.  

Next, you can only use the data for the purpose it was collected. For example, you can’t use someone’s details for sending them funding requests if you’ve only said you will use it to provide a particular service.  

The third principle says you must only collect and process data that is necessary, so no asking for a postal address if you only ever intend to email someone.  

The fourth principle is that the data you process must be accurate. This means you must take reasonable steps to keep it up to date.  

Fifth, it should be kept for no longer than is actually necessary. Once it’s not needed, it should be deleted.  

And six, it must be secure. This means you need good cyber and physical security for the data.  

Finally, the seventh principle says you are accountable for how you handle data, so you need to make sure you can demonstrate compliance with the law.  

Now, as we’ve seen, the first principle of data protection is that you can only process data for a lawful reason.  

Lawful reasons on which data can be processed 

Let’s just look at the six lawful reasons, sometimes called bases, on which data can be processed.  

The first reason or lawful basis for processing personal data is consent. To be valid, this consent must be freely given by clear, affirmative action for each processing reason. 

There can be no generic or bundled up consents and no pre-tick boxes for someone to untick. Finally, it must be easy to opt out, withdrawing or revoking consent at any time.  

The next lawful reason for processing is contractual. This is where we process data with a view to entering into or operating a contract. Processing personal details, such as in a quote for some work is a contractual reason for data processing.  

We now come to legitimate interest. This is a useful reason to have for data processing because it’s so flexible. However, the small print says that your interest must not override the privacy interests of the individual, so the processing has to be something transparent that the data subject would expect. A business interest, for example, can be a legitimate interest if it is clear and expected. A good example might be processing the names of individuals who have applied to attend a training course. Clearly, you can’t process applications without collecting names. Anyone who signs up would expect you to do this, so there is no hidden processing or undermining of an individual’s privacy. 

The fourth of our six reasons is legal obligation. This is where you are required to process the data by law. For example, an employer has a legal duty to collect income tax through Pay As You Earn, which clearly requires the processing of personal data.  

The next reason is vital interest. It applies in very limited circumstances, specifically when there is a risk to life. 

The sixth and final lawful reason applies to public authorities and elected officials, such as a councillor or member of parliament. Here, personal data can be processed lawfully, specifically in order to provide a service or to perform a public task. 

The next part of this video involves looking at the individual legal rights people have on how their data is processed, all of which are enforced by a regulator, the ICO, (Information Commissioner’s Office).  

So what are these rights?  

Top of the list is the right to be informed about how and why your data is processed. This is usually set out in a privacy notice which must be provided at the point that personal data is collected. We cover privacy notices in the third video in this series.  

You also have a right to access your personal data that an organisation is processing. This is enacted through a “subject access request”.  

Next, you have a right to have errors rectified once the organisation has been made aware of the error.  

And you have a right to restrict processing. This limits how data can be used and usually applies when the accuracy of data is contested or while an objection to data processing is being considered, which leads nicely into your specific right to object to processing in certain circumstances. For example, if you object to your data being used for direct marketing, or if you question why an organisation is relying upon their legitimate interest as the lawful reason for the data processing.  

You also have a right to be forgotten, that is to have data erased when data is no longer needed. For example, if the data is historical or if you have withdrawn consent for processing.  

Perhaps not used quite so often is a right to data portability, which allows you to reuse your data for your own purposes across different services. This is how, for example, insurance comparison sites work.  

Finally, you have certain rights in relation to high volume automated processing and profiling. This is something used to evaluate an individual based on their personal data and decide, for example, what products they may like to buy.  

Okay, that’s all we’re covering in this video, so let’s quickly recap.  

To protect privacy, you should comply with the seven data protection principles, which includes processing data securely and being accountable for what you do. You should always have a lawful basis for every data processing operation. Finally, you should uphold the data protection rights of individuals, which, among other things, means providing privacy information. 

For practical advice on compliance with the law, please look out for the other titles in this Data Protection Series. 

And to learn more about the areas we have covered in this video, please refer to the ICO website. 

Guidance links: 

Data Protection Part 2: What You Need To Do

Welcome. 

This is the second short training video produced by Support Cambridgeshire in a series on data protection. In this one, we’ll be looking in particular at the key steps you should take to comply with data protection law.  

But first, here is a very short recap on what we covered in video one.  

Video one highlighted the seven principles of data protection that underpin the law. One of these is that you must have a lawful reason to carry out your processing. There are six lawful reasons, including consent, entering into a contract and legitimate interest. We ended the first video explaining that individuals have a range of legal rights, including the right to be informed and to have access to the data you hold on them.  

With these things in mind, what are we going to cover in this video? Firstly, we’ll begin with what you’re allowed to do with other people’s personal data. Then we’ll look at what steps you must take to comply with the law and so meet your legal duties. This will include looking at data audits, privacy notices, data protection policies, and staying accountable. Finally, we’ll finish with a look at the vital subject of data security. 

Other people’s personal data

Let’s look at what you’re allowed to do with personal data. The answer may surprise you. If you stick to certain requirements, in other words, the data protection principles and respecting an individual’s data protection rights, you can do almost anything with someone’s personal data.  

This includes processing their data without consent, because consent is just one of six legal reasons for processing data. Profile someone and target specific individuals. Share data, including that of a personal nature such as to do with health, criminal records or a protected characteristic. Sell data, refuse someone a job or even prescribe someone (in other words, bar or prohibit someone from something).  

Remember, though, the data protection principles are strict, and they include having a legal reason for processing data and only processing data for the purpose it is collected.  

Complying with the law  

This looks at what you must do as an organisation to comply with the law.  

The place to start is with a data audit. To make sure you comply with the law, you first need to understand all the different types of data you are collecting. So carry out a data audit to find out what is collected, how, why and when you do this. Also, look at what you actually do with the data, including who, if anyone, it is shared with and how it is stored.  

The importance of auditing your processing operations cannot be understated because it will inform your future data processing arrangements. For example, the audit allows you to decide the legal reason for each of your processing operations and to identify any associated privacy risks.  

Once the audit is complete, you can also use it to produce a privacy notice. This is used to tell people whose data you are processing, why you need their data, and what you’re doing with it. In this way, you’ll be meeting an individual’s right to be informed.  

Your privacy notice must include certain required information as set out by the Information Commissioner’s Office, the Data Protection Regulator. One of these is the lawful reasons by which you are processing data, but others include how your data is stored and who has overall responsibility for data protection in the organisation. Privacy information must also be made available at the time data is collected. You will need to think about your data collection methods and how your privacy notice can be made available to individuals. Again, your data audit should help with this.  

Given the importance of privacy notices, we have devoted the third video of our data protection series to this topic. Please view the video to find out how you write a privacy notice for the data you process.  

General data protection policy

Alongside your privacy notice, you also need to have a general data protection policy. 

This will explain how you meet other aspects of data protection law and good practice. It’s all about showing that you are accountable, trustworthy, and transparent.  

So what does a data protection policy look like? It should start by setting out your commitment to protecting privacy and the levels of responsibility for data protection within your organisation. This includes stating who is in overall charge of data processing. It should then go on to cover all your arrangements for compliance with the law. The arrangements should cover things like your data processing audit, your data security, your data sharing arrangements, and clear procedures for dealing with data breaches, requests, or complaints connected to individual rights.  

To help you develop a suitable policy, a template is available from Support Cambridgeshire. In addition, the NCVO have produced some guidelines for writing a data protection policy, and the link to the relevant page on their website cab be found in the guidance links below.

You need to account for your actions when you process personal data and show that you are complying with the law. Indeed, this is one of the seven principles of data protection. Keep good records, make sure your data protection policy is fit for purpose, and that the arrangements it describes are working properly. Make sure your team is fully trained on how to process data securely and that they know how to recognise cyber attacks like phishing.  

As I explained in the first video of this series, consent, when used as a lawful reason for processing, must be given freely and it must be possible to withdraw the consent at any time, something that must be made clear when consent is given. When it comes to email marketing circulars and e-newsletters, obtaining consent is the only legal route you have.  

Indeed, an individual must consent to be placed on the marketing mailing list, and they must be able to withdraw that consent at any time. This means including an “unsubscribe” notice, or preferably an “unsubscribe” button on every email or newsletter.  

However, an upcoming change in the law will allow charities and voluntary groups to apply what is called the soft opt-in in certain circumstances. This means that direct consent will not necessarily be required. More information can be found in the guidance links below.

Data security

Keeping your data safe, both physically and electronically, is absolutely essential, so you must train your staff and/or volunteers in data security. In fact, you can be fined quite heavily if you fail to protect your data from hackers and thieves, even though you, as an organisation, will have been the victim of a crime.  

So make sure that you: one, control access to data who and where with robust passwords and two-factor authentication of users. Two, regularly back up your data. Three, ensure physical security… The doors, locks, lighting, CCTV, etc. Four, ensure safe disposal of data waste. Five, control the use of laptops and other mobile devices with encryption, passwords, antivirus software, etc. Six, keep software and operating systems up to date. And seven, develop a cyber incident plan so you are ready to deal with any problems if they arise.  

Summary

Okay, we’re almost at the end of this video, so let me sum up. 

As long as you have a lawful reason for your processing and can meet all the other data processing principles, then you can  process data for all sorts of reasons. But to stay within these principles, you must comply with the law. To do this, you need to know what data you are processing and why, and what exactly you will do with it.  

This is where a data audit helps. You should also have policies and procedures setting out who is responsible for what aspects of data protection and the different arrangements you have in place for legal compliance. Key among these is the need to provide privacy information at the time data is collected.  

So use the videos and other resources from Support Cambridgeshire and then complete a data audit. Do this and you’ll find that data protection compliance becomes straightforward.  

For further information, please refer to the Information Commission’s website and see guidance links below for information on: key data protection terms, who needs to register with the Information Commission’s office, dealing with freedom of information and subject access requests, and the soft opt-in for sending out marketing emails.  

That is the end of this video, so thank you for watching..  

Key Data Protection Terms

Who needs to register with the ICO

Freedom of Information 

Subject Access Requests 

The soft “opt-in” 

Guidance on direct marketing using electronic mail

Privacy notice generator tool

Writing a data protection policy and procedures

Guidance on AI and data protection

AI risk toolkit

Data Protection Part 3: Writing a Privacy Notice

This is part three of a series produced by Support Cambridgeshire on Data Protection. In this video, we are looking at writing your privacy notice.  

Let’s see what we’re going to cover.  

We will start by looking at why you need a privacy notice. Then consider where to start. Next, we’ll look at the very important content of a privacy notice. Lastly, we’ll look at making your privacy notice available to people.  

Why you need a privacy notice

So why is it needed? A privacy notice is a statement that tells someone how and why you will be using their personal data. Essentially, it’s a tool to help you comply with the transparency obligations of the UK General Data Protection Regulation, commonly known as the UK GDPR. Because of this law, individuals have a right to be informed, and to comply, you must provide privacy information that tells individuals about your data processing in a way that is easily accessible and easy to understand.  

Where do you start? 

To provide individuals with privacy information, begin by checking your data audit. If you don’t have a data audit, then carry one out to find out about your processing activities. This means looking at each data processing operation in your organisation and deciding what you are processing, why you’re doing it, where and when, the lawful reason that allows your processing to go ahead and who the data is shared with, how it is stored, and so on.  

By doing the data audit, you will have all the information you need to get started on a privacy notice.  

What about the content?

Exactly what should go into a privacy notice is set out by the Information Commissioner’s office. This is the UK regulator responsible for data protection.  

Your privacy notice should include the following: what personal data you use such as name, address, telephone number, and email addresses; why you use it, in other words, what you need it for; how you use it; who, if anyone, it is shared with, such as another organisation or agency; How long you will keep it. It should also provide the lawful basis for your processing, for example, this might be consent; the name and contact details of your organisation; the rights of individuals, and how to complain.  

There may also be some other things that should be included, but only if they apply to your processing. These are, if not obtained from the individual, then the source of someone’s personal data; your legitimate interests for the processing. This only applies if you rely on legitimate interest as a lawful basis. The right to withdraw consent. Again, this only applies if consent is your lawful basis for processing.  

Making your privacy notice available

But how should you go about providing privacy information? How and when do you make your privacy notice available?  

Firstly, it must be provided at the time personal data is collected. This means it can be provided in person or if a link is given, then to a website. But remember, putting your privacy notice on a website is only going to reach those people who look at that particular website. It must also be in a concise accessible format using plain language, so keep it short and jargon free. Remember also that you don’t have to overwhelm someone with privacy information, so you can make it available in layers or parts to suit your audience. You can also use handouts, clearly visible footnotes, dashboards, icons, and banners as as needed.  

Summary

A privacy notice is essential to meet your transparency obligations and should provide information about how and why you process someone’s data. There are certain pieces of information that you are required to provide, and it must be given at the time that personal data is collected. Finally, it must be clear, accessible, and free of jargon.  

For further information, please refer to the Information Commissioner’s website. This includes under the section on “advice for small organisations”, a privacy notice generator tool. And a sample of a privacy notice generated by this tool is also available from Support Cambridgeshire.  

Finally, there is a transcript that accompanies this video with links to additional information on key data protection terms, who needs to register with the Information Commissioner’s office, dealing with freedom of information and subject access requests, and the soft opt-in for email marketing newsletters.     

Key Data Protection Terms  

Who needs to register with the ICO 

Freedom of Information 

Subject Access Requests

The soft “opt-in”

Guidance on direct marketing

Privacy notice generator tool  

Writing a data protection policy and procedures 

 AI and data protection 

AI risk toolkit

 

Learning and Skills Fund /CPCA/ Deadline 1st May

/by

Learning and Skills Fund

The Cambridgeshire and Peterborough Combined Authority Skills Committee has approved further funding to enable third sector organisations to support Cambridgeshire residents to access learning and skills training. The objective is to support adults experiencing disadvantage who may find it difficult to access learning and training, and to motivate and help them towards beneficial onward progress.

Projects are encouraged to facilitate routes for participants to undertake further learning or skills development through one or more of the CPCA funded learning organisations. To that end, applicants will need to reference which of these providers they are working with already or would be able to work with by the end of the project. The CPCA will provide support to help build such relationships with adult learning providers. 

Who can apply?

Local voluntary and community sector organisations which meet CCF requirements. Organisations which are already in receipt of funding from the Adult Education Budget are not eligible.

Who can benefit?

Project participants must be aged 19 years or over and be living in Cambridgeshire (this includes Peterborough) with an eligible residency status.

How much funding is available?

The total funding available is around £200,000 and applicants may apply for funding between £5,000 to £25,000. We are looking for a broad selection of projects and would encourage smaller bids as well as larger. For reference we do not expect to be able to fund more than four or five projects at the higher end of the grant range, and applicants requesting larger amounts will need to demonstrate greater experience of delivering learning and engagement work.

How to apply

Find out more any apply here: Learning & Skills Fund – Cambridgeshire Community Foundation

Deadline

1st May 2025.

Cambridgeshire and Peterborough + Voluntary Sector Network – Update Bulletin – March 2025

/by

The March 2025 edition of the Voluntary Sector News is here. Please get in touch with Sandie Smith or Debbie Drew if you would like to know more about any of our work. Please pass this on to colleagues who may be interested.

Read more

The Voluntary Sector Network Meeting – 26th February 2025/ Online

/by

Chaired by Sandie Smith

Sandie welcomed everyone to the meeting especially the new VSN members.

 Draft ICB Strategic Commissioning Plan – Nicola Ward, ICB

Nicola gave a Powerpoint presentation and took questions during and after. This part of the meeting was recorded and will be available to members. In the short-term Sandie will write a briefing and circulate together with the slides.

ACTION- Sandie to produce a briefing and share with the slides – click below to access the presetion and the briefing.

ACTION- To try and convert the recording so its accessible to all- DD – Click below to access the recording.

Reps Feedback

Sandie will circulate a list of VSN reps and committees so that members know who to speak to regarding committee items.

As Julie Farrow is retiring in April and she has been attending the Integrated Care Partnership meetings the voluntary sector network will be looking for another rep. We need someone with lots of knowledge and expertise- the strategy group are looking at the ask and we will come to group for EOI soon.

We had asked the ICB for a place on the ICB Board – John O’Brian supported our ask but it has to go via NHS England as it’s a change in the constitution. In the interim Sandie or Mark (CCVS) will attend the public meetings.

The Strategy Group- wrote to the ICB and CCC about the uncoupling of the LDP

Healthwatch also raised concerns about lack of information. We will be keeping a close eye on this ensuring that organisations that provide services for people with LD as well as the carers and service users themselves are kept informed and not inconvenienced.

Sharon who sits on the Workforce collaborative regularly brings things to the VSN where you can get involved. You will see these in emails from Debbie.

Programme Director Update

The panel have now considered the EOI for the Assura/ICB  monies. We had a big response to this with 52 submissions. All organisations should have been contacted by now.

One group said they had not heard anything

ACTION- Sandie to ensure notifications have been sent.

Andrea is working hard to get the ongoing funding for the VSN and is aiming for a 3 year commitment

Hunts Forum and CCVs will be merging from beginning of April – most things will be the same but will be led by Mark (CCVS) but you will see a different email address at some point.

The ToR for the VSN need some updating so expect to see something soon – probably by the next meeting.

NI increase- the impact of this on Voluntary sector organisations is likely to have impact. Sandie has received lots of feedback on this. Mark and Julie have been having conversations with groups.  Some commissioners are looking at different ways for organisations to manage.

The CVSs and other infrastructure organisations, including Sandie on behalf of the VSN, attend the aligning support group meetings- this group formed about a year ago. It is addressing inconsistencies between different statutory organisations in the way they commission and are trying to find a coordinated way of doing this. The group wants to be sure it is having an impact. 2 areas being looked at are

  • Review of the old Compact and refreshing it in line with new guidelines. They want it to be a model rather than a document
  • Volunteering – research with Anglia Ruskin looking at local barriers to volunteering- also looking at employment routes from volunteering.

 AOB

Debbie has organised 2 mini showcase events one on Mental Health support the other on support in community. Details have been shared previously but can be found on

https://supportcambridgeshire.org.uk/training/whats-on/

A future Health and Wellbeing Network meeting is being organised around assisted technologies.

It was noted that one of the VSN members is having to close- Hunts Shopmobility after 18 years as there has been no funding stream for them for some time.

Help us improve our website