Privacy Policy

Data Controller

Ronnie Cottrell

 

Collected Personal Data

Contact details provided by you on the contact us page, any relevant ongoing information to enable a transparent working relationship.  See policy for full details.

 

Purpose of collecting data

Pathways Matter – Data Protection Policy

1. Purpose of this Policy

This policy sets out how Pathways Matter CIC collects, uses, stores and protects personal data in line with the UK GDPR and Data Protection Act 2018.
Our approach is grounded in respect, dignity and transparency, reflecting our commitment to trauma‑informed and ethical practice.

2. Scope

This policy applies to:

  • All Pathways Matter CIC activities, including consultancy, training, research, engagement, evaluation and toolkit delivery
  • All personal data relating to clients, participants, partners, suppliers and any individuals whose information we process
  • All formats: digital, paper, audio, video and observational notes

3. Our Data Protection Principles

We follow the six UK GDPR principles. Personal data must be:

  • Lawful, fair and transparent
  • Collected for specific, explicit and legitimate purposes
  • Adequate, relevant and limited
  • Accurate and kept up to date
  • Stored only as long as necessary
  • Handled securely

These principles align with our trauma‑informed values: safety, trust, choice, collaboration and empowerment.

4. What Data We Collect

We may collect:

  • Contact details (name, email, phone, organisation)
  • Professional role and organisational information
  • Engagement or participation data (e.g., workshop contributions, survey responses, feedback)
  • Contractual and invoicing information
  • Optional demographic information where relevant to project aims
  • Any information individuals choose to share during engagement activities

We do not collect unnecessary or intrusive personal data.

5. How We Use Personal Data

We process data only for legitimate purposes, including:

  • Delivering consultancy, training and engagement projects
  • Managing contracts and communications
  • Analysing participation, insight and feedback
  • Producing anonymised reports for clients
  • Improving our services and resources
  • Meeting legal or regulatory obligations

We never sell personal data or use it for unrelated marketing.

6. Lawful Bases for Processing

Depending on the context, we rely on:

  • Contract – to deliver agreed services
  • Legitimate interests – for reasonable, proportionate business activities
  • Consent – for participation activities, recordings, or optional data
  • Legal obligation – where required by law

Where consent is used, it is informed, voluntary and withdrawable at any time.

7. Data Sharing

We may share data with:

  • Project partners or commissioners, only where necessary
  • Trusted suppliers (e.g., secure survey platforms)
  • Legal or regulatory bodies if required

We ensure:

  • Data sharing is minimal and purposeful
  • Data is anonymised wherever possible
  • Third parties meet UK GDPR standards

We never share identifiable data without a lawful basis.

8. Data Security

We use appropriate technical and organisational measures to protect data, including:

  • Encrypted devices and secure cloud storage
  • Strong access controls and password protection
  • Secure transfer methods
  • Minimal paper records
  • Regular review of data handling practices

9. Data Retention

We keep personal data only for as long as necessary:

  • Project data: typically 12–24 months after completion
  • Financial records: 6 years (legal requirement)
  • Participation data: anonymised as soon as possible

Retention periods may vary depending on contractual or legal requirements.

10. Individual Rights

Individuals have the right to:

  • Access their data
  • Correct inaccurate data
  • Request deletion
  • Restrict or object to processing
  • Withdraw consent
  • Request data portability (where applicable)

Requests are responded to within one month.

11. Data Breaches

If a data breach occurs:

  • We act immediately to contain and assess the breach
  • We notify affected individuals where there is a risk to their rights
  • We report to the ICO where legally required
  • We review and improve our processes to prevent recurrence

12. Contact

For questions, concerns or data requests, contact:
Pathways Matter CIC
ronnie@pathwaysmatter.co.uk

Information icon

We need your consent to load the translations

We use a third-party service to translate the website content that may collect data about your activity. Please review the details in the privacy policy and accept the service to view the translations.