Data Protection Policy, including Key Procedures

Name of organisation: Downstream Solutions CIC Ltd

Address for correspondence: or by post to 12 Fryth Wood Chepstow, Monmouthshire NP16 6DU

Aims of this Policy

Downstream Solutions CIC Limited needs to keep certain information on its employees, partners and customers to carry out its day to day operations, to meet its objectives and to comply with legal obligations. The organisation is committed to ensuring any personal data will be dealt with in line with the Data Protection Act 1998. To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.  The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights key data protection procedures within the organisation.

This policy covers Company Directors, employees and contractors


In line with the Data Protection Act 1998 principles, Downstream Solutions CIC Limited will ensure that personal data will:

  • Be obtained fairly and lawfully and shall not be processed unless certain conditions are met
  • Be obtained for a specific and lawful purpose
  • Be adequate, relevant but not excessive
  • Be accurate and kept up to date
  • Not be held longer than necessary
  • Be processed in accordance with the rights of data subjects
  • Be subject to appropriate security measures
  • Not to be transferred outside the European Economic Area (EEA)

The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes some paper based personal data as well as that kept on computer.

The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. The organisation will seek to abide by this code in relation to all the personal data it processes, i.e.

  • Accountability: those handling personal data follow publicised data principles to help gain public trust and safeguard personal data.
  • Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.
  • Consent: The collection and use of personal data must be fair and lawful and in accordance with the DPA’s eight data protection principles. Personal data should only be used for the purposes agreed by the data subject. If personal data is to be shared with a third party or used for another purpose, the data subject’s consent should be explicitly obtained.
  • Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data.
  • Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data life span.

Type of information processed

Downstream Solutions CIC Limited processes the following personal information:

  • Email addresses of customers/partners/suppliers
  • Telephone numbers of customers/partners/suppliers
  • Social media ‘handles’

All of which may be personal as many of our contacts will be working as volunteers for small organisations.  All of which may contain information that can be used to identify where an individual works.

Personal information is kept in the following forms:

  • Electronic,
    • in email lists/groups and/or
    • in workflow management software e.g. basecamp
    • in telephone contact lists on devices
    • address (occasional, when offered by the person to help arrange a meeting at their home)
  • On paper: by exception, occasionally, a company representative may write a telephone number, address, in their notebook

Groups of people within the organisation who will process personal information are:

  • The company Directors
  • Selected future contractors


Downstream Solutions CIC Limited is registered with the Information Commission

If there are any interim changes, these will be notified to the Information Commissioner within 28 days. 


Under the Data Protection Guardianship Code, overall responsibility for personal data in a not for profit organisation rests with the governing body. In the case of 3MT Limited, this is the company directorsThe company directors are jointly responsible for:

  • understanding and communicating  obligations under the Act
  • identifying potential problem areas or risks
  • producing clear and effective procedures
  • notifying and annually renewing notification to the Information Commissioner, plus notifying of any relevant interim changes

All employed staff, trustees and volunteers who process personal information must ensure they not only understand but also act in line with this policy and the data protection principles.

Breach of this policy will result in an investigation and disciplinary action will be considered.  This will be led by the company directors.  It may be appropriate, in some cases as determined by two or more of the directors, to invite in an independent 3rd party view.


To meet our responsibilities staff, volunteers and contractors will:

  • Ensure any personal data is collected in a fair and lawful way;
  • Explain why it is needed at the start;
  • Ensure that only the minimum amount of information needed is collected and used;
  • Ensure the information used is up to date and accurate;
  • Review the length of time information is held;
  • Ensure it is kept safely;
  • Ensure the rights people have in relation to their personal data can be exercised

We will ensure that:

  • Everyone managing and handling personal information is trained to do so.
  • Anyone wanting to make enquiries about handling personal information, whether a member of staff, volunteer or service user, knows what to do;
  • Any disclosure of personal data will be in line with our procedures.
  • Queries about handling personal information will be dealt with swiftly and politely.


Training and awareness raising about the Data Protection Act and how it is followed in this organisation will take the following forms:

On induction: staff, volunteers and contractors will be required to read this policy and raise any issues and questions.

General training/ awareness raising: will be provided whenever this policy is updated

Downstream Solutions CIC Limited:

All people who are given access to Downstream Solutions CIC Limited datasets (that hold data that is covered by the Data Protection Act) will be asked to read and sign a declaration (verbal confirmation backed up by email is acceptable) to confirm their understanding and agreement to this policy.

3MT Limited will password protect any documents and/or systems that hold personal information.  Those passwords will only be made available to legitimate people who have signed to confirm their understanding and agreement to this policy (as above).

Gathering and checking information

Before personal information is collected, we will consider:

  • whether it is appropriate under the criteria of the exemption;
  • the value of the data and any whether the risks involved in obtaining, using and storing it are proportionate;
  • the appropriate methods for storing it securely;
  • who and how we can safely and securely share it with

Downstream Solutions CIC Limited will normally only collect data that enables it to contact its customers and partners, and to develop and target its own products, services and marketing activities.  In most cases, contact information will be offered by the owner for that explicit intent.

We will inform people whose information is gathered about how we may use their data and with who, through our web platform terms and conditions.

We will take the following measures to ensure that personal information kept is accurate: We will provide the facility for users to update their own personal information.

Personal sensitive information will not be used apart from the exact purpose for which permission was given.

Data Security

The organisation will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:

  • Downstream Solutions CIC Limited will password protect any documents and/or systems that hold personal information.  Those passwords will only be made available to legitimate people who have signed to confirm their understanding and agreement to this policy (as above).  Downstream Solutions CIC Ltd is a ‘digital by default’ organisation.  Any paper records that are made will be uploaded to a digital system and the paper copy destroyed.
  • Any unauthorised disclosure of personal data to a third party by an employee may result in disciplinary proceedings as described above.
  • Any unauthorised disclosure of personal data to a third party by a volunteer or trustee may result in disciplinary proceedings as described above.

Subject Access Requests

Anyone whose personal information we process has the right to know:

  • What information we hold and process on them
  • How to gain access to this information
  • How to keep it up to date
  • What we are doing to comply with the Act. 

They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong.

Individuals have a right under the Act to access certain personal data being kept about them on computer and certain files.  Any person wishing to exercise this right should apply in writing to Downstream Solutions CIC Limited, 2 Green End, Hebden Bridge HX7 8SQ.

We may make a charge of £10 on each occasion access is requested.

The following information will be required before access is granted:

  • Full name and contact details of the person making the request
  • Their relationship with the organisation (former/ current member of staff, trustee or other volunteer, service user

To ensure that we protect personal information we will also require proof of identity before access is granted. The following forms of ID will be required:photographic identification such as a driving licence, passport or identity card issued by the country of residency.

We will aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within the 40 days required by the Act from receiving the written request and £10.00 fee. 


This policy will be reviewed annually to ensure it remains up to date and compliant with the law.