Policies of DiversitiQ

DIVERSITIQ CIC – DATA PROTECTION, PRIVACY & INFORMATION SECURITY POLICY

Version 1.0 | December 2025

1. Introduction

DiversitiQ CIC is committed to protecting the privacy, confidentiality and security of all personal information we process. This policy outlines our approach to data protection, information security, storage, retention, deletion, audit and assurance. It applies to all staff, associates, contractors and anyone working on behalf of DiversitiQ CIC.

Our practices comply with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)
  • Information Commissioner’s Office (ICO) Code of Practice

This policy is reviewed annually or sooner if legislation, organisational operations or risks change.

2. Scope

This policy applies to all personal data processed by DiversitiQ CIC, including:

  • personal data of clients, learners and professionals
  • organisational contacts
  • staff and associate information
  • data collected through training, events, enquiries or digital platforms

It covers data processing in all formats: digital, audio, and written.

3. Data Protection & Privacy Policy

DiversitiQ CIC is committed to the principles of data protection:

3.1 Lawfulness, Fairness & Transparency

We process data lawfully based on:

  • consent
  • legitimate interests
  • contractual requirements
  • legal obligations

We communicate clearly with data subjects about how their data is used.

3.2 Purpose Limitation

Data is collected for specific, explicit purposes and never used for incompatible reasons.

3.3 Data Minimisation

We only collect data necessary for delivery, administration or legal obligations.

3.4 Accuracy

We maintain accurate, up-to-date records and correct inaccuracies promptly.

3.5 Storage Limitation

Data is kept only as long as necessary, following our retention schedule.

3.6 Integrity & Confidentiality

We use secure storage, access control and encryption to protect data.

3.7 Accountability

We document compliance, maintain internal procedures and undertake regular reviews.

4. Storage, Handling & Access to Personal Data

DiversitiQ CIC applies strict measures to ensure secure handling of all personal data.

4.1 Secure Storage

  • All data is stored in encrypted cloud environments with MFA (multi-factor authentication).
  • No unencrypted data is stored locally.
  • Devices used for work are encrypted and password protected.

4.2 Access Control

  • Access is limited strictly on a need-to-know basis.
  • Staff and associates receive permissions appropriate to their role.
  • Access rights are reviewed regularly.

4.3 Secure Transfer of Data

  • Sensitive files are transferred using encrypted email, password protection or secure cloud sharing.
  • Personal data is never transferred outside the UK/EEA unless adequate safeguards exist.

4.4 Confidentiality

All staff and associates are bound by confidentiality obligations.

5. Information Retention & Deletion Policy

DiversitiQ CIC follows a defined retention schedule:

5.1 Retention Principles

  • Data is retained only for the minimum period necessary.
  • Retention periods are based on statutory guidance, contractual needs and legitimate business interests.
  • A retention review takes place annually.

5.2 Deletion Processes

  • Digital data is permanently deleted from cloud systems when no longer needed.
  • Physical data (rarely used) is shredded or securely destroyed.
  • Backups that contain personal data are included in deletion cycles.

5.3 Retention Period Examples

  • Client/learner administrative data: up to 24 months
  • Contract documents: 6 years (legal obligation)
  • Enquiry forms/emails: 6–12 months
  • Training registers: 12 months unless required longer by contract

A full retention and deletion schedule is available on request.

6. Information Security Policy

DiversitiQ CIC maintains robust information security measures appropriate to a modern, remote-first organisation.

6.1 Technical Measures

  • Device encryption
  • Firewalls and antivirus protection
  • Multi-factor authentication (MFA)
  • Regular software updates
  • Secure Wi-Fi networks only
  • Automatic cloud backups

6.2 Organisational Measures

  • Staff training on data protection and cyber hygiene
  • Access restriction for personal data
  • Incident reporting procedures
  • No use of personal devices without prior approval

6.3 Third-Party Processors

We only use third-party services that meet GDPR requirements (e.g., encrypted cloud platforms, trusted training systems).

6.4 Data Breach Response

In the event of a suspected or confirmed breach:

  1. The Data Protection Officer (DPO) is notified immediately.
  2. The breach is investigated and contained.
  3. Individuals and the ICO are notified within 72 hours if required.
  4. Actions and lessons learned are recorded.

7. Audit & Assurance

DiversitiQ CIC conducts regular checks to ensure compliance with data protection requirements.

7.1 Internal Audits

Internal audits include:

  • Reviewing access logs
  • Confirming correct deletion of expired records
  • Monitoring policy adherence
  • Reviewing incident logs
  • Ensuring processing activities match documentation

7.2 Evidence

We maintain documentation to demonstrate compliance, including privacy notices, data maps, risk assessments and impact assessments where required.

8. Privacy Notice

Our Privacy Notice outlines:

  • Categories of personal data we collect
  • How and why data is used
  • Lawful bases for processing
  • Retention periods
  • Sharing of data with third parties
  • Data subject rights
  • Contact details for the Data Protection Officer

This notice is publicly available on our website and shared with clients when appropriate.

9. Data Subject Rights

DiversitiQ CIC supports the rights of individuals to:

  • Access their data
  • Request rectification
  • Request erasure
  • Object to processing
  • Request restriction
  • Request data portability

Requests are acknowledged within 72 hours and fulfilled within one calendar month.

10. Responsibilities

  • Data Protection Officer (DPO):
    Dan Harbord — responsible for GDPR compliance, breach management, training, audits and policy oversight.
  • All staff and associates:
    Must follow all data protection and information security procedures.

11. Review of This Policy

This policy is reviewed annually or in response to:

  • legislative updates
  • organisational changes
  • findings from audits or incidents
  • client requirements

12. Approval

Approved by:
Dan Harbord
Founder & Lead Consultant
DiversitiQ CIC
Date: December 2025


Telephone: 0330 133 1218    |    E-mail: support@diversitiq.org

Contact hours:

We’re available Monday to Friday, 9 AM – 5 PM (UK time).

If you contact us outside these hours, we’ll get back to you as soon as we can.

©Copyright. All rights reserved.
DiversitiQ is a CIC Limited by guarantee. Registered company number: 16884029
