Data Protection and Privacy Policy
The Community Hall Grizebeck CIO
Introduction
The Community Hall Grizebeck CIO (Charity No. CIO 1178759) is committed to protecting the rights and privacy of all individuals whose personal information we collect and process.
We collect and use certain types of personal data in order to manage the hall, administer bookings, communicate with users, support fundraising activities, comply with legal obligations and carry out our charitable purposes.
We are committed to handling personal information lawfully, fairly and transparently in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Personal information may be held electronically or in paper records and may include correspondence, booking information, photographs, financial records and meeting minutes.
The Community Hall Grizebeck CIO is the Data Controller for all personal data it processes.
Committee members, employees and volunteers who have access to personal information are responsible for ensuring that such information is handled securely and in accordance with this policy.
Purpose of this Policy
What personal information we collect
- Why we collect it
- How we use and store it
- How long we retain it
- The rights individuals have regarding their personal information
- The procedures we follow to protect personal data
Definitions
Data Controller
The Community Hall Grizebeck CIO, acting through its management committee, determines the purposes and means of processing personal information.
Data Subject
Any living individual whose personal information is held by the organisation.
Personal Data
Any information relating to an identified or identifiable living person, including names, addresses, telephone numbers and email addresses.
Special Category Data
Personal information requiring additional protection, including information relating to:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Health information
- Sexual orientation
- Genetic or biometric data
Processing
Any operation performed on personal data, including collection, storage, use, amendment, disclosure or deletion.
Information Commissioner’s Office (ICO)
The UK’s independent authority responsible for upholding information rights and enforcing data protection legislation.
Data Protection Principles
The Community Hall Grizebeck CIO will comply with the principles of UK GDPR. Personal data will be:
- Processed lawfully, fairly and transparently.
- Collected only for specified, explicit and legitimate purposes.
- Adequate, relevant and limited to what is necessary.
- Accurate and kept up to date where necessary.
- Retained only for as long as necessary.
- Processed securely using appropriate technical and organisational measures.
- Managed in a manner that demonstrates accountability and compliance.
How We Use Personal Information
We collect personal information for purposes including:
- Managing hall bookings and enquiries
- Communicating with users, hirers and supporters
- Administering events and activities
- Managing volunteers and employees
- Maintaining financial records
- Fundraising activities
- Meeting legal and regulatory obligations
Access to personal information is restricted to authorised committee members, employees and volunteers who require it for legitimate operational purposes.
Where individuals need to be identified in publicly available documents such as minutes, initials may be used instead of full names where appropriate.
Individual Rights
Under UK GDPR individuals have the right to:
- Be informed about how their data is used
- Access their personal information
- Request correction of inaccurate information
- Request deletion of information where appropriate
- Restrict or object to processing in certain circumstances
- Request data portability where applicable
- Lodge a complaint with the Information Commissioner’s Office
Requests relating to personal information should be submitted in writing.
Subject Access Requests will normally be responded to within one calendar month.
Reasonable evidence of identity may be requested before information is released.
Responsibilities
The management committee is responsible for ensuring compliance with UK GDPR and the Data Protection Act 2018.
The committee will:
- Collect and use information fairly
- Clearly define the purposes for processing information
- Collect only information necessary for those purposes
- Maintain the accuracy of information held
- Protect the rights of data subjects
- Implement appropriate security measures
- Ensure staff and volunteers understand their responsibilities
- Review data protection practices regularly
Any breach of this policy by committee members, employees or volunteers may result in appropriate action being taken.
Data Protection Contact
The Community Hall Grizebeck CIO is not legally required to appoint a Data Protection Officer.
Any data protection enquiries should be directed to:
Hall Manager
Email: hall.manager@grizebeckhall.co.uk
The Community Hall at Grizebeck CIO
Kirkby-in-Furness, Grizebeck
Cumbria LA17 7XH
Privacy Notice
Who We Are
This privacy notice explains how The Community Hall Grizebeck CIO collects, uses and protects personal information through our website:
www.grizebeckhall.co.uk
By using our website you acknowledge that we may process your personal information in accordance with this notice.
Information We Collect
Contact Forms
When you submit a booking enquiry or other request through our website, we may collect:
- Name
- Email address
- Telephone number
- Booking details
- Any information you choose to provide
This information is used solely to respond to your enquiry and administer bookings.
Cookies
Our website may use essential cookies required for the operation and security of the website.
These cookies do not collect personal information for advertising purposes.
Embedded Content
Pages on our website may include embedded content such as videos, maps or social media feeds.
Embedded content from other websites behaves as though you have visited those websites directly and may collect information in accordance with their own privacy policies.
Website Analytics
We use Cabin Analytics, a privacy-focused analytics platform.
Cabin Analytics does not use cookies and does not collect personally identifiable information. It provides anonymous statistics about website usage to help us improve our website and services.
Sharing Information
- Professional advisers such as accountants or solicitors
- Service providers supporting our operations
- Government or regulatory bodies where legally required
We may share personal information where necessary with:
We do not sell personal information to third parties.
International Transfers
Where third-party service providers process data outside the United Kingdom, we will ensure appropriate safeguards are in place in accordance with UK GDPR requirements.
Website Hosting
Our website is hosted by a UK-based hosting provider and stored within secure data centres operating appropriate information security controls.
Data Retention
Personal information will only be retained for as long as necessary for the purpose for which it was collected or to meet legal obligations.
Typical retention periods include:
- Financial records: 6 years after the end of the relevant financial year
- Booking records: up to 6 years where required for accounting or legal purposes
- Accident records: in accordance with current health and safety requirements
- Governance records, minutes and legal documents: retained permanently where appropriate for historical and legal purposes
Employee Records
Employment records will be retained in accordance with legal and operational requirements.
Unless a longer retention period is required by law, employment records will normally be retained for six years after employment ends.
Certain records relating to pensions, taxation, health and safety or safeguarding may be retained longer where legally required.
CCTV
The Community Hall Grizebeck CIO operates CCTV covering the exterior of the building for security and crime prevention purposes.
- Images are retained for approximately one calendar month unless required for investigation.
- Access is restricted to authorised committee members.
- Footage may be shared with law enforcement agencies where appropriate.
Photography
The Community Hall Grizebeck CIO may use photographs of events for publicity and promotional purposes where there is a lawful basis to do so.
Photographs of children will only be used with the consent of a parent or guardian.
At larger public events, signage may be displayed informing attendees that photography may take place and providing an opportunity to opt out where reasonably practicable.
Hirers are encouraged to follow similar good practice.
Data Security
Appropriate technical and organisational measures will be implemented to protect personal information against:
- Unauthorised access
- Unauthorised disclosure
- Loss
- Misuse
- Alteration
- Destruction
These measures include:
- Password-protected devices
- Secure storage systems
- Restricted access to personal information
- Regular software updates where appropriate
Committee members, employees and volunteers must take reasonable steps to protect personal information at all times.
Portable Devices
Any laptop, tablet or mobile device used to access personal information should be password protected and secured against unauthorised access.
Devices should never be left unattended in public places or visible within unattended vehicles.
Personal information should only be shared by email where necessary.
When emailing multiple recipients who do not know one another, blind carbon copy (BCC) should normally be used to protect privacy.
Emails containing personal information should be retained only where there is a legitimate operational need.
Disclosure of Information
Personal information may be disclosed without consent where permitted or required by law, including:
Safeguarding concerns
• Compliance with legal obligations
• Prevention or detection of crime
• Legal proceedings or obtaining legal advice
• Protection of vital interests
Any other disclosures will normally require an appropriate lawful basis or consent.
Policy Review
This policy will be reviewed periodically and updated to reflect changes in legislation, guidance and organisational practice.
Last Reviewed: May 2026
