Data Protection & Privacy Policy

Workplace Equity
Last updated: 20/02/2026

1. Introduction

Centre for Workplace Equity (“we”, “us”, “our”) is committed to protecting and respecting your privacy. This policy explains how we collect, use, store, and protect personal data in accordance with:

The UK General Data Protection Regulation (UK GDPR)
The Data Protection Act 2018
Applicable Scottish law

We are registered in Scotland.

Data Controller: Centre for Workplace Equity, Office 2 / 3, 48 West George Street, Glasgow G2 1BP; alexander.colling@workplaceequity.org)

2. What Personal Data We Collect

We may collect and process the following categories of personal data:

a) Identity Data
Name
Job title
Organisation name

b) Contact Data
Email address
Telephone number
Postal address

c) Technical Data
IP address
Browser type and version
Device information
Website usage data (via cookies)

d) Correspondence Data
Information you provide via contact forms
Email communications
Event registrations

e) Special Category Data
See below

3. Board Recruitment & “Join Us” Applications

When you apply to join Workplace Equity’s Board or express interest through our “Join Us” page, we may collect and process:

Name and contact details
Curriculum vitae (CV)
Employment history
Professional qualifications
Personal statements or cover letters
Diversity and equality monitoring information (where voluntarily provided)
Any other information you choose to share relevant to your application

Special Category Data
As part of our commitment to equity and inclusive governance, we may collect special category data, such as:

Race or ethnicity
Gender identity
Sexual orientation
Disability status
Health information (if relevant to reasonable adjustments)
Trade union membership

This data will only be processed where:
You have given explicit consent; or
Processing is necessary for reasons of substantial public interest (equality monitoring) in accordance with the Data Protection Act 2018.

Providing diversity data is entirely voluntary and will not negatively affect your application.

4. Lawful Bases for Processing

We process personal data under one or more of the following lawful bases:

Consent – where you have given clear permission (e.g. diversity monitoring, newsletter sign-ups)
Contract – where processing is necessary to take steps prior to entering into a contract (e.g. Board appointment)
Legal obligation – where we must comply with charity, governance, or regulatory requirements
Legitimate interests – including recruitment, governance, and organisational development
Substantial public interest – where applicable to equality monitoring

5. How We Use Your Data

We use personal data to:

Respond to enquiries
Deliver services and consultancy work
Manage events and training
Process Board and volunteer applications
Assess suitability for governance roles
Ensure diverse and equitable recruitment processes
Carry out reference checks (where applicable)
Communicate with applicants about outcomes
Meet legal and regulatory obligations
Improve our website and services

We will never sell your personal data.

6. Data Sharing

We may share data with:

Board members involved in recruitment decisions
IT and website service providers
Professional advisers (legal, financial)
Regulators or authorities where required by law

All third-party processors are required to process data securely and in accordance with UK GDPR.

7. International Transfers

Centre for Workplace Equity operates internationally, and our Board members are located in different countries. As a result, personal data may be accessed from, or transferred to, countries outside the United Kingdom.

We use Google Workspace (provided by Google LLC) to store, process, and share organisational information, including Board recruitment materials, governance documents, and correspondence.

Google as Data Processor

Google acts as a data processor on our behalf under Article 28 of the UK General Data Protection Regulation (UK GDPR). We have entered into appropriate data processing terms with Google, which set out:

The subject matter and duration of processing
The nature and purpose of processing
The types of personal data processed
The categories of data subjects
Google’s obligations to implement appropriate technical and organisational security measures
Google processes personal data only in accordance with our documented instructions.

International Transfers

Because Google operates a global infrastructure and our Board members are located internationally, personal data may be:

Stored on secure servers located outside the UK
Accessed by authorised Board members in different jurisdictions
Transferred across international data centres as part of Google’s infrastructure operations

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR. These safeguards may include:

Transfers to countries subject to UK adequacy regulations
The use of the UK International Data Transfer Agreement (IDTA)
Standard contractual clauses or other approved transfer mechanisms
Google’s contractual commitments regarding international data transfers

Security Measures

We take appropriate technical and organisational measures to protect personal data, including:
Encryption of data in transit (TLS)
Encryption of data at rest within Google’s infrastructure
Access controls and role-based permissions
Multi-factor authentication for authorised users
Secure password requirements
Device-level security protections
Restricted access to Board recruitment and governance materials
Regular review of access rights

Board members are required to maintain confidentiality and comply with our data protection obligations when accessing or processing personal data.

8. Data Retention

We retain personal data only for as long as necessary.

Typical retention periods include:

Successful Board applicants: duration of appointment plus 6 years
Unsuccessful Board applicants: up to 12 months after recruitment concludes
Equality monitoring data: anonymised as soon as practicable
Client records: 6 years after contract completion
Financial records: 6 years
Enquiry data: 12 months

Data is securely deleted or anonymised once no longer required.

9. Your Rights

Under UK GDPR, you have the right to:

Access your personal data
Request correction of inaccurate data
Request erasure (“right to be forgotten”)
Restrict processing
Object to processing
Data portability
Withdraw consent at any time
Lodge a complaint with the Information Commissioner's Office

ICO contact details:

https://ico.org.ukWebsite:

Helpline: 0303 123 1113

We aim to respond to all requests within one month.

10. Data Security

We implement appropriate technical and organisational measures including:

Secure servers and encrypted connections (SSL)
Access controls and password protection
Restricted access to recruitment data
Confidentiality obligations for Board members
Regular software updates
Secure disposal of data

11. Cookies

Our website uses cookies to:

Ensure website functionality
Analyse traffic
Improve user experience

You can manage cookie preferences through your browser settings. A separate Cookie Policy may provide further details.

12. Children's Data

Our services and governance opportunities are not directed at children under 16. We do not knowingly collect personal data from children.

13. Changes to this Policy

We may update this policy from time to time. The latest version will always be available on our website.

14. Contact Us

If you have any questions, please contact us at alexander.colling@workplaceequity.org