Privacy Statement

As the service we provide changes, we may change our privacy statement from time to time so please check back periodically. This Privacy Statement was last reviewed in March 2025

If you have any queries about this statement, please contact the Data Protection Officer via email dataprotection@cacornwall.org.uk

At Citizens Advice Cornwall, we collect and use your personal information to help solve your problems, improve our services and tackle wider issues in society that affect people’s lives. We only ask for the information we need. We always let you decide what you’re comfortable telling us, explain why we need it and treat it as confidential.

When we record and use your personal information, we:

• only access it when we have a good reason
• only share what is necessary and relevant
• don’t sell it to anyone

We collect and use the details you give us so we can help you. We have a ‘legitimate interest’ to do this under data protection law. This means it lets us carry out our aims and goals as an organisation. We’ll always explain how we use your information.

At times we might use or share your information without your permission. If we do, we’ll always make sure there’s a legal basis for it. This could include situations where we must use or share your information:

• to comply with the law – for example, if a court orders us to share information. This is called ‘legal obligation’
• to protect someone’s life – for example, sharing information with a paramedic if a client was unwell at our office. This is called ‘vital interests’
• to carry out our legitimate aims and goals as a charity – for example, to create statistics for our national research. This is called ‘legitimate interests’
• for us to carry out a task where we’re meeting the aims of a public body in the public interest – for example, delivering a government or local authority service. This is called ‘public task’
• to carry out a contract we have with you – for example, if you’re an employee we might need to store your bank details so we can pay you. This is called ‘contract’
• to defend our legal rights – for example, sharing information with our legal advisors if there was a complaint that we gave the wrong advice

We handle and store your personal information in line with the law – including the UK General Data Protection Regulation and the Data Protection Act 2018.

You can check our main Citizens Advice policy for how we handle most of your personal information.

This page covers how we, as your local charity, handle your information locally in our offices.

Who’s responsible for looking after your personal information

The national Citizens Advice charity and your local Citizens Advice operate a system called Casebook to keep your personal information safe. This means they’re a ‘joint data controller’ for your personal information that’s stored in our Casebook system.

Each local Citizens Advice is an independent charity, and a member of the national Citizens Advice charity. The Citizens Advice membership agreement also requires that the use of your information complies with data protection law.

When you share your experience of the impact of our support services, we may contact you to ask if we can add your testimony to our case study database.

If your story is added to our case study database, we will collect your name, email address, and any personal information that you choose to volunteer to us as part of your experience. We may want to publish your story on our website, in our publications, in the media, or via our marketing channels, but we will always ask for your permission before doing so. You also have the option to ask, if your story is published, that we do so anonymously. You can change your preferences at any time by contacting dataprotection@cacornwall.org.uk

We will use your information to help us demonstrate the value of Citizens Advice Cornwall through personal testimony, and to encourage more people to reach out and seek support. We may use your personal information to contact you to learn more about you and your experience, and for the purposes of Equity, Diversity and Inclusion monitoring and analysis.

Citizens Advice Cornwall needs to collect, use, store and share certain information about workforce member applicants (this includes for both employed and volunteer roles) to manage their applications and involvement with the organisation. This is collated and stored on our Human Resources Management System. This tool manages and processes potential and successful applications. We use information about workforce and potential workforce members for the following purposes:

• To answer your questions: If you contact us through our website, by phone, post of email in relation to working/volunteering with us you may be asked to give your personal details for us to get in touch. Where appropriate, we may share your information with relevant people within the organisation to allow them to get in touch to discuss employed or volunteering opportunities.
• To process your application: The information you provide on your application will be used to process your application and decide about whether you will be accepted into Citizens Advice Cornwall. Your application will be shared with relevant people within the organisation.
• To monitor Equity, Diversity and Inclusion amongst applicants and workforce: One of our goals is that our workforce is representative of the communities that we live and work in. To monitor how well we are progressing against this goal, you may be asked some questions relating to sensitive categories of personal information including your gender identity, ethnicity, sexual orientation and disability status. We will seek your explicit consent to use this data for our purposes, which you can amend at any time by emailing dataprotection@cacornwall.org.uk

If your application is successful, throughout the course of your onboarding and volunteering journey we may collect and store additional information about you for the following purposes:

• To check for relevant criminal history: We undertake background checks (DBS) on all workforce members to help us to make safe recruitment decisions and determine whether an applicant with relevant offences is suitable to volunteer or be employed by us. We will keep a record of DBS checks for the duration of your time with the organisation. Where a potential application is declined due to risks identified during the criminal record check, records of this are retained 6 months. This is in line with our retention policy for data held regarding unsuccessful applicants as outlined below.
• To monitor training: When releasing mandatory training we believe it is within our legitimate interest to monitor the completion of that training and take action where this is not complete. We may use data from different internal sources to identify when someone who is actively part of our workforce has not undertaken training.
• To investigate complaints: Interactions between clients and our workforce are stored on our Case Management System and may be used to support investigation of specific incidents and complaints, for example, it may be used to identify which volunteer handed a case that gives rise to a complaint from the client.
• To conduct investigations into workforce conduct: There may be circumstances where we are required to investigate your conduct as a result of a complaint or allegation made against you. This will be dealt with under our internal policies. As part of an investigation, we may collect information from you and others involved for the purpose of assisting with our investigation of the matter and retain this for an appropriate period in order to evidence appropriate internal investigations into serious matters in line with our obligations to safeguard our clients, volunteers and employees.
• To make referrals to relevant bodies following investigations: In some cases, it may be necessary for reasons of substantial public interest and under our regulatory obligations to share information relating to serious misconduct with third parties such as the charity commission, the disclosure and barring service or professional associations. Where there is a requirement to do this without your consent, we will always ensure that we have undertaken the appropriate assessments to ensure that this sharing is lawful.
• To process expenses: If you are eligible to reclaim expenses associated with your role, we will process information about any expenditure including amount and type of expense, as well as your name and bank account details, to determine whether your expenses should be refunded and to make any resultant payment to you.

We keep unsuccessful applicants’ data for 6 months from the date we notify the applicant of the outcome of the recruitment exercise. are kept for 6 years from the date employment/volunteering ceases with the organisation. We consider that it is in our legitimate interests to process your personal data in connection with your employed/volunteering journey with us as described above. Where other legal basis applies, we will detail these in our privacy statement.

Our website may contain links to the websites of other organisations that we believe may be of interest. We are not responsible for the content of these websites, and we recommend that you read the privacy policy for the relevant organisation before sharing any personal or financial information.

When you visit our website and use our online resources, we may use cookies (and similar technologies such as tags) to make the website work. We also use optional cookies including Google Analytics cookies to analyse the effectiveness of our content and advertising. These cookies are subject to Google’s terms, which you can read here: How Google uses information from sites or apps that use our services – Privacy & Terms – Google.

When you first visit our website, we will ask for consent to set any cookies (and to process any personal data collected by those cookies) which are not strictly necessary to make our pages work. Please see our Cookie Policy for further information and to change your preferences.

If you consent to performance cookies, we will use Google Analytics and Microsoft Clarity to measure how the website is performing and to find out how different features are used so that we can improve them.

We operate accounts and groups across various social media platforms (Facebook, Twitter, Instagram, etc.) to increase awareness of our services and events and engage in conversation with our supporters. We do not provide our emotional support services via any of these platforms.

If you share personal information on our social media posts, your information will be publicly available. Such information can be viewed online and collected by third parties. We recommend that you avoid sharing information that be used to identify you (such as your age, email address or location) and always check the privacy policy of the platform you are using to ensure you are happy with how they may use your information. We moderate public comments on our social media profiles, and we may delete, hide or block content or users to keep our online communities safer.

Most of our premises are in shared spaces, some of these spaces operate CCTV systems, so you may be recorded when you visit them. CCTV is installed for their security, to protect yourself, their own staff or volunteers, as well as other organisations such as us. CCTV footage will only be viewed when necessary (for example to detect or prevent a crime) and is only stored on a temporary basis, other than where it has been flagged for review.

We will never sell your personal information.

Where we work with or share your personal information with another organisation, we ensure that these relationships are regulated through appropriate contractual agreements. Where possible and appropriate we will maintain control of data shared with third parties and ensure that processing only takes place on our instruction and in line with our purposes.

From time to time, we may also need, or be required, to share your information with law enforcement, public authorities, regulators and/or our professional advisers. We will only do so where we have a clear lawful basis for doing so, as detailed throughout this privacy statement

We only keep your personal information for as long as required, depending on what it was collected for, and in accordance with legal requirements and tax and accounting rules.

Most information will be kept for 3-16 years (usually 6 years), but the exact time frame will depend on the nature of the information.

If you have told us that you don’t want to be contacted by Citizens Advice Cornwall, we will keep your details on a ‘suppression’ list to help ensure that we do not continue to contact you.

Citizens Advice Cornwall uses ‘cloud-based’ applications provided by external suppliers to collect, store and handle some types of personal information. These suppliers (e.g., Microsoft) may be based outside of the UK or the EEA. Where this is the case, we ask suppliers to provide evidence that they have the appropriate measures in place to ensure that your personal information is kept safe, and we have taken steps to protect that data which is subject to transfer outside the UK and the EEA.

We will always seek to ensure that appropriate or suitable safeguards are in place to protect your personal information and that storage of your personal information in in compliance with applicable data protection laws.

You have the right to be informed about the collection and use of your personal information. We aim to satisfy this right through the provision of this privacy statement.

You have the right to access and receive a copy of the personal information that we hold about you. This is commonly referred to as a subject access request.

Please note that if we are unable to verify your identity, for example if you contact the service anonymously or use a different name to do so, it may not be possible to provide you with the information requested.

You have the right to have inaccurate personal information rectified or completed if it is incomplete. This is most likely to be relevant to client data, for which you can contact the Admin Team, emailing admin@cacornwall.org.uk or telephone on 03333 448 385.

You have the right to request that we delete personal information we hold about you. This is also known as the ‘right to be forgotten’. This right may not apply where we still require the data for the purposes for which it was collected, where an overriding legitimate interest or other exemption applies.

You have the right to request the restriction or suppression of your personal information. This is not an absolute right and only applies in certain circumstances. These requests will be assessed on a case-by-case basis.

You have the right to request for us to provide your personal data in a structured, commonly used and machine-readable format. You can also request that we transmit this data to another controller. This only applies to personal data you have provided to us.

You have the right to object to the processing of your personal data in certain circumstances. Where this is the case, we have provided relevant contact details throughout this privacy statement.