CCTPA has created this Privacy Notice in order to demonstrate our firm commitment to data privacy. It explains how we collect your personal data, the data we hold, what we do with that data, and how long we keep it for. Your privacy is important to us, and we are committed to upholding the data protection principles and protecting your data privacy rights.
This privacy notice tells you what to expect us to do with your personal information when you make contact with us or use one of our services.
- Last Updated
This privacy notice was last updated on the 1st November 2021.
We will update this Notice from time to time and you should review it whenever you visit our website or before providing us with any personal data about yourself.
- Who we are
The CIPFA CPRAS Technology Procurement Association (CCTPA) is a UK-based company, a collaboration between CIPFA and CPRAS, the purpose of which is to help put public money to better use through the procurement of frontier technology solutions.
The CCTPA is the controller for the personal information we process, unless otherwise stated.
There are many ways you can contact us, including by phone, email, fax and post. More details can be seen here.
You can contact our Data Protection Manager for data protection related matters as follows:
Post: Data Protection Manager, CCTPA, 77 Mansell Street, London, E1 8AN
- Data we collect
This section details the personal data we collect and how we collect it.
a. Data you provide to us
Most of the personal information we process is provided to us directly by you for one of the following reasons:
- website registration
- CCTPA Membership application
- product enquiries
- enquiries and bookings for an event or a course
- you have made a complaint or enquiry to us
- you have made an information request to us
- you subscribe to our e-newsletter
- you have applied for a job or secondment with us
- you are representing your organisation
‘Data’ and ‘personal information’ can include, but is not limited to: names, address, date of birth, email address, telephone number, job title, work place address and other contact details, ethnicity, marital status, title, professional qualifications, employment details, referees and next of kin information, and social media details.
We also receive personal information indirectly, in the following circumstances:
- where it’s provided by local authorities and subsequent third party contactors of CCTPA
- an employee/member of ours give us your contact details as an emergency contact or a referee.
Where data has been gathered indirectly, if it is not disproportionate or prejudicial, we will contact you to let you know we are processing your personal information.
b. Data from your workplace or professional organisation
Your workplace or professional organisation may provide CCTPA with your personal information as part of their engagement with us.
c. Data from third parties
Where permitted, CTPA may collect your personal information from third parties and publicly available sources such as websites and professional registers. For example, as a finance director of a public body your contact details may appear on your corporate website and CCTPA may use these details to provide you with information regarding public sector finance best practice guidance or other regulatory information. We may process your data from marketing lists. If we gather your data by these means we will follow the relevant guidance from the ICO to ensure we comply with the applicable UK data protection legislation.
d. Services & Communications
We log usage data when you visit or use our services, including our using our web site, such as when you view or click on content, perform a search, or submit data via a form. We use log-in details, cookies, and internet protocol (IP) addresses to identify you and log your use. We may also gather email tracking data to help us improve our services and communications.
- How do we use your data?
CCTPA holds personal information and data collected in order to fulfil a variety of purposes:
- To provide and help develop products, services and activities to meet our obligations and objectives and for use in direct marketing.
- To manage our business.
- To facilitate payment for our services.
- To enable CCTPA to make payments to members, suppliers and associates, e.g. for expenses and fees.
- To validate credentials for example to access restricted areas of websites.
- To help us communicate relevant information.
- To present relevant content on websites, and determine the effectiveness of promotional campaigns and advertising.
- To comply with legislative and regulatory requirements.
- To profile and anticipate your interests and potential needs.
- To control access to network resources and systems and prevent fraud.
Depending on your chosen preferences, we may contact you using available methods including (but not limited to) email, telephone, post, messaging platforms, via our website and online portals, and via social media platforms. We will send you messages about the availability of our services, security, or other service-related issues. We may also send promotional messages. You can let us know your communication preferences using the methods detailed in the Contact Us section below. Please be aware that you cannot opt-out of receiving service messages from us, including security and legal notices related to the services we provide.
If you register for an event or a conference that involves a third party, we may share your contact details and other appropriate information with them so you can receive relevant communications prior to or following the event or conference.
Were appropriate we use your data to investigate, respond to and resolve complaints and improve customer service (e.g. system bugs or customer enquiries).
We may use your personal data to send relevant and targeted communications to you promoting our services. You can let us know your communication preferences using the methods detailed in the Contact Us section below. It may take up to 28 days for the changes to be implemented and for you to stop or start receiving emails.
c. Developing services and research
We use data, to conduct research and development for the further development of our services in order to provide you and others with a better, more intuitive and personalised experience, drive CCTPA community growth and engagement on our services.
- How do we share your information?
We will not share your information with any third parties without informing you first. When we do share your data, we will ensure there are adequate levels of protection and appropriate safeguards in place to guard your rights and freedoms, and that they will only retain it for the period we instruct. They will not share your personal information with any organisation apart from us.
Where appropriate and in accordance with local laws and requirements, we may share your personal data with:
a. Third parties
Third Party Processors: We use third party data processors who provide elements of our services to you on our behalf. We will have contracts in place with such data processors. This means that they cannot do anything with your personal information unless we have instructed them to do it. They may share your data with sub-processors where they have a contract in place that imposes their data protection obligations on that sub-processor. We will ensure the third parties hold your data securely and retain it only for the period we have instructed, subject to their legal obligations.
Conference and Event delegates: When you attend one of our conferences or events, we may share your data with third parties. By registering, you acknowledge that we may share your details such as name, email address and job details, with any sponsor. Sponsors may use your details to contact you about the event or conference and they may send you direct marketing material. You can let us know your communication preferences using the methods detailed in the Contact Us section below. Where you have specified any special requirements, we may share these with any relevant third parties involved with administering the conference or event.
b. Legal obligations
In some circumstances we are legally obliged to share information. For example, under a court order or where we cooperate with other data protection authorities in handling complaints or investigations. We might also share information with other regulatory bodies in order to further their, or our, objectives. In any scenario, we will satisfy ourselves that we have a lawful basis on which to share the information and document our decision.
c. Members and subscribers
Your information may be shared for the following reasons:
- To provide relevant information to your employer about your involvement with us.
- Where other organisations are commissioned by CCTPA to provide specific activities to support the delivery of our services.
- To comply with legal and regulatory obligations.
If you wish to view a list of the third party organisations we hold contracts with please contact email@example.com and we will provide you with this information.
- Lawful Basis
To comply with the data protection principles and article 6(1) of the GDPR we identify a lawful basis for each purpose that we process your data.
The lawful basis that we use are:
- Consent, where you have given us your consent to the process your personal data for one or more specific purposes.
- Contract, where the processing of your data is necessary for the performance of a contract or where we process your data prior to entering into a contract.
- Legal obligation, where the processing of your data is necessary for compliance with our legal obligations.
- Vital interest, where processing is necessary in order to protect your (or others) vital interests.
- Public Interest, where the processing of your data is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.
- Legitimate interest, where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.
- Legitimate interests
Our legitimate interests explained – CCTPA think it’s reasonable to expect that if we have (or have had) a professional relationship with you, or you have posted your professional information on professional networking site, or your information is generally available to the public, or we have been given your name as an emergency contact or as a referee, you are happy for us to use your personal data to contact you for a relevant reason. If you do not want any further contact with us you can ask us to stop (opt-out) by contacting us using the details at the end of this Privacy Notice.
It is our policy only to keep records of your personal data for as long as required under the legal obligations of delivering a service to you, or as required by relevant authorities or other legislation, whichever requirement is longer after which it will be erased from our systems and any paperwork will be destroyed.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Our retention policy includes the following :
- If you are a client, a member, or a supplier, we may for regulatory reasons or to settle a dispute keep your data for six years after the end of the engagement with us.
- If you have contacted us via our website, or sent us an email, or we have made contact with you and we do not engage in a professional relationship with you, we will destroy your data after two years or sooner.
- If we are recruiting and you send us your CV or if we are not currently recruiting but are interested in your profile we may keep your cv and personal details for a period of one year, after which your data in this respect will be deleted.
- Transfer of data outside the UK?
Normally your data will not be transferred to a country or territory outside the UK unless that country or territory ensures an adequate level of protection (adequacy decision by the ICO) or the appropriate safeguards are in place to guard your rights and freedoms and ensure your personal data is kept securely.
- Your data protection rights
Under data protection law, you have rights that we want to make you aware of. The rights available to you does depend on our reasons for processing your information. We will respond to your request to exercise your rights at our earliest opportunity and within one month. Under normal circumstances we will not charge a fee. However, if we feel the request (with consideration to other requests you have made) is repetitive, unreasonable or excessive then we may ask for a fee to cover the administrative costs associated with your request.
We may limit our actions when you exercise your rights due to applicable exemptions in data protection law. For example, we may not be able to delete all your data when you exercise your right to be forgotten where we have a legal obligation to retain some of the data ( e.g. for certifications or for criminal law enforcement purposes). Where exemptions apply and where it’s permissible we will tell you why we are not taking action, explain our decision and explain how you can challenge this.
a. The right to be informed
you have the right to be informed of what we do with your data. The detail of what we do is in this privacy notice.
b. Your right of access
You have the right to ask us for copies of your personal information. This is commonly known as making a subject access request or SAR.
c. Your right to rectification
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
d. Your right to erasure
Also known as the right to be forgotten. You have the right to ask us to delete the Personal Data we hold about you.
e. Your right to restrict processing
You have the right to ask us to restrict the processing of your information in certain circumstances. Where consent has been given to process your data, you can withdraw that consent at any time by contacting us using the details at the bottom of this notice.
f. Your right to object to processing
You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests.
g. Your right to data portability
This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated.
h. Rights in automated decision making and profiling
You have the right to ask us to stop using automated decision making when processing your data. You also have the right to ask us to stop profiling you by using algorithms and machine-learning. If you have any concerns about these mechanisms then you can ask us to explain what we do and we will provide you with any alternative methods of processing if available.
Please contact us at firstname.lastname@example.org if you wish to make a request.
- Links to other websites and social media
Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide while visiting such sites and such sites are not governed by this privacy notice. You should exercise caution and look at the privacy notice applicable to the website in question. Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes your personal information. We encourage you to read the privacy notices on the other websites you visit.
- How to complain
If you have any concerns about our use of your personal information, you can make a complaint using the methods detailed in the Contact Us section below.
You can also complain to the Information Commissioner’s Office if you are unhappy with how we have used your data. Their contact details are available on their website www.ico.org.uk.
- Contact Us
You can contact us using the methods below:
Post: Data Protection Manager, CCTPA, 77 Mansell Street, London, E1 8AN
Please see our Contact CCTPA page on our website for further options.