Data Protection Policy
What is a BID?
Business Improvement District (BID) schemes are business led initiatives supported by government legislation which give local businesses the power to ‘raise funds locally to be spent locally’ on improving a defined commercial area and supporting the businesses located within that trading area through the delivery of projects and services.
A BID is created when the majority of business ratepayers within that area vote to invest collectively in local improvements. Under BID legislation, a BID can only continue for five years before a new business plan needs to be published and a ballot held where businesses vote ‘yes’ or ‘no’ to the BID. If the majority of businesses by number and rateable value, vote in favour of the proposal, the BID will go ahead and apply to all. It is just like a referendum and the majority view will prevail.
BID schemes are independent of local authorities and other statutory bodies although the local authority has a duty to collect the annual levy on the BID’s behalf.
There are now almost 300* BID schemes operating across the UK with eight in Cornwall. *at time of writing – May 2018.
More information on BIDs and their purpose can be found at www.britishbids.info/about/what-is-a-bid
What Legislation Underpins BID Schemes?
Legislation enabling the formation of bids was passed in 2003 in England and Wales (with subsequent regulations published in 2004 and 2005 respectively) and in 2006 in Scotland.
Collection of the BID levy carries the same enforcement weight as collection of the non-domestic rates and is mandatory for all eligible businesses within the BID area regardless of how they voted.
www.legislation.gov.uk/uksi/2004/2443/contents/made
About St Ives BID.
St Ives BID has been operating since June 2014 as a not for profit company limited by guarantee incorporated in February 2013 (registered in England and Wales company number 08409718).
St Ives BID has positions on its Board for up to nine elected Directors who voluntarily support the BID; there are currently seven Directors drawn from organisations within the BID area who pay the levy.
St Ives BID’s Articles of Association outline that all levy payers are members of the BID Company with voting rights at the annual general meetings.
Our Approach to Data Protection
We are a not for profit organisation that uses data to inform local businesses and organisations about issues and services that will support them or enhance their knowledge. We are not ‘selling’ a product or service but providing information that we deem is in their interest.
We are committed to protecting and respecting personal data and privacy and to complying with all applicable laws including the General Data Protection Regulation (GDPR) which came into force on 25th May 2018.
We will only use data where we have a proper reason to do so; this includes sharing it outside St Ives BID if appropriate with third-party providers. We will never sell our data to companies for marketing purposes. All our data is confidential.
We will regularly review what data we are storing and processing and on what basis it is being used for; each time we communicate, we will check whether there are reasonable grounds to do so and whether we need consent and obtain this where it has not been granted.
We store data on two specific St Ives BID computers which are password protected and regularly backed up by the St Ives BID Manager and BID Administrator who are the only people who have access to these devices; information shared with third parties is encrypted and we seek assurances that third parties have good data protection policies in place.
St Ives BID is registered with the Information Commissioner (ICO) reference ZA361642
We embrace the use of social media and may wish to process any comments made public by you; we will always ask your consent for using your comments.
The Data We Hold
St Ives BID holds the following data and is the data controller and processor. The principles outlined in section 4 apply to all data held:
Levy payers database – levy payers are members of our BID Company under our BID articles. It is essential that we hold this data and keep it up to date in order to communicate with our levy payers who have contributed funds towards the BID.
Our database contains approximately 396 business entries* of organisations over £5,000 rateable value including their name, address, email address, phone numbers and rateable value of business premises and their owners or senior managers. *as of May 2018
We will regularly update these lists for the purpose of communicating with levy payers regarding the renewal of our BID (legal interest) and updating our levy payers on how we are spending their money in line with the business plan upon which the BID was voted in (legitimate interest).
We may share elements of this data with third parties such as our PR Company or an appointed agency contracted to contact levy payers to support them with procuring services at a reduced rate e.g. energy, telecoms, insurance etc (legitimate interest).
Occasionally, we will communicate with levy payers on issues which are not deemed to be in either legal or legitimate interest but require consent; in these instances, we will contact levy payers describing how we wish to use their data and asking for consent (see section 6).
BID team database – we hold data on the members of our BID Board Directors (name, mobile no, email address and home address also listed on Companies House) and other team members (name, mobile no and email address) to enable us to communicate and hold meetings (legitimate interest)
Staff – we hold data relating to our two part time employees which includes staff contracts and appraisal documents. Information is also held on people who have applied for vacancies such as CV’s and interview notes – this information is held electronically in an archived folder (legitimate interest)
Tenders – we hold data relating to those companies who have tendered for work and the associated assessment notes – this information is held electronically in an archived folder (legitimate interest).
Our collection methods are:
Through being eligible to pay into the BID – this information originates from the ratings list held by Cornwall Council but St Ives BID adds to this data by collecting the name of the person operating the business and their email address
Through our website stivesbid.co.uk *
By communications including email, telephone, post or social media
Through networking and one to one visits – when a new business opens in St Ives or there is a change in ownership of an existing business, we make contact with the new occupier to tell them about the BID and what we provide
From third parties who engage with St Ives BID and / or publicly available resources (for example from Companies House)
* When using our website, St Ives BID gathers data from users using cookies and other internet tracking software, such as Google Analytics. The purpose of this is to understand how digital visitors are using our services, and to provide them with better and enhanced services via the BID.
How we have determined the use of data and how it will be used
There are six conditions or ‘lawful basis’ for processing data (the first four of which we have determined apply to St Ives BID):
- Legal obligation
- Contract
- Legitimate interest
- Consent
- Vital Interest
- Public Interest/lawful authority
We have determined that the majority of our BID communications with BID levy payers are either our ‘legal duty’ or in the recipient’s ‘legitimate interest’ where there is a business or commercial reason to use the information.
In this document, we have outlined the types of communication we have determined falls within the various ‘lawful basis’:
Legal – As a BID we have a legal obligation in the run up to a BID renewal which takes place every five years, to provide relevant BID information i.e. ballot papers, business plan. It is our legal duty to communicate with all the businesses in the BID area giving them an opportunity to shape the business plan via consultation, receiving the final business plan, a notice of ballot and the ballot paper.
Communications like the annual financial statement that goes out with the levy bills generated by Cornwall Council also fall under legal interest as per the BID regulations.
There is no opportunity for levy payers to unsubscribe to these communications or to activate their right for erasure given that there is a legal obligation to process their data.
Contract – We sometimes provide services under a contract, as set out in a formal document – this includes contracts of employment for BID staff or contracts with third party suppliers. With contracts, there is a lawful reason to hold the data and to be in communication.
Legitimate Interest – We process data under what we have determined is a ‘legitimate interest’. We will communicate with levy payers regarding the delivery of projects and services to demonstrate how we are using their funds and to give levy payers the opportunity to shape our projects and service delivery. More specifically, we will communicate with levy payers via emails/newsletters for the following purposes:
Letting levy payers know about projects and their delivery as they have paid the levy and have an interest in finding out out what the BID is doing with their money
Giving levy payers the opportunity to shape projects – asking for feedback/completing a BID survey or inviting them to be involved on a working group
Giving levy payers updates on issues that are in their interests to know about e.g. road being resurfaced outside their premises
Asking levy payers if they wish to attend an event – providing that this is not an event with a cost attached
Providing them with information or services that they request from us or which we feel may interest them and have deemed is in their legitimate interest.
Notifying them about changes to our BID
Levy payers will have an opportunity to unsubscribe to these communications if they wish.
Consent – we will seek consent from levy payers or others where we feel our communications do not fall under either legal, contractual or legitimate interest as detailed above.
The circumstances where St Ives BID may seek consent are:
If launching a campaign to sign up members of the public to receive offers from St Ives businesses e.g. a loyalty card
If seeking additional contributions from levy payers or ‘selling’ them something
If St Ives BID run a B2B scheme whereby businesses generate offers for other levy payers and their employees in the area – we would either gain consent from each employee or invite the main levy payer to cascade this to staff or post the offers on our website asking people to sign up to receive them.
Consent can be withdrawn at any time and St Ives BID respects this right.
How we will share data
We will share information within St Ives BID (including our St Ives BID board of directors) for administration purposes to ensure we can deliver our business plan and maintain communications with levy payers on how we are spending their money and provide them with the information required legally during the renewal of the BID.
We occasionally use third party service providers such as agents or mail services to help us support our levy payers and provide services to them and where we have a legitimate interest to do so. These would include:
Survey monkey for consultation exercises, mail chimp for mailing out information updates
Email and secure document share filing systems including Dropbox and Google Drive utilising passwords to protect data
PR companies who are contracted to St Ives BID to deliver PR services to businesses in St Ives. Currently, this is DCA Public Relations
Our accountancy firm who handles the payroll for our staff, completes and submits our VAT returns and End of Year accounts. Currently, this is Greenwood Wilson
Other agencies who may be able to provide support services to our levy payers E.G. with regard to procuring reduced costs on services such as energy, telecoms, merchant services, insurance etc
We will ensure that all our third-party service providers demonstrate that they are compliant with data protection practices and are taking reasonable and appropriate security measures to protect our data. We only permit our third-party service providers to process our data for specified purposes and in accordance with our instructions. We have a data sharing agreement with all our third-party service providers and an assurance that confidentiality is maintained.
We will never transfer or sell our data to a third party for marketing purposes.
Data Retention
We will only retain business data for as long as is necessary to fulfil the purposes for which it is collected taking account of our legal obligations with respect to holding data relating to BID renewal.
Data Deletion
Under GDPR there is the right to erasure under specific circumstances. A request for data to be deleted will be decided on a case by case basis and must be submitted in writing to the contact details provided in this policy.
It is not possible to delete information relating to levy payers who St Ives BID has a legal duty to communicate with during the run up to a BID ballot taking place every five years
Correcting Data
If we are notified in writing, we will correct any inaccurate data as soon as we can
11. Subject Access Request
St Ives BID wishes to be open and transparent giving people access to the data we hold if they request this in writing; the person making the request would need to demonstrate their identity.
Changes to this Policy
St Ives BID may amend this policy from time to time. If we do so, we will post amendments on our website at www.stivesbid.co.uk
Complaints
There is the right to complain about the processing of personal data. In the first instance, please contact us using the details provided below. Alternatively, there is the right to complain to the Information Commissioners Office: www.ico.org.uk/make-a-complaint
Further Information
For further information, please contact Carl Lamb, St Ives BID Manager at carl@stivesbid.co.u