CIC appreciates the trust you place in us when sharing your personal data.
The security of that data is very important to us. This privacy policy explains how we collect, use and look after your personal data.
We will explain what rights you have with regards to your personal data and how you can exercise those rights.
CiC Wellbeing (CLNR Horizons Limited). EAP & workforce wellbeing solutions | CIC Wellbeing is a major provider of personalised Employee Assistance Programmes (EAP), wellbeing and specialist psychological services to customers and their employees globally.
Our corporate address: 2nd Floor, Royal Pharmaceutical Society Building, 66-68 East Smithfield, London E1W 1AW.
The table below provides an overview of services.
| Employee Assistance Programme | Psychological Services | Trauma Services |
|
|
|
We are registered with the Information Commissioner’s Office – Z7242120.
For the purposes of this policy CiC is the Data Controller and:
CiC collects personal information directly from clients. This will be through initial contact (via telephone, email, WhatsApp etc.) and then through sessions with Affiliates, trainers and other CiC staff engaged in the delivery of services to our clients.
CiC collects a wide range of personal data from clients during the delivery of services. This includes name, email address, telephone number, date of birth, employer, job title and employment status.
We also collect information that is defined as special category data under GDPR Article 9. This is personal data revealing ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and processing of genetic data, biometric data for the purposes of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The collection and processing of special category data will be dependent on your individual needs and the service being delivered. However, this will mainly surround health but data concerning other aspects of your life maybe discussed (and hence collected and processed) during the delivery of services.
Each client has an individual record created within our customer records management system (CRM). We utilise the information to deliver the service to the client. Contact information is utilised to communicate with the client, arrange appointments and counselling sessions. Health information is utilised to support the delivery of individualised EAP, trauma and mental health services to clients.
We are committed to protecting your information. CiC are certified to the ISO 27001 Information Security Standard and Cyber Essential Plus. We take appropriate technical and organisational measures to guard against unauthorised or unlawful processing of your personal data and against accidental loss or destruction of, or damage to, your personal data.
The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. However, please bear in mind that IT infrastructure and the internet cannot be guaranteed to be 100% secure. We have security measures in place and restrict access to databases only to those who need access appropriate to their job role.
All personal information and details provided as part of an enquiry, support or service request, or financial details are stored on a secure server. We do not store credit card numbers or related identifying information on any of our servers.
Digital data and hard copy data is securely disposed of when no longer required. This is conducted in line with our information security Disposal of Data Policy and procedure.
In order to ensure that we provide you with the best possible service, we may from time to time conduct research and evaluation. Sometimes we will do this by aggregating and anonymising the data, which means that no one can identify you. On occasion we may ask you to take part in a new piece of research and provide additional information or share your information with a third party for the purpose of research, this will only ever be done with your knowledge and consent. You have the right to opt out of research and survey activities.
To Meet Contractual Obligations – To fulfil the contracts CiC has with employers (customers) to deliver EAP, psychological and trauma services to employees (clients)
To Meet Legal Obligations – In some circumstances we are required to pass on details to law enforcement of people who are involved in certain kinds of illegal or criminal activity. This includes disclosure under the requirements of Prevent and Safeguarding legislation.
Legitimate interest – In order for us to provide the services you are expecting from us, we need your data to allow us to run our business effectively. For example:
– We will use client personal data to stay in contact with them whilst they are accessing our services
– We will use client personal data to track their journey through our service.
We regularly review how long we keep your Personal Data; however, we do have certain legal obligations to retain some types of information for specific periods of time. Normally we retain client personal data for 7 (seven) years.
CiC administrative and managerial staff have access to records. They are only provided access to the records they need to be able to do their roles effectively. Affiliate staff will have access to information relevant to the clients they are supporting/providing services to. All CiC are subject to security clearances and complete data security training.
CiC and affiliate staff deliver services to clients. However, we deploy a range of technologies to support the delivery of services that we need to highlight to clients. These include:
Where we need your agreement to process your information, for example, by passing your contact details to someone offering a specific service, we will ask for your consent, and will clearly state why your information is needed and who we will share your information with. If you agree to your information being shared, we will record your consent on your record. We will regularly review consents to make sure that the relationships, and purposes for processing, have not changed. Note – where you have provided consent for us to share your information with a specific organisation or individual, you have the right to withdraw your consent at any time. Should you wish to withdraw your consent, please tell your key worker, or, send a written request to the Data Protection Officer (address below), who will process your request.
UK GDPR aims to give individuals more control of their data. It provides:
Right to access – You have the right to request a copy of the personal data we hold about you. We will require you to prove your identity – this is in accordance with ICO guidance to ensure that the request is from you and not someone impersonating you. Acceptable forms of identification can be: passport, driving licence, birth certificate, utility bill (from last 3 months), current vehicle registration document or a bank statement (from last 3 months). If you can advise of the specific information that you require, we can process your request more quickly. We will respond to your request within 30 days of us confirming your identity. This is in line with the requirements of Data Protection Act 2018/UK GDPR.
Right to restrict processing – in certain circumstances, you can ask us to restrict our use of your personal data.
Right to rectification – you can ask us to correct inaccurate personal data we hold about you.
Right to erasure (right to be forgotten) – in certain circumstances, you can ask us to erase your personal data.
Right to data portability – you can ask us to provide you with a copy of your personal data in a commonly used electronic format so that you can transfer it to other businesses. Privacy Policy for Users of CiC Services V10 – January 2025 Page 5 of 5
Right to object to automated decision-making – in certain circumstances, you can ask us not to make automated decisions about you based on your personal data that produce significant legal effects.
Right to object to automated decision-making – in certain circumstances, you can ask us not to make automated decisions about you based on your personal data that produce significant legal effects.
Right to lodge a complaint – you can lodge a complaint with the Information Commissioners Officer
Or contact them on: 0303 123 1113
All queries about data rights should be made to our Data Protection Officer dpo@cicwellbeing.com
We review this policy at least annually. It was last reviewed on 17th January 2025.