Data Protection

Cyngor ar Bopeth Gwynedd Citizens Advice (CAB Gwynedd) is committed to doing everything we can to:

  • keep client, staff, volunteer and trustee data safe
  • meet Citizens Advice membership requirements through the leadership self-assessment
  • comply with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act

CAB Gwynedd holds and processes information on staff, volunteers and clients. Personal information must be handled and dealt with properly, however it is collected, recorded and used, and whether it be on paper, in computer records or recorded by any other means. We are registered with the Information Commissioner’s Office. Our ICO registration number is Z2151063.

All staff and volunteers (including trustees) need to be familiar with the principles of the UK GDPR and the rights of individuals – these are at the heart of all our processes and policies and all staff and volunteers must comply with them. There is a training course on GDPR for all staff and volunteers (including trustees) which must be undertaken annually and a separate course for managers which again must be repeated annually.

There are various policies relating to data protection, some of which are mandated nationally and others where we are required to have a local policy but have chosen to follow the national guidance. Some of these are public-facing while others are guidance for staff and volunteers:

Privacy Policy (local – public)

Acceptable Use of Casebook (national requirement)

Data Retention (local – public)

Note that all client records are required to be kept in Casebook and for this we must conform to the national Casebook Data Retention Policy.

Information Risk (local)

Client Forms

Client data consent form (permission to record, use, or share personal information) English Cymraeg

Client information sheet (to inform decisions on the above)

Client consent to act on their behalf form

Further national guidance on data protection

Expectations of Paid Staff and Volunteers in relation to Information and Communications Technology (ICT)

  1. All CAB Gwynedd facilities and information resources remain the property of CAB Gwynedd and not of particular individuals, teams or bureaux.
  2. When you are recording or obtaining information about individuals, make sure you are not breaking data protection legislation. You must obtain client consent for recording information about them and you must not access information or pass it on to anyone unless there is a clear business reason for doing so. Make sure you follow the Acceptable Use of Casebook Policy.
  3. Use of facilities for leisure or personal purposes (e.g. sending and receiving personal email, personal phone calls, playing computer games and browsing the internet) is permitted during breaks so long as such use does not:
  • incur specific expenditure for CAB Gwynedd
  • impact on your performance of your job or role (this is a matter between each member of staff or volunteer and their line manager)
  • break the law
  • bring CAB Gwynedd into disrepute
  • detrimentally affect the network performance by using large amounts of bandwidth (for instance by downloading / streaming of music or videos)
  • impact on the availability of resources needed (physical or network) for business use.
  • endanger the security of CAB Gwynedd systems (e.g. by clicking on unsafe attachments within webmail).
  4. Nevertheless CAB Gwynedd provides its phone, internet and email related resources for business purposes and reserves the right to monitor electronic communications in accordance with applicable laws and policies. The right to monitor communications includes messages sent or received by system users (employees, volunteers and temporary staff) within and outside the system as well as deleted messages.
  5. Any information contained within the office in any form (e.g. AdviserNet) is for use for the duration of your period of work and should not be used in any way other than bureau business, or transferred into any other format (e.g. loaded onto a memory stick / pen drive).
  6. Any users who place and pay for orders online using personal details do so at their own risk and CAB Gwynedd accepts no liability if details are fraudulently obtained whilst the user is using bureau equipment.

Information Security

  1. Do not attempt to gain unauthorised access to information or facilities. The Computer Misuse Act 1990 makes it a criminal offence to obtain unauthorised access to any computer (including workstations and PCs) or to modify its contents. If you do not have access to information resources you feel you need, contact your line manager, the HR and Learning Manager or the Chief Executive.
  2. Do not disclose personal system passwords or other security details to other staff, volunteers or external agents, and do not use anyone else’s log-in; this compromises the security of CAB Gwynedd. If someone else gets to know your password, ensure that you change it or get a Google Guide to help you by emailing
  3. If you leave your PC or workstation unattended without logging off, you are responsible for any misuse of it while you are away. Logging off is especially important where members of the public have access to the screen in your absence.
  4. Any pen drives or other storage devices used on our network should be secure and the property of the bureau. No staff / client personal data should be held on a pen drive unless it is suitably encrypted. Any phone, tablet or laptop with access to CAB Gwynedd information must also be secured. Further information is available here.
  5. Awareness: you must remain aware of who may see your screen when dealing with client information. Always be aware of the physical location you are working in and report any unexpected visitors or instances. When working away from the bureau, ensure your device is encrypted if it contains personal data. Keep your equipment with you at all times.
  6. Information assurance incidents: all incidents involving client or sensitive data should be reported to the Chief Executive. If you are aware of another individual behaving inappropriately you should report this to a senior manager. Deliberate disclosure of confidential information may be considered gross misconduct for employees, and volunteers will be asked to leave. It may also be a criminal offence and lead to criminal proceedings. We all have a duty to act positively to prevent information misuse.


  1. Take care to use software legally in accordance with both the letter and spirit of relevant licensing and copyright agreements. Copying software for use outside these agreements is illegal and may result in criminal charges.
  2. Be aware of copyright law when using content you have found on other organisations’ websites. The law is the same as it is for printed materials.

Use of Email

  1. Use email in preference to paper to reach people quickly (saving time on photocopying / distribution) and to help reduce paper use.
  2. Take care when emailing personal information whether it relates to staff or clients and business sensitive information. Emails which are passed within CAB Gwynedd or within the Citizens Advice secure network should be safe, but an email sent to a third party server could leave a copy on insecure servers on its journey. If you are sending an email to an external address you must ensure that the confidential information is protected. CAB Gwynedd’s Google Workspace includes the ability to send secure messages – you just click on the padlock symbol at the bottom of the screen when drafting an email and it gives you the option of specifying the mobile number of the recipient. The recipient then gets an email which tells them to click on the link to open the message. The national guidelines are here.
  3. The following are examples of unacceptable use of email:
  • Sending confidential information to external locations without suitable encryption.
  • Distributing, disseminating or storing images, text or materials that might be considered indecent, pornographic, obscene or illegal.
  • Distributing, disseminating or storing images, text or materials that might be considered discriminatory, offensive or abusive, in that the context is a personal attack, sexist or racist, or might be considered as harassment or bullying.
  • Using copyrighted information in a way that violates the copyright.
  • Breaking into the bureau’s or another organisation’s system, or unauthorised use of a password / mailbox.
  • Broadcasting unsolicited personal views on social, political, religious or other non-business related matters.
  • Transmitting unsolicited commercial or advertising material.
  • Undertaking deliberate activities that waste staff effort or networked resources.
  • Introducing any form of computer virus or malware into the corporate network.
  4. When publishing or transmitting information externally be aware that you are representing CAB Gwynedd and could be seen as speaking on CAB Gwynedd’s behalf. Make it clear when opinions are personal. If in doubt, consult your line manager.
  5. Check your inbox at regular intervals during the working day. It is a good idea to decide what to do with each email as you read it (e.g. delete it, reply to it, save the whole email in a folder, or extract just the useful information and save it somewhere logical) and thereby keep your inbox fairly empty so that it just contains items requiring your action. Consider whether to acknowledge receipt of an email if you are unable to reply immediately. Keep electronic files of electronic correspondence, only retaining what you need to. Do not print it off and keep paper files unless absolutely necessary.
  6. Treat others with respect and in a way in which you would expect to be treated yourself (e.g. do not send unconstructive feedback, argue, or invite colleagues to make public their displeasure at the actions / decisions of a colleague).
  7. Do not forward emails warning about viruses (they are invariably hoaxes and IT Support will probably already be aware of genuine viruses – if in doubt, contact them for advice).
  8. Do not open email unless you have a reasonably good expectation of what it contains, and do not download files unless they are from a trusted source, e.g. do open report.doc from a colleague you know and a covering message which is clearly from that person. Do not open sent from an address you have never heard of, or where the covering message does not ring true. If you are not sure consider emailing the individual to check (if you click reply and the address shows in unexpected, it is almost certainly not genuine). Alert IT Support if you receive a suspect email. This is one of the most effective means of protecting CAB Gwynedd against email virus attacks.
  9. Follow guidance on email signatures and when to send messages from your personal account and when to send from a generic account.

Use of the Internet

  1. Use of the internet by employees of CAB Gwynedd is permitted and encouraged where such use supports the goals and objectives of the business. However you must ensure that you:
  • comply with current legislation
  • do not create unnecessary risk to CAB Gwynedd’s reputation and systems.
  2. The following constitute unacceptable behaviour:
  • Visiting internet sites that contain obscene, hateful, pornographic or other illegal material.
  • Using the computer to perpetrate any form of fraud, or software, film or music piracy.
  • Using the internet to send offensive or harassing material to other users.
  • Downloading commercial software or any copyrighted materials belonging to third parties, unless this download is covered or permitted under a commercial agreement or other such licence.
  • Hacking into unauthorised areas.
  • Creating or transmitting defamatory material.
  • Undertaking deliberate activities that waste staff effort or networked resources.
  • Introducing any form of computer virus into the corporate network.
  • Using chat rooms or instant messaging except for business purposes

Social media

  1. For the purposes of this policy, social media websites are web-based and mobile technologies which allow parties to communicate instantly with each other or to share data in a public forum. They include websites such as Facebook, Twitter, LinkedIn. They also cover blogs and image sharing websites such as YouTube, Instagram, Tumblr and Flickr. This is not an exhaustive list and you should be aware that this is a constantly changing area.
  2. Employees and volunteers are permitted to make reasonable and appropriate use of social media websites from the charity’s IT equipment. Employees should ensure that usage is not excessive and does not interfere with work duties. Use should be restricted to your non-working hours, unless this forms part of your work responsibilities. Access to particular social media websites may be withdrawn in the case of misuse.
  3. Inappropriate comments on social media websites can cause damage to the reputation of the charity if a person is recognised as being an employee or volunteer, even if this is done in your own time and away from the office. It is, therefore, imperative that you are respectful to the charity and the Citizens Advice service as a whole, including clients, colleagues, partners and competitors.
  4. You should not give the impression that you are representing, giving opinions or otherwise making statements on behalf of the bureau or Citizens Advice, unless appropriately authorised to do so. Personal opinions must be acknowledged as such, and should not be represented in any way that might make them appear to be those of the bureau. Where appropriate, an explicit disclaimer should be included, for example: ‘These statements and opinions are my own and not those of CAB Gwynedd.’
  5. Any communications that you make in a personal capacity must not:
  • bring the bureau into disrepute, for example by criticising clients, colleagues or partner organisations
  • breach the bureau’s policy on client confidentiality or any other relevant policy, such as Information Assurance.
  • breach copyright, for example by using someone else’s images or written content without permission (note that bureau logos and trademarks cannot be used without the consent of Citizens Advice)
  • do anything which might be viewed as discriminatory against, or harassment towards, any individual, for example, by making offensive or derogatory comments relating to: age, disability, gender reassignment, race, religion or belief, sex, or sexual orientation
  • use social media to bully another individual, such as a co-worker
  • post images that are discriminatory or offensive (or links to such content).
  6. You cannot assume that your comments on social media will remain private. Consider this carefully before posting anything (including retweets and shares) that may be contrary to the above. CAB Gwynedd will take action to prevent misuse of social networking sites as the organisation may be vicariously liable for the acts of a member of staff in certain circumstances. CAB Gwynedd will consider what action to take to address any malicious, untrue or otherwise inappropriate allegations which may circulate on social media sites.
  7. Staff may use CAB Gwynedd telephone facilities to make occasional private calls for essential or emergency matters. Private international calls are not permitted without prior authorisation.
  8. Staff who have CAB Gwynedd-provided mobile phones must reimburse CAB Gwynedd for the use of these phones for private calls and texts etc. at the standard rate of 7p/min or 7p/text or the actual costs incurred if higher.
