Data Privacy Policy

Your privacy is important to the Chartered Management Institute (incorporating CMI Enterprises Ltd, and the Institute of Consulting) (“CMI”). We need to gather and use information or ‘data’ about you as part of our business and to manage our relationship with you.

Overview

We intend to comply with our legal obligations under the Data Protection Act 2018 (the ‘2018 Act’) and the UK General Data Protection Regulation (‘GDPR’) in respect of data privacy and security. We have a duty to notify you of the information contained in this policy.

This notice is designed to inform you about:

  • how and why CMI uses your personal data,
  • what your rights are under the Data Protection Act 2018,
  • how to contact us so that you can exercise your rights.

What this policy does not cover

Our services sometimes link to services run by other websites, like the Department for Education, but they will have their own privacy and cookies policies. Information you give them will follow their rules and not CMI’s.

Protecting your information

CMI is committed to keeping your information safe and to do this we use third party software to capture, process, transfer and store your information.

If you have any concerns that your account or personal information has been put at risk, for example if someone could have found out your password, please contact us immediately.

1. Principles of our policy

  • Private: We will never sell, rent or trade information about you to other companies. Your data will not be supplied to anyone except as described in this privacy notice, unless we are obliged by law to disclose it.
  • Secure: We follow strict security procedures in the storage and disclosure of information to prevent loss, theft, unauthorised access, or unlawful processing.
  • Necessary: We won’t collect information unless it is needed for purposes we have told you about, to deliver a better service or to give you relevant information. Where we rely on our legitimate interests, we will ensure these do not override your fundamental rights and freedoms.

2. What personal data do we hold?

The personal data we collect and receive about you depends on your interaction with us.

a) Directly from you

Communications by phone may be recorded or monitored for quality and training purposes. Recordings are retained for 30 days. Lawful basis: legitimate interests.

b) Website Visitors

When you visit our website, we receive information about you in two ways:

  • Directly from you: the contact details and other information you provide in forms, such as name, email address, phone number, and any other details required to register, request information, or download a resource. We use this data to respond to your requests, provide services, and, where you have consented, send relevant communications. Lawful basis: performance of a contract or consent.
  • Automatically from the website: We collect technical information from your device and browser, such as IP address, device/app ID, and browsing behaviour. This helps us improve our website and services. We use cookies and similar technologies, as explained in our Cookies Policy. Even if you disable cookies, we may still collect anonymous usage information (e.g., which pages you visit). We will obtain your consent before setting non-essential cookies. Lawful basis: legitimate interests or consent.

c) CMI Bursary applicants and holders

If you apply for a bursary, we hold the following information about you:

  • Name, address, phone number, email
  • Date of birth, gender, nationality
  • Ethnicity and disability (special category data)
  • Employment, financial and personal circumstances

How we use your information:

We process this information to assess your eligibility for the bursary and to monitor diversity and inclusion. Special category data is processed based on your consent, while other personal data is processed under our legitimate interests in administering the bursary scheme.

Retention:

If awarded a bursary, your data will be retained as described in the “Members, Subscribers and Friends of CMI” section. If your application is unsuccessful, we retain your data only until the earlier of the next bursary application close date or closure of the scheme.

d) Members, Subscribers and Friends of CMI, and individuals applying for Chartered status

If you are a subscriber, member, or a Friend of CMI we hold the following additional information about you:

  • Title (e.g. Mr/Miss etc.), first name, surname
  • Date of Birth, gender
  • Email address, phone number
  • Postal address (not Friends of CMI)
  • Other information you voluntarily provided to us (e.g. sector, education, career development, employment details, nationality)
  • Information you enter in any of our online tools (e.g. Career Development Centre, CV checker, CPD tool)
  • Membership of any CMI committees or communities.

How we use your information:

  • To provide information about and administer CMI events, newsletters, research, surveys, and CMI communities that may interest you, and any products or services that you request from us or which we feel may be of interest to you - legitimate interests
  • To signpost content based on your input in our online tools - legitimate interests
  • To administer your membership (including following up potential renewals or upgrades) and provide you with services under our contracts with you - performance of a contract
  • To notify you about changes to our services - legitimate interests
  • To anonymise or aggregate information for research, analysis, reporting, or public materials in line with our charitable mission - legitimate interests
  • Case studies or testimonials will only identify you if you give explicit consent
  • For individuals applying for Chartered Status, anonymised or aggregated data may be used to improve services and support our charitable mission - legitimate interests

Retention:

We keep member and subscriber information for the duration of membership and for 12 months after termination/expiry, unless longer retention is needed to protect legitimate interests, attest or verify qualifications, or resolve incomplete applications. After that, data is deleted or anonymised except as required for statutory/regulatory obligations.

If you are a learner or apprentice and update your personal details, we may share these updates with your university or training provider.

e) Active learners

If you are a learner or apprentice we will receive the following information about you from you or your training provider (e.g. your university or further education institution) or employer:

  • Title, first name, surname
  • Date of birth, gender
  • University email address, postal address, telephone number
  • Start and expected completion / graduation dates of qualification
  • Assignments and assessment records
  • Any information that you voluntarily provide

How we use your information:

  • To administer your qualification, register you for relevant qualifications and awards, and provide access to learning resources and support - performance of a contract
  • To manage your membership where applicable, as described in “Members, Subscribers, Friends” - performance of a contract
  • To enable CMI to improve its offerings and promote its charitable mission, we may anonymise and/or aggregate your information to create research, analyses and reporting in material we may share publicly. Unless you have given us your direct permission to provide a case study or testimonial, the information in this material will not identify you - legitimate interests

Special category data:

You are not required to submit special category data (e.g. health, ethnicity). If provided, it will be flagged for early deletion or redaction where possible. If retention is necessary for assessment records, it will be processed on the basis of substantial public interest (education and training) under UK GDPR and the Data Protection Act 2018.

Retention:

  • We retain learner information during the course and for 12 months after completion to manage the qualification and membership processes
  • Former learners’ information needed to attest or verify qualifications is retained indefinitely, including: replacement certificate records, lost/stolen/destroyed certificate records, centre details, learner name/number, qualification title, completion date, date of birth, last known email address

Chartered Manager Status and Aggregated Data:

If you gain Chartered Manager status, we may publish your name within the media in the year in which, or the year after, you achieve this status, in celebration of your achievement. If you do not want your information used in this way, please contact us using the details below. Lawful basis: legitimate interests and consent (for publicity).

In respect of Chartered learners, CMI may also anonymise and aggregate the personal data processed in providing our services to you. This deidentified data will be used by CMI to help improve its services and further its charitable mission. Lawful basis: legitimate interests.

f) Former learners and members (Attesting qualifications or membership)

If you are a former member and/or learner, we indefinitely retain the information required to process certificates or to attest certificates, including:

  • Replacement certificate records
  • Record of lost, stolen, or destroyed certificates
  • Centre name and number, learner name and number
  • Title of qualification and date completed
  • Date of birth, email address, and home address at the time of qualification

How we use your information:

  • To process certificate requests or attest qualifications - performance of a contract
  • To respond to verification requests from employers or regulatory bodies - legal obligation
  • To anonymise or aggregate data for research, analysis, reporting, and service improvement in line with our charitable mission - legitimate interests
  • To celebrate achievements such as Chartered Manager status by publishing names in the year of, or the year after, the award, unless you opt out - legitimate interests / consent

Retention:

Information needed to attest or verify qualifications is retained indefinitely.

g) Partners and Training Providers

We process personal data of staff from our training providers and partners to carry out administrative functions, including:

  • Contact details (name, email, phone number)
  • Role and employment information
  • Assessor qualifications and certifications
  • Assessment administration records

How we use your information:

  • To coordinate End-Point Assessments and other services - performance of contract
  • To verify roles, qualifications, and regulatory compliance - legal obligation
  • To communicate regarding operational, administrative, or compliance matters - legitimate interests
  • To anonymise or aggregate data for research, analysis, reporting, and service improvement in line with our charitable mission - legitimate interests

Retention:

  • Data is retained for the duration of the engagement plus six years after the end of the relationship
  • Access is restricted to staff who require it for operational or compliance purposes

h) Recruitment

When you apply for a vacancy with us, we may collect and process:

  • Name, contact details, CV, employment history, and other application information
  • Publicly available profiles (e.g., LinkedIn) to support the recruitment process

How we use your information:

  • To manage the recruitment process, assess your application, and communicate with you - legitimate interests
  • To verify employment and qualifications where necessary - legal obligation

Retention:

  • Applicant data is retained for four weeks after the vacancy is filled
  • If you are contacted for future opportunities, we will retain your data until you request deletion

i) Suppliers

We may collect and process personal data about individuals within organisations that supply goods or services to us, including:

  • Name, contact details, role information
  • Payment or bank details (for sole traders/partnerships)
  • Qualifications, CVs, or DBS checks where required

How we use your information:

  • To manage our business relationships, place and pay for orders, and maintain records of dealings - performance of a contract
  • To comply with legal, financial, or operational obligations - legal obligation
  • To share limited information with trusted third parties such as accountants, banks, legal advisors, or government authorities - legal obligation

Retention:

  • Supplier data is retained for as long as necessary to manage the relationship and meet obligations
  • Typically, contractual and payment records are kept for 6–7 years after the relationship ends
  • Contact details may be deleted sooner if no longer required

j) Awards, Prize Draws and Events

We collect and process personal data for individuals participating in awards, competitions, prize draws, or events, including:

  • Name, contact details (email, phone, address)
  • Employment details, if relevant
  • Submission materials (nomination statements, written entries, images, videos)
  • Any other information required for administration and/or judging

How we use your information:

  • To administer and judge awards, competitions, and prize draws - legitimate interests
  • To communicate with nominees and nominators - legitimate interests
  • To send certificates, prizes, or event communications - legitimate interests
  • To manage events, registration, access, and follow-ups - legitimate interests
  • To feature nominees in promotion or publicity (e.g. announcing winners) - consent
  • To feature case studies, testimonials, or promotional material - consent
  • Nominator information is only used for administering the nomination and is not used for marketing without separate consent

Retention:

  • Award Winners: Retained only as long as necessary to administer and conclude the award, plus a reasonable period for record-keeping, promotion (with consent), or dispute resolution
  • Award Nominees and Nominators: Data is kept as needed to administer the award. Consent is required for promotion; you may object or withdraw consent at any time.
  • Prize Draw Winners: Retained for up to 6 years to comply with legal, tax, and audit requirements. Publication of names follows UK CAP Code requirements. You can object to publication at the time of entry, and we will respect that unless disclosure is required by the Advertising Standards Authority (ASA).
  • Prize Draw Administration: Some prize draws are administered by a third party service provider on our behalf. Personal data processed by the administrator may be retained for up to three years for operational purposes including audit, compliance, and dispute resolution. You can see the applicable prize draw T&Cs for more details.
  • Event Attendees: Data is retained only as long as necessary to administer the event and for a reasonable period afterward for record-keeping, reporting, or dispute resolution. Some events are ticketed through third-party platforms, such as Eventbrite, which process personal data on our behalf for event administration.

Marketing Communications:

If you enter a prize draw or attend an event, we may use your personal data to send you marketing communications about our products, services, and offers. We will only do this where we have a lawful basis, such as your consent or our legitimate interests. You can manage your marketing preferences with us at any time, including unsubscribing from communications.

k) Individuals Who Provide Permission for Use of Their Photos/Content

We collect and process personal data for individuals who allow us to use certain information, including:

  • Name
  • Image (photograph or video)
  • Quotes or testimonials
  • Case studies
  • Any additional information you provide in relation to the content

How we use your information:

  • To feature your content in marketing, promotional materials, case studies, or other communications as specified in the permissions form - consent
  • To celebrate achievements or share experiences with our community, where consent has been given - consent
  • To create anonymised or aggregated materials for research, reporting, or service improvement - consent

Retention:

  • Content is retained only while it is needed for the purposes specified in the permissions form
  • Once it is no longer required, it will be securely deleted or archived
  • Consent may be withdrawn at any time by contacting us; new uses will stop, but content already published (e.g. online or in printed materials) may continue to appear

l) Prospecting and Lead Generation

We may collect limited personal data (such as name, role, and business contact information) from publicly available sources like LinkedIn or company websites. This is done under our legitimate interest in promoting and developing our business.

3. Who do we share personal data with?

CMI shares your personal information with the following categories of recipient:

  • Third party processors who host and process personal information on our behalf;
  • Regulators: CMI is an awarding body and is regulated by OFQUAL. Consequently, we are required to register the details of Active Learners with OFQUAL at the point of certification and retain this information for audit and support reasons. Where relevant, we may also provide your information to the Department for Education in order to apply for an apprenticeship certificate;
  • Legal and other professional advisers, consultants and professional experts;
  • Service providers - in connection with CMI’s website or provision of products and services, such as providers of IT services and customer relationship management services;
  • Service providers - in connection with provision of learning, assessment, and training products and services (e.g. assessors, mappers, markers, moderators, certification and credentialing providers);
  • Your training provider and/or employer (as appropriate) in the case of information you give us via any CMI membership, learner, apprentice, diagnostic or career development tool you choose to use.

4. Security and Safeguards

CMI’s core systems are located inside the UK and are managed and maintained in accordance with the UK Government's Cyber Essentials standard and ISO27001.

Where processors are located outside the UK and EEA we ensure equivalent protection using legally approved safeguards, such as inclusion on the DPF list, UK adequacy regulations, International Data Transfer Agreements (IDTAs), or the UK Addendum to EU Standard Contractual Clauses (SCCs).

5. Your Data Protection Rights

You have the following rights regarding your personal data:

  • You can request all personal data we hold about you and ask us to correct any inaccuracies. Lawful basis: consent / legal obligation.
  • You can request that we limit the processing of your data where it is inaccurate, unnecessary, or processing is contested. Lawful basis: consent / legitimate interests.
  • You can request deletion of your personal data when it is no longer needed for the purposes it was collected, unless retention is required for legal, regulatory, or contractual obligations. Lawful basis: consent or legal obligation or legitimate interests.
  • You can object to the processing of your data where we rely on legitimate interests, including for direct marketing or research purposes. Lawful basis: legitimate interests.
  • You can request a copy of your personal data in a structured, commonly used, and machine-readable format where applicable. Lawful basis: consent or performance of a contract.
  • You can withdraw your consent at any time for any processing that relies on consent. Withdrawal does not affect the lawfulness of processing prior to withdrawal. Lawful basis: consent.

If you wish to exercise any of these rights, you can manage your CMI communication preferences at https://www.managers.org.uk/mycmi/my-account or unsubscribe at the bottom of any non-essential emails you may receive from us. Where allowed by applicable law there may be an administrative charge for supply of copies of data and we may also require you to provide us with appropriate identification before we comply with this request. You may also have the right to data portability.

If you have a complaint about the way in which we use your personal information you have the right to complain to our Data Protection Officer at the email address below and, if your complaint is not resolved, to the Information Commissioner https://ico.org.uk/.

6. Contact Us

Chartered Management Institute is registered on the Information Commissioner’s register of data controllers, number Z5751624.

You can contact us by writing to Chartered Management Institute, Management House, Cottingham Road, Corby, NN17 1TT or by phoning our switchboard on +44 (0)1536207360

Contact our Data Protection Officer at dpo@managers.org.uk

Page last reviewed: August 2025

Next review due: August 2026