Articles of association

---

MEKARI COLLECTIVE CIC is a Community Interest Company run for the following purpose:

To provide a safe warm creative meditative space for local and surrounding area residents. in their    local community in the Arts, Crafts and Yoga.

The CIC is based at:

First Floor Unit 1 17-21 Worcester Road
Bromsgrove
Worcestershire
B61 7DL

The CIC has adopted this safeguarding policy and expects every adult working, volunteering or helping at the CIC to support it and comply with it.  Consequently, this policy, shall apply to all staff, managers,      trustees, directors, volunteers, students or anyone working on behalf of CIC.

Purpose of the Policy

This policy is intended to protect children and adults who receive any services from us.

Under this policy, the term children shall mean any person who is under eighteen years of age.

The CIC believes that no child or young person or adult should experience abuse or harm and is committed to the protection of children, young people and adults. This policy is intended to provide guidance and overarching principles to those who represent us as volunteers or staff, to guide our approach to child protection and safeguarding.

The Risks to Children and adults

Children can be vulnerable to different forms of abuse and harm. It is important to recognise that abuse and harm of children can cover a wide range of circumstances and behaviours.   For example, children and adults can be at risk of:

- physical abuse

- emotional abuse

- parental neglect (parents with alcohol and substane abuse, domestic violence and parental mental illness) 

- sexual abuse

- female genital mutilation (FGM)

- grooming and exploitation

- trafficking and modern slavery

- exposure to or infliction of domestic abuse

- bullying or cyber bullying

- exposure to other inappropriate content or behaviour, such as violence or criminal behaviour and including but not limited to inappropriate images

- self-harm

- physical harm when engaging with activities without adequate supervision

The causal factors of any such harm and/or abuse can also be wide-ranging. For example, children can be placed at risk by family members or by members of the community.  The impact to exposure to the toxic trio, emotional neglect, exposure and lack of supervision sometimes faced by children from affluent      families are considered to be adverse childhood experiences (ACEs).  ACEs can affect brain development and change how a person’s body will respond to stress.  They have a lasting impact on an individual and the consequences of these adverse experiences can lead to long-term mental and physical health problems, as we as substance misuse and addiction in adulthood.

Safeguarding Principles

Safeguarding children and adults from harm and abuse is an essential responsibility for our CIC. We are committed to ensuring that any child and adult who comes into contact with our services is properly safeguarded. Every person under this policy must ensure that they play an active role in ensuring that children are properly safeguarded.

Every person under this policy holds responsibility for:

- remaining alert and aware of possible safeguarding risks to children (ACEs)/adults

- guarding children against harmful environments with appropriate actions (for example, adequate supervision or ensuring safe environments)

- taking positive steps to maintain the safety and well-being of children engaging with us as a CIC

- reporting concerns expeditiously and appropriately, in line with the CIC’s stated child protection procedures (see Safeguarding site information board and website policy document)

- understanding the duty to report specific concerns (and understanding how this interplays with confidentiality)

- challenging any inappropriate or harmful behaviour of any other adult and reporting this accordingly

- acting appropriately in the presence of children

- not taking any inappropriate risks

- not smoking, drinking alcohol or taking any form of illicit substances in the presence of children nor being intoxicated by any substance while in the presence of children.

Designated Safeguarding Officers (DSO) & Designated Safeguarding Lead (DSL)

The management and oversight of all child safeguarding matters is allocated to the CIC Directors named:

(The Designated Safeguarding Officer)

Susan Norton 07715 889810  Designated Safeguarding Lead

Jenniffer Taylor 07921 920717  Designated Safeguarding Officer

If an allegation or concern is made involving the actions of either the DSL or a DSO, the Board of Directors will be informed at the earliest opportunity.

External Contacts 

Safeguarding children/Adults

If you have reason to believe that a child, young person or adult is at immediate risk from harm contact the Police:

• telephone: 999 

If you have any concerns about a child or young person living in Worcestershire and feel that they may be in need of protection or safeguarding contact the Family Front Door.

Staff are available Monday to Thursday from  9.00am to 5.00pm and Fridays from 9.00am to 4.30pm.

• telephone: 01905 822666 

For assistance out of office hours (weekdays and all day at weekends and bank holidays):

• telephone: 01905 768020 

If a child is resident outside Worcestershire, a referral will be made to both Worcestershire Family Front Door and to the Safeguarding Authority in which the child is resident, and to their school DSL (where this information is known).

Confidentiality and Data Protection

All personal information we may process relating to children, shall be processed and stored in accordance with our data protection privacy policy which can be located at: 

Mekari Collective CIC, First Floor Unit 1, 17-21 Worcester Road, Bromsgrove B61 7DL

Responding to a Safeguarding Concern

Where a child is at immediate risk of serious harm, any adult present should call 999. Thereafter, the CIC's Designated Safeguarding Officer should be contacted as soon as is reasonably practicable.

Where there is a safeguarding concern but no immediate risk of serious harm, the adult who has heard or witnessed this concern should consult with an available Designated Safeguarding Officer as soon as practicable and by no later than the end of that same day.

Where any child makes a disclosure relating to harm or abuse to an adult, it is important for that adult to:

- listen calmly and carefully, showing that their views are taken seriously

- provide an appropriate and honest level of reassurance

- avoid interrogating children or asking probing, intrusive and/or leading questions

- Do not make promises regarding secrets and confidentiality with the child. Explain that what they tell you may have to be shared in order to help keep them safe. Any concern of abuse/harm must be shared with a Designated Safeguarding Officer and may lead to a safeguarding referral. 

- make a confidential written record of the discussion either during the discussion or immediately afterwards. The record should include the key details of the disclosure together with any relevant times, dates, places and names of people concerned. The information recorded should reflect the child’s own words where possible. Sign and date the document. Audio and video recordings of children making disclosures should not be made.

• refer all relevant information to an available Designated Safeguarding Officer as soon as practicable afterwards, and by no later than the end of the same day.

If a child or young person makes a disclosure concerning harm happening to another child, whether that child is part of the CIC groups or not, follow the same confidentiality and recording procedure above. Offer reassurance to the child that they have done the right thing in telling you their concern. Obtain as much information as possible about the child who is named as potentially at risk, for example their full name, school and year group, or another community group attendance eg. Scouts or a faith group.

Upon receipt of any safeguarding concern, a Designated Safeguarding Officer shall consult in confidence with the DSL. The DSL and any other relevant persons and will make any appropriate referrals to the relevant authorities, such as the applicable Local Authority Safeguarding Team (See above). A written record of discussions held and the decision made about how best to act shall be kept in a secure and confidential document.

The DSL will advise the Board that a Safeguarding concern has been raised at the earliest opportunity, maintaining the confidentiality of those concerned. The Board is to be informed if the disclosure involves a person directly associated with the activities of the CIC. In these circumstances, not less than two Directors will be selected to support the DSL and to make decisions relating to the appropriate action to be taken. Confidential information will not be disclosed further than is necessary to ensure the safety of the child, participants, volunteers and staff at the CIC.

Reporting Concerns About Other Adults

Where any person has a concern regarding the conduct of an adult connected to the CIC, which poses or may pose a safeguarding risk to children such as:

- harming a child either physically or emotionally

- exposing a child to behaviour which may cause physical or emotional harm

- engaging in criminal activity concerning a child

This must be raised in the first instance with an available Designated Safeguarding Officer (or where this is not appropriate, a member of the Board of Directors) so that the next appropriate steps may be agreed and actioned. 

We recognise that there could be circumstances where a person may need to report a matter that has taken place in a setting outside of the person's engagement with the CIC.

Usually, any appropriate steps following a safeguarding referral in respect of an individual connected to the CIC will include either:

- further initial enquiries

- escalation to the applicable Local Authority Children's Services department for assessment and/or the police for investigation

- instigation of any appropriate disciplinary, formal investigation processes and suspension of any person concerned within the CIC

- a referral to the Disclosure and Barring Service, Disclosure Scotland or Access Northern Ireland, or any other relevant regulatory bodies

Any person within the CIC who has allegations made against them shall be informed properly in a formal meeting of the particulars of the allegations and the relevant next steps which shall be taken. Such a meeting should ordinarily be held by a Designated Safeguarding Officer. On certain occasions, such a meeting may not be convened until this has been approved by any authorities involved (such as the police or the relevant Local Authority).

Any person from within the CIC who has allegations made against them shall be treated fairly. All enquires, investigations and decisions taken shall be just and fair, and communicated clearly, with the safety of any child concerned at the heart of the process.

Any person from within the CIC who makes an allegation against another person from within the CIC shall be listened to, taken seriously and shall be treated fairly and justly throughout the process of enquiries, investigations and decision making. 

Safeguarding Children at Events and Activities

Responsibilities and Planning

Typically, we may arrange the following types of events and/or activities which could involve children and adults:

Arts & Crafts and Yoga meditation weekly classes

The Designated Safeguarding Officers shall hold ultimate responsibility for the safety and appropriateness of the event. They may, however, appoint an appropriate delegate for some responsibilities for the        purpose of a specific event.

Although the Designated Safeguarding Officers and any appointed delegates will hold ultimate responsibility for overseeing the safety for events and activities, all individuals under this policy must also play an     active role in ensuring the safety of children and adults at all times.

For certain types of events or activities, we may issue an additional code of conduct, policy, or some specific other requirements which are specific to that occasion. Any such additional documentation will be made available to all those concerned (staff members, parents, guardians etc.) in advance. They should be read carefully and adhered to.

Venues

Any events or activities held by us will typically take place at:

Mekari Collective CIC Studios

First Floor 17-21 Worcester Road
Bromsgrove
Worcestershire B61 7DL

We have carried out a health and safety risk assessment of this location in reference to its safety and suitability for children. Where any events or activities are held at any other location we shall also carry out a risk assessment.

The fire safety procedure at this location can be found in the following location:

Fire safety signs are located on the Health & Safety boards located in each studio space, Fire extinguishers are maintained under contract with an outside fire safety company and are serviced annually

First Aid

We have the following first aid procedure within the CIC:

First aid boxes are kept in each studio space and in the kitchen areas. We have a first aider on site at all times

Any accident or injury concerning a child should be brought to the attention of the nearest first aider and should thereafter be formally reported to an available Designated Safeguarding Officer.

Consent Forms

We shall always obtain written consent from a parent or guardian for any event which takes place with children in attendance without their responsible parent or guardian present. Consent will be obtained as follows:

We have a parental consent form for all age groups that covers photo consent, Doctors information for emergency, parents and guardians’ telephone and address information. The file is kept securely with the main weekly register while activities are underway and locked away overnight.

Consent forms will include emergency contact details and will set out any specific safety needs/requirements for children (eg. Allergies and known health conditions).

All consent forms will be kept secure and shall be stored in accordance with our data protection privacy policy.

Supervision

For most activities and events, our procedure for supervision of children is as follows:

groups of up to 8 aged 7 to 11 have one adult tutor and one support worker
groups of 8 up to aged 12 to 15 have one adult tutor and one support worker
Groups of 10 plus ages 15 to 18 have one adult tutor and two support workers

Where we hold any events or activities whereby a child attends alongside their parent or guardian, the parent or guardian will be responsible for properly supervising their child.

Managing Behaviour of Children Generally

Whenever any adult engaged by us is faced with challenging or inappropriate behaviour from a child or with conflict between children, they must:

- treat each child fairly and equally

- approach the situation in a calm and neutral manner

- only ever use physical restraint/intervention in order to protect the immediate safety of a person, for example to prevent an injury or harm either to the child or others

- wherever it is justified to physically restrain a child or to physically intervene, the amount of force used should be kept to the absolute minimum taking into account the risk posed

- make a written record of the incident and ensure this is reported appropriately to an available Designated Safeguarding Officer

Further details regarding our procedures for managing behaviour can be located in our behaviour policy which is kept in the CIC office under Safeguarding in the file section of a locked cabinet.

Managing Risks Posed by Other Children

It is important for all adults engaged by us to recognise that children can face harm from their peers. This can commonly take the form of bullying. Bullying can be defined as any behaviour which is:

- repeated; and

- has the intention of hurting somebody either physically or emotionally.

Bulling can sometimes be motivated by prejudices based on certain groups, for example gender, ethnicity, religion, disability or sexual orientation. Bullying can often include:

- physical harm perpetrated against another child

- name calling and threats

- cyberbullying (threats and abusive comments made via technology)

Any instance of bullying or concern relating to possible bullying between children at any event or activities arranged by us will usually be dealt with by us in the first instance as follows:

All Children will be spoken direct to regarding the problem, and the matter will be dealt with according to our bullying policy. Parents/guardians will be informed.

Where any behaviour amounting to bullying continues following this, and positive supervision has not proved effective, the following steps will be taken:

Persistent bad behaviour after a reasonable warning and parental/guardian notification will result in the child concerned being excluded permanently from CIC activities.

All steps in relation to the prevention or management of bullying should be taken in consultation with a Designated Safeguarding Officer. The CIC recognises that perpetrators of bullying behaviours may themselves be in need of support and that this should also be a Safeguarding consideration.

Photography

Our Photographs

On some occasions, we may take photographs featuring children. We recognise that photography of      children carries risks, such as:

- the potential for images to be re-used, shared or adapted in a damaging or inappropriate manner

- the general risk of sharing images and the impact this could have on child's public image as they grow older

In view of these risks, we will:

- always ask for written permission from a child and their parent/guardian before taking and sharing any image of them

- always ensure that a child and their parent/guardian are properly informed how an image will be used and shared

- always ensure that a child's identity is protected as far as is possible within any published material

- ask that parents, guardians, children and any other person connected to them who may wish to share any of our published images which features other children to refrain from doing so unless they have the permission of the other children and their parent/guardian

- always store photos in accordance with our data protection policy.

Members of the Public

We ask that any members of the public attending our premises, events or activities do not take photographs.

Further information is contained in our photography policy which can be found:

this is located as part of the consent application form that we collect for each child who enrols on the workshops, this information is kept locked in the office.

Other Policies

We have referred within this document to the following other important policies which should be read in conjunction with this policy:

- Our data protection policy

- Our first aid policy

- Our photography policy

- Our behaviour policy

- Our security policy

- Our equality and diversity policy

- Our code of ethics policy

- Our complaints policy

This policy should also be read in conjunction with:

Health & Safety policy on the website

Legal Framework

This policy has been drawn up in accordance with all relevant and applicable legislation and guidance available to the CIC in the jurisdictions it operates within (England).

Signed by The Chair of The Board

Annual Review Date: 20/1/26

Contents

MEKARI COLLECTIVE CIC

1. Introduction 2

2. Information Security Policy 2

3. Acceptable Use Policy 2

4. Disciplinary Action 3

5. Protect Stored Data 3

6. Information Classification 3

7. Access to the sensitive data 3

8. Physical Security 4

9. Protect Data in Transit 5

10. Disposal of Stored Data 5

11. Security Awareness and Procedures 5

12. Network security 6

13. System and Password Policy 6

14. Anti-virus policy 7

15. Patch Management Policy 7

16. Remote Access policy 9

17. Vulnerability Management Policy 9

18. Configuration standards: 9

19. Change control Process 10

20. Audit and Log review 11

21. Secure Application development 12

22. Penetration testing methodology 13

23. Incident Response Plan 15

24. Roles and Responsibilities 18

25. Third party access to card holder data 19

26. User Access Management 19

27. Access Control Policy 20

1. Introduction 

This Policy Document encompasses all aspects of security surrounding confidential Mekari information and must be distributed to all company tutors and volunteers. All company tutors and volunteers must read this document in its entirety and sign the form confirming they have read and understand this policy fully. This document will be reviewed and updated by Mekari Directors on an annual basis or when relevant to include newly developed security standards into the policy and distribute it all tutors and volunteers and contracts as applicable.

1. Information Security Policy

Mekari Collective handles sensitive student/cardholder information daily.  Sensitive Information must have adequate safeguards in place to protect them, to protect student/cardholder privacy, to ensure compliance with various regulations and to guard the future of the organisation.

Mekari Collective commits to respecting the privacy of all its students and to protecting any data about students from outside parties.  To this end Mekari are committed to maintaining a secure environment in which to process student/cardholder information so that we can meet these promises.

Tutors/volunteers handling Sensitive student/cardholder data should ensure:

• Handle Mekari and student/cardholder information in a manner that fits with their sensitivity;
• Limit personal use of Mekari information and communication systems and ensure it doesn’t interfere with your job performance;
• Mekari reserves the right to monitor, access, review, audit, copy, store, or delete any electronic communications, equipment, systems and network traffic for any purpose;
• Do not use e-mail, internet and other Mekari resources to engage in any action that is offensive, threatening, discriminatory, defamatory, slanderous, pornographic, obscene, harassing or illegal;
• Do not disclose personnel information unless authorised;
• Protect sensitive student/cardholder information;
• Keep passwords and accounts secure;
• Request approval from Mekari prior to establishing any new software or hardware, third party connections, etc.; 
• Do not install unauthorised software or hardware, including modems and wireless access unless you have explicit Mekari approval;
• Always leave desks clear of sensitive student/cardholder data and lock computer screens when unattended;
• Information security incidents must be reported, without delay, to the individual responsible for incident response locally – Please find out who this is.

We each have a responsibility for ensuring Mekari systems and data are protected from unauthorised access and improper use.  If you are unclear about any of the policies detailed herein you should seek advice and guidance from the Mekari Directors.

1. Acceptable Use Policy

Mekari’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to Mekari’s established culture of openness, trust and integrity. Mekari is committed to protecting the tutors and volunteers and Mekari from illegal or damaging actions by individuals, either knowingly or unknowingly.

• Tutors and volunteers are responsible for exercising good judgment regarding the reasonableness of personal use.
• Tutors and volunteers should ensure that they have appropriate credentials and are authenticated for the use of technologies
• Tutors and volunteers should take all necessary steps to prevent unauthorized access to confidential data which includes student/card holder data. 
• Tutors/volunteers should ensure that technologies should be used and setup in acceptable network locations
• Keep passwords secure and do not share accounts. 
• Authorized users are responsible for the security of their passwords and accounts. 
• All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature. 
• All Password and PIN entry devices should be appropriately protected and secured so they cannot be tampered or altered.
• Because information contained on portable computers is especially vulnerable, special care should be exercised. 
• Postings by tutors/volunteers from a Mekari email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of Mekari Collective, unless posting is in the course of business duties. 
• Tutors/volunteers must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code. 

1. Disciplinary Action  

Violation of the standards, policies and procedures presented in this document by an employee will result in disciplinary action, from warnings or reprimands up to and including termination of employment. Claims of ignorance, good intentions or using poor judgment will not be used as excuses for non compliance. 

1. Protect Stored Data  

• All sensitive student/cardholder data stored and handled by Mekari Collective and its tutors/volunteers must be securely protected against unauthorised use at all times. Any sensitive student/card data that is no longer required by Mekari Collective for business reasons must be discarded in a secure and irrecoverable manner.
• If there is no specific need to see the full students details, it has to be masked when displayed.
• If records which are not protected as stated above should not be sent to the outside network via end user messaging technologies like chats, ICQ (I seek you) messenger etc.,

It is strictly prohibited to store: 

1. The contents of the students details are not to be displayed or used on any social media whatsoever.  
2. Information Classification

Data and media containing data must always be labelled to indicate sensitivity level

• Confidential data might include information for which there are legal requirements for preventing disclosure of that would cause severe damage to Mekari if disclosed or modified.  Confidential data includes student/cardholder data.
• Internal Use data might include information that the data owner feels should be protected to prevent unauthorized disclosure; 
• Public data is information that may be freely disseminated.

1. Access to the sensitive student/cardholder data

All Access to sensitive student/cardholder should be controlled and authorised. Any Job functions that require access to student/cardholder data should be clearly defined.

• Any display of student/card holder should be restricted at a minimum of the first 6 and the last 4 digits of the cardholder data.
• Access rights to privileged user ID’s should be restricted to least privileges necessary to perform job responsibilities
• Privileges should be assigned to individuals based on job classification and function (Role based access control)
• Access to sensitive student/cardholder information such as personal information and business data is restricted to tutors that have a legitimate need to view such information. 
• No other tutors/volunteers should have access to this confidential data unless they have a genuine business need. 
• No student/cardholder data is shared with a (3rd party) unless it is a safeguarding issue.

1. Physical Security  

Access to sensitive information in both hard and soft media format must be physically restricted to prevent unauthorised individuals from obtaining sensitive data. 

• Tutors/volunteers are responsible for exercising good judgment regarding the reasonableness of personal use.
• Tutors/volunteers should ensure that they have appropriate credentials and are authenticated for the use of technologies
• Tutors/volunteers should take all necessary steps to prevent unauthorized access to confidential data which includes student/card holder data. 
• Tutors/volunteers should ensure that technologies should be used and setup in acceptable network locations
• All files manual or computerised that hold data should be maintained.
• Tutors/volunteers using the computerised files should be trained to report suspicious behaviour and indications of tampering of the devices to the appropriate Mekari Directors.  
• Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. 
• Media is defined as any printed or handwritten paper, received faxes, floppy disks, back-up tapes, computer hard drive, etc.  
• Under no circumstances should there be media containing sensitive studentcardholder information.
• Visitors must always be escorted by a trusted member of the Mekari Team when in areas that have young children/ people or where information is kept.
• Procedures must be in place to help all personnel easily distinguish between Mekari staff and visitor. A “visitor” is defined as a vendor, guest of an employee, service personnel, anyone who needs to enter the premises for a short duration, usually not more than one day.
• Strict control is maintained over the internal information regarding any students.  Should a tutor need to take over a class as a teacher is ill then information of students may be shared  which has to be approved by the Mekari Team.
• Strict control is maintained over the storage and accessibility of media
• All computer that store sensitive data must have a password protected screensaver enabled to prevent unauthorised use. 

1. Protect of Data   

All sensitive data must be protected securely if it is to be transported physically or electronically. 

• Data must never be sent over the internet via email, instant chat or any other end user technologies.
• If there is a business justification to send data via email or via the internet or any other modes then it should be done after authorization and by using a strong encryption mechanism.    

1. Disposal of Stored Data

• All data must be securely disposed of when no longer required by Mekari Collective, regardless of the media or application type on which it is stored.
• An automatic process must exist to permanently delete on-line data, when no longer required.
• All hard copies of data must be manually destroyed as when no longer required for valid and justified business reasons. A quarterly process must be in place to confirm that all non-electronic data has been appropriately disposed of in a timely manner.
• Mekari will have procedures for the destruction of hardcopy (paper) materials. These will require that all hardcopy materials are shredded or incinerated so they cannot be reconstructed.
• Mekari will have documented procedures for the destruction of electronic media. These will require:
  • All data on electronic media must be rendered unrecoverable when deleted e.g. through degaussing or electronically wiped using military grade secure deletion processes or the physical destruction of the media;
  • If secure wipe programs are used, the process must define the industry accepted standards followed for secure deletion.
• All information awaiting destruction must be held lockable storage clearly marked “To Be Shredded” - access to this must be restricted.

1. Security Awareness and Procedures  

The policies and procedures outlined below must be incorporated into Mekari practice to maintain a high level of security awareness. The protection of sensitive data demands regular training of all tutors and volunteers. 

• Review handling procedures for sensitive information and hold periodic security awareness meetings to incorporate these procedures into day to day Mekari practice. 
• Distribute this security policy document to all tutors and volunteers to read. It is required that all staff confirm that they understand the content of this security policy document by signing an acknowledgement form.
• All tutors and volunteer that handle sensitive information and working with children, young people and vulnerable students will undergo background checks (such as criminal and credit record checks, within the limits of the local law) (DBS) before they commence their employment with Mekari Collective. 
• Company security policies must be reviewed annually and updated as needed. 

1.  Network security

• Firewalls must be implemented at each internet connection and any demilitarized zone and the internal company network.
• Network security is maintained and reviewed every 6 months.
• Firewall and router configurations must restrict connections between untrusted networks and any systems.

1. System and Password Policy

All users with access to Mekari systems, are responsible for taking the appropriate steps, to select and secure their passwords.

1. Be as long as possible (never shorter than 6 characters).
2. Include mixed-case letters, if possible.
3. Include digits and punctuation marks, if possible.
4. Not be based on any personal information.
5. Not be based on any dictionary word, in any language. 

• If an operating system without security features is used then an intruder only needs temporary physical access to the console to insert a keyboard monitor program. If the workstation is not physically secured, then an intruder can reboot even a secure operating system, restart the workstation from his own media, and insert the offending program.
• To protect against network analysis attacks, both the workstation and server should be cryptographically secured.

1. Anti-virus policy

• All machines must be configured to run the latest anti-virus software. The preferred application to use is AVG Anti-Virus software, which must be configured to retrieve the latest updates to the antiviral program automatically on a daily basis. The antivirus should have periodic scanning enabled for all the systems.
• The antivirus software in use should be cable of detecting all known types of malicious software (Viruses, Trojans, adware, spyware, worms and rootkits)
• All removable media (for example floppy and others) should be scanned for viruses before being used.
• Master Installations of the Antivirus software should be setup for automatic updates and periodic scans
• Users must not be able to modify and any settings or alter the antivirus software
• E-mail with attachments coming from suspicious or unknown sources should not be opened. All such e-mails and their attachments should be deleted from the mail system as well as from the trash bin. No one should forward any e-mail, which they suspect may contain virus.

1. Change Control Process

• All change requests shall be logged whether approved or rejected on a standardised and central system. The approval of all change requests and the results thereof shall be documented. A documented audit trail, maintained at a Business Unit Level, containing relevant information shall be maintained at all times.  This should include change request documentation, change authorisation and the outcome of the change.  No single person should be able to effect changes to production information systems without the approval of other authorised personnel.
• A risk assessment shall be performed for all changes and dependant on the outcome, an impact assessment should be performed.
• The impact assessment shall include the potential effect on other information resources and potential cost implications. The impact assessment should, where applicable consider compliance with legislative requirements and standards. 
• All change requests shall be prioritised in terms of benefits, urgency, effort required and potential impact on operations.
• Changes shall be tested in an isolated, controlled, and representative environment (where such an environment is feasible) prior to implementation to minimise the effect on the relevant business process, to assess its impact on operations and security and to verify that only intended and approved changes were made. (For more information see System Development Life Cycle [citation here]).
• All changes shall be approved prior to implementation. Approval of changes shall be based on formal acceptance criteria i.e. the change request was done by an authorised user, the impact assessment was performed and proposed changes were tested. 
• All users, significantly affected by a change, shall be notified of the change.  The user representative shall sign-off on the change. Users shall be required to make submissions and comment prior to the acceptance of the change.
• Implementation will only be undertaken after appropriate testing and approval by Mekari Directors. All major changes shall be treated as new system implementation and shall be established as a project. Major changes will be classified according to effort required to develop and implement said changes.
• Procedures for aborting and recovering from unsuccessful changes shall be documented. Should the outcome of a change be different to the expected result (as identified in the testing of the change), procedures and responsibilities shall be noted for the recovery and continuity of the affected areas. Fall back procedures will be in place to ensure systems can revert back to what they were prior to implementation of changes.
• Information resources documentation shall be updated on the completion of each change and old documentation shall be archived or disposed of as per the documentation and data retention policies.
• Specific procedures to ensure the proper control, authorisation, and documentation of emergency changes shall be in place. Specific parameters will be defined as a standard for classifying changes as Emergency changes.
• All changes will be monitored once they have been rolled-out to the production environment. Deviations from design specifications and test results will be documented and escalated to the solution owner for ratification.  

•  

• . 

   .....................

1. Incident Response Plan

'Security incident' means any incident (accidental, intentional or deliberate) relating to your communications or information processing systems. The attacker could be a malicious stranger, a competitor, or a disgruntled member of staff, and their intention might be to steal information or money, or just to damage your company.

The Incident response plan has to be tested once annually. Copies of this incident response plan is to be made available to all relevant staff members and take steps to ensure that they understand it and what is expected of them.

Tutor and volunteers of Mekari will be expected to report to the Mekari Directors of any security related issues.

Security incident response plan is as follows:

1. Report an incident to the Mekari Directors. 
2. On receiving the report the directors will advise the Mekari Team of the incident. 
3. The Team will investigate the incident and assist the potentially compromised issue in limiting the exposure of data and in mitigating the risks associated with the incident. 
4. The Team will resolve the problem to the satisfaction of all parties involved, including reporting the incident and findings to the appropriate parties as necessary. 
5. The Team will determine if policies and processes need to be updated to avoid a similar incident in the future, and whether additional safeguards are required in the environment where the incident occurred. 

1. Access Control Policy

• Access Control systems are in place to protect the interests of all users of Mekari systems by providing a safe, secure and readily accessible environment in which to work.
• Mekari will provide all tutors and volunteers with the information they need to carry out their responsibilities in as effective and efficient manner as possible.
• Access to Confidential, Restricted and Protected information will be limited to authorised persons only whose job responsibilities require it, as determined by the data owner or their designated tutor.
• Users are expected to become familiar with and abide by Mekari policies, standards and guidelines for appropriate and acceptable usage of the networks and systems.

The Mekari Directors, who have overall responsibility for this policy, will ensure the provision of adequate resources for its implementation and will regularly assess the continuing improvement of our Mekari’s capabilities and reduction of work related risk.

This policy will be brought to the attention of all tutors and volunteers working on behalf of Mekari and reviewed at least annually.

                                                           April  2025

Agreement to Comply Form – Agreement to Comply With Information Security Policies  

________________________ 

Name (printed)  

________________ 

Working on behalf of Mekari Collective CIC  

I agree to take all reasonable precautions to assure that company internal information, or information that has been entrusted to Mekari by third parties, will not be disclosed to unauthorised persons. At the end of my employment or contract with the Mekari, I agree to return all information to which I have had access as a result of my position. I understand that I am not authorised to use sensitive information for my own purposes, nor am I at liberty to provide this information to third parties without the express written consent of Mekari Directors who are the designated information owner.  

I have access to a copy of the Information Security Policies, I have read and understand these policies, and I understand how it impacts my job. As a condition of continued employment, I agree to abide by the policies and other requirements found in the Mekari security policy. I understand that non-compliance will be cause for disciplinary action up to and including dismissal, and perhaps criminal and/or civil penalties.  

I also agree to promptly report all violations or suspected violations of information security policies to the designated security officer.  

________________________ 

Signature of tutor or volunteer 

1. DATA PROTECTION PRINCIPLES

Mekari Collective is committed to processing data in accordance with its responsibilities under the GDPR. Article 5 of the GDPR requires that personal data shall be:

1. Processed lawfully, fairly and in a transparent manner in relation to individuals.
2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”

1.1 General provisions

1. This policy applies to all personal data processed by Mekari Collective. 
2. The Responsible Person shall take responsibility for Mekari’s ongoing compliance with this policy. 
3. This policy shall be reviewed at least annually. 
4. The Company shall register with the Information Commissioner’s Office as an organisation that processes personal data. 

1.2 Lawful purposes

1. All data processed by the Company must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests. 
2. Where consent is relied upon as a lawful basis for processing data, evidence of opt-in  consent shall be kept with the personal data. 
3. Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in Mekari’s systems.

1.3 Data minimisation

1. Mekari shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

1.4 Accuracy

1. Mekari shall take reasonable steps to ensure personal data is accurate. 
2. Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date. 

1.5 Archiving / removal

1. To ensure that personal data is kept for no longer than necessary, the Company shall put in place an archiving policy for each area in which personal data is processed and review this process annually. 
2. The archiving policy shall consider what data should/must be retained, for how long, and why. 

1.6 Security

1. Mekari shall ensure that personal data is stored securely using modern software that is kept-up-to-date.  
2. Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information. 
3. When personal data is deleted this should be done safely such that the data is irrecoverable. 
4. Appropriate back-up and disaster recovery solutions shall be in place. 

1.7 Breach

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, Mekari shall promptly assess the risk to people’s rights and freedoms. 

The Mekari Directors, have the overall responsibility for this policy, will ensure the provision of adequate resources for its implementation and will regularly assess the continuing improvement of our Mekari’s capabilities and reduction of work related risk.

This policy will be brought to the attention of all tutors and volunteers working on behalf of Mekari and reviewed at least annually.

      April 2025 

Health and Safety at Work etc. Act 1974

1 INTRODUCTION

Mekari have developed and implemented a Policy which encompasses all matters relating to Health and Safety. All policies are communicated to all tutors, volunteers and new starters, and our Health and Safety Policy is displayed within the main building.

Meetings are held periodically by Directors, minutes of which are recorded and distributed to relevant parties. The Mekari meetings involve discussion of any health and safety related incidents which may have occurred, changes to procedures, alerts, newly identified risks and control measures. Any actions required resulting in the meetings will be actioned in a timely manner.

Mekari Directors have carried out a number of Risk Assessments and developed Safe Systems of Work, and procedures that are task specific in support of our commitments and procedures addressed within our Health and Safety Policy. All Risk Assessments, Policies and Procedures are communicated to tutors and volunteers and retained within the main building electronically, under the control of the Directors and are available for access and review upon request by all tutors and volunteers. 

All new members will have explained Health and Safety Procedures and Policies which a form is issued and then they sign to say they have understood, all mandatory practices. 

Incident reporting, near miss/hazard alerts and safety concerns and other processes and practices relevant to maintaining good levels of health and safety to be reported in the Health and Safety Book. 

Staff are also provided with continuous training to ensure Health and safety practices are kept up to date and they understand all their responsibilities. All training is recorded within the individual staff member and logged in the Health and Safety log book.

Our statement of general policy is:

• to provide adequate control of the health and safety risks arising from our work activities;
• to consult with our tutors and volunteers on matters affecting their health and safety;
• to provide and maintain safe building and equipment;
• to ensure safe handling and use of substances; (COSHH)
• to provide information, instruction and supervision for all tutors, and volunteers.
• to ensure all tutors and volunteers are competent to do their tasks, and to give them adequate training;
• to prevent accidents and cases of work-related ill health;
• to maintain safe and healthy working conditions; and
• to review and revise this policy as necessary at regular intervals.

2 RESPONSIBILITIES

Overall and final responsibility for health and safety is that of:

Mekari Directors

Day-to-day day responsibility for ensuring this policy is put into practice is delegated to:

Mekari Directors

To ensure health and safety standards are maintained/improved, the following people have responsibility:

• Jenniffer Taylor
• Susan Norton 
• Jane Bishop 

All tutors and volunteers have to: 

• co-operate with Mekari Directors on health and safety matters;
• not interfere with anything provided to safeguard their health and safety;
• take reasonable care of their own health and safety; and
• report all health and safety concerns to an appropriate person (as detailed in this policy statement).

3 HEALTH AND SAFETY RISKS ARISING FROM OUR WORK ACTIVITIES

Risk Assessments will be undertaken by:

Mekari Directors where applicable, advice will be taken from tutors and volunteers

The findings of the risk assessments will be reported to:

Mekari Directors

Actions required to remove/control risks will be approved by:

Mekari Directors 

Person responsible for ensuring the action required is implemented:

Mekari Directors

Assessments will be reviewed every:

12 Months

Or when the work activity changes, whichever is soonest.

4 CONSULTATION WITH TUTORS AND VOLUNTEERS

Tutor and volunteer representatives are:

• Brenda Killigrew – Sandra Higgitt – Elizabeth Connolly

Consultation with tutors and volunteers is provided by:

• Monthly Meetings and handouts

5 SAFE BUILDING AND EQUIPMENT

Mekari Directors will be responsible for identifying all equipment needing maintenance

• Mekari Directors will be responsible for ensuring effective maintenance procedures are drawn up.
• Mekari Directors will be responsible for ensuring that all identified maintenance is implemented.
• Any problem found with equipment should be reported to Mekari Directors
• Mekari Directors will check that new equipment meets health and safety standards before it is purchased.

6 SAFE HANDLING AND USE OF SUBSTANCES

• Mekari Directors will be responsible for identifying all substances which need a COSHH assessment.
• Mekari Directors will be responsible for undertaking COSHH assessments
• Mekari Directors will be responsible for ensuring that all actions identified in the assessments are implemented.
• Mekari Directors will be responsible for ensuring that all relevant employees are informed about the COSHH assessments.
• Mekari Directors will check that new substances can be used safely before they are purchased.
• Assessments will be reviewed every:

12 Months

Or when the work activity changes, whichever is soonest.

7 INFORMATION, INSTRUCTION AND SUPERVISION

• The Health and Safety Law poster is displayed in: the building.
• Health and safety advice is available from Mekari Directors
• Supervision of young workers/trainees will be arranged/undertaken/monitored by;

Mekari Directors

• Mekari Directors are responsible for ensuring that our tutors and volunteers working at locations under the control of other staff are given relevant health and safety information.

8 COMPETENCY FOR TASKS AND TRAINING

• Induction training will be provided for all tutors and volunteers by Mekari Directors
• Job-specific training will be provided by Mekari Directors
• Training records are kept by Mekari Directors
• Training will be identified, arranged and monitored by Mekari Directors

9 ACCIDENTS, FIRST AID AND WORK-RELATED ILL HEALTH

• Health surveillance is required for all tutors and volunteers
• Health surveillance will be arranged by: Mekari Directors
• Health surveillance records will be kept by: Mekari Directors in the Office
• The first-aid boxes are kept at the: painting sink areas
• The appointed first aider is: Sue Norton
• All accidents and cases of work-related ill health are to be recorded in the accident book. The book is kept by Sue Norton in the office
• Sue Norton is responsible for reporting accidents, diseases and dangerous occurrences to the enforcing authority (HSE or your local authority depending upon where you work).

10 MONITORING

• To check our working conditions, and ensure our safe working practices are being followed, we will, conduct regular risk assessments and act on them
• Mekari Directors are responsible for investigating accidents.
• Mekari Directors are responsible for investigating work-related causes of sickness absences.
• Mekari Directors are responsible for acting on investigation findings to prevent a recurrence.

11 EMERGENCY PROCEDURES – FIRE AND EVACUATION

• Mekari Directors are responsible for ensuring the fire risk assessment is undertaken and implemented.
• Escape routes are checked by/every Mekari Directors every week.
• Fire extinguishers are maintained and checked by Mekari Directors every month.
• Alarms are tested by Mekari Directors every month.
• Emergency evacuation will be tested every month.

The Mekari Directors, have the overall responsibility for this policy, and will ensure the provision of adequate resources for its implementation and will regularly assess the continuing improvement of the company’s capabilities and reduction of work related risk.

This policy will be brought to the attention of all tutors, volunteers and anyone working on behalf of Mekari Collective and reviewed at least annually.

      April 2025 

1 GENERAL STATEMENT

The aim of this policy is to communicate the commitment of Mekari to the promotion of equality and Diversity opportunity in Mekari Collective.

It is our policy to provide employment equality and diversity to all, irrespective of:

• Gender, including gender reassignment
• Marital or civil partnership status
• Having or not having dependants
• Religious belief or political opinion
• Race (including colour, nationality, ethnic or national origins, being an Irish Traveller)
• Disability
• Sexual orientation
• Age

We are opposed to all forms of unlawful and unfair discrimination. All staff and volunteers who work for us will be treated fairly and will not be discriminated against on any of the above grounds. Decisions about recruitment and selection, promotion, training or any other benefit will be made objectively and without unlawful discrimination.

We recognise that the provision of equal opportunities in the workplace is not only good management practice, it also makes sound business sense. Our equal opportunities policy will help all those who work for us to develop their full potential and the talents and resources of the workforce will be utilised fully to maximise the efficiency of the organisation.

2 SCOPE

The equal opportunities policy applies to all employees, trainees and applicants.

3 EQUALITY COMMITMENTS

We are committed to:

• Promoting equality of opportunity for all persons
• Promoting a good and harmonious working environment in which all persons are treated with respect
• Preventing occurrences of unlawful direct discrimination, indirect discrimination, harassment and victimisation
• Fulfilling all our legal obligations under the equality legislation and associated codes of practice
• Complying with our own equal opportunities policy and associated policies
• Taking lawful affirmative or positive action, where appropriate
• Regarding all breaches of equal opportunities policy as misconduct which could lead to disciplinary proceedings.

This policy is fully supported by management and has been agreed with all employees.

4 IMPLEMENTATION

The Directors have a specific responsibility for the effective implementation of this policy. We expect all our employees to abide by the policy and help create the equality environment which is its objective.

In order to implement this policy we shall:

• Communicate the policy to all staff and relevant others (such as volunteers)
• Incorporate specific and appropriate duties in respect of implementing the equal opportunities policy into job descriptions and work objectives of all staff
• Provide equality training and guidance as appropriate, including training on induction.
• Ensure that those who are involved in assessing candidates for recruitment will be trained in non-discriminatory selection techniques
• Obtain commitments from other persons or organisations such as subcontractors or agencies that they too will comply with the policy in their dealings with our organisation and our workforce.
• Ensure that adequate resources are made available to fulfil the objectives of the policy.

5 MONITORING AND REVIEW

We will establish appropriate information and monitoring systems to assist the effective implementation of our equal opportunities policy. The effectiveness of our equal opportunities policy will be reviewed annually and action taken as necessary. For example, where monitoring identifies an under-representation of a particular group or groups, we shall develop an action plan to address the imbalance.

6 COMPLAINTS

Staff who believe that they have suffered any form of discrimination, harassment or victimisation are entitled to raise the matter through the notification of Directors. All complaints of discrimination will be dealt with seriously, promptly and confidentially.

In addition to our internal procedures, employees have the right to pursue complaints of discrimination to an industrial tribunal or the Fair Employment Tribunal under the following anti-discrimination legislation:

• Sex Discrimination (Northern Ireland) Order 1976, as amended
• Disability Discrimination Act 1995, as amended
• Race Relations (Northern Ireland) Order 1997, as amended
• Employment Equality (Sexual Orientation) Regulations (Northern Ireland) 2003
• Fair Employment and Treatment (Northern Ireland) Order 1998, as amended
• Employment Equality (Age) Regulations (Northern Ireland) 2006
• Equal Pay Act (Northern Ireland) 1970, as amended.

However, staff wishing to make a complaint to a tribunal will normally be required to raise their complaint under our internal grievance procedures first. Every effort will be made to ensure that employees who make complaints will not be victimised. Any complaint of victimisation will be dealt with seriously, promptly and confidentially. Victimisation will result in disciplinary action and may warrant dismissal.

The Directors, have the overall responsibility for this policy, will ensure the provision of adequate resources for its implementation and will regularly assess the continuing improvement of Mekari’s capabilities and reduction of work related risk.

This policy will be brought to the attention of all staff and volunteers working on behalf of Mekari and reviewed at least annually.

      April 2025

Mekari Collective provides first-class services to customers for whom quality, reliability and efficiency are critical. Our organisation is defined not only by its capabilities and its markets, but by the way it does things.

1 OUR CORE PRINCIPLES

In everything that we do, we will abide by these four principles:

• To comply with the law, wherever we operate, and to be sensitive to local customs and traditions.

• To conduct all our business and make all our decisions within a clear ethical framework.

• To maintain safe and healthy work places, operate safe systems and methods of work and ensure the safety of the public.

• To contribute positively to the physical and social environments in which we operate.

2 OUR KEY COMMITMENTS

In addition to our core principles, we make the following commitments to our customers, co-workers and volunteers.

Customers

• To create, develop and sustain strong and long-lasting relationships with our customers.
• To achieve a thorough understanding of our customers' aims and needs in order to ensure that we satisfy them.
• To deliver high-quality teaching and services to agreed cost specifications and timescales.

Co-workers, Volunteers

• To create a safe, healthy, challenging, rewarding, participative, fair working environment for all people.
• To utilise the full skills of all our staff through effective selection, training and development.

Other Organisations

• To create, develop and sustain strong and long-lasting relationships with our local organisations
• To engage with and promote efficiency to the benefit of all parties.
• To work only with those whose principles, policies and practices are compatible with our own.

The Wider Community

• To seek to contribute positively to the communities in which we work.
• To operate sustainably in all that we do so as to avoid compromising the ability of future generations to meet their own needs. Beatty plc

3 CONFIDENTIALITY

We are committed to maintaining the highest degree of integrity in all our dealings with potential, current and past customers, both in terms of normal confidentiality, and the protection of all personal information received in the course of providing good training tuition and workshops 

4 PROFESSIONAL CONDUCT

We conduct all of our activities professionally and with integrity. 

5 ETHICS 

We always conduct our own services honestly and honourably,and expect our clients and customers to do the same. Our advice, strategic assistance and the methods imparted through our training, take proper account of ethical considerations, together with the protection and enhancement of the moral position of our clients and customers.

6 DUTY OF CARE 

Our actions and advice will always conform to relevant law, and we believe that all businesses and organisations should avoid causing any adverse effect on the human rights of people in the organisations we deal with, the local and wider environments, and the well-being of society at large. 

8 CONTRACTS

Our contract will usually be in the form of a detailed proposal, including aims, activities, costs, timescales and deliverables. The quality of our service and the value of our support provide the only true basis for continuity. We always try to meet our customers' contractual requirements.

9 RATES

Our rates are always competitive for what we provide, which is high quality service. We always try to propose solutions which accommodate our customers' available budgets and timescales. 

10 PAYMENT

We aim to be as flexible as possible in the way that our services our charged. We make no attempt to charge interest on late payments, so we expect payments to be made when agreed. Our terms are generally net monthly in arrears. 

11 QUALITY ASSURANCE 

We maintain the quality of what we do through constant ongoing review with our customers, of all aims, activities, outcomes and the cost-effectiveness of every activity. We encourage regular review meetings and provide regular progress reports. 

12 EQUALITY AND DISCRIMINATION

We always strive to be fair and objective in our advice and actions, and we are never influenced in our decisions, actions or recommendations by issues of gender, race, creed, colour, age or personal disability. 

The Directors, who have overall responsibility for this policy, will ensure the provision of adequate resources for its implementation and will regularly assess the continuing improvement of our company’s capabilities and reduction of work related risk.

This policy will be brought to the attention of all staff co-workers and volunteers working on behalf of the Company and reviewed at least annually.

      April 2025