Data Protection Policy
Purpose
The purpose of this policy is to set out how the company meets its legal and regulatory requirements under the GDPR and the Data Protection Act 2018 and upholds the rights of data subjects.
Scope
This policy applies to third-party users of this website and to Personal Data as defined by the GDPR.
Principle
Personal data is classified and treated as classification level Confidential, and all associated policies, controls and processes apply.
Data Protection Policy Statement
The company is classed as a Data Controller or Data Processor depending on the context of the processing, under the current UK Data Protection Act 2018. This policy confirms our commitment to protect the privacy of the personal information of our customers, clients, employees, and other interested parties. We have engaged in a programme of Information Security Management aligned to the international standard ISO27001 to ensure that the processing of personal information is conducted using best-practice processes.
Legal Basis for Processing
Article 6 of the GDPR provides the legal basis under which Personal Data can be processed. Our legal basis for processing is documented in our Record of Processing Activities.
Data protection principles
The company is committed to processing data in accordance with its responsibilities under the General Data Protection Regulation (GDPR) and Data Protection Act 2018. Article 5 of the GDPR requires that personal data shall be:
Lawfulness, Fairness and Transparency
- processed lawfully, fairly and in a transparent manner in relation to individuals
We have reviewed and documented the data that we control and/or process and determined the legal basis for processing. We provide privacy notices and inform data subjects of their rights as well as what processing takes place, by whom, for how long and why.
Purpose Limitation
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be incompatible with the initial purposes
We ensure we only process data for the purposes for which it has been collected and communicated, and not for other reasons without the agreement and knowledge of the Data Subject(s).
Data Minimisation
- adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed
We ensure that data collected is not excessive and is appropriate to the purpose for which it was collected. We conduct Data Privacy Impact Assessments as part of our project lifecycle.
Accuracy
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased, or rectified without delay
We ensure that data is reviewed and assessed for accuracy on a periodic basis and have implemented processes for the rectification and erasure of data without undue delay.
Storage Period Limitation
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals
We have implemented a data retention policy and data retention schedule in line with legal, regulatory and company needs.
Integrity and Confidentiality
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures.
We have implemented an information security management system in line with ISO 27001, the international standard for information security. We have a culture of information security and assess security controls and requirements throughout the project life cycle.
Personal Information Classification and Handling
Personal data classification and handling is in line with the Information Classification and Handling Policy.
Personal Information Retention
Personal data is retained and destroyed in line with the Information Classification and Handling Policy, Asset Management Policy, and the Data Retention Schedule.
Personal Information Transfer / Transmit
Personal data is transferred in line with the Information Transfer Policy and employees ensure the appropriate level of security in line with the policy and company processes.
Personal Information Storage
Personal Information storage is in line with the Information Classification and Handling Policy, Physical and Environmental Security Policy, Cryptographic Control and Encryption Policy, Backup Policy, and the Data Retention Schedule.
Breach
In the event of a breach of the principles of the Data Protection Act 2018, employees inform their line manager and/or a member of the Management Review Team and/or Senior Management, and invoke the Incident Management Process. Breaches are assessed and, where appropriate and required, the Data Subjects and/or the Information Commissioner's Office are informed without undue delay.
The Rights of Data Subjects
The right to be informed
Individuals have the right to be informed about how we use their Personal Data. This includes:
- The name and contact details of our organisation.
- The name and contact details of our representative (if applicable).
- The contact details of our data protection officer (if applicable).
- The purposes of the processing.
- The lawful basis for the processing.
The right of access
- Individuals have the right to access their personal data.
- This is commonly referred to as subject access.
- Individuals can make a subject access request verbally or in writing.
- We have one month to respond to a request.
- We cannot charge a fee to deal with a request in most circumstances.
The right to rectification
- The GDPR includes a right for individuals to have inaccurate personal data rectified or completed if it is incomplete.
- An individual can make a request for rectification verbally or in writing.
- We have one calendar month to respond to a request.
- In certain circumstances we can refuse a request for rectification.
The right to erasure (the right to be forgotten)
- The GDPR introduces a right for individuals to have personal data erased.
- The right to erasure is also known as ‘the right to be forgotten’.
- Individuals can make a request for erasure verbally or in writing.
- We have one month to respond to a request.
- The right is not absolute and only applies in certain circumstances.
- This right is not the only way in which the GDPR places an obligation on us to consider whether to delete personal data.