Alltecnique

DATA PROTECTION POLICY

May 2018

Contents

Overview
Who does this Data Protection Policy apply to?
What are the Risks?
What is ‘Personal Data’?
Complying with GDPR
The Data Protection Principles
Rights of Data Subjects
How we comply with the Data Protection Principles
How we deal with the Rights of Data Subjects
Data Security Policy
Data Retention Policy
Breaches Policy
Dealing with Subject Access Requests
Obtaining Consent for Marketing

Overview

Our Data Protection policies and procedures are designed to help keep personal data safe and to reduce the risks to personal data processed by our company. ‘Processing’ applies to anything that can be done to records, including obtaining, recording, holding, storing, disclosing, publishing, typing, writing, destroying or disposing.

This Data Protection Policy document is also intended to help us comply with our obligations under the General Data Protection Regulation (GDPR) and the UK Data Protection Regulations 2018.

Who does this Data Protection Policy apply to?

All staff and service providers are required to be aware of, understand and comply with our Data Protection policies and procedures. 

What are the Risks?

Extreme care must be taken when processing personal data. Information must be kept secure. Lost or stolen data can be used to commit offences such as fraud or identity theft. As such, personal data is a high value commodity on the black market and it is our responsibility to keep it safe and secure.

The risks of not looking after data properly include:

  • Customer detriment
  • Adverse publicity / reputational damage
  • Business interruption
  • Financial crime / Cyber crime
  • Enforcement action
  • Fines

We don’t take these risks lightly and all staff are expected to play a part in protecting our business, our customers and the personal data in our possession.

What is ‘Personal Data’?

To understand and use this policy, it is important to understand what ‘personal data’ is. The definitions under GDPR are subtly different from the old definitions under the Data Protection Act and slightly wider.

In the GDPR, ‘Personal Data’ is defined as:

any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic or social identity of that natural person

To consider whether an individual is ‘identifiable’, we need to consider all reasonable factors which could be taken into account to identify an individual directly or indirectly.

Personal data relating to the following are classed as ‘Special Categories’ of data:

  • Racial or ethnic origin
  • Political opinions, religious or philosophical beliefs
  • Trade union membership
  • Genetic and biometric data
  • Health
  • Sex life or sexual orientation

We must take additional care where we process ‘special categories’ of data and any data relating to criminal convictions. This is because the loss, theft or accidental disclosure of this type of information could potentially be quite damaging.

Complying with GDPR

To comply with the GDPR, we must:

  • Process personal data fairly, lawfully and in accordance with the rights of the data subject and the six Data Protection Principles.
  • Be able to demonstrate how we comply with the above (this is referred to as the “accountability” principle).

The Data Protection Principles

There are six Data Protection Principles:

  1. Personal data shall be processed fairly and lawfully and in a transparent manner in relation to the data subject (the principle of “lawfulness, fairness and transparency”);
  2. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  3. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (the principle of “data minimisation”);
  4. Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (the principle of “accuracy”)
  5. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  6. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (the principle of “integrity and confidentiality”)

Rights of Data Subjects

Data subjects have the following rights regarding the personal information we hold about them:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right to erasure
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and processing

How we comply with the Data Protection Principles

This document explains, in plain English, how we comply with the six Data Protection Principles.

  1. Personal data shall be processed fairly and lawfully and in a transparent manner in relation to the data subject (the principle of “lawfulness, fairness and transparency”);
  • Under GDPR, we must identify a ‘legal basis’ for each different category of personal data we process. If we don’t have an appropriate legal basis for processing each category of data, then the processing would be classed as unlawful.
  • We have carried out a data audit to identify which legal basis we use to process various categories of data and we have documented this in our Data Audit and Record of Processing Activities, using the template provided by ICO on their website.
  • We provide a Privacy Notice to our customers, where applicable. This document explains to our customers what we do with their data, on what legal basis we process it, how long we keep it for, how we keep it safe and whether it will be disclosed to anyone else.
  • The Privacy Notice also contains other information (required by GDPR) including an explanation of customers’ rights in relation to their personal data. Further information about our policies and procedures for dealing with the rights of Data Subjects is set out later in this document.
  2. Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • We tell our customers (in our Privacy Notice) why we are collecting their data and what we use it for.
  • We only collect information needed for a specific purpose and we don’t use it for anything else.
  3. Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (the principle of “data minimisation”);
  • We only collect the information we need for the purposes we need it.
  • We don’t collect, store or otherwise process irrelevant or extra information that we don’t need.
  4. Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (the principle of “accuracy”);
  • We try at all times to make sure all personal data we process is accurate, relevant and kept up-to-date.
  • When the data is no longer required, we will delete it in line with our Data Retention Policy, which is set out later in this document.
  5. Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;
  • We will only hold as much data as needed and only for as long as we need it.
  • We have explained this further in our Data Retention Policy, set out later in this document.
  6. Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (the principle of “integrity and confidentiality”).
  • We must keep data secure and protect it from being inappropriately used, lost, disclosed or stolen.
  • Our Data Security Policy, set out on the following pages, outlines our internal policies and explains the organisational and technical measures we have put in place to protect personal data.
  • We don’t currently transfer any data to a country outside the EU. If we did need to do this, we would only consider it if the country we were transferring data to had data protection rules compatible with those in the EU.

How we deal with the Rights of Data Subjects

This Data Protection Policy document explains our internal policy on dealing with the rights of data subjects.

  1. The right to be informed
  • Individuals have the right to be informed about what is happening with their personal data (including what we use it for and why).
  • Under GDPR we have to give certain information to individuals whose personal data we intend to process. We do this by providing them with a Privacy Notice, which contains all the information they need and that we are required to give them.
  • A Privacy Notice is available on our website and a copy must be given to all individuals where we intend to process their personal data.
  2. The right of access
  • Individuals have the right to access their personal data. This means they can ask for a copy of the personal data we hold on them and we are required to give it to them.
  • Our internal policy for Dealing with Subject Access Requests is set out later in this document.
  3. The right to rectification
  • Individuals have the right to insist that we correct any inaccurate or incomplete personal data we hold on them.
  • If a data subject requests rectification of the data we hold on them, we will co-operate internally to action this request as quickly as possible.
  • We consider it as important for us to hold correct data on our data subjects as it is for the data subjects themselves.
  4. The right to erasure
  • If an individual requests erasure of the personal data we hold on them, we will comply with this request only where:
      • The personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
      • The individual has withdrawn consent and there are no other legal grounds for the processing;
      • The personal data have been unlawfully processed;
      • The personal data must be erased for compliance with a legal obligation in UK law to which we are subject.
  • This is a complex matter and all requests for the erasure of personal data should be referred to our Data Security Manager Darren Cooper (Director), who will evaluate them on a case-by-case basis.
  5. The right to restrict processing
  • Individuals have the right to request that we temporarily stop processing their personal data in certain circumstances:
      • Where they contest the accuracy of the personal data;
      • Where the processing is unlawful;
      • Where we no longer need the personal data for the purposes of the processing, but they are required for the establishment, exercise or defence of legal claims;
      • Where they have objected to processing, but we need to verify whether the legitimate grounds for processing override those of the individual data subject.
  • In all cases, the Data Security Manager Darren Cooper will deal with these requests on a case-by-case basis.
  6. The right to data portability
  • Where processing of data is carried out by automated means, individuals have the right to request a copy of this data in a “structured, commonly used and machine-readable format”. They also have the right to request transmission of the data to another data controller.
  • Where a request is made for data portability, this should be referred to the Data Security Manager Darren Cooper, who will check whether it meets the requirements of the regulations and make arrangements for secure transfer of the data where applicable. These requests will be dealt with on a case-by-case basis.
  7. The right to object
  • All individuals have the right to object to processing of personal data at any time.
  • Where we receive an objection to processing from an individual data subject, this should be referred to our Data Security Manager Darren Cooper, who will assess whether it is possible to meet this request or whether another legal basis for processing may prevent this.
  • If an individual data subject objects to receiving direct marketing material, no further processing will take place for marketing purposes, other than to record the objection on a suppression list.
  8. Rights in relation to automated decision making and processing
  • Individuals have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
  • Where an individual objects to a decision which has been based on automated processing or profiling, it is our policy to review this decision manually (although this may not affect the decision).

Right to lodge a complaint with ICO

In addition to the rights described above, individual data subjects also have the right to make a complaint to ICO and we are required to tell them about this right.

It is our policy to include this information in our Privacy Notice.

Data Security Policy

This Data Protection Policy document explains our internal policy on data security and how we keep personal data safe:

  1. Office Security
  • Our premises are locked when unoccupied and fitted with alarms
  • Access to the premises is restricted to employees and customers in Reception
  • All visitors are supervised, including third party contractors, such as office cleaners
  • Staff are trained to understand the importance of security and how to keep personal data safe
  • We operate a clear-desk policy and do not leave personal data where unauthorised staff and/or third party providers can access it.
  • Paper records are stored in locked filing cabinets
  • Personal data that is no longer required is disposed of, or kept secure when disposal is not possible
  • Confidential waste is shredded and disposed of via a specialist secure disposal company. 
  • Computer disks, memory sticks, CDs and any other portable electronic devices are disposed of via an Approved/Licenced organisation.
  2. Staff
  • We carry out identity and background/reference checks when hiring a new member of staff
  • We get to know our staff and their personal circumstances and aim to be aware of any changes in their financial circumstances which could make them more susceptible to financial crime
  • Relevant staff are trained in the firm’s data protection policies and procedures, including how we deal with the data subject’s rights under GDPR.
  • Staff are required to comply with the six Data Protection Principles and with the firm’s data protection policies and procedures.
  • To prevent unauthorised disclosure of personal data over the telephone, staff must perform identity checks before giving out personal information to anyone over the telephone.
  • Access to personal data is restricted – staff do not have access to personal data they do not need
  • Access to special categories of data and data relating to criminal convictions is restricted
  • Access rights to personal data are removed promptly if a staff member changes roles or leaves
  • Staff members are not allowed to share passwords and log-on details and are not allowed to write their passwords down.
  • Staff members are responsible for ensuring that personal data is not disclosed either verbally or in writing to any unauthorised third party.
  • Staff members are not allowed to store personal data at home.
  • A periodic risk assessment and audit will take place to check our procedures remain sufficient and are being followed and to suggest improvements.
  3. IT Security
  • All systems are password protected. We do not allow personal data to be stored on portable devices.
  • Data is backed up continuously and stored securely in encrypted cloud-based storage provided by our IT partners
  • Staff access to web-based communication is restricted.
  • We do not use unsecured email to transfer personal data.
  • All systems are logged off when they are not in use.
  • Computer disks, memory sticks, CDs and any other portable electronic devices are disposed of via an Approved/Licenced organisation.
  4. Governance and Management
  • We have completed a Data Audit to make a practical assessment of the risks we run. This information has been used to document our processing activities, using the template provided by ICO on their website.
  • We have appointed a Data Security Manager Darren Cooper who is responsible for overseeing data protection within our firm and ensuring we comply with the requirements.
  • Our recruitment and staff management processes are designed to help reduce the risk of data misuse or theft within our firm
  • We conduct thorough due diligence on all third parties with access to our customers’ personal data, making sure we understand how they treat our customer data and how securely they keep it.
  • We have a comprehensive disaster recovery plan
  • Any breaches (and near misses) must be reported to the Data Security Manager Darren Cooper
  • We support an open and honest culture and encourage all staff to report any data security concerns to the Data Security Manager.

Data Retention Policy

This Data Protection Policy document explains our internal policy on how long we keep personal data and when we destroy it.

  • We process various categories of personal data which are kept for different periods of time.
  • The length of time we keep each category of data is outlined in detail in our Record of Processing Activities. This is managed and reviewed on an annual basis by the Data Security Manager Darren Cooper. Where data is no longer required, it is archived. At the end of the retention period (as specified in our Record of Processing Activities) it is securely destroyed where it is possible to do so; otherwise it is kept secure in accordance with our Data Security Policy.

Breaches Policy

This Data Protection Policy Document explains our internal policy on data breaches. This includes dealing with a breach and dealing with the reporting requirements.

If a breach of data security occurs, it is important that we deal with it effectively and quickly.

The breach may arise from a theft, a deliberate attack on our systems, from the unauthorised use of personal data by a member of staff, from accidental loss or deletion, unauthorised access, denial of access, equipment failure or inadvertent disclosure of data. However the breach occurs, all staff must respond to and manage the incident appropriately.

In the event of a breach of data security, the Data Security Manager will instigate our Breach Management Plan.

There are four important elements to our Breach Management Plan:

  1. Containment and recovery
  • In the event of a breach of personal data, our response to an incident will include an emergency meeting, a recovery plan and, where necessary, procedures for damage limitation.
  2. Assessing the risks
  • The Data Security Manager and his team will assess any risks associated with the breach, as these are likely to affect what we do once the breach has been contained.
  • In particular, the Data Security Manager will assess any potential adverse consequences for individuals; how serious or substantial these might be; and how likely they are to happen.
  3. Notification of breaches
  • The Data Security Manager and his team will consider whether the breach needs to be reported to ICO.
  • A breach is reportable if it could pose a risk to the ‘rights and freedoms’ of an individual.
  • The Data Security Manager and his team will consider the Working Party 29 Guidance on Data Breaches and any other guidance available (for example, from ICO and/or the FCA) in deciding whether a breach is reportable.
  • If the breach is reportable, it must be reported within 72 hours of becoming aware of the breach.
  • If the breach is considered not reportable, the Data Security Manager and his team will document the reasons for this.
  • All breaches must be recorded in the Breaches Log.
  • If the breach is likely to pose a high risk to the rights and freedoms of an individual, the Data Security Manager may also need to notify the individual(s) of the data breach, explaining the nature of the breach, the likely consequences, measures taken (or proposed to be taken) to address the breach and, where appropriate, the measures taken to mitigate any adverse effects, along with contact details for further information.
  • The Data Security Manager and his team will also consider notifying other regulatory bodies (for example the FCA) and other third parties such as the police and the banks.
  4. Evaluation and response
  • It is very important that we investigate the cause(s) of any breach and also evaluate how effectively we responded to it.
  • If necessary, we will update our policies and procedures and our systems accordingly.

Dealing with Subject Access Requests

This Data Protection Policy document explains our internal policy for dealing with Subject Access Requests.

  • Individuals have the right to request a copy of the personal data we hold on them and this is called a Subject Access Request.
  • Subject Access Requests can be received in any format (by email, over the phone, in person or via social media) and the individual doesn’t need to use the words ‘subject access request’. If an individual requests a copy of their data, then it is a subject access request and we must deal with it appropriately.
  • Staff are trained to recognise a Subject Access Request and to refer them to the Data Security Manager.
  • All Subject Access Requests must be referred to the Data Security Manager and will be dealt with on an individual basis, as we do not envisage a high volume of requests. This policy will be revised if we begin to receive a high volume of requests (more than 3 per week).
  • It is our policy to respond to a subject access request within 30 days.
  • It is our policy not to make a charge for Subject Access Requests, but in limited circumstances (if the request is repeated, excessive or would require a disproportionate effort) we reserve the right to make a nominal charge to cover administrative costs, where appropriate.
  • If we anticipate it will take longer than 30 days to respond to the request, we will write to the individual data subject to advise them of this and to let them know when we expect to be able to respond.
  • When responding to a Subject Access Request, we will also provide a copy of the personal data undergoing processing and, where the data has been requested electronically, we will respond, where possible, by providing the information in a commonly used electronic format.
  • We will provide information regarding:
      • The purpose of the processing
      • The categories of personal data concerned
      • The recipients or categories of recipients to whom the personal data have been or will be disclosed, including any recipients in third countries or international organisations and details of the appropriate safeguards in place
      • The envisaged period for which the data will be stored, or if not possible, the criteria used to determine that period
      • The existence of the right to request rectification or erasure of the personal data or to restrict or object to the processing of that data
      • The right to lodge a complaint with ICO
      • Where the personal data were not collected from the individual data subject, any available information as to their source
      • The existence of automated decision-making including profiling, including information about the logic involved as well as the significance and the envisaged consequences of the processing for the individual data subject

Obtaining Consent for Marketing

This Data Protection Policy document explains our internal policy for obtaining consent to contact customers for direct marketing purposes.

  • Where we obtain consent from an individual to use their personal data for marketing purposes, we must be able to prove that individual has given their consent. 
  • This means we need to record the date they gave their consent and what they consented to.
  • Ideally we will obtain this consent in writing, but if the consent is obtained verbally (for example in person or over the phone) then we will make a record of this on our system or in our client database.
  • Where we are relying on ‘consent’ as a legal basis for marketing, marketing material must not be sent out without first checking that consent has been correctly obtained and recorded.
  • Individuals must be able to withdraw their consent at any time and must be informed of how to do so.
  • Individuals must give their consent by actively opting in. In line with GDPR, consent must be unambiguous and confirmed.
  • We do not use pre-ticked boxes or ambiguous wording. Consent for marketing is requested via our Customer Satisfaction Questionnaire and does not form part of our TOBA.
  • The Data Security Manager will oversee this process to ensure that consent is correctly recorded in the system/database and that marketing material is not sent out without first checking for consent, unless we are relying on another legal basis (for example, legitimate interests). The legal basis we use for various types of marketing is outlined in our Record of Processing Activities.