1. Policy Purpose
This Data Protection Policy describes Informed Solutions’ commitment to protecting the rights and privacy of staff, clients, suppliers and others in accordance with the UK General Data Protection Regulation (GDPR).
Informed Solutions may change this policy from time to time by updating this page. This policy is effective from 9th May 2022.
Organisations and individuals (termed Data Subjects in GDPR parlance) are understandably, and rightly, demanding higher standards of transparency and accountability in how personal data is collected, processed and managed. The GDPR attempts to address this demand by modernising how the privacy of personal data – which could be anything from a name, phone number, IP address or biometric data – is protected, to ensure that privacy regulation is ‘in step’ with the modern digital economy.
At its heart, GDPR imposes much stricter rules on how personal data is fairly and lawfully captured, stored, processed and shared. The GDPR also accords new and stronger rights for individuals to understand and control how their personal data is used. Organisations that do not comply with the GDPR will be subject to huge financial penalties of up to 4% of global turnover or £20 million, whichever is higher. Although Informed Solutions has always taken information security and privacy extremely seriously, through this policy we must ensure that we place even greater focus on how we protect personal data that belongs to our staff, clients and suppliers.
Any breach of this policy, or of the GDPR itself, will be treated with the utmost importance and, in serious situations, this may involve taking disciplinary action.
2. Policy Scope
This policy applies to all activities conducted:
- By Informed Solutions UK and Australia staff, whether permanent, temporary or contractor.
- As part of contractual agreements between Informed Solutions and its suppliers/partners.
- As part of contractual agreements between Informed Solutions and its clients.
This policy should be read in conjunction with the following related policies that define a number of the detailed technical and organisational measures that Informed Solutions has in place to guard against: (1) unauthorised or unlawful processing of personal data; and, (2) accidental loss or destruction of personal data:
- ISO 27001 Information Security Policy.
- Digital Information and Equipment Acceptable Use Policy.
- Informed Solutions Staff Handbook.
This policy will be reviewed and updated periodically to reflect emerging best practice in data protection and information security, and to ensure compliance with any changes or amendments to the GDPR and other relevant legislation.
3. Terms and Definitions
This section explains some of the key terms, definitions and concepts that are used by, and apply under, the GDPR to facilitate understanding.
Term: Data Controller
Definition: A person or organisation that determines why and how personal data is processed.
Term: Data Processor
Definition: A person or organisation that processes personal data on behalf of a Data Controller.
‘Processing’ refers to any manual or automated operation that is performed on personal data including, but not limited to, collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, transmission, dissemination, erasure or destruction.
Term: Data Protection Officer
Definition: The member of Informed Solutions staff who is responsible for ensuring that the Company follows this Data Protection Policy and complies with the GDPR.
Term: Data Subject
Definition: An individual whose personal information is being held or processed.
Definition: A freely given, specific and informed agreement by a Data Subject to the processing of personal information about her/him. Explicit consent is needed for processing sensitive data such as:
a. Racial or ethnic origin of the data subject
b. Political opinions
c. Religious beliefs or other beliefs of a similar nature
d. Trade union membership
e. Physical or mental health or condition
f. Sexual orientation
g. Criminal record
h. Proceedings alleged or committed offences
Term: Personal Data
Definition: Any paper based or digital information about an individual that can be used to directly or indirectly identify them.
Information that can be used to directly identify an individual may include, but not be limited to: name, address, telephone number, email address or biometric data.
Information that can be used to indirectly identify an individual may include, but not be limited to: IP address or location data.
Term: Personally Identifiable Information
Definition: See ‘Personal Data’
4. Scope of Data Controller and Data Processor Activities
4.1 Personal Data that we Control and Process
Through its natural course of business, Informed Solutions controls and processes personal data relating to the following categories of individuals with whom it has a relationship for various purposes:
- Informed Solutions members of staff – This includes staff that are: (1) based in the UK and Australia; (2) permanent, temporary and contractor staff; and, (3) current, former and prospective members of staff.
- Informed Solutions client personnel – This includes personnel that are representatives of current, former and prospective clients.
- Informed Solutions supplier and Alliance Partner personnel – This includes personnel that are representatives of current, former and prospective suppliers and Alliance partners.
4.2 Data Controller Responsibilities
Informed Solutions acts as a Data Controller when processing personal data as part of the following business functions and processes:
- Personnel recruitment, management and administration.
- Finance management and administration, such as payroll, time recording and billing.
- Prospect, opportunity and bid management.
- Reputation and communications management.
- IT management and administration, such as file, email and network management.
- Corporate administration, such as hospitality, event, travel and accommodation management.
4.3 Data Processer Responsibilities
Informed Solutions is often asked to act as a Data Processor on behalf of clients during the delivery of professional services. Occasionally, Informed Solutions also engages third party suppliers and Alliance Partners to provide specialist data processing to fulfil client requirements. An example of this would be where Informed Solutions is asked to implement a cloud hosted digital solution that collects, organises, stores and uses personal data as part of an online transaction. In this instance, Informed Solutions would be a Data Processor responsible for ensuring that the digital solution complies with GDPR and a third-party supplier, such as Amazon Web Services, would be a Data Processor responsible for ensuring that the underlying cloud hosting infrastructure complies with the GDPR.
Where this is the case, contractual agreements between Informed Solutions and its supplier/partners and clients will make Data Controller and Data Processor responsibilities transparent and explicit.
5. Data Protection Measures
This section summarises the strategic measures that Informed Solutions has implemented to comply with the GDPR and prevailing UK data protection legislation.
5.1. Data Protection Principles
The GDPR places a responsibility on every Data Controller and Data Processor to process personal data in accordance with seven principles. The seven principles, and the actions that Informed Solutions will take to comply with each, is summarised below:
- Lawfulness, fairness and transparency – When acting as a Data Controller, Informed Solutions will: (1) tell Data Subjects what processing will occur to their data (transparency); (2) ensure that the processing matches the description given to the Data Subject (fairness); and, (3) ensure that the purpose is consistent with one of those specified by the GDPR (lawfulness).
- Purpose limitation – When acting as a Data Controller or Data Processor, Informed Solutions will process personal data for the specific and lawful purpose for which it was collected and not in a manner that is incompatible with that purpose.
- Data minimisation – When acting as a Data Controller or Data Processor, Informed Solutions will ensure that personal data is adequate, relevant and not excessive for the required purpose.
- Accuracy – When acting as a Data Controller or Data Processor, Informed Solutions will ensure that personal data is accurate and, where necessary, kept up-to-date.
- Storage limitation – When acting as a Data Controller or Data Processor, Informed Solutions will ensure that personal data is only kept for as long as is necessary.
- Integrity and confidentiality – When acting as a Data Controller or Data Processor, Informed Solutions will process personal data in accordance with the rights of the Data Subject under the GDPR.
- Accountability – Informed Solutions will maintain the Data Protection Measures described in this policy so that it is always capable of demonstrating compliance with principles 1 to 7.
5.2. Data Protection Officer (DPO)
The following member of Informed Solutions’ staff has been appointed as the Company’s Data Protection Officer:
Tom Weeks, Technical Director & Head of Information Security
Contact Email: email@example.com
Contact Telephone: +44 (0)161 942 2000
5.3. Data Protection System
As part of its ongoing commitment to data protection by design and by default, Informed Solutions has implemented the following technical and organisational measures to guard against: (1) unauthorised or unlawful processing of personal data; and, (2) accidental loss or destruction.
- An ISO 27001 and Cyber Essentials Plus certified Information Security Management System (ISMS) that implements Standard Operating Procedures for:
- Risk assessment and treatment.
- Organisation of Information Security (including an Information Security Policy).
- Human resources security (including information security training and awareness).
- Building and environmental Security.
- Supplier and Partner Security.
- Business Continuity Management.
- IT Asset Management.
- IT Equipment Security
- IT Network Security.
- IT Change Management.
- User Responsibilities.
- User, Network, Operating System and Application Access Control.
- Document, Data and Media Labelling, Handling and Exchange.
- Security in Client Engagements.
- Reporting and Managing Information Security Incidents, Vulnerabilities and Improvements.
- A Digital Information and Equipment Acceptable Use Policy.
- Data protection provisions in contractual agreements with suppliers and Alliance Partners.
- Data protection provisions in contractual agreements with clients.
- The appointment of a Data Protection Officer (see section 5.2)
5.4. Data Subject Rights
Where Informed Solutions is acting as a Data Controller, Informed Solutions’ ‘Data Subject Requests’ Operating Procedure specifies how Informed Solutions Data Protection Officer will resolve requests made by Data Subjects with respect to the following rights under Articles 12 to 23 of the GDPR.
- Right of access.
- Right to rectification.
- Right to erasure (‘right to be forgotten’).
- Right to restriction of processing.
- Right to data portability.
- Right to object.
Data Subject Requests should be directed to the Data Protection Officer named in section 5.2.
5.5. Data Transfers
The GDPR specifies that no personal data be transferred to a country or a territory outside the European Economic Area (EEA) unless that country or territory ensures adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of personal data.
Informed Solutions’ ‘Document, Data and Media Labelling, Handling and Exchange’ Operating Procedure (IS-ISMS-OP010) specifies how Informed Solutions manages the transfer of personal data between Informed Solutions UK and Informed Solutions Australia (and vice versa) in compliance with the GDPR.
Unless otherwise agreed, all data (not just personal data) pertaining to Informed Solutions UK operations is securely stored in the UK and will not be transferred to another country or territory without express written agreement by the relevant party(s).
5.6. Data Breaches
Informed Solutions’ ‘Reporting and Managing Information Security Incidents, Vulnerabilities and Improvements’ Operating Procedure (IS-ISMS-OP015) specifies how Informed Solutions will detect, investigate and report a personal data breach to the relevant supervisory authority:
- In the UK, the supervisory authority is the Information Commissioners Office.
- In Australia, the supervisory authority is the Office of the Australian Information Commissioner.
Any suspected data breaches will be immediately reported to the Data Protection Officer named in section 5.2.