Data Protection Policy

On a daily basis, our team implements critical services to improve the security of our customers’ IT systems, and the same is true of our own. You can rest assured that we take all the necessary steps to protect the data that you provide. Those steps are detailed below and if you would like to learn more about how we make use of this data, please read our Acceptable Usage Policy.

Information gathered from our website

You may choose to provide personal information to us when you register on our website to ask us to contact you or sign up for our Define Tomorrow™ events. You may be asked to provide information about yourself including (but not necessarily limited to) your name, title, postal address, telephone number and/or email address.

Information gathered to offer our products and services

If you contact us and request information and/or a quotation for the products and services we provide or become our client, we will need to obtain basic information to confirm your preferred means of communication, including your name, title and postal address, together with normal contact details for you and any other parties that will be included in any products or services we provide.

Information gathered automatically

We may also collect information automatically about your access and usage of our website using cookies and other analytical technology. Full details of our data collection methods are included in the ‘Cookie’ section below. We will use your IP address, which is a numeric code that identifies a computer on the internet, to collect internet traffic data and information on your browser type and computer. If you do not wish to receive cookies, you may reject them by amending your browser settings, unless they are required for the delivery of our website or services to visitors.

Information gathered from third parties

Additionally, we may obtain information about you from legitimate third parties, including suppliers, partners or other specialist contractors that are relevant to your enquiry, quotation or supply.

Protection of your information

We have implemented relevant administrative, technical and physical controls for our website, which are designed to mitigate the risk of loss, misuse, unauthorised processing or disclosure of the personal information that we hold.

Where we transfer information to third parties to enable them to process it on our behalf, we ensure that these third parties can meet or exceed relevant legal or regulatory requirements for transferring and securing information under their control.

We will also ensure that where information is transferred to a country or international organisation outside of the UK / EEA, we will comply with the relevant legal rules governing such transfers.

We will retain your personal information for no longer than necessary for the purposes that it was collected. Details of our information retention policy is available upon request. Our terms of business include details of how we keep clients’ personal information secure. Our processes have been certified against the requirements of the ISO27001:2013 standard, in relation to our Information Security Management System (ISMS).

1. Introduction

1.1 – This Policy sets out the principles that the Company will follow in relation to Personal Data that it holds about all Data Subjects. It also sets out your obligations in relation to Personal Data in your possession.

1.2 – If you require any clarification of the terms of this Policy, whether information amounts to Personal Data and/or whether certain actions amount to processing data, you should contact your manager.

2. Definitions

2.1 – Data is information which is stored electronically, on a computer, or in certain paperbased filing systems.

 ‘Personal Data‘ means data relating to a living individual who can be identified either from that data alone, or from that data and other information, which is held or likely to come into the possession of the data controller.

 ‘Sensitive Personal Data’ means Personal Data which consists of information regarding racial or ethnic origin, political opinions, religious or other beliefs, trade union membership, physical or mental health or condition, sex life, the commission or alleged commission of any offence or proceedings for any offence committed or alleged to have been committed (including the disposal of any such proceedings and/or the sentence of any court in such proceedings).

2.2 – Data controllers are the people who or organisations which determine the purposes for which, and the manner in which, any personal data is processed. They have a responsibility to establish practices and policies in line with the Act. 

2.3 – Data users include employees whose work involves using personal data. Data users have a duty to protect the information they handle by following our data protection and security policies at all times.

2.4 – Data processors include any person who processes personal data on behalf of a data controller. Employees of data controllers are excluded from this definition but it could include suppliers which handle personal data on our behalf.

2.5‘Data Subject‘ means an individual who is the subject of Personal Data. This includes job applicants, employees, consultants, agency workers, temporary staff, casual workers, contract workers, work experience placements, gap-year students and ex-employees.

2.6‘Processing‘ includes the holding, obtaining, recording, organising, retrieving, consulting, using, adapting, altering, disclosing, transferring, disseminating and destroying of information. Processing extends to any operation or set of operations carried out on information or data.

3. Processing Data

3.1 – The Company processes Personal Data (both manually and electronically), including Sensitive Personal Data, for a number of reasons, including but not limited to:

  • recruitment, appraisals, promotions, career planning, training and the provision of references;
  • payment of salary and benefits, payroll, taxation, national insurance (and other statutory or contractual deductions from salary) reimbursement of expenses and business travel;
  • health and safety matters;
  • review and management of HR policies and procedures;
  • disciplinary, grievance and performance management;
  • and other purposes required by law, regulation or as deemed necessary by the Company for the management of its employees and its business.

3.2 – Sensitive Personal Data is only processed by the Company for monitoring equal opportunities, diversity and employee welfare and for the purpose of providing specific services to individuals, including but not limited to:

  • sickness absence, sick pay, suitability and fitness for work, health and safety control, administration of the Company’s Medical Insurance Scheme or as a result of medical or psychological examinations conducted at the Company’s request;
  • maternity, paternity, adoption leave and pay, parental leave and/or time off for family and dependents;
  • the Company’s obligations under the Disability Discrimination Act 1995;
  • absence control; and
  • as required by applicable laws and regulations.

4. Collection of Data

4.1 – The Company collects and records Personal Data from various sources, including obtaining information from Data Subjects themselves.

4.2 – In some circumstances, data may be collected indirectly from monitoring devices (including but not limited to door access-control mechanisms, closed-circuit television and other security systems, telephone, e-mail and internet-access logs and recordings).

4.3 – Save for data collected from the Company’s security systems, data collected indirectly from monitoring devices is not routinely accessed but access is possible. Data collected from monitoring devices is accessed and reviewed regularly. Such data may be processed in circumstances including but not limited to the investigation of security breaches, abuse of the Company’s Information Technology Systems, or where the data is required for regulatory purposes.

4.4 – Anyone processing personal data must comply with the eight enforceable principles of good practice. These provide that personal data must be:

  • Processed fairly and lawfully.
  • Processed for limited purposes and in an appropriate way.
  • Adequate, relevant and not excessive for the purpose.
  • Accurate.
  • Not kept longer than necessary for the purpose.
  • Processed in line with data subjects’ rights.
  • Secure.
  • Not transferred to people or organisations situated in countries without adequate protection.

5. Transferring Data

5.1 – Personal Data may be transferred to third parties to process on the Company’s instructions subject to confidentiality arrangements approved by the Company.

6. Retaining Data

6.1 – The Company endeavours to ensure that the Personal Data held is accurate and that inaccurate, irrelevant and excessive information is either deleted or rendered anonymous as soon as reasonably practical. However, the Company may retain some Personal Data (including Sensitive Personal Data) in order to comply with legal and regulatory obligations and for other legitimate business reasons.

6.2 – The Company reserves the right, at its absolute discretion, to retain Personal Data (including Sensitive Personal Data) after the termination of your employment, for purposes including, but not limited to, equal-opportunities monitoring, health and safety records and in relation to possible or actual legal claims.

6.3 – Maintaining data security means guaranteeing the confidentiality, integrity and availability of the personal data, defined as follows:

  • Confidentiality means that only people who are authorised to use the data can access it.
  • Integrity means that personal data should be accurate and suitable for the purpose for which it is processed.
  • Availability means that authorised users should be able to access the data if they need it for authorised purposes. Personal data should therefore be stored on our central computer system instead of individual PCs.

6.4 – Security procedures include:

  • Entry controls. Any stranger seen in entry-controlled areas should be reported.
  • Secure lockable desks and cupboards. Desks and cupboards should be kept locked if they hold confidential information of any kind. (Personal information is always considered confidential.)
  • Methods of disposal. Paper documents should be shredded. Floppy disks and CD-ROMs should be physically destroyed when they are no longer required.
  • Equipment. Data users should ensure that individual monitors do not show confidential information to passers-by and that they log off from their PC when it is left unattended.

6.5 – Any member of staff dealing with telephone enquiries should be careful about disclosing any personal information held by us. In particular they should:

  • Check the caller’s identity to make sure that information is only given to a person who is entitled to it.
  • Suggest that the caller put their request in writing if they are not sure about the caller’s identity and where their identity cannot be checked.

7. Your Responsibilities 

7.1 – You must notify your manager immediately of any changes in your personal circumstances, which could cause the Personal Data held by the Company to be incorrect.

7.2 – If you are in possession of Personal Data (including but not limited to data held in spreadsheets, contained in CVs, contact lists or address books) you are obliged to ensure that such Personal Data is kept in a safe place and is not accessed by unauthorised persons. You should use secure filing cabinets and password protected computer applications as appropriate.

7.3 – The Company will make Personal Data held about you available to you upon written request. If you wish to exercise this right you should contact David Wynn, Technical Director.