GDPR Policy Statement

Objective

To provide clarity on the company position on system and data security to ensure we meet the expectations of our employees, customers and suppliers.

Definitions

The business – Netmetix Limited, 4 Sycamore Court, Birmingham Road, Allesley, Coventry, CV5 9BA.

Overview

The business follows a set of general industry best practices and recommendations to continually improve and enhance the policies we apply to our IT systems and ultimately the protection of company data.

These policies are based on our interpretation of current industry best practice and our understanding of current legislation on data protection and security, such as the DPA, the GDPR (May 2018) and the Cyber Essentials Framework.

As a business we maintain and secure our own data which may contain personal information of internal company employees and our suppliers and customers. As such, we have a duty to ensure that this data is stored as safely and securely as possible.

We only process personal data for core business purposes and therefore do not have to register with the Information Commissioner's Office (ICO).

This document has been produced based upon the guidance issued by the ICO and in line with general best practice.

Although we do not require a full-time data protection officer, the business has appointed Greig Schofield (Technical Director) with overall responsibility for system and data security.

Following an internal review, the business has classified itself as a data controller for internal systems and data processor for external (client) systems.

The business has also identified that a number of supplier organisations, predominantly Microsoft, are data processors or have access to personal data. Such organisations are required to comply with the GDPR and to secure any data they may receive, hold or have access to.

This data code of practice governs how we protect and handle sensitive data and is based on the following principles:

  • Data is only stored when it is absolutely necessary to do so.
  • Data is only stored in a secure environment and moved using secure methods.
  • Client or supplier data is never shared with any third parties.
  • Data is transferred between storage locations only when it is absolutely necessary to do so, and always by a secure means.
  • Data is only accessed by those who need it to perform their duties to the business.

All company staff have undergone data protection training, are versed in the six principles of the GDPR and are aware of the processes and procedures to follow in respect of GDPR legislation.

GDPR Specific

Sensitive Data and High-Risk Processing

The business's understanding of sensitive data is as follows:

This is personal data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.

The business has determined it does not directly process any data belonging to customers or suppliers. Any personal data collected falls within the normal remit of the business and is used for essential daily operations. Any such data will only be used for that purpose. The business has policies in place to ensure any such data is checked to confirm it is still required, and deleted securely if it is determined there is no further requirement. Any such data will be fully removed from our secure archive system within 1 year.

Risk to Individuals

The business has determined there is minimal risk to individuals based upon the data stored: the data is minimal, business related, held securely and not used for any purpose other than conducting essential business.

High-risk processing includes profiling or processing that could lead to discrimination, identity theft, damage to reputation or reversal of pseudonymisation. It includes any processing of sensitive personal data or personal data about children or other vulnerable persons, or processing that involves large amounts of personal data.

Six General Principles

All business staff have been trained in GDPR and are aware of the six principles being defined as:

  • Lawfulness, fairness and transparency – Personal data must be processed lawfully, fairly and in a transparent manner;
  • Purpose limitation – Personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (with exceptions for public interest, scientific, historical or statistical purposes);
  • Data minimisation – Personal data must be adequate, relevant and limited to what is necessary in relation to purposes for which they are processed;
  • Accuracy – Personal data must be accurate and, where necessary, kept up to date. Inaccurate personal data should be corrected or deleted;
  • Retention – Personal data should be kept in an identifiable format for no longer than is necessary (with exceptions for public interest, scientific, historical or statistical purposes); and
  • Integrity and confidentiality – Personal data should be kept secure.

Conditions

It is anticipated that the business will process data where there is either:

Legitimate interests – The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Public authorities cannot rely on this condition.

OR:

Consent – The individual has given consent to the processing for one or more specific purposes.

OR, in the case of sensitive information:

Conditions will be established on a case-by-case basis.

OR, in the case of a child:

Consent will be authorised by a parent.

Data Security

The business has determined that data security is satisfactory in respect of access rights, relevant data and infrastructure security; however, the business is also investigating additional measures such as:

  • The pseudonymisation and encryption of personal data;
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of its information technology systems;
  • The ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Handling Third Party Data (Data Processor)

Overview / Responsibilities

As a business we support a number of organisations, providing third-party external IT services. At some time or another we may have a requirement to access their internal systems to provide support. To ensure the security of our and their systems, a number of basic data-handling steps should be followed when accessing them.

We configure third-party systems following best practice for performance and security.

Where applicable:

  • We may be responsible for configuring and managing firewalls and other system points of entry.
  • We may take overall responsibility for the business's infrastructure, and the customer must be kept informed as to what actions are being carried out by any third parties or indeed by the customer.
  • When we require access to a customer's systems, we will arrange and agree this beforehand via email or phone call.
  • We ensure that our staff processing the data are subject to a duty of confidence.
  • We take appropriate measures to ensure that any data processed is handled securely and with confidentiality.
  • Where a sub-processor (Microsoft, for example) is utilised, we will gain prior consent from our supported organisation (Third Party/Data Controller) and apply a processor-sub-processor contract.
  • The business will assist the Data Controller/Third Party in providing subject access and allowing data subjects to exercise their rights under the GDPR.
  • The business will assist the Data Controller/Third Party in meeting its GDPR obligations in relation to the security of processing, the notification of personal data breaches and data protection impact assessments.
  • The business will delete or return all personal data to the controller as requested at the end of the contract.
  • The business must assist the Controller/Third Party in submitting to audits and inspections, provide the controller with whatever information it needs to ensure that both parties are meeting their Article 28 obligations, and tell the controller immediately if it is asked to do something that infringes the GDPR or other data protection law of the EU or a member state.