Data Protection Policy, including GDPR & Key Procedures

Aims of this Policy

CCR3 Limited needs to keep certain information on its clients and associate partners clients to carry out its day to day operations, to meet its objectives and to comply with legal obligations.

The organisation is committed to ensuring any personal data will be dealt with in line with the Data Protection Act 1998. In addition, CCR3 has taken the steps outlined by the IDC to comply with GDPR as there are some differences which may apply to our operations. To comply with the law, personal information will be collected and used fairly, stored safely and not disclosed to any other person unlawfully.

The aim of this policy is to ensure that everyone handling personal data is fully aware of the requirements and acts in accordance with data protection procedures. This document also highlights key data protection procedures within the organisation.

This policy covers all parties associated contractually with CCR3

According to IDC, the European Union (EU) General Data Protection Regulation (GDPR) is the most significant privacy regulation update since 1995. GDPR was passed in April 2016 and will take effect on 25 May 2018.

Every organisation, including CCR3 Limited, that collects and/or processes data of people in the EU is subject to GDPR and needs to comply. There are five processes required to comply.

This outlines what CCR3 has done in advance to be compliant in GDPR and how using a data management platform enables us to comply.

• We set up a cross-functional data governance team. Currently this consists of the CEO, the CFO and the COO.
• We launched a data mapping and analytics programme. CCR3 has integrated an analytics engine that can map data and provide real time reporting functions to provide accurate data lists from all servers and systems.
• We use a single platform for data governance and policy management, and extend data governance and control to cloud-based data. We align the same robust practices we apply from our server data policy to all of our cloud based systems.
• We use ultra modern MySQL database design techniques and the Advanced Encryption Standard (AES) encryption algorithm that supports 128-bit encryption on our data vaults. We use 128-bit encryption as a data/file encryption technique that uses a 128-bit key to encrypt and decrypt our data files. Our latest technology update was in August 2017, and would define our systems as state of the art in terms of technology attributes and processes with regards to structured and unstructured data. We have the ability to data mine and/or report on any and all aspects of the data we hold.
• Although the data we hold is basic in nature and restricted to name, email, gender, roles and organisation, we have developed an incident response process for communication with both the local data protection authority and with the public so that we can control what information gets disseminated in the event of our systems being breached.

Definitions

In line with the Data Protection Act 1998 principles, as well as the current GDPR guidelines, CCR3 Limited will ensure that personal data will:

• Be obtained fairly and lawfully and shall not be processed unless certain conditions are met
• Be obtained for a specific and lawful purpose
• Be adequate, relevant but not excessive
• Be accurate and kept up to date
• Not be held longer than necessary
• Be processed in accordance with the rights of data subjects
• Be subject to appropriate security measures
• Not to be transferred outside the European Economic Area (EEA)

The definition of ‘Processing’ is obtaining, using, holding, amending, disclosing, destroying and deleting personal data. This includes some paper based personal data as well as that kept on computer.

The Personal Data Guardianship Code suggests five key principles of good data governance on which best practice is based. CCR3 Limited will seek to abide by this code in relation to all the personal data it processes, i.e.

• Accountability: those handling personal data follow publicised data principles to help gain public trust and safeguard personal data.
• Visibility: Data subjects should have access to the information about themselves that an organisation holds. This includes the right to have incorrect personal data corrected and to know who has had access to this data.
• Consent: The collection and use of personal data must be fair and lawful and in accordance with the DPA’s eight data protection principles. Personal data should only be used for the purposes agreed by the data subject. If personal data is to be shared with a third party or used for another purpose, the data subject’s consent should be explicitly obtained.
• Access: Everyone should have the right to know the roles and groups of people within an organisation who have access to their personal data and who has used this data.
• Stewardship: Those collecting personal data have a duty of care to protect this data throughout the data life span.

Type of information processed

CCR3 Limited processes the following personal information:

• Name/s
• Emails
• Telephone numbers
• Address
• Role titles & Descriptions
• Encoded data from our systems – encrypted

Personal information is encrypted and kept in/on the following forms:

• Data Base
• PDF formats – protected
• Word Documents – protected
• Cloud Based Services
• Encrypted Servers

Groups of people within the organisation who will process personal information are:

• Only CCR3 Limited Employees or designated CCR3 Contracted Associates

Notification

If necessary, due to the needs of a specific client/body that requires publication of the data, any such need for processing personal data would be recorded on the public register maintained by the Information Commissioner. We would notify and/or renew our notification on an annual basis as the law requires.

If there are any interim changes, these will be notified to the Information Commissioner within 28 days.

The name of the Data Controller within our organisation as specified in our notification to the Information Commissioner is Lorraine Hucker.

Responsibilities

Under the Data Protection Guardianship Code, overall responsibility for personal data in our organisation rests with the Cross Functional Data Governance Team (DGT). In the case of CCR3 Limited, this is members of the Senior Management Team.

The DGT delegates tasks to the Data Controller. The Data Controller is responsible for:
• understanding and communicating obligations under the Act
• identifying potential problem areas or risks
• producing clear and effective procedures
• notifying and annually renewing notification to the Information Commissioner, plus notifying of any relevant interim changes

All CCR3 Staff and associates who process personal information under this section are trained to ensure they not only understand but also act in line with this policy and the data protection principles.

Any breach of this policy will result in the appropriate action being taken to protect the client’s data and the integrity of CCR3 Limited.

Policy Implementation

To meet our responsibilities, CCR3 Limited will:

• Ensure any personal data is collected in a fair and lawful way;
• Explain why it is needed at the start
• Ensure that only the minimum amount of information needed is collected and used
• Ensure the information used is up to date and accurate
• Review the length of time information is held
• Ensure it is kept safely
• Ensure the rights people have in relation to their personal data can be exercised

CCR3 Limited will ensure that:

• Everyone managing and handling personal information is trained to do so
• Anyone wanting to make enquiries about handling personal information, whether a member of staff, volunteer or service user, knows what to do
• Any disclosure of personal data will be in line with our procedures

Queries about handling personal information will be dealt with swiftly and politely.

Training

Relevant training and raising awareness about the Data Protection Act/GDPR and how it is followed in this organisation will take the following forms:

• On induction

• General training/ raising awareness

In addition, general reminders, specific changes in procedures and in law are communicated throughout the company.

Gathering and checking information

Before personal information is collected, we will consider the needs of the contract and the outcomes required from our computer systems and consultative methodologies.

We will inform people whose information is gathered about the following:

• Individual findings and results
• Team Dynamics as to team interaction
• Trends and patterns identified from the results
• Suggested actions required to meet the needs of any findings

We will take the following measures to ensure that personal information kept is accurate:

• Data entered into our systems is done so with a unique identifier being assigned to a person or the data itself. There are several layers of security/encryption in our systems which prevent any crossover of data from one account to another.

• Our systems are reliant upon Mathematics. We use various methods to ensure the accuracy of the data going into our systems and methodologies and the output that results. The aim is to provide the highest measurable scores for the process. Meaning that as data is collected, the system is accurate in what it asks for and how it registers that data.

• We validate our systems every 90 days by using algorithms to identify any shift in patterns, mean scores or standard deviation thresholds. This allows our systems to process the client’s data with Mathematics that are current and correct in the regions and continents that we work within.

• Personal or sensitive information will not be used apart from the exact purpose for which permission was given.

Data Security

CCR3 Limited will take steps to ensure that personal data is kept secure at all times against unauthorised or unlawful loss or disclosure. The following measures will be taken:

• Encryption
• Firewall
• All of our URL’s are HTTPS:// secure
• Password Protection
• Permissions Based Access
• Super Admin access controls allowing blocks to any user

Any unauthorised disclosure of personal data to a third party by an employee will result in legal action and immediate dismissal.

Subject Access Requests

Anyone whose personal information we process has the right to know:

• What information we hold and process on them
• How to gain access to this information
• How to keep it up to date
• What we are doing to comply with the Act.

They also have the right to prevent processing of their personal data in some circumstances and the right to correct, rectify, block or erase information regarded as wrong.

Individuals have a right under the Act to access certain personal data being kept about them on computer and other files. Any person wishing to exercise this right should apply in writing to;

CCR3 Limited
Legal Department
Innovation Centre
1 Ainslie Road
Hillington Park
Glasgow G52 4RU

We may make a charge for information on each occasion where access is requested and granted.

The following information will be required before access is granted:

• Authorisation letter
• Appropriate Identification
• Confirmation of request being appropriate

Where we require proof of identity before access is granted, the following forms of ID will be required:

• Photographic Licence
• Passport
• Letterhead

Queries about handling personal information will be dealt with swiftly and politely.
We will aim to comply with requests for access to personal information as soon as possible, but will ensure it is provided within the 28 days required by the Act from receiving the written request, free of charge.

Review

This policy will be reviewed at intervals of 12 months to ensure it remains up to date and compliant with the law.