At Reprise IT, we’re committed to protecting and respecting your privacy.
This Policy explains when and why we collect personal information about users who visit our website, how we use it, the conditions under which we may disclose it to others and how we keep it secure.
We may change this Policy from time to time so please check this page occasionally to ensure that you’re happy with any changes. By using our website, you’re agreeing to be bound by this Policy.
Any questions regarding this Policy and our privacy practices should be sent by email to: firstname.lastname@example.org
How do we collect information from you?
We obtain information about you when you contact us about products and services or make an enquiry via the contact page on our website.
What type of information is collected from you?
The personal information we collect might include your name, email address, IP address, and information regarding what pages are accessed and when.
How is your information used?
We may use your information to:
- supply you with our products and services
- reply to your emails
- send you communications which you have requested and that may be of interest
- carry out our obligations arising from any contracts entered into by you and us
- notify you of changes to our service
We will hold your personal information on our systems for as long as is necessary for the relevant activity, or as long as is set out in any relevant contract you hold with us.
Who has access to your information?
We will not sell or rent your information to third parties. We will not share your information with third parties for marketing purposes.
We may pass your information to our third party service providers, agents, subcontractors and other associated organisations for the purposes of completing tasks and providing services to you on our behalf (for example delivery of goods).
However, when we use third party service providers, we disclose only the personal information that is necessary to deliver the service and we have a contract in place that requires them to keep your information secure and not to use it for their own direct marketing purposes.
You have a choice about whether or not you wish to receive information from us. If you do not want to receive direct marketing communications from us relating to our products and services, then you can notify us by email to email@example.com.
Use of ‘cookies’ on this website
If you don’t want us to process your data anymore, please contact us at firstname.lastname@example.org or write to us at: Unit 3 Pound Barton, Sutton Veny, Warminster, BA12 7BT.
If you would like to access, correct, amend or delete any personal information we have about you, please contact us at email@example.com or write to us at: Unit 3 Pound Barton, Sutton Veny, Warminster, BA12 7BT.
We keep this Policy under regular review. This Policy was last updated in May 2018.
Data Protection Notice
Context and overview
Policy prepared by: Darren Woodyatt
Approved by board / management on: 01/04/2018
Policy became operational on: 10/04/2018
Next review date: 01/04/2019
Reprise IT Ltd needs to gather and use certain information about individuals.
These can include customers, suppliers, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This policy describes how this personal data must be collected, handled and stored to meet the company’s data protection standards — and to comply with the law.
Why this policy exists
This data protection policy ensures Reprise IT Ltd:
Complies with data protection law and follows good practice
Protects the rights of staff, customers and partners
Is open about how it stores and processes individuals’ data
Protects itself from the risks of a data breach
People, risks and responsibilities
This policy applies to:
The head office of Reprise IT Ltd
All branches of Reprise IT Ltd
All staff and volunteers of Reprise IT Ltd
All contractors, suppliers and other people working on behalf of Reprise IT Ltd
It applies to all data that the company holds relating to identifiable individuals. This can include:
Names of individuals
…plus any other information relating to individuals
Data protection risks
This policy helps to protect Reprise IT Ltd from some very real data security risks, including:
Breaches of confidentiality. For instance, information being given out inappropriately.
Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.
Everyone who works for or with Reprise IT Ltd has some responsibility for ensuring data is collected, stored and handled appropriately.
Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, these people have key areas of responsibility:
The board of directors is ultimately responsible for ensuring that Reprise IT Ltd meets its legal obligations.
The Data Protection Officer, Darren Woodyatt, is responsible for:
Keeping the board updated about data protection responsibilities, risks and issues.
Reviewing all data protection procedures and related policies, in line with an agreed schedule.
Arranging data protection training and advice for the people covered by this policy.
Handling data protection questions from staff and anyone else covered by this policy.
Dealing with requests from individuals to see the data Reprise IT Ltd holds about them (also called ‘subject access requests’).
Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
The IT manager, Darren Woodyatt, is responsible for:
Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
Performing regular checks and scans to ensure security hardware and software is functioning properly.
Evaluating any third-party services the company is considering using to store or process data. For instance, cloud computing services.
The Marketing Manager, Nigel Davers, is responsible for:
Approving any data protection statements attached to communications such as emails and letters.
Addressing any data protection queries from journalists or media outlets like newspapers.
Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
General staff guidelines
The only people able to access data covered by this policy should be those who need it for their work.
Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.
Reprise IT Ltd will provide training to all employees to help them understand their responsibilities when handling data.
Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
In particular, strong passwords must be used and they should never be shared.
Personal data should not be disclosed to unauthorised people, either within the company or externally.
Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the IT manager or data controller.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
When not required, the paper or files should be kept in a locked drawer or filing cabinet.
Employees should make sure paper and printouts are not left where unauthorised people could see them, like on a printer.
Data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
Data should be protected by strong passwords that are changed regularly and never shared between employees.
If data is stored on removable media (like a CD or DVD), these should be kept locked away securely when not being used.
Data should only be stored on designated drives and servers, and should only be uploaded to approved cloud computing services.
Servers containing personal data should be sited in a secure location, away from general office space.
Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
All servers and computers containing data should be protected by approved security software and a firewall.
Personal data is of no value to Reprise IT Ltd unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
Data must be encrypted before being transferred electronically. The IT manager can explain how to send data to authorised external contacts.
Personal data should never be transferred outside of the European Economic Area.
Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.
The law requires Reprise IT Ltd to take reasonable steps to ensure data is kept accurate and up to date.
The more important it is that the personal data is accurate, the greater the effort Reprise IT Ltd should put into ensuring its accuracy.
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.
Reprise IT Ltd will make it easy for data subjects to update the information Reprise IT Ltd holds about them. For instance, via the company website.
Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
It is the marketing manager’s responsibility to ensure marketing databases are checked against industry suppression files every six months.
Subject access requests
All individuals who are the subject of personal data held by Reprise IT Ltd are entitled to:
Ask what information the company holds about them and why.
Ask how to gain access to it.
Be informed how to keep it up to date.
Be informed how the company is meeting its data protection obligations.
If an individual contacts the company requesting this information, this is called a subject access request.
Subject access requests from individuals should be made by email, addressed to the data controller at firstname.lastname@example.org. The data controller can supply a standard request form, although individuals do not have to use this.
The data controller will aim to provide the relevant data within 14 days.
The data controller will always verify the identity of anyone making a subject access request before handing over any information.
Disclosing data for other reasons
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, Reprise IT Ltd will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary.
Reprise IT Ltd aims to ensure that individuals are aware that their data is being processed, and that they understand:
How the data is being used
How to exercise their rights
To these ends, the company has a privacy statement setting out how data relating to individuals is used by the company.
DATA BREACH POLICY
1.1 Reprise IT Ltd (the company) holds, processes, and shares personal data, a valuable asset that needs to be suitably protected.
1.2 Every care is taken to protect personal data from incidents (whether accidental or deliberate) to avoid a data protection breach that could compromise security.
1.3 Compromise of information, confidentiality, integrity, or availability may result in harm to individual(s), reputational damage, detrimental effect on service provision, legislative noncompliance, and/or financial costs.
2.1 Reprise IT Ltd is obliged under the Data Protection Act to have in place an institutional framework designed to ensure the security of all personal data during its lifecycle, including clear lines of responsibility.
2.2 This Policy sets out the procedure to be followed to ensure a consistent and effective approach is in place for managing data breach and information security incidents across the company.
3.1 This Policy relates to all personal and sensitive data held by Reprise IT Ltd regardless of format.
3.2 This Policy applies to all staff at Reprise IT Ltd. This includes temporary, casual or agency staff and contractors, consultants, suppliers and data processors working for, or on behalf of the company.
3.3 The objective of this Policy is to contain any breaches, to minimise the risk associated with the breach and consider what action is necessary to secure personal data and prevent further breaches.
4.0 Definition / Types of Breach
4.1 For the purpose of this Policy, data security breaches include both confirmed and suspected incidents.
4.2 An incident in the context of this Policy is an event or action which may compromise the confidentiality, integrity or availability of systems or data, either accidentally or deliberately, and has caused or has the potential to cause damage to the company’s information assets and/or reputation.
4.3 An incident includes but is not restricted to, the following:
- Loss or theft of confidential or sensitive data or equipment on which such data is stored (e.g. loss of laptop, USB stick, iPad/tablet device, or paper record)
- Equipment theft or failure
- Unauthorised use of, access to or modification of data or information systems
- Attempts (failed or successful) to gain unauthorised access to information or IT system(s)
- Unauthorised disclosure of sensitive / confidential data
- Website defacement
- Hacking attack
- Unforeseen circumstances such as a fire or flood
- Human error
- ‘Blagging’ offences where information is obtained by deceiving the organisation who holds it
5.0 Reporting an incident
5.1 Any individual who accesses, uses or manages the company’s information is responsible for reporting data breach and information security incidents immediately to the Data Protection Officer (at email@example.com).
5.2 If the breach occurs or is discovered outside normal working hours, it must be reported as soon as is practicable.
5.3 The report will include full and accurate details of the incident, when the breach occurred (dates and times), who is reporting it, if the data relates to people, the nature of the information, and how many individuals are involved. An Incident Report Form should be completed as part of the reporting process. See Appendix 1.
5.4 All staff should be aware that any breach of the Data Protection Act may result in the company’s Disciplinary Procedures being instigated.
6.0 Containment and Recovery
6.1 The Data Protection Officer (DPO) will firstly determine if the breach is still occurring. If so, the appropriate steps will be taken immediately to minimise the effect of the breach.
6.2 An initial assessment will be made by the DPO in liaison with relevant officers to establish the severity of the breach and who will take the lead in investigating the breach (this will depend on the nature of the breach; in some cases it could be the DPO).
6.3 The Lead Investigation Officer (LIO) will establish whether there is anything that can be done to recover any losses and limit the damage the breach could cause.
6.4 The LIO will establish who may need to be notified as part of the initial containment and will inform the police, where appropriate.
6.5 Advice from experts may be sought in resolving the incident promptly.
6.6 The LIO, in liaison with the relevant officer(s), will determine the suitable course of action to be taken to ensure a resolution to the incident.
7.0 Investigation and Risk Assessment
7.1 An investigation will be undertaken by the LIO immediately and wherever possible within 24 hours of the breach being discovered / reported.
7.2 The LIO will investigate the breach and assess the risks associated with it, for example, the potential adverse consequences for individuals, how serious or substantial those are and how likely they are to occur.
7.3 The investigation will need to take into account the following:
· the type of data involved
· its sensitivity
· the protections in place (e.g. encryption)
· what has happened to the data (has it been lost or stolen?)
· whether the data could be put to any illegal or inappropriate use
· who the individuals are, how many individuals are involved and the potential effects on those data subject(s)
· whether there are wider consequences to the breach
8.1 The LIO and / or the DPO, in consultation with the Director of IT, will determine who needs to be notified of the breach.
8.2 Every incident will be assessed on a case by case basis; however, the following will need to be considered:
· Whether there are any legal/contractual notification requirements;
· Whether notification would assist the individual affected – could they act on the information to mitigate risks;
· Whether notification would help prevent the unauthorised or unlawful use of personal data;
· Whether notification would help the company meet its obligations under the seventh data protection principle;
· If a large number of people are affected, or there are very serious consequences, whether the Information Commissioner’s Office (ICO) should be notified. The ICO will only be notified if personal data is involved. Guidance on when and how to notify ICO is available from their website at: https://ico.org.uk/media/1536/breach_reporting.pdf
· The dangers of over-notifying. Not every incident warrants notification, and over-notification may cause disproportionate enquiries and work.
8.3 Notification to the individuals whose personal data has been affected by the incident will include a description of how and when the breach occurred and the data involved. Specific and clear advice will be given on what they can do to protect themselves, including what action has already been taken to mitigate the risks. Individuals will also be provided with a way in which they can contact the company for further information or to ask questions about what has occurred.
8.4 The LIO and/or the DPO must consider notifying third parties such as the police, insurers, bank or credit card companies, and trade unions. This would be appropriate where illegal activity is known or is believed to have occurred, or where there is a risk that illegal activity might occur in the future.
8.5 All actions will be recorded by the DPO.
9.0 Evaluation and response
9.1 Once the initial incident is contained, the DPO will carry out a full review of the causes of the breach; the effectiveness of the response(s) and whether any changes to systems, policies and procedures should be undertaken.
9.2 Existing controls will be reviewed to determine their adequacy, and whether any corrective action should be taken to minimise the risk of similar incidents occurring.
9.3 The review will consider:
· Where and how personal data is held and stored
· Where the biggest risks lie, and any further potential weak points within existing measures
· Whether methods of transmission are secure, and whether only the minimum amount of data necessary is shared
· Identifying weak points within existing security measures
· Staff awareness
· Implementing a data breach plan and identifying a group of individuals responsible for reacting to reported breaches of security
9.4 If deemed necessary, a report recommending any changes to systems, policies and procedures will be considered by the Company Directors.