Data Protection Policy
Introduction
Evoke Systems Ltd is actively registered with the ICO as a data processor. This policy is agreed and signed off by the Board annually.
Evoke Systems Ltd is committed to protecting the rights and freedoms of data subjects. In accordance with our legal obligation, this policy outlines how Evoke Systems Ltd and its staff safely and securely process data subjects’ data in line with GDPR: https://www.itgovernance.co.uk/data-protection-dpa-and-eu-data-protection-regulation
Why this policy exists
This data protection policy ensures Evoke Systems Ltd:
- complies with data protection law and follows good practice
- protects the rights and data of staff, customers and clients
- has a transparent policy about how we obtain, store, process and delete data
- implements robust safeguards and procedures to prevent and manage data breach
Policy scope
The policy applies to Evoke Systems Ltd and all staff working within Evoke Systems Ltd.
All staff must take responsibility for being familiar with the policy and implementing it within their daily working practice.
Any updates to the policy will be communicated and circulated to all staff. Individuals must confirm that they have read and understood all updates.
Personal Data
Personal data is any information relating to a living, identified or identifiable natural person. The person could be identified directly (e.g. a person’s name) or indirectly (e.g. the owner of that business).
The definition of personal data applies to any piece of information which can be used to identify an individual, based on ‘all means reasonably likely to be used’. So, for example, a user ID number is classed as personal data, because it can be matched to the name of a user on a database. The term ‘personal data’ still applies to data even if it requires the use of information elsewhere to identify an individual. Examples of personal data include:
- names, date of birth, address, email address, credit card details etc.
- location data – associated with personal data as it could be used to identify where a person lives, works, sleeps etc.
- online identifiers – digital information such as IP addresses, cookie strings or mobile device IDs. For example, an IP address can be used to find out where an individual is located.
- sensitive data – types of data that should be treated with extra protection and care. This includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sex life
Accountability and transparency
To comply with data protection laws and the accountability and transparency principle of GDPR, Evoke Systems Ltd must demonstrate compliance by:
- maintaining up to date and relevant documentation on all processing activities
- conducting data protection impact assessments
- fully implementing technical and organisational measures to ensure data protection by design and data protection by default, including where appropriate and among others:
  - data minimisation
  - pseudonymisation
  - transparency
  - allowing individuals to monitor processing
  - creating and improving security and enhanced privacy procedures on an ongoing basis
Anyone who works for Evoke Systems Ltd is responsible for ensuring that data is collected, stored, processed and deleted appropriately.
Each division that handles personal data must ensure that it is handled in line with this policy and data protection principles.
However, these people have key areas of responsibility:
The board of directors, which is ultimately responsible for ensuring that the company complies with legal obligations and for:
- ensuring that their teams abide by data protection principles in line with this policy
- approving data protection statements attached to emails or any other form of marketing copy
An appointed Data Protection Officer (DPO), who is responsible for:
- keeping the board of directors updated about data protection responsibilities, risks and issues
- reviewing all data protection procedures and related policies, in line with an agreed schedule
- arranging adequate and frequent data protection training for all staff within Evoke Systems Ltd
- handling data protection questions from staff and anyone else covered in this policy
- dealing with requests from individuals to see the data Evoke Systems Ltd holds about them (also called a subject access request)
- checking and approving contracts or agreements with third parties that may acquire, store, process or delete the company’s sensitive data
- overseeing regular data audits (annually) to ensure that Evoke Systems Ltd maintains up to date logs of the data it stores and processes, and of any third parties’ involvement, to identify and mitigate risks. Audits will include information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.
- overseeing the processes and procedures for any data protection breaches
The Chief Technical Officer, who is responsible for:
- ensuring that all systems, services and equipment used for storing data meet acceptable security standards
- performing regular checks and scans to ensure security hardware and software is functioning properly and that Evoke Systems Ltd could identify a potential or successful breach
- ensuring sufficient checks and audits are carried out on a regular basis (monthly) to enable Evoke Systems Ltd to identify a potential or successful breach
- evaluating any third-party services the company is considering using to store or process data, for example cloud computing services
Responsibilities as a data processor
As a data processor, Evoke Systems Ltd must maintain our appropriate registration with the Information Commissioner’s Office in order to continue lawfully processing data.
Evoke Systems Ltd must comply with our contractual obligations and act only on the documented instructions of the data controller.
As a data processor, we must:
- not process data without written authorisation of the data controller
- ensure wherever possible data is kept up to date
- co-operate fully with the ICO or other supervisory authority
- ensure the security of the processing
- keep accurate records of processing activities
- notify the controller of any personal data breaches
- prevent data from being lost or open to misuse
- retain data for no longer than is necessary
- not transfer personal data outside of the EU without documented instructions to do so by the data controller, unless required to do so by Union or Member State law to which Evoke Systems Ltd is subject
- establish a lawful basis for processing data from the controller. For example, consent for processing data is recent, clear, explicit, and defined for a specific purpose.
- have the ability to stop the processing at any time on request and have suitable and robust processes in place to achieve this.
Evoke Systems Ltd must ensure that individuals whose data is being processed are aware of Evoke Systems Ltd’s involvement in the process. This should occur via a privacy notice. This applies whether we have collected the data directly from the individual, or from another source.
Staff Guidelines and responsibilities
Any electronic files that contain personal data:
- must be protected by suitably strong passwords that, where possible, are not reused but, as a minimum, are changed regularly.
- passwords are only shared with contacts, within Evoke Systems Ltd and externally, that are considered necessary, and are communicated securely.
- passwords are logged in a secure location and shared securely. The password to the secure location must never be shared externally.
- must be transferred internally and externally by SFTP, and passwords should never be transferred by email
- must only be stored on designated encrypted drives and servers, and should only be uploaded to an approved cloud computing service
- sensitive data should be encrypted before being transferred
- any transfer of data should be approved by a line manager
- if hard copies or removable storage media (like CDs) of data are used, they:
  - must be kept in a secure place when not being used
  - must be encrypted, where data is stored on CDs and memory sticks
  - must be accessible to a limited number of people, with a log kept of who has had access
  - must be destroyed securely, i.e. by shredding paper copies
- servers containing personal data should be sited in a secure location away from general office space.
- data should be backed up frequently and should be tested regularly (at least every 3 months) to ensure that potential or successful breaches are identified.
- data should never be saved directly onto personal computers or mobile devices.
- all servers and computers containing data should be protected by approved security software and appropriate network level protection.
- when working with personal data, employees should ensure that the screens of their computers are always locked when unattended.
- data will be held in as few places as possible. No unnecessary replication of data will be made.
- only necessary employees will have access to data.
Evoke Systems Ltd will ensure that it maintains accurate and up to date records or data in line with legal requirements.
Evoke Systems Ltd will make it easy for staff to update client and personal records.
Rights of individuals
Individuals have rights to their data which we must respect and comply with to the best of our ability. We must ensure individuals can exercise their rights in the following ways:
- right to be informed
  - providing privacy notices which are concise, transparent, intelligible and easily accessible, free of charge, and written in clear and plain language, particularly if aimed at children.
  - keeping a record of how we use personal data to demonstrate compliance with the need for accountability and transparency.
- right of access
  - enabling individuals to access their personal data and supplementary information
  - allowing individuals to be aware of and verify the lawfulness of the processing activities
- right to rectification
  - we must rectify or amend the personal data of the individual if requested because it is inaccurate or incomplete.
  - this must be done without delay, and no later than one month. This can be extended to two months with permission from the DPO.
- right to be forgotten
  - we must delete or remove an individual’s data if requested and there is no compelling reason for its continued processing.
- right to restrict processing
  - we must comply with any request to restrict, block, or otherwise suppress the processing of personal data.
  - we are permitted to store personal data if it has been restricted, but not process it further. We must retain enough data to ensure the right to restriction is respected in the future.
- right to data portability
  - we must provide individuals with their data so that they can reuse it for their own purposes or across different services.
  - we must provide it in a commonly used, machine-readable format, and send it directly to another controller if requested.
- right to object
  - we must respect the right of an individual to object to data processing based on legitimate interest or the performance of a public interest task.
  - we must respect the right of an individual to object to direct marketing, including profiling.
  - we must respect the right of an individual to object to processing their data for scientific and historical research and statistics.
- rights in relation to automated decision making and profiling
  - we must respect the rights of individuals in relation to automated decision making and profiling.
  - individuals retain their right to object to such automated processing, have the rationale explained to them, and request human intervention.
Subject Access Request
An individual has the right to receive confirmation of how their data is being processed, and access to their personal data and supplementary information. Evoke Systems Ltd must provide an individual with a copy of the information upon request, free of charge, without delay and within one month of receipt of the request.
If complying with the request is complex, or requests are numerous, the deadline can be extended by two months, but the individual must be informed within one month.
Evoke Systems Ltd can refuse to respond to certain requests, and can, in circumstances of the request being manifestly unfounded or excessive, charge a fee. This would come into effect if the request is for a large quantity of data. Instead, Evoke Systems Ltd will request that the individual specify the information they are requesting.
Once a subject access request has been made, Evoke Systems Ltd staff must not change or amend any of the data that has been requested. Doing so is a criminal offence and would be subject to instant dismissal.
Evoke Systems Ltd will provide the data requested in a structured, commonly used and machine-readable format. We must provide this data either to the individual who has requested it, or to the data controller they have requested it be sent to.
In line with ‘the right to be forgotten’, as long as this is deemed reasonable, we will remove any records of individuals upon request.
Requests must be made via email, and Evoke Systems Ltd will run checks to ensure that individuals making access requests are reasonably verified, i.e. confirm name, address and date of birth as a minimum and, where appropriate, also confirm the request is reasonable with the data controller responsible for the data.
The right to be forgotten
Individuals have a right to have their data deleted and for processing to cease in the following circumstances:
- where the personal data is no longer necessary in relation to the purpose for which it was originally collected and/or processed
- where consent is withdrawn
- where the individual objects to processing and there is no overriding legitimate interest for continuing the processing
- the personal data was unlawfully processed or otherwise breached data protection laws
- the processing relates to a child
If personal data that needs to be deleted has been passed on to other parties, they must be contacted and informed of their obligation to delete the data. If the individual asks, we must inform them of who those third parties are.
Disclosing data for other reasons
In certain circumstances, the Data Protection Act allows personal data to be shared with law enforcement agencies without consent from the data subject. Under these circumstances, Evoke Systems Ltd will disclose requested data. However, the data controller responsible for the data will be required to ensure the request is legitimate, seeking assistance from the Board of Directors and from the company’s legal advisers where considered necessary.
Using third party controllers and processors
As a processor, we must have written controller processor contracts in place with any third parties that we use and work with. The contract must contain specific clauses which set out our and their liabilities, obligations and responsibilities.
As a data processor, we must only act on the documented instructions of a controller. We acknowledge our responsibilities as a data processor under GDPR and we will protect and respect the rights of data subjects.
Contracts
Our contracts must comply with the standards set out by the ICO and, where possible, follow the standard contractual clauses which are available. Our contracts with data controllers must set out the subject matter and duration of the processing, the nature and stated purpose of the processing activities, the types of personal data and categories of data subject, and the obligations and rights of the controller.
At a minimum, our contracts must include terms that specify:
- acting only on written instructions
- those involved in processing the data are subject to a duty of confidence
- appropriate measures will be taken to ensure the security of the processing
- sub-processors will only be engaged with the prior consent of the controller and under a written contract
- the controller will assist the processor in dealing with subject access requests and allowing data subjects to exercise their rights under GDPR
- the processor will assist the controller in meeting its GDPR obligations in relation to the security of processing, notification of data breaches and implementation of data protection impact assessments
- delete or return all personal data at the end of the contract
- submit to regular audits and inspections and provide whatever information necessary for the controller and processor to meet their legal obligations.
- nothing will be done by either the controller or processor to infringe on GDPR.
Reporting breaches
Any breach of this policy or of data protection laws must be reported as soon as it is identified. Evoke Systems Ltd has a legal obligation to report any data breaches to the ICO within 72 hours working hours of being identified.
All members of staff have an obligation to report actual or potential data protection compliance failures to their line manager and DPO within 24 of identifying breach or risk. Notification should be made by email. This allows Evoke Systems Ltd to:
- investigate the failure and take remedial steps if necessary
- maintain a register of compliance failures
- notify the ICO of any compliance failures that are material either in their own right or as part of a pattern of failures
Evoke Systems Ltd takes compliance with this policy very seriously. Failure to comply puts clients, data subjects and Evoke Systems Ltd at risk.
The emphasis of this policy means that any employee’s failure to comply with any requirement may lead to disciplinary action under our procedures, which may result in dismissal.
If individuals have any questions or concerns about anything in this policy, do not hesitate to contact the DPO.
Any member of staff who fails to notify of a breach or is found to have known or suspected a breach has occurred but has not followed the correct reporting procedures will be liable to disciplinary action.
What is a data breach
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data. Some examples of what is considered a data breach:
- access by an unauthorised third party
- deliberate or accidental action by a controller or processor
- sending personal data to an incorrect recipient
- computing devices containing personal data being lost or stolen
- alteration of personal data without permission
- loss of availability of personal data
Data breach process
Upon identification of a data breach, the individual must notify the DPO and line manager by email. The email needs to include accurately recorded details of the breach, including:
- the date and time the breach occurred;
- the date and time it was discovered;
- who/what reported the breach;
- description of the breach;
- details of any ICT systems involved;
- and any other substantiating material.
- Containment and recovery – the DPO will review the breach to establish if there is anything that can be done to recoup losses or limit the damage the breach causes
- Risk assessment – the DPO will assess the breach to identify adverse consequences for individuals. The following should be considered:
  - data involved and how sensitive it is
  - security mechanisms in place, i.e. password protection
  - how many individuals are impacted
- Notification of breach – the DPO is to complete an incident report and update the Evoke Systems Ltd internal breach log. The incident report needs to detail:
  - detail of the breach confirmed when initially raised
  - any potential risk of further breaches in the future
  - any weak spots in controls and processes
  - what lessons can be taken
  - what can be done to prevent reoccurrence of the breach in the future
In the event that the data breach raised highlights that there is a risk that any future breaches could occur, all processing of data under the same or similar circumstances must be paused with immediate effect. Only when approved by the DPO and Board of Directors, following the implementation of more robust processes or controls, can the processing of data resume.
The DPO will inform the Board of Directors within 24 hours of the breach being raised.
The DPO will inform the ICO, confirmed/potential data subjects involved, the data controller and any third parties within 48 hours unless the data is encrypted.
All clients of Evoke Systems Ltd post 25th May 2018 will be asked to enter into a controller processor agreement and confirm that they are registered for the purposes of GDPR with the ICO and are GDPR compliant.