Personal Data and Information Policy
This policy has been prepared to comply with current data protection legislation and specifically the General Data Protection Regulation (GDPR). It outlines our management of personal data and our internal processes for controlling this information. As an underlying principle, we will not do anything with personal information that customers might find misleading, unexpected or objectionable.
Bruach Design and Consultancy are registered with the Information Commissioner’s Office (ICO), registration number ZA309563. Details can be found online here – https://ico.org.uk/ESDWebPages/Entry/ZA309563
Who is responsible for ensuring we comply with data protection legislation?
All Directors are legally responsible for complying with data protection legislation. Our named Data Controller is Colin Hastie, who is a Director of the company.
Why do we store personal information?
We process personal information as part of our regular business activities, including providing consultancy and advisory services to clients, to advertise/promote our services, and to maintain our own accounts and records.
We process personal information about our customers, clients, employees, complainants, enquirers, suppliers, advisers and other professional experts with whom we work.
We will never sell personal data we hold to other parties or share this without a legitimate business reason or the express consent of the individual.
What personal information do we process?
Personal information we retain may include:
• personal details (including names and contact information)
• family, lifestyle and social circumstances
• business activities of the person whose personal information we are processing
• details of goods and services provided
• financial details, including account information for sending/receiving payments
• education and employment information
We may also process sensitive classes of information that may include the following:
• physical or mental health details
• offences and alleged offences
• racial or ethnic origin
• religious or other beliefs of a similar nature
What personal information do we store from CVs and potential job applicants/candidates?
We often receive personal information from third parties applying for jobs or enquiring about potential opportunities. When we receive this type of information we will reply to applicants to advise them that unless they confirm positively with their consent for us to retain this information, we will delete the email and all attachments within 7 days.
Will we share personal information with others?
We may be required to share the personal information we process with the individual themselves, and with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act. The following are types of organisations we may need to share some of the personal information we process with:
• business associates, local authority agencies, and other professional advisers
• family, associates and representatives of the person whose personal data we are processing
• financial organisations
• current, past or prospective employers
• educators and examining bodies
• suppliers and services providers
How long do we retain personal information?
We retain personal information only for as long as we need it. In accordance with the RIAS guidance on Professional Indemnity Insurance run-off cover, we will ensure our insurance is in place for ten years after completion of a project. For this reason, we may retain personal information related to projects or services for ten years following completion. Personal information we hold is reviewed on an annual basis and erased if it is found to no longer be required.
How do we keep personal information secure?
All digitally held personal information (in files and emails) is retained within Microsoft Office 365, which uses several strong encryption protocols, and key files are password protected. All of our computers and mobile devices are secured with individual login credentials, and are protected from cyber-attacks and viruses by market-leading commercial anti-virus software.
It may be required at times to transport personal information on portable storage devices (USB drives, external hard drives, etc.). Files being transported on portable storage devices will be password protected, so that a password is required to open them, to create a barrier to unauthorised access.
At times hard copies of personal data may be prepared, but these are securely destroyed (shredded) when no longer required.
How can individuals request personal data be corrected or deleted?
Any individual on whom we retain personal data may request that it be updated or deleted at any time. The request should be made in writing to a Director of the company. Confirmation will be issued when records are updated.
How do we handle subject access requests?
Any written request by an individual asking for their personal information is a subject access request. Typically these comprise a “routine” or “formal” enquiry. Routine enquiries (e.g. confirmation of project/account information) can be handled without a formal process. Formal enquiries (e.g. a written request for personal information, or a request from a solicitor acting on behalf of someone) should be handled as follows:
1. Respond promptly (within 30 days of receipt)
2. Request evidence to confirm the person’s identity
3. Request additional information reasonably required to locate and identify the information requested
4. Once the identity of the requester is confirmed, the information is compiled, and the fee is received, issue the individual a hard copy of the information requested
We will not supply information related to other people unless the other people mentioned have given their consent for the disclosure, or if it is reasonable to supply the information without their consent.
Some information may be exempt from subject access requests, in which case we would respond confirming that we do not hold any of their personal data that we are required to reveal. Further information on exemptions can be found in Chapter 9 of the ICO guide “Subject Access Code of Practice”.
How would we handle a data breach?
We consider a “data breach” to mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes, and means that a breach is more than just about losing personal data.
A data breach may include the following events/activities:
• access by an unauthorised third party
• deliberate or accidental action (or inaction) by a controller or processor
• sending personal data to an incorrect recipient
• computing devices containing personal data being lost or stolen
• alteration of personal data without permission
• loss of availability of personal data
The following process will be followed in the event of a data breach being identified:
1. Notify the ICO within 72 hours of becoming aware of the breach
2. Assess the potential adverse consequences for individuals, based on how serious or substantial these are, and how likely they are to happen
3. If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, notify those individuals immediately
4. Take steps as appropriate to rectify or contain the breach
If you have any questions or would like further information on the above please feel free to contact us.