Introductory Statement
Business Modelling Associates Ltd, trading as Business Modelling Applications, has to collect and use information about the people with whom it works, and recognises that this personal information must be handled and dealt with properly. This applies irrespective of how the information is collected, recorded and used, and whether it is held on paper, electronically or by other means.
Business Modelling Applications regard the lawful and correct treatment of personal information as crucial to our success and to maintaining confidence between the organisation and its clients, and commit to ensuring that it is treated lawfully and correctly. To emphasise this commitment, the organisation has invested in obtaining UKAS accredited certification to ISO27001, and this policy should be read in conjunction with our Information Security Policy and the Information Security aspects of our Integrated Management System (IMS).
Business Modelling Applications fully endorse and commit to complying with the principles and requirements of the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA). This policy applies to the processing of personal data in manual and electronic records maintained by the business.
This policy applies to the personal data of job applicants, existing and former employees, apprentices, volunteers, placement students, self-employed contractors and other workers. Such persons are referred to in this policy as ‘employees’ or ‘data owners’, as appropriate, although other titles may be used.
Definitions
Data Protection Principles
Under GDPR, all personal data obtained and held by Business Modelling Applications shall be processed according to a set of core principles. In accordance with these principles, the organisation will ensure that data:
Types of Data Held
All of the above information is required for internal processing activities; more details on these are available on request.
In addition, the organisation holds data provided by its clients and other third parties, which enables it to perform its function of producing analytics solutions; the nature and extent of this data depends on the project being performed.
Employee Rights
Employees have the following rights in relation to the personal data held by Business Modelling Applications:
The organisation has legal obligations to retain certain records and cannot delete these. The above records are kept for a minimum of 7 years after the employee leaves the organisation.
Responsibilities
The Information Security Manager (who is also the Data Protection Officer) for Business Modelling Applications is responsible for ensuring:
Data Processing Procedures
Data Access
Data owners who wish to access the data Business Modelling Applications holds on them shall make such a request in writing (which includes email). Business Modelling Applications will comply with such a request without delay, and in any case within 28 days, unless any lawful reason exists that requires an extension. Business Modelling Applications shall keep the data owner who made the request fully informed of any requirements to extend the time limit.
Business Modelling Applications commit to not charging for any data access request, unless such a request is excessive, repetitive or unfounded, or duplicate copies are to be provided to third parties, in which case a reasonable charge will be made.
Data Processing
Business Modelling Applications understand that data processing may only be carried out where a lawful basis for such processing exists. In the event of any processing being required that does not have any lawful basis, the data owner’s consent shall be obtained before such processing is performed.
Business Modelling Applications further understand that consent must be freely given, specific, informed and unambiguous, and where consent is sought this shall be done on a specific and individual basis, as required. Data owners will be given clear information on the proposed processing activity, informed of the consequences of their consent, and informed that they have the right to withdraw their consent at any time.
Data Security
Hard copies of personal data shall be kept securely, in a locked receptacle such as a safe or filing cabinet, so that they are accessible only to those who have a need and/or a right to access them.
Similarly, any computer or similar device shall be locked when unattended, and data stored on such devices shall be password protected or encrypted on both local and network drives. Where a copy is held on a removable storage device (e.g. a USB stick), that device shall be held in a locked receptacle as described above. Passwords must never be passed to persons who are not entitled to have them, and all reasonable measures shall be taken to ensure that any item containing personal data cannot be stolen.
Failure to follow Business Modelling Applications’ data security processes shall be dealt with via the organisation’s disciplinary procedures.
Disclosure of Data
Business Modelling Applications may be required to disclose certain data/information, under circumstances that include:
Such disclosures shall only be made when strictly necessary.
Third Party Data Processing
Business Modelling Applications utilise third parties to perform various tasks on their behalf, including data processing, and implement agreements to ensure that each appointed third party takes all measures necessary to maintain the organisation’s commitments, policies and procedures.
Business Modelling Applications do not transfer any personal data outside of the United Kingdom, EU or the agreed regional boundaries.
Breach Notification Requirements
Any data breach shall be recorded and, where required, Business Modelling Applications shall notify the Information Commissioner within 72 hours of initial discovery and notify the data owners whose data was breached.
Training and Awareness
New employees shall be briefed on all aspects of information security and data protection at their induction and shall be required to confirm their understanding. In addition, all employees whose activities could impact on data protection shall be provided with appropriate training, where required, to enable them to perform their duties effectively and lawfully and to understand the consequences of any potential lapses and breaches.