Privacy Policy


This privacy policy applies between you, the User of this Website, and ID Insight Consulting Ltd, the owner and provider of this Website. ID Insight Consulting Ltd takes the privacy of your information very seriously. This privacy policy applies to our use of any and all Data collected by us or provided by you in relation to your use of the Website. Please read this privacy policy carefully.

Definitions and interpretation

 1. In this privacy policy, the following definitions are used:

Data

collectively all information that you submit to ID Insight Consulting Ltd via the Website. This definition incorporates, where applicable, the definitions provided in the prevailing regulation;

Cookies

a small text file placed on your computer by this Website when you visit certain parts of the Website and/or when you use certain features of the Website. Details of the cookies used by this Website are set out in the clause below (Cookies);

ID Insight Consulting Ltd, or us

ID Insight Consulting Ltd, a company incorporated in England and Wales with registered number 9363477 whose registered office is at 15 Palace Street, Norwich, Norfolk, NR3 1RT;

UK and EU Cookie Law

the Privacy and Electronic Communications (EC Directive) Regulations 2003 as amended by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011;

User or you

any third party that accesses the Website and is not either (i) employed by ID Insight Consulting Ltd and acting in the course of their employment or (ii) engaged as a consultant or otherwise providing services to ID Insight Consulting Ltd and accessing the Website in connection with the provision of such services; and

Website

the website that you are currently using, http://www.idinsightconsulting.com/home.html, and any sub-domains of this site unless expressly excluded by their own terms and conditions.

 2. In this privacy policy, unless the context requires a different interpretation:

 a. the singular includes the plural and vice versa;

 b. references to sub-clauses, clauses, schedules or appendices are to sub-clauses, clauses, schedules or appendices of this privacy policy;

 c. a reference to a person includes firms, companies, government entities, trusts and partnerships;

 d. "including" is understood to mean "including without limitation";

 e. reference to any statutory provision includes any modification or amendment of it;

 f. the headings and sub-headings do not form part of this privacy policy.

Scope of this privacy policy

 3. This privacy policy applies only to the actions of ID Insight Consulting Ltd and Users with respect to this Website. It does not extend to any websites that can be accessed from this Website including, but not limited to, any links we may provide to social media websites.

Data collected

 4. We may collect the following Data, which includes personal Data, from you:

 a. Name;

 b. Date of Birth;

 c. Gender;

 d. Job Title;

 e. Profession;

 f. Contact Information such as email addresses and telephone numbers;

 g. Demographic information such as post code, preferences and interests;

 h. in each case, in accordance with this privacy policy.

Our use of Data

 5. For purposes of the prevailing regulation, ID Insight Consulting Ltd is the "data controller".

 6. We will retain any Data you submit for 6 months.

 7. Unless we are obliged or permitted by law to do so, and subject to any third party disclosures specifically set out in this policy, your Data will not be disclosed to third parties. For this purpose, our affiliates and / or other companies within our group are not treated as third parties.

 8. All personal Data is stored securely in accordance with the principles of the prevailing regulation. For more details on security see the clause below (Security).

 9. Any or all of the above Data may be required by us from time to time in order to provide you with the best possible service and experience when using our Website. Specifically, Data may be used by us for the following reasons:

 a. internal record keeping;

 b. improvement of our products / services;

 c. transmission by email of promotional materials that may be of interest to you;

 d. contact for market research purposes which may be done using email, telephone, fax or mail. Such information may be used to customise or update the Website;

in each case, in accordance with this privacy policy.

Third party websites and services

 10. ID Insight Consulting Ltd may, from time to time, employ the services of other parties for dealing with certain processes necessary for the operation of the Website. The providers of such services have access to certain personal Data provided by Users of this Website.

 11. Any Data used by such parties is used only to the extent required by them to perform the services that we request. Any use for other purposes is strictly prohibited. Furthermore, any Data that is processed by third parties will be processed within the terms of this privacy policy and in accordance with the prevailing regulation.

Links to other websites

 12. This Website may, from time to time, provide links to other websites. We have no control over such websites and are not responsible for the content of these websites. This privacy policy does not extend to your use of such websites. You are advised to read the privacy policy or statement of other websites prior to using them.

Changes of business ownership and control

 13. ID Insight Consulting Ltd may, from time to time, expand or reduce our business and this may involve the sale and/or the transfer of control of all or part of ID Insight Consulting Ltd. Data provided by Users will, where it is relevant to any part of our business so transferred, be transferred along with that part and the new owner or newly controlling party will, under the terms of this privacy policy, be permitted to use the Data for the purposes for which it was originally supplied to us.

 14. We may also disclose Data to a prospective purchaser of our business or any part of it.

 15. In the above instances, we will take steps with the aim of ensuring your privacy is protected.

Controlling use of your Data

 16. Wherever you are required to submit Data, you will be given options to restrict our use of that Data. This may include the following:

 17. use of Data for direct marketing purposes; and

 18. sharing Data with third parties.

Functionality of the Website

 19. To use all features and functions available on the Website, you may be required to submit certain Data.

 20. You may restrict your internet browser's use of Cookies. For more information see the clause below (Cookies).

Accessing your own Data

 21. You have the right to ask for a copy of any of your personal Data held by ID Insight Consulting Ltd (where such Data is held). No fee is charged for providing this copy.

Security

 22. Data security is of great importance to ID Insight Consulting Ltd and to protect your Data we have put in place suitable physical, electronic and managerial procedures to safeguard and secure Data collected via this Website.

 23. If password access is required for certain parts of the Website, you are responsible for keeping this password confidential.

 24. We endeavour to do our best to protect your personal Data. However, transmission of information over the internet is not entirely secure and is done at your own risk. We cannot ensure the security of your Data transmitted to the Website.

Cookies

 25. This Website may place and access certain Cookies on your computer. ID Insight Consulting Ltd uses Cookies to improve your experience of using the Website. ID Insight Consulting Ltd has carefully chosen these Cookies and has taken steps to ensure that your privacy is protected and respected at all times.

 26. All Cookies used by this Website are used in accordance with current UK and EU Cookie Law.

 27. Before the Website places Cookies on your computer, you will be presented with a pop-up requesting your consent to set those Cookies. By giving your consent to the placing of Cookies, you are enabling ID Insight Consulting Ltd to provide a better experience and service to you. You may, if you wish, deny consent to the placing of Cookies; however certain features of the Website may not function fully or as intended.

 28. This Website may place the following Cookies:

 29. Strictly necessary cookies: These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to log into secure areas of our website, use a shopping cart or make use of e-billing services.

 Analytical/performance cookies: These allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily.

 Functionality cookies: These are used to recognise you when you return to our website. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).

 Targeting cookies: These cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.

 30. You can choose to enable or disable Cookies in your internet browser. By default, most internet browsers accept Cookies but this can be changed. For further details, please consult the help menu in your internet browser.

 31. You can choose to delete Cookies at any time; however you may lose any information that enables you to access the Website more quickly and efficiently including, but not limited to, personalisation settings.

 32. It is recommended that you ensure that your internet browser is up-to-date and that you consult the help and guidance provided by the developer of your internet browser if you are unsure about adjusting your privacy settings.

Transfers outside the European Economic Area

 33. Data which we collect from you may be stored and processed in and transferred to countries outside of the European Economic Area (EEA). For example, this could occur if our servers are located in a country outside the EEA or one of our service providers is situated in a country outside the EEA. These countries may not have data protection laws equivalent to those in force in the EEA.

 34. If we transfer Data outside the EEA in this way, we will take steps with the aim of ensuring that your privacy rights continue to be protected as outlined in this privacy policy. You expressly agree to such transfers of Data.

General

 35. You may not transfer any of your rights under this privacy policy to any other person. We may transfer our rights under this privacy policy where we reasonably believe your rights will not be affected.

 36. If any court or competent authority finds that any provision of this privacy policy (or part of any provision) is invalid, illegal or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of this privacy policy will not be affected.

 37. Unless otherwise agreed, no delay, act or omission by a party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.

 38. This privacy policy will be governed by and interpreted according to the law of England and Wales. All disputes arising under this privacy policy will be subject to the exclusive jurisdiction of the English and Welsh courts.

Changes to this privacy policy

 39. ID Insight Consulting Ltd reserves the right to change this privacy policy as we may deem necessary from time to time or as may be required by law. Any changes will be immediately posted on the Website and you are deemed to have accepted the terms of the privacy policy on your first use of the Website following the alterations.

You may contact ID Insight Consulting Ltd by email at admin@idinsightconsulting.com.


04 April 2018


DATA PROTECTION POLICY

ID Insight Consulting is registered as a Data Controller with the Information Commissioner’s Office (ICO). It is the responsibility of ID Insight Consulting and all its employees to ensure that they adhere to the Data Protection Principles at all times.

The Data Protection Principles are set out in Article 5 of the GDPR, which the Data Protection Act 2018 gives effect to in the UK. The core Principles are shown below.

These principles are also included in the current Market Research Society’s Code of Conduct, to which we adhere.

Scope – the principles apply to any personal data held by ID Insight Consulting, in particular this policy covers data held on

A) ID Insight Consulting’s employees       

B) Participants of market research conducted by ID Insight Consulting

C) Client data shared with ID Insight Consulting

ID Insight Consulting’s DPO is the business owner.

Definitions:

§  Personal Data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

§  Special categories of Personal Data means information pertaining to an individual’s race or ethnic origin, political, religious or philosophical beliefs, trade union membership, health data including physical or mental health, sexual life and sexual orientation, and biometric data. For obvious reasons, particular care must be taken with this type of information.

§  Processing of personal data means obtaining, recording or holding data or carrying out any operation(s) on the data. De-personalised data is exempt from the Act.

§  Employee is any individual employed by ID Insight Consulting, whether as a permanent member of staff, a contract worker or employed on any other basis.

§  Participant is any individual or organization from or about whom data is collected or is approached for Interview.

§  Interview is any form of contact intended to obtain information from a Participant or group of Participants.

§  Children - for the purpose of the MRS Code of Conduct, children are defined as those under 16.

Additional definitions can be found here: http://www.privacy-regulation.eu/en/article-4-definitions-GDPR.htm

The core Principles (Article 5 of the GDPR, applied in the UK by the Data Protection Act 2018) are:

1.     Personal data shall be:

(a)   processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency'); 

(b)   collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation'); 

(c)   adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation'); 

(d)   accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy'); 

(e)   kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation'); 

(f)    processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality').

2.     The Controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).

ID Insight Consulting maintains a record of processing (as per GDPR Article 30).

The core principles of the MRS Code of Conduct are:

MRS Members shall:

1. Ensure that their professional activities can be understood in a transparent manner.

2. Be straightforward and honest in all professional and business relationships.

3. Be transparent as to the subject and purpose of data collection.

4. Ensure that their professional activities are not used to unfairly influence views and opinions of participants.

5. Respect the confidentiality of information collected in their professional activities.

6. Respect the rights and well-being of all individuals.

7. Ensure that individuals are not harmed or adversely affected by their professional activities.

8. Balance the needs of individuals, clients, and their professional activities.

9. Exercise independent professional judgement in the design, conduct and reporting of their professional activities.

10. Ensure that their professional activities are conducted by persons with appropriate training, qualifications and experience.

11. Protect the reputation and integrity of the profession.

12. Take responsibility for promoting and reinforcing the principles and rules of the MRS Code of Conduct.

In order to ensure ID Insight Consulting and its employees adhere to the Principles of the Data Protection Act 2018, they must comply with the following procedures and practices:

ID Insight Consulting will ensure new employees are made aware of the company’s Data Protection Policy and are briefed on the relevant aspects of the data protection requirements during their induction/training.

All employees must comply with the data protection requirements and training given and are responsible for keeping themselves up to date with the requirements.

The company considers breaches of the Data Protection Principles outlined in this policy to be a serious offence, which may result in disciplinary action including dismissal.

A. Personal data held on employees

ID Insight Consulting undertakes to adhere to the provisions of the Data Protection Act and the relevant Codes of Practice relating to personal data held on employees, including employment records, monitoring in the workplace, recruitment and selection and medical records.

ID Insight Consulting will:

Inform employees of their rights under the Data Protection Act 2018 and inform new employees what information will be held about them. As per the Data Protection Act 2018, we will provide the following rights for individuals:

1-    The right to be informed

2-    The right to access

3-    The right to rectification

4-    The right to erasure

5-    The right to restrict processing

6-    The right to object

7-    Rights in relation to automated decision making and profiling 

give individuals the opportunity to regularly update personal information

provide appropriate security for personal data held, and limit the number of persons with access to such records – to prevent unauthorised or unlawful processing of personal data, and to protect against accidental loss, destruction of or damage to personal data.

In particular, ID Insight Consulting and its employees will:

only store hard-copy personal data in secure locations with restricted access, such as locked filing cabinets

only store electronic personal data in specified locations on the company’s protected spaces

ensure ID Insight Consulting’s data is only accessible to ID Insight Consulting employees and approved agents:

o    access to ID Insight Consulting’s data is password protected;

o    user passwords are only known to relevant individuals, and are changed regularly

o    conduct and comply with an annual review of systems access

o    remove employee access to all ID Insight Consulting systems and data, including email and third-party software, at point of contract termination

ensure a pre-determined plan is in place for disaster recovery

comply with ID Insight Consulting’s back-up procedures 

ensure ID Insight Consulting premises are protected against intrusion

comply with the measures taken to secure ID Insight Consulting’s offices, including setting of alarms and locking up procedures

follow best practice relating to the recruitment and selection of new employees

not disclose information to third parties without consent

not transfer information to a country or territory outside the European Economic Area unless there is adequate provision for protection

retain only those employment records that are genuinely required for the needs of the business

dispose of any personal data by destroying it in a manner that prevents it being obtained by 3rd parties

provide employees with a copy of the personal data held about them on their request – this “subject access request” should be made in writing, and ID Insight Consulting must respond within 30 days.

(ID Insight Consulting is required to provide this information free of charge)

ID Insight Consulting’s employees will:

ensure the personal information they give the company is accurate, and inform the company of any changes to that information

comply with the requirements outlined above where these are applicable to their role

All staff are required to report immediately all incidents that involve the suspected or actual loss, theft, unauthorised disclosure or inappropriate use of personal data to the business owner

B. Personal data held on market research participants

ID Insight Consulting undertakes to adhere to the provisions of the Data Protection Act and the relevant Codes of Practice, including the MRS Code of Conduct, relating to personal data obtained and processed for the purpose of conducting market research.

https://www.mrs.org.uk/pdf/MRS-Code-of-Conduct-2019.pdf

We have privacy policies in place and guidance for different data collection methods.

ID Insight Consulting and its employees will:

conform to all relevant national and international laws

behave ethically and not do anything that might damage the reputation of market research

ensure that participants' cooperation is voluntary by obtaining their agreement to participate in an Interview

take special care when carrying out research among children and other vulnerable groups of the population; the informed consent of the parent or responsible adult must be obtained before interviewing a child under 16

ensure that participants' anonymity is preserved

ensure transparency, so that participants' cooperation is based on adequate information about the general purpose and nature of the project – the reason for the research must be clearly spelt out to participants at the beginning of an interview

ensure participants are clear that the information collected during the interview will only be used for confidential research purposes

ensure participants' permission for a further interview is gained during the initial interview, where it is known a further interview is likely to be necessary

never undertake any activities, under the guise of research, which aim to manipulate, mislead or coerce individuals

respect participants' right to refuse participation, and ensure they are not contacted again on a project after refusing

respect participants' right not to be contacted again, and ensure their details are removed from future sample files

provide participants with a copy of the personal data held about them on their request – this “subject access request” should be made in writing, and ID Insight Consulting must respond within 30 days and free of charge.

ensure participants are told, normally at the beginning of the interview, if recording equipment or observation techniques are being used (except where these are used in a public place)

if a participant so wishes, the record or relevant section of it must be destroyed or deleted – participants' anonymity must not be infringed by the use of such methods

ensure that – where a participant has given permission for data to be passed on in a form that allows the participant to be identified personally –

o    the participant is first told to whom the information would be supplied and the purposes for which it would be used

o    the information will not be used for any non-research purposes

o    the recipient of the information has agreed to conform to the requirements of the MRS Code of Conduct

disclose the identity of clients where there is a legal obligation to do so

take all reasonable precautions to ensure that participants are in no way directly harmed or adversely affected as a result of their participation in a market research project

take all reasonable precautions to ensure that participant data is not processed to support measures or decisions with respect to those particular individuals

ensure the following where research results are to be used for purposes other than “classic” research, in particular at a personal level:

o    feedback is provided where personal data drawn when sampling from a customer database is shown at the interview stage to be inaccurate or out-of-date

o    individual complaints or dissatisfaction about customer service raised by participants during an interview are fed back at the participant's request

ensure personal data collected on participants is exclusively used for research purposes

ensure participants are able to check without difficulty the identity and bona fides of the researcher or research company

only keep personal data for as long as is necessary for the purpose(s) it was obtained for

dispose of any personal data by destroying it in a manner that prevents it being obtained by a third party 

provide appropriate security for personal data held and limit the number of persons with access to such records – to prevent unauthorised or unlawful processing of personal data, and to protect against accidental loss, destruction of or damage to personal data

In particular, ID Insight Consulting and its employees will follow the procedures outlined earlier.

not transfer information to a country or territory outside the European Economic Area unless there is adequate provision for protection

ensure that research projects and activities are designed, carried out, reported and documented accurately, transparently, objectively and to appropriate quality

Re scope of this policy:

Children have the same rights as adults within the 2018 Act.

Internet research – the same principles apply to online data collection and survey management

Business to Business Research – 2018 Act doesn’t apply to data held about corporate or other types of organisation, but “care should be taken to ensure that….the 2018 Act is not infringed when collecting/holding data about individuals working within organisations. This particularly applies when interviewing individuals who are registered as sole traders or within partnerships.”

See also “Guidelines for Business to Business Research” by MRS.

Other points to be aware of, not specifically covered above:

- qualitative research – the client must make sure they have written permission to video participants AND to show video material to the client; in theory we ought to have a standard sentence saying focus groups are held with the understanding that clients are complying with the DP Act etc.

- surveys involving prize draws – must always include relevant T&Cs

- client owned customer databases – specific issues apply here, covered in DP Act

See: “Data Protection & Research: Guidance for MRS Members and Company Partners 2018” and further guidance on the MRS website: https://www.mrs.org.uk/standards/binding-guidelines

ID INSIGHT CONSULTING – BUSINESS OWNER

November 2019


Data Retention Policy

V2 February 2020  


Record Type | Maximum Retention Period | Reason

HR Records
Right To Work in UK | 2 years | Home Office requirement

Financial Records
Accounting Records | 7 years | https://www.gov.uk/running-a-limited-company/company-and-accounting-records and https://www.gov.uk/vat-record-keeping
Income tax and NI returns, income tax records and correspondence with HMRC | Not less than 7 years after the end of the financial year to which they relate | Taxes Management Act 1970; The Income Tax (Employments) Regulations 1993 (SI 1993/744) as amended, for example by The Income Tax (Employments) (Amendment No. 6) Regulations 1996 (SI 1996/2631)
Other | 6 years | Limitation Act 1980

Client Records
Client Information – including personal data where the agency is processor | To be agreed with the Client by contract / agreement. In the absence of an agreement, delete data at the earliest opportunity with the consent of the client. Default is 6 months | n/a
Client Contracts | 6 years (or less if the agreement has a time limit for claims) | Limitation Act 1980
Client Emails | 6 years (or less if the agreement has a time limit for claims) | Limitation Act 1980

Supplier Records
Supplier Contracts | 6 years (or less if the agreement has a time limit for claims) | Limitation Act 1980
Supplier Emails | 6 years (or less if the agreement has a time limit for claims) | Limitation Act 1980
All | 6 years (or less if the agreement has a time limit for claims) | Limitation Act 1980

New Business
Information received from prospective new clients in relation to pitches (where the pitch is unsuccessful) | Amount of time specified in pitch documentation or, if not specified, 1 year | Retention required in case subsequently selected and there is a need to rely on the materials

Property
Leases | 7 years | Tax

Incident Reports
All Incident Reports e.g. IT Security Breach Report / logs | 3 years from the date of the last entry | GDPR Compliance

IT Systems
Office365* (Email, OneDrive, SharePoint, Teams) | 7 years | A global policy has been applied in Office365 to retain all data for seven years from the date it was created or modified (whichever is newest) or, for email, the date it was sent or received

*Excluding Health US, who have a 1-year retention policy in place.
                                                                                                                                                                                              Any O365 data that is deleted by end-users is still recoverable by IT up to unless                                                                                                                                                                                               purposely deleted for ex-staff as part of the leavers process
QuestionPro                                                                                                    1 year maximum or on completion of           Annually renewable contract.  Deletion of records from live surveys on platform

                                                                                                                        project hosted                                               once data downloaded to ID Insight and anonymised.

Research Records
Survey data/ Sample                                                                                      1 year unless required (*e.g. see below)      The need for back-checks, propensity for follow up research and the variable
  
(e.g. respondents recruited via panels and face to face)                                If possible encrypt or pseudonymise            duration of research projects

                                                                                                                        personally identifiable data asap
​Audio and Video Data                                                                                     1 year unless required                                  The need for back-checks, propensity for follow up research and the variable                                                                                                                               If possible encrypt or pseudonymise            duration of research projects

                                                                                                                        personally identifiable data asap

* If we are running a once-a-year tracking study, data can be retained for 1.5 years for back-checking purposes.



Information Sharing and Data Management Policy


Introduction

The EU General Data Protection Regulation (GDPR), and the Data Protection Act 2018 (DPA 2018) which implements it in the UK, have strengthened legislation in this area, in particular by requiring that organisations are accountable and able to demonstrate compliance.  References to data protection legislation in this policy include provisions of the GDPR and DPA 2018.  It is important that ID Insight Consulting Ltd protects and safeguards the person-identifiable information that it gathers, creates, processes and discloses, to comply with the law and relevant ID Insight Consulting Ltd policy, as well as to provide assurance to clients and other stakeholders.

All employees of ID Insight Consulting Ltd must comply with data protection legislation.  Staff must handle personal information they may come into contact with during the course of their work in a lawful and compliant manner.  This is not just a requirement of their responsibilities but also a requirement within data protection legislation.  It is important for staff to be aware that it is an offence under DPA 2018 for a person knowingly or recklessly to obtain or disclose personal data.

This policy sets out the requirements placed on all ID Insight Consulting Ltd staff when sharing personal information, both internally within the business and externally with clients and other stakeholders.

The Information Commissioner’s Office (ICO) has issued a data sharing code of practice that must be adhered to when sharing personal data.  Information can relate to clients, staff of ID Insight Consulting Ltd (including temporary staff), members of the public, or any other identifiable individual, however stored.  Information may be held on paper, CD/DVD, USB sticks, computer file or printout, laptops, mobile phones, digital cameras or even heard by word of mouth.

Sharing of non-personal information 

Some information sharing does not involve personal data, for example where only statistics that cannot identify anyone are being shared.

Anonymous or aggregate (numbers) information may be shared internally or with other organisations.  

Sharing personal information with other organisations

Where necessary and proportionate, personal information may be shared with other organisations.

This policy covers two main types of information sharing:

• ‘Systematic’, routine information sharing where the same data sets are shared between the same organisations for an established purpose; and

• exceptional, one-off decisions to share information for any of a range of purposes.

Different approaches apply to these two types of information sharing and this policy reflects this. Some of the good practice recommendations that are relevant to systematic, routine information sharing are not applicable to exceptional, one-off decisions about sharing.

‘Systematic’ information sharing

This will generally involve routine sharing of data sets between organisations for an agreed purpose.

Exceptional or ‘one-off’ information sharing

Much information sharing takes place in a pre-planned and routine way.  As such, this should be governed by established rules and procedures.  However, staff may also decide, or be asked, to share information in situations which are not covered by any routine agreement.  All ad-hoc or one-off sharing decisions must be carefully considered and documented.  

Factors to consider

When deciding whether to enter into an arrangement to share personal data (either as a provider, a recipient or both) you should consider what the sharing is to achieve.  There should be a clear objective or set of objectives.  Being clear about this will identify the following:

• Could the objective be achieved without sharing the data or by anonymising it?

• For example, it is not appropriate to use personal data to plan service provision where this could be done with information that does not amount to personal data.

• What information needs to be shared? You should not share all the personal data you hold about someone if only certain data items are needed to achieve the objectives.

• Who requires access to the shared personal data? You should employ ‘need to know’ principles, meaning that when sharing both internally between staff and externally with other organisations, individuals should only have access to your data if they need it to do their job, and that only relevant staff should have access to the data.  This should also address any necessary restrictions on onward sharing of data with third parties.

• When should it be shared?  Again, it is good practice to document this, for example setting out whether the sharing should be an on-going, routine process or whether it should only take place in response to particular events.

• How should it be shared?  This involves addressing the security surrounding the transmission or accessing of the data and establishing common rules for its security.

• How can we check the sharing is achieving its objectives?  You will need to judge whether it is still appropriate and confirm that the safeguards still match the risks.

• What risk to the individual and/or the organisation does the data sharing pose?  For example, is any individual likely to be damaged by it?  Is any individual likely to object?  Might it undermine individuals’ trust in the organisations that keep records about them?

It is good practice to document all decisions and reasoning related to the information sharing.

For any assistance and guidance, and if in any doubt about when it is appropriate to share information please refer to the Owner.

In all circumstances of information sharing, staff will ensure that:

• When information needs to be shared, sharing complies with the law and this guidance.

• Only the minimum information necessary for the purpose will be shared.

• Individuals’ rights will be respected, particularly confidentiality, security and the rights established by the GDPR.

• Confidentiality must be adhered to.

• Reviews of information sharing should be undertaken to ensure the information sharing is meeting the required objectives/purpose and is still fulfilling its obligations.

Information Sharing Agreements

Information sharing agreements, sometimes known as ‘Information sharing protocols’ or ‘data sharing protocols’, set out a common set of rules to be adopted by the various organisations involved in an information sharing operation.  These could well form part of a contract between organisations.  It is good practice to have an information sharing agreement in place, and to review it regularly, particularly where information is to be shared on a large scale, or on a regular basis.

An information sharing agreement must, at least, document the following:

• The purpose, or purposes, of the sharing.

• The legal basis for sharing under the DPA 2018 / GDPR.

• The potential recipients or types of recipient and the circumstances in which they will have access.

• Who the data controller(s) is and any data processor(s).

• The data to be shared.

• Data quality – accuracy, relevance, usability.

• Data security.

• Retention of shared data.

• Individuals’ rights – procedures for dealing with access requests, other applicable GDPR rights, queries and complaints.

• Review of effectiveness/termination of the sharing agreement; and

• Any particular obligations on all parties to the agreement, giving an assurance around the standards expected, sanctions for failure to comply with the agreement or breaches by individual staff.



Data Management and Handling

Introduction

All ID Insight Consulting Ltd staff members must ensure they are familiar with the contents of this policy, which describes the standards of practice we require in the management of our records.  It is based on current legal requirements and professional best practice. 

Records and Documents are different.  Documents consist of information or data that can be structured or unstructured and accessed by ID Insight Consulting Ltd staff.  Records provide evidence of the activities of functions and policies.  Records have strict compliance requirements regarding their retention, access and destruction, and generally have to be kept unchanged.  Conversely, while not every document is a record, all records are documents. 

This policy relates to all documents and records held by ID Insight Consulting Ltd staff, regardless of format, including, but not limited to, email, paper, digital, social media, videos and telephone messages. 

Records are created to provide information about what happened, what was decided, and how to do things.  Individuals cannot be expected or relied upon to remember or report on past policies, discussions, actions and decisions accurately all of the time.  So, as part of their daily work they keep a record – by updating a register or database, writing a note of a meeting or telephone call, audio recordings of interaction or filing a letter or email – which ensures that they and their successors have something to refer to in the future. 

Records are a valuable resource because of the information they contain.  High-quality information underpins the delivery of high-quality services.  Information has most value when it is accurate, up-to-date and accessible when it is needed.  An effective records management function ensures that information is properly managed and is available whenever and wherever there is a justified need for that information, and in whatever media it is required. 

Records management is about controlling records within a framework made up of policies, standard operating procedures, systems, processes and behaviours.  Together they ensure that reliable evidence of actions and decisions is kept and remains available for reference and use when needed, and that the organisation benefits from effective management of one of its key assets - its records.

A records retention schedule is a control document.  It sets out the classes of records which ID Insight Consulting Ltd retains and the length of time these are retained before a final disposition action is taken (i.e. destruction).  It applies to information regardless of its format or the media in which it is created or might be held.  All staff members should be familiar with this records retention schedule and apply retention periods to records.

A records management policy is a cornerstone of effective management of records in an organisation.  It will help to ensure ID Insight Consulting Ltd keeps the records it needs for business, regulatory, legal and accountability purposes. 

The purpose of this policy is to establish a framework in which ID Insight Consulting Ltd records can be managed, and to provide staff members with an overview of their obligations under it.

Scope

Staff of ID Insight Consulting Ltd fall under the scope of this document, including contractors, temporary staff and all permanent employees.

Responsibilities

Owner

Responsibility for data management and handling resides ultimately with the Owner.

All Staff

All staff are responsible for data management and handling and therefore must understand and comply with this policy and associated guidance.  Failure to do so may result in disciplinary action. 

Procedures

This policy covers the management of both documents and records at ID Insight Consulting Ltd.  The policy sets in place the arrangements for all documents and records produced and received by ID Insight Consulting Ltd.

This policy is mandatory and applies to all information in all formats.  It covers all stages within the information lifecycle, including retention and disposition. 

Staff members must not alter, deface, block, erase, destroy or conceal records with the intention of preventing disclosure under a request relating to the Freedom of Information Act 2000 or the Data Protection Act 2018. 

Staff members are expected to manage records about individuals in accordance with this policy irrespective of their race, disability, gender, age, sexual orientation, religion or belief, or socio-economic status.  

Records and Information Management

Stage 1 – Creation and Receipt

This part of the process is when we put pen to paper, make an entry into a database or start a new electronic document.  This is the first phase.  It can be created by members of staff or received from an external source.

Stage 2 - Distribution

Distribution is managing the information once it is created or received, whether it is internal or external.  It occurs when records are sent to the people for whom they were intended or to whom they were copied.  Records are distributed when photocopied, printed, attached to an email, hand delivered or sent by regular mail, etc.  After records are distributed, they are used.

Stage 3 - Use

This stage takes place after information is distributed.  This is when records are used on a day to day basis, in line with business activities. 

Stage 4 - Maintenance

Maintenance is when records are not used on a day to day basis and are stored.  Even though they are not used on a day to day basis, they will be kept for future reference or need until they have met their retention period.  The maintenance phase includes filing, transfers and retrievals.  The information may be retrieved during this period to be used as a resource for reference or to aid in a business decision.

Stage 5 - Disposition

Disposition is when a record is less frequently accessed, has no more value to ID Insight Consulting Ltd or has met its assigned retention period.  It is then reviewed and if necessary destroyed under confidential destruction conditions.  This is the final phase. 

Record Naming and Good Practice

Record naming is an important process in the management of data and it is essential that a unified approach is undertaken within the business. 

Staff members should refrain from naming folders or files with their own name unless the folder or file contains records that are biographical in nature about that individual, for example, personnel records.  

ID Insight Consulting Ltd standard naming convention must be used for the filename of all electronic documents created by staff members. 

The re-naming of old documents is optional but new documents must follow the standard naming convention.

Version Control is the management of multiple revisions to the same document.  Version control enables us to tell one version of a document from another. 

Where records contain person identifiable data or corporate sensitive information it is a requirement that such data is stored securely.  You must ensure access to the data is password protected and access only allowed for specific, named personnel.

Good record keeping should prevent record duplication.  Staff members should ensure team members have not previously created a record prior to initiating a new document.

Staff members should ensure records are relevant and need to be retained.

Record Maintenance

Electronic documents and records should be maintained in accordance with this policy.

The movement and location of paper records should be controlled and tracked to ensure that a record can be easily retrieved at any time.  This will enable the original record to be traced and located if required, and the record must be held in a shared location.

Records Security - Work Base, Home Working, Agile Working

All person identifiable data or commercially sensitive data must be saved with appropriate security measures. 

Staff must not use home email accounts or private computers to hold or store any sensitive records or information which relates to the business activities of ID Insight Consulting Ltd.

Removable Media must be owned by ID Insight Consulting Ltd.  Ideally, person-sensitive data should not be stored on any removable media; however, if there is no other option, ensure this data is stored on a corporate encrypted device and deleted once transferred to the identified secure area folder.

When printing paper records, especially sensitive documents, ensure appropriate measures have been taken in collecting all documents immediately after printing.

When transferring data, ensure security measures and precautions have been actioned by the sender and receiver. 

Never leave your computer unlocked when unattended.  Always lock it using the keys Control + Alt + Delete and then click on ‘Lock This Computer’.

Missing and Lost Records

A ‘missing record’ is when a record cannot be found, or is not available when required. 

In the event of a missing record, a thorough search must be undertaken.  

If after 5 working days, the record has not been found, the missing record must be reported to the Owner.  The severity of the incident will determine the level of investigation required.

Business Continuity and Recovery

The business owner will make appropriate plans for business continuity in the event of any business interruption that compromises delivery of contracted services to clients.  This will also extend to disaster recovery planning.  Key principles of planning are:

• Ability to access business critical systems remotely – from secure, protected devices

• Secure storage of key documents within recoverable systems

• Use of encrypted and password protected removable devices containing key business documents

• Availability of appropriate alternative work spaces for employees in the event of the main office being inaccessible for a period of more than 1 week

• Identifiable resources, in addition to key project owners, for all continuous projects

Monitoring

Compliance with the policies and procedures laid down in this document will be monitored by the Owner.  The Owner is responsible for the monitoring, revision and updating of this document if the need arises.



INFORMATION SECURITY POLICY

1.    INTRODUCTION

Information Security is strategically important to our business and accordingly we are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets throughout the organisation in order to preserve our reputation, cash-flow, profitability, legal, regulatory and contractual compliance and commercial position.

2.    PURPOSE

This information security policy defines the framework within which information security will be managed within the business and demonstrates the commitment and support for information security within the business.

3.    SCOPE

All employees are obliged to comply with this policy.

The policy covers, but is not limited to, any systems or data related to our computer or telephone networks, any systems provided by us and any communications sent to or from the agency and any data which is owned either by the business or on behalf of our clients held on systems internally or external to the agency’s network.

4.    ORGANISATION AND RESPONSIBILITY


Our responsibilities

The owner is ultimately responsible for the maintenance of this policy and for compliance within the business. This policy has been approved and forms part of our policies and procedures.

The owner is responsible for reviewing this policy on an annual basis and is responsible for identifying and assessing security requirements and risks. They will provide clear direction, visible support and promote information security through appropriate commitment and adequate resourcing.

The owner is responsible for the management of information security and, specifically, to provide advice and guidance on the implementation of this policy.

It is the responsibility of all employees to implement this policy within their area of responsibility and the responsibility of the owner to ensure they are fully aware of the policy and given appropriate support and resources to comply.

Your responsibilities

It is the responsibility of EVERY EMPLOYEE to adhere to this policy at all times.

Failure to comply with this policy that occurs as a result of deliberate, malicious or negligent behaviour may result in disciplinary action.

5.    POLICY

We are committed to protecting the security of our information and information systems and to a policy of education, training and awareness for information security. It is our policy that the information we manage shall be appropriately secured to protect against breaches of confidentiality, failures of integrity or interruptions to the availability of that information, and to ensure appropriate legal, regulatory and contractual compliance. In particular, contingency plans, data backup procedures, avoidance of viruses and hackers, access control to systems and information security incident reporting are fundamental to this policy. Control objectives for each of these areas are defined and are supported by specific, documented policies and procedures as appropriate.

To determine the appropriate level of security control that should be applied to information systems, a process of risk assessment shall be carried out in order to define security requirements and identify the probability and impact of security breaches.

It is our policy to report and log all information or IT security incidents, or other suspected breaches of the policy. All employees will follow the procedure for escalation and reporting of security incidents and any data breaches that involve personal data will subsequently be reported to the Information Commissioner’s Office, as appropriate.

Owner

February 2020

ID insight consulting

Corporate Policies