Data Protection Policy
Purpose
This data protection policy (“Policy”) describes how data will be processed and managed by Think Information Technology Ltd (“Think IT”), also referred to as “us”, “we” and “our”.
This Policy includes:
- our approach to data protection; and
- alignment of our approach to relevant legislation and regulatory requirements.
The objectives of this Policy are:
- to clarify our commitment to data protection in relation to Think IT staff, clients, suppliers and other third parties;
- to set out relevant data protection processes and practices that we adopt; and
- to align our data protection processes and practices with relevant legislation and regulatory requirements.
This Policy applies to:
- all personal data processed by us in the course of our business;
- all products and services developed and/or provided by us, to the extent that such products and services interface with personal data; and
- all of our staff, to the extent that they interface with personal data.
It is intended for use by ourselves, our clients, our suppliers and other third parties with a legitimate interest in our data protection processes.
Guidelines and Background
We need to store and use various data in order to operate, including (i) to provide our services; (ii) to employ our staff; and (iii) to adhere with applicable requirements.
We shall seek to achieve and to maintain a good standard of data protection and information security.
We shall seek to support our data protection activities with relevant review and assurance processes (e.g. Cyber Essentials).
The supervisory authority for the UK is the Information Commissioner’s Office (“ICO”): https://ico.org.uk/
General Information
Our Services
- We shall seek to ensure that our services achieve and maintain a good standard of data protection.
- We shall develop and manage our services using principles of data protection by design and data protection by default.
- Where our services undertake processing of special category personal data, they shall be subject to additional controls.
Data Controller
We are the data controller where:
- the data subject is, has been, or might be (i.e. is interested in becoming) a member of our staff;
- the data subject is using, or is intending to use, one or more of our services as a private individual; or
- the data subject is receiving, or is intending to receive, information from us through (i) our website; (ii) email, including ‘service update’ emails and ‘email marketing’; or (iii) events which require or provide the opportunity for personal data to be shared with us.
Data Processor
We are the data processor where:
- the data subject is employed by, is a contractor to, is a director of or volunteers for a client or other organisation that is using, or is intending to use, our services;
- the data subject is employed by, is a contractor to, is a director of or volunteers for a supplier or other organisation that is providing or is intending to provide their goods and/or services to us, or is working or intending to work with us; or
- the data subject is a third party.
Data Retention
We shall retain personal data only for as long as it is required for legitimate purposes.
The retention periods for personal data shall take in to account any contractual requirements, relevant available guidance (statutory and non-statutory), and the nature of the service to which the personal data is related.
The retention periods for personal data and other data shall be set out in our internal process documents.
Staff
Our staff shall observe and comply with this Policy.
We shall conduct initial training with new staff, and regular training and/or awareness sessions with all staff.
Supervisory Authority
We shall fully co-operate with the supervisory authority (the ICO) and shall observe relevant guidance provided by the ICO.
Risk Management
We shall observe data protection as a risk that requires ongoing review and shall identify it within our internal risk management systems.
Our directors shall review risks regularly.
Data Processing
We shall process personal data only where:
- the processing is lawful, fair and transparent to the data subject;
- the processing is for specified, explicit and legitimate purposes;
- the processing is limited to adequate and relevant personal data;
- the processing includes steps to ensure that personal data is accurate and up to date;
- the processing is undertaken for no longer than is necessary for the purpose; and
- the processing is undertaken with appropriate security.
We shall seek to be able to demonstrate compliance with these processing requirements.
We shall set out our processing obligations in:
- relevant documentation for clients; and
- notices, including our Privacy Policy and Cookie Policy.
Data Subject Rights
We shall recognise, observe and protect the rights of data subjects in accordance with relevant legislation and with guidance from the ICO (which can be found at the ICO website), including:
- The right to be informed: the right of a data subject to be informed about how personal data is collected, processed and managed. Where this right is permitted and supported by relevant legislation, we shall seek to provide this information in a clear and transparent manner.
- The right to access: the right of a data subject to access personal data held by a data controller. Where this right is permitted and supported by relevant legislation, and where we are the Data Controller, we shall provide access to the personal data. Where we are not the data controller, pursuant to a request from the relevant data controller we shall seek to provide the personal data requested in a clear and transparent manner.
- The right to object to direct marketing: the right of a data subject to object, particularly to automated profiling and to direct marketing. To the extent we undertake such processing, and where this right is permitted and supported by relevant legislation, we shall cease to undertake the processing.
Where we undertake direct marketing, data subjects shall be provided with the ability to stop such direct marketing by unsubscribing from it. - The right to object to processing: the right of a data subject to object to processing undertaken on the basis of legitimate interests. To the extent we undertake processing on this basis, and where this right is permitted and supported by relevant legislation, we shall cease to undertake the processing unless compelling legitimate grounds for the processing are established.
- The right to erasure: the right of a data subject to have personal data provided in a structured, commonly used and machine readable form. Where this right is permitted and supported by relevant legislation, we shall provide personal data in a compliant manner.
- The right to data portability: the right of a data subject to have personal data provided in a structured, commonly used and machine readable form. Where this right is permitted and supported by relevant legislation, we shall provide personal data in a compliant manner.
- The right to object to decisions being taken by automated means: we shall not use automated decision making where the outcomes of such decisions could have a material effect on data subjects.
- The right to rectification: the right of a data subject to have personal data rectified if it is inaccurate or incomplete. Where this right is permitted and supported by relevant legislation, we shall rectify personal data accordingly.
- The right to restrict processing: the right of a data subject to have personal data restricted or blocked from further processing by us. Where this right is permitted and supported by relevant legislation, we shall restrict processing accordingly.
Lawful Basis for Processing Personal Data
We shall only process personal data where such processing:
- is undertaken with the consent of the data subject: in certain cases (e.g. marketing and communications), we may use this as the lawful basis for processing;
- is necessary for the performance of a contract: in certain cases (e.g. where a service is provided (or intended to be provided) to an individual), we may use this as the lawful basis for processing;
- is necessary for compliance with a legal obligation: in certain cases (e.g. where there is a requirement to provide certain information to a public authority), we may use this as the lawful basis for processing;
- is necessary to protect vital interests of a data subject or another person: in certain specific cases (e.g. where a risk to the life or health of a person is identified), we may use this as the lawful basis for processing;
- is necessary in the public interest: in certain specific cases (e.g. where criminal activity is suspected), we may use this as the lawful basis for processing; or
- is necessary for the purposes of pursuing our legitimate interests or those of a third party: (e.g. where a service is provided (or intended to be provided) to an organisation and personal data is required to enable that service to be provided), we may use this as the lawful basis for processing.
Personal Data Transfer
We shall not provide personal data to third parties for commercial purposes.
We shall only disclose personal data obtained if:
- required or authorised to do so by law;
- it is necessary to enforce or apply our terms and conditions and/or other agreements; or to protect our rights, property, or the safety of our staff, our clients, or others;
- we sell or buy any business or assets, in which case personal data may be disclosed to the prospective seller or buyer of such business or assets; or if we or substantially all of our assets are acquired by a third party, in which case personal data held may be one of the transferred assets;
- such data is required by another person or organisation in order to provide goods and/or services; and/or
- we have the data subject’s consent to do so.
We may employ third party companies and/or individuals to perform certain functions (including sending postal mail or email, in relation to events, delivering certain aspects of our service, and processing card payments). To the extent that third parties require access to personal data (and where it is not possible to achieve the desired outcome by providing this data in an anonymised manner), we shall disclose personal data only where:
- the third party agrees to use it only for the agreed function(s) and not for any other purposes; and
- the third party agrees to process the personal data in a manner permitted by relevant data protection legislation of the UK; or
- where a third party is located outside the EEA, that suitable levels of protection for personal data can be assured.
Information Security
We shall employ suitable measures and controls to ensure an appropriate standard of information security.
Further information can be found in our Information Security Policy.
Breach Management
We shall establish and maintain effective data breach management processes.
Where a data breach is suspected, it shall be reported to the information security team without delay, and three activity streams shall typically commence:
- Suspension: affected systems shall be isolated; auditing and logging shall be sustained; and affected accounts shall be disabled or changed;
- Analysis: should the suspected data breach be confirmed, the impact of the data breach shall be assessed (including the impact to the affected data subjects); the cause of the data breach shall be identified; and the resolution plan shall be created;
- Communication: internal and external communications shall be issued.
Where a data breach has, or could have, an impact on personal data, and we are the data controller:
- we shall notify the ICO within 72 hours of becoming aware of the personal data breach; and
- where the impact assessment suggests a high risk to data subjects, we shall notify the affected data subjects without undue delay.
Where a data breach has, or could have, an impact on personal data, and we are the data processor, we shall notify the relevant data controller(s) without undue delay.
Legislation
The legislation below is applicable to data protection:
- Data Protection Act 2018;
- General Data Protection Regulation (“GDPR”);
- Investigatory Powers Act 2016;
- Privacy and Electronic Communications Regulations (“PECR”) 2003;
- Protection of Freedoms Act 2012; and
- The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.
Review
This Policy is subject to annual review.
Updated versions of this Policy shall be published following review.
This version of the Policy was updated on 14 April 2021.