Data protection statement and security policy
Fiveways NP Limited is registered with the ICO, registration reference: ZA353977, expiring on 29 April 2020.
Generally, Fiveways’ approach to capturing and managing personal data is as follows:
- We only keep information about an individual if we know what we are going to use it for
- The people that we hold information about, know that we’ve got it, and know what we are using it for
- Personal data is kept securely within our systems, and on the systems that we use (e.g. SmartSurveys). Data being transferred outside of those systems is password protected
- Personal information is deleted one we have no more need for it. For our evaluation projects this is between 3 and 6 months after the conclusion of the project
- Only Fiveways Directors have access to systems where personal information may be stored
- Personal information that is transferred to our associates, for example for research purposes, is password protected. Any contract with associates includes reference to their responsibilities regarding the processing and storing of personal data
- Richard Donaldson, one of our Directors, is responsible for making sure we comply with the GDPR
- All personal data we keep is stored within Europe, and we do not transfer data outside the European Economic Area (EEA).
General Data Protection Regulation (2018)
The GDPR applies to ‘personal data’, meaning any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. This includes special category data, such as about race, health or sexual orientation (broadly similar to the concept of sensitive personal data).
Personal data has ‘controllers’ and ‘processors’. A controller determines the purposes and means of processing personal data. A processor is responsible for processing personal data on behalf of a controller.
The vast majority of the personal data that Fiveways captures and holds is given to us directly by the individual subject, meaning that in most of our projects we are a data controller and a processor. The GDPR places specific legal obligations on processors – for example being required to maintain records of personal data and processing activities – and processors have legal liability if responsible for a breach. Controllers are not relieved of obligations where processors are involved – the GDPR places further obligations on controllers to ensure contracts with processors comply with the GDPR.
As most of the data processed by Fiveways is given to us directly, the lawful basis for processing is typically ‘consent’. Fiveways ensures that this is freely given, specific, informed, and unambiguous, and has compliant mechanisms for individuals to withdraw their consent easily, and tell people they have the right to withdraw consent. For example, when personal data is captured on in a survey, it is always made clear why the data is being processed, what is happening with it, whether it will be shared with anyone, and for how long Fiveways intends to keep it.
When processing special category data, such as to do with health, we are also clear about the basis for processing data, and this is documented separately.
Individuals have the right to access their personal data (commonly referred to as subject access). Our process for this is that individuals should email email@example.com, and will receive a response without undue delay and certainly within one month to let the individual know what data we are holding about them. If people request their personal data verbally in person, a record of the request is kept securely on our system.
Fiveways follows the National Cyber Security Centre guidance for small businesses – https://www.ncsc.gov.uk/smallbusiness.
These means that we follow guidance in the following areas:
- We back up all business-critical information
- We are protected from malware by installing antivirus software on all relevant devices, and patching regularly
- We password protect mobile devices with a complex PIN or password, or fingerprint recognition, and have the capacity to delete data from devices if they are lost
- We use passwords to protect data on other devices, using two-factor authentication where possible, and always changing default/factory passwords
- We don’t open emails or files that are from unknown sources, or which are out of the ordinary, and report any phishing attacks or scams internally.
Issues relating to data protection and data security, this policy, or complaints about Fiveways work in this area should be directed to Richard Donaldson firstname.lastname@example.org.
This policy was last updated in June 2019