DATA PROTECTION AND PRIVACY POLICY
1. Introduction
The purpose of this policy is to explain how Ethicall Field Services Ltd collects, protects, and uses sensitive data. Ethicall Field Services Ltd is committed to ensuring that any sensitive data supplied by its clients or otherwise generated by its business activities is collected and processed fairly and lawfully.
2. What Types Of Sensitive Data Does Ethicall Field Services Ltd Collect?
Ethicall Field Services Ltd needs certain sensitive data to enable it to provide its products and services to its clients. The sensitive data collected is on three levels:
- Level 1 – Client information
  Company and employee details including operational addresses, telephone numbers and email addresses are taken for the purposes of administration, communication and invoicing.
- Level 2 – Borrower information
  Case file details of borrower information for the purposes of facilitating a field visit by an Ethicall employee.
- Level 3 – Website enquiries
  Website user enquiries generated via the contact page from our corporate website.
3. How Does Ethicall Field Services Ltd Receive Sensitive Data?
Ethicall Field Services Ltd obtains sensitive data in a number of ways, including from orders placed by clients for borrower field visits. This data will usually be entered directly into the Ethicall Workflow System (EWS) via an interactive web page or by the uploading of a batch file from within a secure area of the EWS. Sometimes clients will email/fax/post/courier/DX sensitive data files to us.
4. How Does Ethicall Field Services Ltd Use The Sensitive Data It Holds?
4.1. Providing and Improving the Ethicall Service
Most of Ethicall Field Services Ltd's use of sensitive data is necessary to enable it to provide a service to its clients, including borrower field visits and subsequent client reports, as well as for administrative purposes. In addition, Ethicall Field Services Ltd may also use certain non-identifiable management information to provide performance data to its clients.
5. Does Ethicall Field Services Ltd Transfer Sensitive Data Overseas?
Ethicall Field Services Ltd does not process sensitive data overseas.
6. To Whom Does Ethicall Field Services Ltd Disclose Sensitive Data?
Ethicall Field Services Ltd will pass sensitive data within its internal departments in order to fulfil support obligations, as well as to the finance department to enable invoicing.
Ethicall Field Services Ltd will not disclose sensitive data to unaffiliated third parties except where Client consent has been obtained, where Ethicall Field Services Ltd is under an obligation by law to disclose sensitive data, or where Ethicall Field Services Ltd has contracted with a third party to whom we disclose information for trading purposes and who has been vetted to meet our stringent information security/privacy policy requirements.
7. How Does Ethicall Field Services Ltd Protect the Sensitive Data it Holds?
Ethicall Field Services Ltd considers Information Security and Privacy of paramount importance in its day to day business affairs. Ethicall Field Services Ltd has implemented appropriate internal security procedures that restrict access to and disclosure of sensitive data within Ethicall Field Services Ltd.
These procedures will be reviewed from time to time to determine whether they are being complied with and are effective. Ethicall Field Services Ltd will also actively investigate and co-operate with law enforcement agencies on any allegations of abuse or violation of system or network security.
8. Clients' Rights
The law in certain jurisdictions (including countries within the European Economic Area) gives individuals whose sensitive data is held by Ethicall Field Services Ltd specific rights to access and rectify sensitive data held about them. These include the right to:
8.1 Obtain from Ethicall Field Services Ltd confirmation that sensitive data is held, as well as a written description of such sensitive data, the purpose(s) for which it is being used, the source(s) of the sensitive data and details of any recipients;
8.2 Request the deletion or rectification of sensitive data which is inaccurate.
8.3 Ethicall Field Services will respond to any data access requests within one calendar month of the request being made.
8.4 Ethicall Field Services would advise that if there is any issue/concern with the way Ethicall Field Services processes data, an individual or company can contact us directly or take the matter directly to:
The Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF.
9. Contact Details
If any individual wishes to contact Ethicall Field Services Ltd regarding the sensitive data held about them or has any other question about Ethicall Field Services Ltd's data privacy procedures, they should direct an email to
enquiries@ethicallfs.co.uk
or send a letter to:
Ethicall Field Services Ltd
1 Billing Road
Northampton
NN1 5AL
10. Policy Updates
As part of Ethicall Field Services Ltd's commitment to compliance with data privacy requirements, and to reflect changes in Ethicall Field Services Ltd's operating procedures, Ethicall Field Services Ltd may update the terms of this policy from time to time and will post the revised policy at
http://www.ethicallfs.co.uk/privacy.html.
11. Instances of data breaches
In the event of a data breach, Ethicall Field Services will follow the ICO and GDPR directives with respect to reporting to both the client and the governing bodies.
12. Lawful basis for processing
Ethicall Field Services' lawful basis for processing is legitimate interests.
Data Protection Policy Statement (GDPR)
We regard the lawful and correct treatment of personal information by Ethicall Field Services Ltd as important to the achievement of our objectives and to the success of our operations, and to maintaining confidence between those with whom we deal and ourselves. We therefore need to ensure that our organisation treats personal information lawfully and correctly.
To this end, we fully endorse and adhere to the Principles of data protection, as set out in the Data Protection Act 1998 and more recently the GDPR.
Under the GDPR, the data protection principles set out the main responsibilities for organisations.
Article 5 of the GDPR requires that personal data shall be:
- Processed lawfully, fairly and in a transparent manner in relation to individuals;
- Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
- Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
- Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Article 5(2) requires that:
"The controller shall be responsible for, and be able to demonstrate, compliance with the principles."
In addition, the eight Data Protection Principles require that:
- Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless certain conditions are met.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.