The security and management of data is important to ensure that we can function effectively and successfully for the benefit of our clients. In doing so, it is essential that people’s privacy is protected through the lawful and appropriate use and handling of their personal information. The use of all personal data by Indigosoft is governed by the General Data Protection Regulation (GDPR).
Every employee of Indigosoft has a responsibility to adhere to the Data Protection Principles outlined in the GDPR, and to this Data Protection Policy. If you have a question about this Data Protection Policy or an area of concern about data protection matters, please contact our Data Protection Officer (DPO).
2. Data Protection Principles
There are six Data Protection Principles defined in Article 5 of the GDPR. These require that all personal data be:
- processed in a lawful, fair and transparent manner.
- collected only for specific, explicit and limited purposes (‘purpose limitation’).
- adequate, relevant and not excessive (‘data minimisation’).
- accurate and kept up-to-date where necessary.
- kept for no longer than necessary (‘retention’).
- handled with appropriate security and confidentiality.
The Data Processing Register will be reviewed at least every 6 months by the Data Protection Officer.
We are committed to upholding the Data Protection Principles. All personal data under our control must be processed in accordance with these principles.
3. Lawful Processing
1. All processing of personal data must meet one of the six lawful bases defined in Article 6(2) of the GDPR:
- Where we have the consent of the data subject
- Where it is in our legitimate interests and this is not overridden by the rights and freedoms of the data subject.
- Where necessary to meet a legal obligation.
- Where necessary to fulfil a contract, or pre-contractual obligations.
- Where we are protecting someone’s vital interests.
- Where we are fulfilling a public task, or acting under official authority.
2. Any special category data (sensitive types of personal data as defined in Article 9(1) of the GDPR) must further be processed only in line with one of the conditions specified in Article 9(2).
3. The most appropriate lawful basis will be noted in the Data Processing Register (see Section 5. Accountability).
4. Where processing is based on consent, the data subject has the option to easily withdraw their consent.
4. Data Minimization And Control
- Data collection processes will be regularly reviewed by the Data Protection Officer to ensure that personal data collected and processed is kept to a minimum.
- We will keep the personal data that we collect, use and share to the minimum amount required to be adequate for its purpose.
- Where we do not have a legal obligation to retain some personal data, we will consider whether there is a business need to hold it.
- We will retain personal data only for as long as it is necessary to meet its purpose. Our approach to retaining and erasing data no longer required will be specified in the retention policy and schedule. This schedule will be reviewed annually.
- In the case of sharing personal data with any third party, only the data that is necessary to fulfil the purpose of sharing will be disclosed.
- Anonymization and pseudonymization of personal data, whether stored or transferred, should be considered wherever this is practicable.
5. Accountability
- Indigosoft will maintain a Data Processing Register as required by Article 30 of the GDPR to document regular processing activities.
- The ‘Data Protection Officer’ (DPO) has the specific responsibility of overseeing data protection and ensuring that we comply with the data protection principles and relevant legislation (see Section 6. Role of the Data Protection Officer).
- The DPO will ensure that the Data Processing Register is kept up to date and demonstrates how the data protection principles are adhered to by our activities. Individual employees have a duty to contribute to ensure that the measures outlined in the Register are accurately reflected in our practice.
- The Data Protection Officer monitors our compliance with relevant policies and regulatory requirements in respect of data protection as part of our Data Management Strategy.
- All employees who will be handling personal data on behalf of Indigosoft will be appropriately trained and supervised where necessary.
- The collection, storage, use and sharing of personal data will be regularly reviewed by the Data Protection Officer, the Governance Group, and any relevant business area.
- We will adhere to relevant codes of conduct where they have been identified and discussed as appropriate.
- Where there is likely to be a high risk to individuals’ rights and freedoms due to a processing activity, we will first undertake a Data Protection Impact Assessment (DPIA) and consult with the ICO prior to processing if necessary.
6. Role of the Data Protection Officer
1. The Data Protection Officer role is assigned to a member of staff on a voluntary basis, i.e. we are not legally obliged to have a DPO. We have chosen to do so as part of demonstrating our accountability and ensuring our compliance with data protection requirements.
2. The DPO assists Indigosoft to:
- monitor our internal compliance
- inform and advise on our data protection obligations
- provide advice regarding Data Protection Impact Assessments
- act as a contact point for data subjects and the Information Commissioner’s Office.
3. The DPO reports to Senior Management on data protection matters.
4. The DPO is easily accessible as a point of contact for staff for data protection issues and is identified as the point of contact in our privacy notice and other external material.
5. The DPO identifies, organises and delivers training for staff and meets with new staff during their induction to discuss data protection matters, including this policy.
6. The DPO is required to have appropriate knowledge of data protection law and best practice, and is provided with adequate resources to help them carry out their role. This might include appropriate training and accreditation where identified.
7. The DPO is nominally responsible for carrying out responses to requests made by data subjects, reporting breaches and drawing up policies and procedures.
8. This does not preclude another responsible member of staff from carrying out these duties.
7. Procedures for Employees
This policy helps us to demonstrate how we seek to comply with data protection legislation and be accountable for our actions. In addition, all employees must comply with the following procedures when processing or transmitting personal data.
We use appropriate technical and organizational measures to protect the personal information that we collect and process. The measures we use are designed to provide a level of security appropriate to the risk of processing personal information. In particular, we:
- Hold personal information in secure facilities and where the information is held electronically, on secure servers.
- Use encrypted transmission links whenever we can.
- Use other safeguards such as firewalls, authentication systems (e.g., passwords), and access control mechanisms to prevent unauthorized access to systems and data.
- Regularly review our information collection, storage and processing practices, including physical security measures, to guard against unauthorized access to systems.
- Restrict access to personal information to our employees, contractors and agents who need to know that information in order to process it for us and who are subject to strict contractual confidentiality obligations. We may discipline or terminate individuals who maliciously acquire information they are not entitled to access.
If you do have a question or are unsure about any of these procedures, contact the Data Protection Officer or a member of the Information Team.
8. Reporting of Breaches
1. A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
2. All employees should be vigilant and able to identify a suspected personal data breach. A breach could include:
- hacking or other forms of unauthorised access to a device, email account, or the network
- disclosing personal data to the wrong person, through wrongly addressed emails, or bulk emails that inappropriately reveal all recipients’ email addresses
- alteration or destruction of personal data without permission
- loss or theft of devices or data, including information stored on USB drives or on paper
3. Where an employee discovers or suspects a personal data breach, this should be reported to the DPO as soon as possible.
4. Where there is a high risk to individuals’ rights and freedoms, Indigosoft will inform those individuals without undue delay.
5. The DPO will keep a record of all personal data breaches reported, and follow up with appropriate measures and improvements to reduce the risk of recurrence.
9. Application forms
We will not sell your personally identifiable information, gathered as a result of filling out our account application form, to anyone.
10. Choosing how we use your data
We understand that you trust us with your personal information and we are committed to ensuring you can manage the privacy and security of your personal information yourself.
With respect to the information relating to you that ends up in our possession, and recognizing that it is your choice to provide us with your personally identifiable information, we commit to giving you the ability to do all of the following:
- You can verify the details you have submitted to us by contacting our Customer Services team at firstname.lastname@example.org. Our security procedures mean that we may request proof of identity before we reveal information, including your e-mail address and possibly your address.
- You can also contact us by the same method to change, correct, or delete your personal information controlled by us regarding your profile at any time. Please note, though, that if you have shared any information with others through social media channels, that information may remain visible, even if your account is deleted.
- You can always feel free to update us on your details at any point by contacting us at email@example.com.
- You can request a readable copy of the personal data we hold on you at any time. To do this, please contact us at firstname.lastname@example.org.
12. Filing a Complaint
If you have a concern about our handling of your personal information, please get in contact with us first so we can try to resolve your query by any of the following methods: