AI data usage and privacy
1. Introduction
The security and management of data is important to ensure that we can function effectively and successfully for the benefit of our company and clients.
The use of all client data is governed by:
- The General Data Protection Regulation (GDPR)
- The UK Data Protection Act 2018 (DPA)
- The Privacy and Electronic Communications Regulations (PECR)
Every member of staff has a responsibility to adhere to the Data Protection Principles outlined in the GDPR, and to this Data Protection Policy.
2. Data protection principles
There are six data protection principles set out in Article 5(1) of the GDPR. These require that all personal data be:
- processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’).
- collected only for specified, explicit and legitimate purposes (‘purpose limitation’).
- adequate, relevant and limited to what is necessary (‘data minimisation’).
- accurate and, where necessary, kept up to date (‘accuracy’).
- kept in a form that identifies individuals for no longer than necessary (‘storage limitation’).
- processed with appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (‘integrity and confidentiality’).
We are committed to upholding these principles. All personal data under our control must be processed in accordance with them.
3. Data processing procedure
Our data comes from two sources:
- data that is publicly available, accessible and royalty free.
- data provided by the client company.
Data provided by the client company is treated as confidential unless the client expressly agrees otherwise.
The general process is as follows:
- The data is uploaded to and processed on our internal servers, which are not accessible to anyone outside the organisation.
- Backups of the data are encrypted and uploaded to Amazon S3 storage, where they are not accessible to anyone outside the organisation.
- The processed data is accessible only to the members of staff assigned to the client and is not exposed to the public internet.
Any queries and outputs from the system are produced within the company's systems and sent to the client by email or another appropriate method.
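The two controls the backup step relies on (backups are encrypted, and nobody outside the organisation can reach them) can be enforced by the bucket itself rather than left to whoever runs the backup job. The bucket policy below is an added illustration, not the organisation's actual configuration; the bucket name `example-client-backups` is hypothetical, and it assumes server-side encryption with a KMS key is the chosen encryption method (the policy text above does not say whether backups are encrypted client-side or by S3). The first statement refuses any request that does not arrive over TLS; the second refuses any upload that does not request SSE-KMS, so an unencrypted object can never be written.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-client-backups",
        "arn:aws:s3:::example-client-backups/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyUnencryptedObjectUploads",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-client-backups/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    }
  ]
}
```

A bucket policy alone does not stop a bucket being made public; the bucket's Block Public Access settings should be enabled as well, and the KMS key policy should grant decrypt rights only to the roles used by the backup and restore jobs, so that even a staff member with S3 read access cannot read a backup without also holding the key.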
4. Lawful processing
- All processing of personal data must rely on one of the six lawful bases defined in Article 6(1) of the GDPR:
- Where we have the consent of the data subject.
- Where it is in our legitimate interests and this is not overridden by the rights and freedoms of the data subject.
- Where necessary to meet a legal obligation.
- Where necessary to fulfil a contract, or to take steps at the data subject's request before entering into a contract.
- Where we are protecting someone’s vital interests.
- Where we are fulfilling a public task, or acting under official authority.
- Any special category data (the sensitive types of personal data defined in Article 9(1) of the GDPR) must additionally be processed only in line with one of the conditions specified in Article 9(2).
- Where processing is based on consent, the data subject must be able to withdraw that consent as easily as they gave it.
- Where electronic direct marketing communications are sent, every communication must offer the recipient a way to opt out, and opt-outs must be recorded and honoured by us.
5. Data minimisation and control
- Where we have no legal obligation to retain particular personal data, we will consider whether there is a genuine business need to hold it.
- We will retain data only for as long as is necessary to meet the purpose for which it was collected.
- Anonymisation or pseudonymisation of personal data that is stored or transferred should be applied wherever it is practicable.
6. Accountability
- We will maintain a record of processing activities (our ‘Data Processing Register’) as required by Article 30 of the GDPR to document our regular processing activities.
- The Data Protection Officer (DPO) has specific responsibility for overseeing data protection and ensuring that we comply with the data protection principles and relevant legislation (see Section 7, Role of the Data Protection Officer).
- The DPO will ensure that the Data Processing Register is kept up to date and demonstrates how our activities adhere to the data protection principles. Individual members of staff have a duty to ensure that the measures described in the Register are accurately reflected in our practice.
- We will adhere to relevant codes of conduct where they have been identified and agreed as appropriate.
- Where a processing activity is likely to result in a high risk to individuals’ rights and freedoms, we will first carry out a Data Protection Impact Assessment (DPIA) and, where the DPIA indicates a residual high risk, consult the ICO before processing.
7. Role of the Data Protection Officer
- The Data Protection Officer role is assigned to a member of staff on a voluntary basis.
- The DPO's tasks are to:
- monitor our internal compliance.
- inform and advise on our data protection obligations.
- provide advice on Data Protection Impact Assessments.
- act as the contact point for data subjects and the Information Commissioner’s Office (ICO).
- The DPO advises management on data protection matters.
- The DPO is easily accessible as a point of contact for staff on data protection issues and is identified as the point of contact in our privacy notice and other external material.
- The DPO identifies, organises and delivers data protection training for staff, and meets new staff during their induction to discuss data protection matters, including this policy.
- The DPO is required to have appropriate knowledge of data protection law and best practice, and is provided with adequate resources to carry out the role, including appropriate training and accreditation where identified.
- The DPO has primary responsibility for responding to requests made by data subjects, reporting breaches, and drawing up data protection policies and procedures.
- This does not preclude another responsible member of staff from carrying out these duties.
8. Reporting of breaches
- A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data.
- All members of staff should be vigilant and able to recognise a suspected personal data breach. A breach could include:
- loss or theft of devices or data, including information stored on USB drives or on paper.
- hacking or other unauthorised access to a device, email account, or the network.
- disclosure of personal data to the wrong person, for example through wrongly addressed emails, or bulk emails that inappropriately reveal all recipients’ email addresses.
- alteration or destruction of personal data without permission.
- Any member of staff who discovers or suspects a personal data breach must report it to the DPO as soon as possible.
- Where the breach is likely to result in a risk to individuals’ rights and freedoms, the DPO will report it to the ICO without undue delay and no later than 72 hours after the organisation becomes aware of it.
- Where the breach is likely to result in a high risk to individuals’ rights and freedoms, we will also inform the affected individuals without undue delay.
- The DPO will keep a record of all personal data breaches, whether or not they were reportable to the ICO, and will follow up with appropriate measures and improvements to reduce the risk of recurrence.