A&N Safety Consultants Limited (‘we’, ‘us’, or ‘our’) are committed to having the correct procedures in place to protect and respect your privacy, in line with the guidelines of the Data Protection Act 1998.
We may need to gather and use certain information about individuals. These individuals can include customers, suppliers, business contacts, employees, and other people that the organisation has a relationship with or may need to contact.
This policy, along with our Terms and Conditions, states the types of information we may gather or that you may provide us with, how they will be processed, and who may be able to access this information, along with the privacy procedures we have in place to handle and store the data.
The policy applies to all A&N Safety Consultants Limited employees and all Personal Data processed at any time by A&N Safety Consultants Limited. The objective of the policy is to ensure that:
· We process personal data in compliance with the Data Protection Act 1998 and GDPR regulations.
· A&N Safety Consultants Limited and all its staff members are aware of all obligations and protocols when processing personal data.
· We protect the rights of the staff, customers and partners.
· A&N Safety Consultants Limited protects itself from the risks of a data breach.
· Data Controller: the organisation that determines the manner and purposes for which personal data is to be processed.
· Data Processor: the organisation or individual who processes data on behalf of the Data Controller.
· Data Subject: an individual who is the subject of Personal Data.
· Personal Data: information relating to an individual who can be directly identified from the information. Personal data includes factual information as well as expressions of opinion or intentions.
· Personal Data Breach: loss, theft, or unauthorised access, use or disclosure of Personal Data.
This policy applies to:
· The head office of A&N Safety Consultants Limited.
· All branches of A&N Safety Consultants Limited.
· All staff and volunteers of A&N Safety Consultants Limited.
· All contractors, suppliers and other people working on behalf of A&N Safety Consultants Limited. *Please see appendix.
It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998. This can include:
· Names of individuals.
· Postal addresses.
· Email addresses.
· Telephone numbers.
· Company name.
· Bank account details (for a supplier).
· Business information.
· Along with any other information that relates to individuals.
3a. Data protection risks
This policy helps to protect both A&N Safety Consultants Limited and our data subjects from some real data security risks:
· Breaches of confidentiality: such as information being given out inappropriately.
· Failing to offer choice: all individuals should be free to choose how the company uses data relating to them.
· Reputational damage: the company could suffer if hackers successfully gained access to sensitive data.
Everyone who works for or with A&N Safety Consultants Limited has some responsibility for ensuring data is collected, stored and handled appropriately.
Each team that handles personal data ensures that it is handled and processed in line with this policy and data principles.
However, the individuals below have key areas of responsibility.
· The board of directors is ultimately responsible for ensuring that A&N Safety Consultants Limited meets its legal obligations.
· The Data Protection Officer is responsible for:
o Keeping the board updated about data protection responsibilities, risks and issues.
o Reviewing all data protection procedures and related policies, in line with an agreed schedule.
o Arranging data protection training and advice for the people covered by this policy.
o Handling data protection questions from staff and anyone else covered by this policy.
o Dealing with requests from individuals to see the data A&N Safety Consultants Limited holds about them (also called ‘subject access requests’).
o Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
· The IT Manager is responsible for:
o Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
o Performing regular checks and scans to ensure security hardware and software is functioning properly.
o Evaluating any third-party services the company is considering using to store or process data.
· The Marketing Manager is responsible for:
o Approving any data protection statements attached to communications such as emails and letters.
o Addressing any data protection queries from journalists or media outlets like newspapers.
o Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
A&N Safety Consultants Limited will:
· Comply with the Data Protection Legislation and adhere to the following 8 Data Protection Principles:
o Must be processed fairly and lawfully.
o Must be obtained only for specific and lawful purposes.
o Must be adequate, relevant and not excessive.
o Must be accurate and kept up to date.
o Must not be held for any longer than necessary.
o Must be processed in accordance with the rights of data subjects.
o Must be protected in appropriate ways.
o Must not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection.
· Comply with the statutory requirement to maintain accurate entries on the Information Commissioner’s public register of Data Controllers which describes the purposes for which Personal Data is processed.
· Comply with all other relevant legal requirements which apply to its processing of Personal Data, including:
o A&N Safety Consultants Limited Disclosure of Personal Data to the Police and other Statutory Law Enforcement Agencies policy.
o A&N Safety Consultants Limited Information and Records Management Policy.
o A&N Safety Consultants Limited Information Security Policy.
o A&N Safety Consultants Limited Code of Conduct.
· Implement appropriate structures, systems, and processes to manage all Personal Data fairly and lawfully.
· Be transparent about how Personal Data is processed, providing clearer privacy notices at the point it is collected, providing users with an option.
· Ensure that procurement processes and contractual arrangements with external service providers also adhere to adequate measures to ensure compliance with the Data Protection Principles.
· Approach the identification, control, mitigation, and elimination of Privacy risk in the same way as financial and operational risk.
· Provide customers with an opportunity to opt in to receiving future marketing communications at the point at which their Personal Data is collected and provide a simple process to unsubscribe should they change their mind.
· Ensure that requests from customers to change the use of their data for the purposes of marketing/the provision of service updates are acted upon promptly.
· Not disclose Personal Data to third parties except where disclosures are permitted or required by law.
· Label Personal Data in accordance with its Information Security Classification Standard for protectively marking information.
· Ensure that any complaint about A&N Safety Consultants Limited’s processing of Personal Data or non-compliance with the policy will be passed to the Privacy and Data Protection Team. The complaint will then be dealt with promptly in accordance with the Privacy and Data Protection Complaints Handling Procedure.
· Provide training to any relevant member of staff and ensure that training is kept up to date.
· View serious or repeated breaches of this policy by an A&N Safety Consultants Limited employee as misconduct that will be managed and resolved in accordance with relevant disciplinary policies and procedures.
4a. Types of data that we may collect:
Information that you may give us:
You may provide us with information about yourself through the use of on-site forms, through speaking with a staff member on the phone, via email, by letter or in person. This includes information that you give us when you use our website, subscribe to our services, participate in any discussions via social media or report an issue with our website. This information may include but is not limited to: your name, email address, phone numbers, addresses, gender, company name, position in company, bank account details (for a supplier), or confidential business information.
Information that we may collect:
When you visit our website, we measure visits using Google Analytics, Mouseflow and standard web server log files. These record which pages you visit, how you arrived at the site, and other basic information about your computer. All this information is anonymous, and we do not make any attempts to find out the identities of those visiting the website.
Details of your URL
We may gather information about your visit to our website including the URL clickstream to and from the website, the date and time, pages viewed, length of page visit, interaction with those pages, their response times, any errors, your exit behaviour from the website and if you called directly from viewing the website on mobile, we may collect your mobile number.
Cookies & Google Analytics
Google Analytics and Mouseflow both set cookies on your device to function. These cookies do not personally identify you and the data these services collect is anonymous. We use these services and the data they collect to make our website better.
Any email sent to A&N Safety Consultants Limited, including any attachments, may be monitored, and used by us for reasons of security and for monitoring compliance with office policy. Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.
Information we may be given from other resources:
We may have access to certain information if you use any of the other services we provide or if you interact with our social media pages. We also work with some third parties, such as: business partners, subcontractors, payment services, ad networks, analytics providers, search engine providers, credit reference agencies, so we could receive information about you from them if it is necessary.
4b. How we may use your data:
A&N Safety Consultants Limited may use your information to:
· Carry out obligations arising from contracts entered into between A&N Safety Consultants Limited and yourselves.
· Provide you with information, products and services that you request from us.
· Provide you with information about other goods and services that we offer that are similar to those you have already purchased, enquired about, or that we would recommend.
· Permit (where appropriate) approved third parties to provide you with information about goods or services that we feel may be appropriate for your company and may interest you. Where we permit third parties to use your data, we (or they) will contact you only if you have consented to this.
· Administer our site and for internal operations such as troubleshooting, data analysis, testing, or for research purposes.
· Improve our site in order to ensure that content is presented in the most effective manner for you and your computer.
· Allow you to interact with features of the service.
· Help us keep our site safe and secure.
· Measure the effectiveness of advertising served to you.
· Make suggestions and recommendations to you about services that may interest you.
Personal data is of no value to A&N Safety Consultants Limited unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft.
· When working with personal data, employees ensure the screens of their computers are locked when left unattended.
· Personal data is not shared informally. In particular, it is never sent by email as this form of communication is not considered secure.
· Data must be encrypted before being transferred electronically. When personal data is transferred it is always done over an encrypted connection, either HTTPS or SSH.
· Personal data is never transferred outside of the European Economic Area.
· Employees do not save copies of personal data to their own computers and are always encouraged to access and update the central copy of any data.
4c. Data Accuracy:
It is the responsibility of all employees at A&N Safety Consultants Limited who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
· Data is held in as few places as necessary. Staff are advised against creating any unnecessary data sets and if this is required, they must dispose of this data by either shredding the paper copy or thoroughly deleting the additional copy.
· Staff take every opportunity to ensure that data is updated. For instance, by confirming a customer’s details when they call, or if they change their contact information in their email footer.
· A&N Safety Consultants Limited make it easy for data subjects to update the information A&N Safety Consultants Limited holds about them. This is done through an enquiry form where a data subject can request a change or request the right to be forgotten. We would aim to update this data or delete this data as promptly as possible, within 14 days.
· Data is updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it is removed from the database.
· The marketing manager ensures that marketing databases are checked against industry suppression files every six months.
5a. Data access
The only people who are able to access data covered by this policy are those who need it for work: employees of A&N Safety Consultants Limited. We do this by using built-in firewalls to block external connections from untrusted sources on all servers and computers in our offices. Our router also has a built-in firewall. There is limited physical access to the building as staff members must use their key fob at 3 separate stages to get into the office. Doors lock automatically and can only be unlocked with each staff member’s key fob.
5b. Data sharing
Data is not shared informally. When access to confidential information is required, employees will request this from their line managers and will be provided with the required details if appropriate.
A&N Safety Consultants Limited provides training to all employees, to help them understand responsibilities when handling data. Employees are trained to keep all data secure by taking sensible precautions and following the guidelines provided. Employees are also encouraged to request help from their line manager or the data protection officer if there are any aspects they become unsure of regarding data protection.
Strong passwords are used and are never shared. Personal data is not disclosed to unauthorised people, either internally within the company or externally.
Data is regularly reviewed and updated if it is found to be out of date. If it is no longer required, it is deleted and/or disposed of.
If necessary, legal and in your best interests, we may share your personal information with selected third parties including:
· Business partners, suppliers, and sub-contractors for the performance of any contract we enter into with them or you.
· Advertisers and advertising networks that require the data to select and serve relevant adverts to you and others.
· Analytics and search engine providers that assist us in improving our website.
· Credit reference agencies for the purpose of assessing your credit score where this is a condition of us entering into a contract with you.
· We may permit (where appropriate) approved third parties to provide you with information about goods or services that we feel may be appropriate for your company and may interest you. Where we permit third parties to use your data, we (or they) will contact you only if you have consented to this.
When might this be necessary?
· In the event that we sell any business or assets, in which case data may be disclosed to the seller or buyer of such business/assets.
· In the circumstance that A&N Safety Consultants Limited or all its assets are acquired by a third party. Personal information would be one of the transferred assets.
· If we have a duty to disclose information in order to comply with legal obligations.
· In order to apply agreements between us, to protect our rights, property, safety and customers. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
We set up and host websites and databases on their own secure cloud servers, located at a state-of-the-art data centre in London. Servers are not shared with any other websites.
Daily backups are made of websites we host as part of our automated backup system, which are stored securely offsite. In the event of a disaster, websites can be recovered within 2 working hours and the restored data would be at most 24 hours old.
Servers have a minimum of 99.9% uptime per annum, which equates to a maximum of 9 hours of unplanned downtime per year. A&N Safety Consultants Limited use an automated website monitoring system which alerts us if websites go offline or are loading slowly which ensures we can fix any issues as soon as possible.
Wherever possible, A&N Safety Consultants Limited endeavour to avoid keeping ‘physical’ data.
When data is stored on paper, it is kept in a secure place where unauthorised people cannot see it. This also applies to data that is stored electronically, but may have been printed out.
· When the document is not required, the paper or files are kept in a locked drawer or filing cabinet.
· Employees ensure that paper and print-outs are not left where unauthorised people could see them, i.e. displayed on a desk or left on the printer.
· Data printouts are shredded and disposed of securely once they are no longer required.
A&N Safety Consultants Limited ensure that electronic data is stored safely and securely.
· When data is stored electronically, it is protected from unauthorised access, accidental deletion and malicious hacking attempts.
· Data is protected by strong passwords that are changed regularly and never shared between employees.
· If data is stored on removable media (like a CD or USB stick), the media are kept locked away securely when they are not used.
· Data is only stored on designated drives and servers and is only uploaded to approved cloud computing services.
· Servers containing personal data are sited in a secure location, away from general office space in a state-of-the-art data centre in London.
· Data is backed up daily for the purpose of disaster recovery. The backup data is transmitted over a secure connection to an offsite location, provided by Amazon S3. The backups are tested regularly in line with A&N Safety Consultants Limited backup procedures. We retain backup data containing personal information for 30 days, after which it is automatically deleted.
· Data is never saved directly to mobile devices like tablets or smartphones.
· All servers and computers containing data in our offices use a built-in firewall to block external connections from untrusted sources. Our router has a built-in firewall.
All individuals who are the subject of personal data held by A&N Safety Consultants Limited are entitled to make subject access requests, which include:
· Ask what information the company holds about them and why.
· Ask how to gain access to it.
· Be informed how to keep it up to date.
· Be informed how the company is meeting its data protection obligations.
We will inform you before collecting your data if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. We will provide you with the opportunity to opt into this. You can exercise your right to prevent such processing by checking the tick boxes on the forms we collect your data with. If you wish to opt out of such processing after you have agreed to having such data processed, you must express your Subject Access Request in writing by contacting [email protected]. The data controller can supply a standard request form, although individuals do not have to use this.
Individuals will be charged £10 per subject access request. The data controller will aim to provide the relevant data within 14 days. The data controller will always verify the identity of anyone making a subject access request before handing over any information.
Our website may contain links to and from websites we partner with such as advertisers or affiliates. If you do follow these links, it is important to be aware that these websites use their own privacy policies so A&N Safety Consultants Limited will be unable to accept any responsibilities for these policies.
Any changes made to our policies will be posted on this page and where possible we will update you via email. Please check back frequently to see any updates made.