Purpose
This policy is intended to provide guidance for establishing, implementing, and maintaining a privacy information management system for the processing of (PII) Personally Identifiable Information.
This Policy helps to protect Bennett Workplace Solutions Limited (from hereon in referred to as the Company) and its clients and aids in meeting our legal obligations under GDPR and ISO27001.
Responsibilities
Antony Bennett is the Managing Director with overall responsibility for IT security strategy Louise Hughes is the Service Delivery Director and has day-to-day operational responsibility for implementing this Policy.
Review Process
This Policy should be reviewed no less than annually or, immediately should key factors change.
Information Classification
Unclassified
Information which can be made public without any implications for the Company, such as information already in the public domain.
Company confidential
Contains contracts, source codes, business plans, passwords for critical IT systems, client contact records and accounting information.
Client confidential
Personally identifiable information such as name or address, passwords to clients’ systems, clients’ business plans, new product information and market sensitive information.
| Type of information | Systems involved | Classification level |
| Customer records | Axis Diplomat | Client confidential |
| Supplier records | Axis Diplomat | Company confidential |
| Student records | CUDOS | Client confidential |
| Support worker records | CUDOS | Company/client confidential |
| Officer records | CUDOS | Client confidential |
| Invoice records | CUDOS | Client confidential |
| Student records | Portal | Client confidential |
| Officer records | Portal | Company confidential |
PII Personal Identifiable Information
| PII | Collected | |
| Telephone number | Yes | Back office and online portal |
| Date of birth | No | |
| Postal Address | Yes | Back office use only |
| Driver license number | No | |
| Social Security number | No | |
| Credit card number | No | |
| Email address | Yes | Back office and online portal |
| Passport number | No | |
| Name | Yes | Back office and online portal |
| Biometrics | No | |
| Full name | Yes | Back office and online portal |
| Gender | No | |
| Race | No | |
| Medical records | No | |
| Place of birth | No | |
| Account numbers | No | |
| IP address | Yes | Portal only used only for security reasons |
| Religion | No | |
| Ethnic origin | No | |
| Fingerprint or other biometric data | No | |
| Postcode | Yes | Back office and online portal |
| Financial information | No | |
| Login details | Yes | |
| Medical information | Yes | Only where needs assessment required |
Data storage locations
The Company’s back-office system is located on a Windows Server in our head office. Data is stored securely and encrypted in a Microsoft SQL server database.
The CUDOS and Portal databases are stored securely and encrypted in a Tier 3 data centre in Reading UK.
Storage of any customer data elsewhere is forbidden by company policy and enforced with Microsoft group policies/systems
Data security protocols
Data at rest and in transit is TLS1.2 and above.
Access Controls
Internally, as far as possible, the Company operates on a ‘need to share’ rather than a ‘need to know’ basis with respect to company confidential information. This means that our bias and intention is to share information to help people do their jobs rather than raise barriers to access needlessly.
As for client information, we operate in compliance with the GDPR ‘Right to Access’. This is the right of data subjects to obtain confirmation as to whether we are processing their data, where we are processing it and for what purpose. Furthermore, we shall provide upon request, a copy of their personal data, free of charge in electronic format.
We also allow data subjects to transmit their own personal data to another controller. However, in general, to protect confidential information we implement the following access controls:
In addition, admin privileges to company systems will be restricted to specific, authorised individuals for the proper performance of their duties as follows: Alex Hooton (IT Manager) and Ashley Cook (Development Support Engineer).
Employees Joining and Exiting
The Company operates an ISO approved Joiners, Leavers, and Mover’s system. This ensures access to systems is dependent on role and leavers have credentials and access to systems disabled/removed on exit.
Training is provided to all new staff and existing staff to implement the Policy. Training includes:
Data Retention
Data is retained for processing purposes in our back-office system for 7 years in accordance with HMRC rules. Where a request for erasure under GDPR has been actioned, all personal information is destroyed with the exception of financial data in accordance with HMRC rules.
Data Sharing, Transfer, and Disclosure
The Company does not sell, distribute or lease personal information to third parties unless we have permission or are required by law to do so.
Data Transfer Upon Termination or Expiration
The Company will implement its exit plan and take all necessary actions to ensure a smooth transition of data with minimal disruption to the client. As mutually agreed upon and as applicable, The Company will work closely with its successor to ensure a successful transition, with minimal downtime and effect on the client, all such work will be coordinated and performed in advance of the formal, transition date.
GDPR Obligations
Under the GDPR, where a data breach is likely to result in a ‘risk for the rights and freedoms of individuals’ we will notify the customers and data controllers within 72 hours after becoming aware of it.
ICO registration reference: Z8070841
Key Personnel Contact Information
| Name | Title | Telephone | |
| Antony Bennett | Managing Director | 01204 322 333 | [email protected] |
| Alex Hooton | IT Manager | 01204 322 333 | [email protected] |
| Louise Hughes | Service Delivery Director | 01204 322 333 | [email protected] |