GDPR

Proteus Communications Group LLP: Data Protection Statement

Context & Introduction

Introduction
Proteus Communications Group LLP (“PCG”) need to gather and use certain information about companies and on occasions, about individuals. The data on individuals is collected exclusively during public consultation processes on behalf of clients (See specific section below).
This can include clients, suppliers, consultants, business contacts, employees and other people the organisation has a relationship with or may need to contact.
This Statement describes how Personally Identifiable Information (PII) (i.e. any data that could identify a specific individual) and other less sensitive data types such as business contacts and invoice information, must be collected, handled and stored to meet the Company’s data protection standards and to comply with the law.
A data audit detailing the types of information held by PCG, its storage, usage, transfer and disposal methods, has been carried out and is appended to this document. This Statement and the data audit are live documents that will be updated on a quarterly basis.

Contacts
Data Controller: Paul Davison.
Proteus Communications Group LLP
Suite 113, 15 Cromwell Park, Chipping Norton, Oxfordshire, OX7 5SR
Telephone 01295678391
Email: info@proteus-cg.com


Why this Statement exists
This Data Protection Statement ensures PCG:
• Complies with the General Data Protection Regulation 2018 (Data Protection Act 1998 now superseded) and follows good practice;
• Protects the rights of staff, clients and other data sources;
• Is open about how it stores, processes and disposes of data, and
• Protects itself and those whose data we handle, from the risks of bad practice or in the worst case a data breach.

General Data Protection Regulation 2018 (Previously Data Protection Act 1998)
The General Data Protection Regulation 2018 (GDPR) describes how organisations, including PCG, must collect, handle and store all information, particularly PII. This EU law replaces the Data Protection Act 1998 in May 2018.
The Regulation applies regardless of whether data is stored electronically, on paper or on other materials.
To comply with GDPR, all data held about companies and PII must be collected and used fairly, stored safely and not disclosed unlawfully. GDPR also gives individuals greater control over their own personal data.
GDPR has six areas of data protection principles; they are referred to as the Privacy Principles. They are:
  1. You must have a lawful reason for collecting personal data and must do it in a fair and transparent way.
  2. You must only use the data for the reason it is initially obtained.
  3. You must not collect any more data than is necessary.
  4. It has to be accurate and there must be mechanisms in place to keep it up to date.
  5. You cannot keep it any longer than needed.
  6. You must protect the personal data.
Furthermore, these principles are supported by a further overarching principle – Accountability. This means that PCG must not only do the right thing with the data, but must also show that all the correct measures are in place to demonstrate how compliance is achieved. A data audit forms part of this Statement and demonstrates PCG’s compliance and how it is achieved. This are appended to this Statement all of which can be found on our website and within the electronic Company Policies file.

People, Risks and Responsibilities (The Statement Scope)
This Statement applies to:
  • All locations where work is carried out by PCG, including when working from home and when travelling;
  • All staff of PCG, and
  • All contractors, suppliers and other people working on behalf of PCG.
It applies to all data that the company holds relating to PII but also to any other sensitive data held about companies, suppliers, consultants and other data sources.
After assessment, using a data flow audit, it considered that PCG’s processing of data will not result in a high risk to the rights and freedoms of individuals. Despite this, PCG takes its accountability and responsibility very seriously. A copy of this Statement can be found on our website, in staff handbooks and electronically. All staff will be regularly trained on data protection and privacy.

Data protection risks
This Statement helps to protect PCG and those whose data we handle from some very real data security risks, including:
  • Breaches of confidentiality. For instance, information being given out inappropriately.
  • Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them or their company.
  • Right to erasure of data. Under the GDPR, a data subject has the right to ask for their data to be removed from ALL systems. It is therefore of paramount importance that the data flow audit is used as a working document to record where and how all data is collected, stored, transferred and disposed of. This can be found at the end of this document.
  • Reputational damage. For instance, the company and individual could suffer if hackers successfully gained access to sensitive data, such as PII held about staff or project correspondence between employees and clients.
Responsibilities
Everyone who works for or with PCG has some responsibility for ensuring data is collected, stored and handled appropriately.
Each staff member that handles PII and other sensitive data must ensure that it is handled and processed in line with this Statement and GDPR privacy principles.
However, the following people have key areas of responsibility:
The Directors are ultimately responsible for ensuring that PCG meets its legal obligations.
  • The Office Administrator is responsible for the following;
    • Assisting to keep the Directors updated about data protection responsibilities risks and issues;
    • Reviewing all data protection procedures and related policies;
    • Arranging data protection training and advice for the people covered by this Statement;
    • Handling data protection questions from staff and anyone else covered by the Statement;
    • Dealing with requests from individuals to see the data PCG holds about them (also called ‘subject access requests’);
    • Ensuring all systems, services and equipment used for storing data, meet acceptable security standards;
    • Checking and advising on any contracts or agreements with third parties that may handle the Company’s sensitive data, and
    • Evaluating any third-party services the Company is considering using to store or process data. For instance, cloud computing services, including accountancy software.
  • The Partner, Paul Davison, are responsible for :
    • Overseeing all of the above with the Finance and Office Administrator (since PCG does not have an appointed data protection officer);
    • Approving any data protection statements attached to communications such as emails and letters;
    • Addressing any data protection queries from journalists or media outlets like newspapers;
    • Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles, and
    • Overseeing any data protection and privacy policy training, data disposal and erasure requests
General Staff Guidelines
  • The only people able to access data covered by this Statement should be those who need it for their work.
  • Data should not be shared informally. When access to confidential information is required, employees can request it from the Directors who will determine if the data can be released.
  • PCG will provide training to all employees to help them understand their responsibilities when handling data.
  • Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
  • In particular, strong passwords must be used and they should never be shared.
  • Personal data should not be disclosed to unauthorised people, either within the Company or externally.
  • Data should be regularly reviewed (quarterly) and updated if it is found to be out of date. If no longer required it should be deleted and disposed of.
  • Employees should request help from a Director or the Finance and Administration Officer if they are unsure about any aspect of data protection
Data Storage
These rules describe how and where data should be safely stored.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it. 
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
  • When not required, the papers holding PII data should be kept in a locked drawer or filing cabinet. Documents containing sensitive data should be filed away appropriately and safely.
  • Employees should make sure paper and printouts are not left where unauthorised people could see them, for instance on a printer.
  • Data printouts of PII or sensitive data should be shredded and disposed of securely when no longer required.
  • When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
  • PII data will be protected by strong passwords that are changed regularly and never shared between employees.
  • Sensitive data should also be password protected.
  • PII data will not generally be stored on removable media (like CD, DVD, portable drive). Where this is necessary these should be kept locked away securely when not being used.
  • Data should only be stored on designated drives and services and should only be uploaded to an approved cloud computing services.
  • The back -up servers containing data should be sited in a secure location away from the main office space.
  • Data will be backed up frequently and tested regularly.
  • Should sensitive data be saved on to laptops or other mobile devices, this should be password protected and then deleted once no longer needed. PII data should not be saved onto mobile devices other than laptops used for business purposes.
  • All servers and computers containing data should be protected by an approved security software and firewall.
  • When data is stored on cloud based applications such as Mailchimp, Xero and the pension administration dashboard, these applications will only be used once they have been assessed by the Finance and Office Administrator and the Directors to ensure their appropriateness in meeting acceptable security standards.
  • Cloud based data storage accounts will be accessed by a restricted number of employees and will be protected by strong passwords that are changed regularly.
  • After an initial opt in request sent prior to 25 May 2018, those on PCG’s Mailchimp mailing list will be reminded during each contact that they can opt out and remove their data from the mailing list or update their contact preferences.
Data Use
Besides the PII data that the company holds for employees in order to carry out HR functions such as payroll and pension administration, it is rare that PCG collects or makes use of PII data. As stated within the Statement Scope, it is considered that PCG’s processing of data will not result in a high risk to the rights and freedoms of individuals.
It is worth being aware however, that it is when this data type is accessed and used that it can be at the greatest risk of loss, corruption or theft:
  • When working with personal data, employees should ensure the screens of their computers are always locked when left unattended, particularly during invoicing, payroll and pension administration.
  • PII data should not be shared informally. In particular, it should not be sent by email to unknown recipients, as this form of communication is rarely secure. When PII data needs to be shared, with the company accountants for instance, the recipient should be expecting the data to be sent within a certain time frame and able to confirm receipt.
  • PII and sensitive data should never be transferred outside of the European Economic Area.
The data most used by PCG is that of client, consultant and supplier contact details and other data for use in carrying out the purpose of the business, contacting consultants and invoicing clients. It contains PII in the form of individual contacts employed by the instructing client company. The data does not contain home addresses and other personal information, unless the business is that of a sole trader who chooses to use their PII such as their name and address as their registered business, in which case, the information is in the public domain and therefore using it without anonymization is not a data breach.
During the normal course of business PCG needs to establish details of members of the public for the purpose of providing accurate records of contact and feedback to support a public consultation process. This data will be collected on a voluntary basis for the purposes of consultation only and will not be used for any other purposes. 

Data Accuracy
The law requires PCG to take reasonable steps to ensure data is kept accurate and up to date.
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
  • Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
  • Staff should take every opportunity to ensure data is updated.
  • PCG will make it easy for data subjects to update the information PCG holds about them, if requested.
  • Data should be updated as and when inaccuracies are discovered.

Subject Access Requests and ‘Right to Be Forgotten’
All individuals who are the subject of PII data held by PCG are entitled to:
  • Ask what information the company holds about them and why;
  • Ask how to gain access to it;
  • Be informed how to keep it up to date, and
  • Be informed how the Company is meeting its data protection obligations.
If an individual contacts the Company requesting this information, this is called a subject access request. Subject access requests from individuals should be made by email, addressed to info@PCGlanning.co.uk and marked ‘GDPR Enquiry’. Individuals will be charged £10 per subject access request and PCG will aim to provide the relevant data within 14 days. The identity of anyone making a subject access request will be verified before any information is handed over.
Individuals also have a ‘Right to be Forgotten’, meaning that all PII data pertaining to that individual must be removed from all of our records. Such requests should be made in the same way as Subject Access Request and will be dealt with within 14 days. *

Disclosing Data for Other Reasons
In certain circumstances, GDPR allows PII data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, PCG will disclose requested data. However, the Directors will ensure the request is legitimate, with assistance from the Company’s legal advisers where necessary.

Providing Information
PCG aims to ensure that individuals are aware that their data is being processed, and that they understand:
  • How the data is being used, and
  • How to exercise their rights.
To these ends, the Company has carried out a data audit, setting out how data relating to individuals is used by the company, this are appended to this statement.

Public Consultation Data Collection
As part of the public consultation activity implemented by Proteus CG on behalf of its clients, the company may be the data controller for the collection of personal information from members of the public relevant to a public consultation exercise. This data is only collected for the purpose of each specific project being supported and is restricted to personal identifiers only – no sensitive data will be collected. Data collected from public consultation is covered by our general policy, but some specific issues also need to be addressed.

Why we need the data
Data is collected on a voluntary basis and is intended to allow:
A record, personal identifiers (Name, address and contact details) of people attending events or submitting feedback about a proposal
This allows us to identify the area from which feedback is being received, allowing us to ensure we are targeting the right areas for the consultation activity
Data analysis also allows us to see if there are variations in issues raised from different parts of a community, allowing us to be more effective in our community engagement
Personal data identifiers (Names and addresses) also allows us to demonstrate to the planning authorities that the feedback is raised by genuine residents 
Personal data identifiers also allows us to contact those leaving feedback and opinion if we are unclear about their responses

Who is the information shared with?
The data and feedback information is only shared with the relevant planning authorities for each specific project. No data is given to any other third party, unless we are required to do so by law.

Retention of data
All storage in compliance with the general requirements of GDPR and will ensure compliance specifically with Article 5(d) of GDPR which requires personal data to be erased without delay when no longer required - all data is securely disposed. 

Disposing of General Data Securely
Data will not be held for longer than is necessary and will disposed of in an appropriate and secure manner.
Data relating to PAYE, maternity pay or statutory sick pay will only be kept for 3 years after an employee leaves PCG, as that is how long HMRC may be interested in the information for conducting reviews or audits.
Data such as employees’ personal records, performance appraisals, employment contracts, etc. will be held for 6 years after they have left PCG. Under the GDPR, the condition for this processing period is PCG’s legal obligation.
Sensitive data such as financial information, invoices, supplier contracts etc will be held for no-longer than 7 years for HMRC/accountancy purposes.
Closed or archived files pertaining to communications services will be retained for as long as is deemed necessary (decided upon on a case by case basis) however as far as is practicable PII will be removed from this stored data. Once no longer needed, all paper files and documents containing PII or sensitive data will be shredded and disposed of securely.
Electronic files will be deleted and removed from archive/recycle bins and the server memory upon request to Partner Paul Davison.
* PCG has a supplementary in-house Privacy Policy that includes a Data Flow Audit and our detailed Right to be Forgotten and Subject Access Request procedures.

How to complain 
If you are unhappy with any aspect of our privacy notice, or how your personal information is being processed please contact our data controller at the address above.
If you are still unhappy, you have the right to make a complaint to the Information Commissioner’s Office at
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF
Tel: 0303 123 1113
Internet www.ico.org.uk


Latest version updated: 2
10/10/19



Share by: