
Privacy Policy
Introduction
This Privacy Policy is published and maintained by Keyst1 International Consultants Limited (“us” or “we” or “Keyst1”).
Keyst1 regards the lawful and correct processing of personal and sensitive data as an integral part of its purpose. Keyst1 believes this is vital for maintaining the confidence of clients, customers, partners, consultants, contractors, subcontractors, suppliers, employees and other stakeholders about whom we process data.
Policy statement
This privacy policy explains how Keyst1 will meet its legal obligations concerning confidentiality and data security standards. The requirements within the policy are primarily based upon the Data Protection Act 2018 (“DPA”), which is the UK’s implementation of the General Data Protection Regulation (GDPR), the latter being the key piece of legislation covering data security and confidentiality of personal data in the European Union.
The key principles of this policy are as follows:
- Keyst1 will fully implement all aspects of DPA
- Keyst1 will ensure all employees and others handling personal data are aware of their obligations and rights under DPA, and
- Keyst1 will implement adequate and appropriate measures to ensure the correct management and security of all data contained in or handled by its systems.
This policy guides the protection, sharing and disclosure of personal data within Keyst1.
Definitions of personal data and sensitive personal data
“Personal data”, or “personal information”, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (i.e. anonymised data).
Examples of personal data that Keyst1 processes include:
- names, addresses, emails, phone numbers and other contact information
- some financial information including national insurance numbers and payroll data, and
- photographs, video and audio recordings.
“Sensitive personal data” means any personal data that reveals racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data, and any personal data relating to criminal offences and convictions. Sensitive personal data needs and attracts additional legal protection.
Data protection principles
Keyst1 adheres to the data protection principles set out in the DPA, which require that all personal data be:
- processed lawfully, fairly and in a transparent manner
- collected only for specified, explicit and legitimate purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
- accurate and where necessary kept up to date
- not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed
- processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and accidental loss, destruction or damage
- not transferred to another country without appropriate safeguards being in place, and
- made available to data subjects and data subjects allowed to exercise certain rights in relation to their personal data.
Keyst1 is responsible for and must be able to demonstrate compliance with the data protection principles listed above at all times.
Personal data must not be used other than for the specific purpose required to deliver a product or service. The individual should always know that their data is being processed. When that data is especially sensitive, consent is required before the data can be processed by Keyst1, unless there is a specific legal basis for processing this.
Personal data can be computerised and/or in a physical format. It may include such documentation as:
- paper documents (e.g. CVs, employee records, letters received and sent)
- electronic records
- printouts
- photographs, and
- videos and tape recordings.
Backup data (e.g. archived data or disaster recovery records) also falls under DPA; however, a search within them should only be conducted if specifically asked for by an individual through an official Subject Access Request as defined below.
Right of access by individuals
The DPA gives every living person (or their authorised representative) the right to apply for access to the personal data that organisations hold about them irrespective of when and how this is compiled (e.g. handwritten records, electronic and manual records held in a structured file). This is called a ‘Subject Access Request’.
These rights can be exercised at any time against the Controller by sending a specific request in writing to the e-mail address privacy(at)keyst1.co.
Keyst1 duties
Understanding and complying with the Data Protection Act is key to Keyst1’s responsibilities as a data controller. Therefore, Keyst1 will, through the use of appropriate measures and controls:
- ensure there are lawful grounds for using any personal data
- ensure that the use of the data is fair and meets one of the specified conditions
- use sensitive personal data only if it is necessary and after having obtained the individual’s explicit consent (unless an exemption applies)
- explain to individuals, at the time their personal data is collected, how that information will be used
- obtain and use personal data only for those purposes which are known to the individual
- ensure personal data is only used for the purpose it was given. If we need to use the data for other purposes, further consent will be obtained
- only keep personal data that is relevant to Keyst1
- keep personal data accurate, up to date and only held for as long as is necessary
- always adhere to and comply with our Subject Access Request Procedure and be receptive to any queries, requests or complaints made by individuals in connection with their personal data
- ensure individuals are given the opportunity to ‘opt-in’ to receiving mass communications, and
- take appropriate technical and organisational security measures to safeguard personal data.
In addition, Keyst1 will ensure that:
- everyone managing and handling personal data understands that they are legally responsible for following good data protection practices and has read this privacy policy
- enquiries about handling personal data are dealt with promptly
- methods of handling personal data are clearly described in policies and guidance
- a review and audit of data protection arrangements is regularly undertaken
- methods of handling personal data are regularly assessed and evaluated, and
- suitable protections are in place before any personal data is transferred to a third party.
Roles and responsibilities
Employees, partners, contractors, subcontractors, and suppliers
Maintaining confidentiality and adhering to data protection legislation applies to everyone at Keyst1. Keyst1 will take necessary steps to ensure that everyone managing and processing personal data understands that they are responsible for following good data protection practices. Employees will receive training and must read this policy as part of their induction.
All employees, partners, contractors, subcontractors, and suppliers have a responsibility to:
- observe all guidance and codes of conduct in relation to obtaining, using and disclosing personal data
- obtain and process personal data only for specified purposes
- only access personal data that is specifically required to carry out their activity or work
- record data accurately in both manual and electronic records
- ensure any personal data held is kept secure
- ensure that personal data is not disclosed in any form to any unauthorised third party, and
- ensure personal data is sent securely.
Failure by an individual to adhere to any guidance in this policy may result in disciplinary action.
Senior Managers
All Senior Managers are responsible for:
- determining what personal data is held by their area and ensuring that the data is adequately secure, access is controlled and the data is only used for the intended purposes
- providing clear messaging to their teams about data protection requirements and measures
- ensuring personal data is only held for the purpose intended
- ensuring personal data is not communicated or shared for non-authorised purposes, and
- ensuring personal data is password protected when transmitted electronically or appropriate security measures are taken to protect the data when in transit or storage.
Information Commissioner’s Office (ICO)
The ICO is the UK’s independent authority set up to uphold information rights in the public interest and data privacy for individuals. The ICO has wide-ranging powers to investigate complaints relating to the use of personal data and personal data breaches. Any failure to comply with data protection obligations may lead to an investigation by the ICO, which could result in serious financial or other consequences for Keyst1.
Dealing with Data Protection breach
A personal data breach can be broadly defined as a security incident that has affected personal data's confidentiality, integrity or availability.
Personal data breaches can include:
- access by an unauthorised third party
- sending personal data to an incorrect recipient
- computing devices containing personal data being lost or stolen
- alteration of personal data without permission, and
- loss of availability of personal data.
If a data breach is suspected, the person who identified the breach should immediately notify the data controller and provide all relevant details regarding the breach.
Following notification of a breach, the data controller will take the following action as a matter of urgency:
- implement a recovery plan, which will include damage limitation
- assess the risks associated with the breach
- inform the appropriate people and organisations that the breach has occurred, and
- review Keyst1’s response and update our information security as appropriate.
Registration with the Information Commissioner
Keyst1 is registered with the ICO with registration number ZB886889.
Glossary of terms used in this policy
“Data controller” means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data is processed. The data controller for the purposes of this document is Keyst1.
“Data processor” means any person who processes personal data on behalf of the data controller but is not employed by them.
“Data subject” means an individual who is the subject of personal data. This includes employees, partners, contractors, subcontractors, suppliers, clients, customers, consultants and visitors.
“Processing” means recording or holding data or carrying out any operations on that data including organising, altering or adapting it; disclosing the data or aligning, combining, blocking or erasing it.
“Subject access request” means a written, signed request (which includes email and other written formats) from an individual to see personal data which Keyst1 holds about them. The data controller must provide all such information in a readable form within one month of receipt of the request.
“Third-party” means, in relation to personal data, any person other than the data subject, the data controller, or any data processor or other person authorised to process data for the data controller or processor. For example, the Police or HMRC.