The purpose of this policy is to ensure that all Forensic Analytics staff members have been made aware of the Data Protection Act (DPA) and the General Data Protection Regulation (GDPR) and the seriousness with which Forensic Analytics views its responsibilities under this legislation.
This policy defines Forensic Analytics' directive, requirement and stance with regard to compliance with data privacy legislation and the safeguarding of personal data.
Forensic Analytics staff members, contractors and any other interested parties including customers.
Forensic Analytics will only use personal information to administer duties on a lawful basis and will not share or provide personal information to a third party without appropriate consent.
This Policy aims to ensure compliance with the DPA (inclusive of GDPR) and all personal data shall be:
Forensic Analytics fully supports and complies with the main data protection principles and, in line with Article 5 of the GDPR, has processes in place to ensure that personal data shall be:
Forensic Analytics may update this Data Privacy Policy from time to time with the minimum of a formal yearly review being undertaken. Forensic Analytics will ensure any updated versions are published with access and/or a copy will be provided to all concerned parties.
Forensic Analytics undertakes all reasonable technical and organisational precautions to prevent the loss, misuse or alteration of personal information.
All personal information provided will be stored in appropriate, fit for purpose and secure environments.
The security of any data transmission requested by data subjects or data controllers over the internet cannot be guaranteed. It is not Forensic Analytics' policy to transmit sensitive data over the internet.
If personal information held by Forensic Analytics is found to be incorrect or requires updating the following responsibilities apply:
Forensic Analytics will process personal data in accordance with the below reasons / requirements:
In order for processing of personal data to be lawful under Data Protection law, one of a set of conditions must be met for each and every aspect of such processing. Article 6 sets out six such conditions for lawful processing and Forensic Analytics ensures at least one of these applies in all instances:
The information held by Forensic Analytics should be accurate and up to date. The personal information Forensic Analytics holds will be held securely in accordance with the security policy, requirement and law. The categories of personal data held include, but are not limited to:
Personal data will only ever be passed by Forensic Analytics to third parties to fulfil contractual or legal obligations.
Retention period policies for personal data held by Forensic Analytics will be adhered to and personal data shall not be kept for longer than is necessary for the purposes of processing.
Under the Data Protection legislation, data subjects have the following rights with regards to their personal information:
a. the right to be informed about the collection and the use of their personal data.
The right to information allows data subjects to know what personal data is collected about them, why, who is collecting data, how long it will be kept, how to make a complaint, and with whom the data will be shared.
b. the right to access personal data.
Data subjects have a right to submit subject access requests (SAR) to obtain confirmation of whether their personal information is being processed, access to their personal data, and a copy of that data.
The above is not applicable for information being processed with regard to the Criminal Justice System and any requests will be referred to the relevant data controller.
c. the right to have inaccurate personal data rectified or completed if it is incomplete.
The right to rectification allows data subjects to request an update to any inaccurate or incomplete data. If it is confirmed that the data is inaccurate, the legal deadline to respond to a request is one month. Upon the request, Forensic Analytics will take steps to ensure that the data is indeed inaccurate and to rectify it.
d. the right to erasure (to be forgotten) in certain circumstances.
This right allows data subjects to ask for their personal data to be deleted if:
The Right to Erasure does not provide an absolute “right to be forgotten”, and the request can be declined, for instance where the processing is based upon a contract or compliance with legal obligations.
e. the right to restrict processing in certain circumstances.
Data subjects can request the limitation of use of their personal data, but this is not an absolute right and only applies in certain circumstances. A request can be made verbally or in writing and Forensic Analytics will ensure identity verification.
If processing is restricted, Forensic Analytics can store the personal data, but not use it. In this event, exactly what is held and why will be explained.
f. the right to data portability, which allows the data subject to obtain and reuse their personal data for their own purposes across different services.
Data portability allows data subjects to obtain their own personal data that has previously been provided in a structured, commonly used, and machine-readable format. Data subjects can also request for their data to be transferred directly to another organisation. However, this can only be applied to the data that an individual has provided to the data controller by consent or contract and if the processing is carried out by automated means (no papers).
g. the right to object to processing in certain circumstances.
The right to object allows data subjects to object to the processing of personal data in certain situations.
Data subjects can request the ceasing of the processing of their personal data for direct marketing purposes as this is their absolute right and can object to the processing of data on the grounds of legitimate interest, or tasks in the public interest.
h. rights in relation to automated decision making and profiling.
Data subjects have the right not to be subject to automated decision-making if it is producing a legal effect that significantly affects them. However, it will not apply if the processing is necessary for the performance of a contract, if it is authorised by the law, or if the processing is based on explicit consent.
Information will be provided without charge and without delay following the timescales prescribed by the ICO. If an extension is required or requests are considered manifestly unfounded or excessive, in particular because they are repetitive, Forensic Analytics has the right to choose to charge a reasonable fee taking into account the administrative costs of providing the information or refuse to respond. The reasons for this will be formally notified to the requesting party and rights to appeal to the appropriate supervisory authority will be highlighted.
To protect personal data, Forensic Analytics will seek to verify the identity of requesting parties before releasing any information, which will normally be in electronic format. If Forensic Analytics is the data processor and not the data controller, it will seek permission from the relevant data controller before releasing any information to any party.
Forensic Analytics will use the data provided under lawful conditions for the following purposes:
All commercially and practically reasonable precautions will be applied by Forensic Analytics on a physical and electronic basis including as appropriate but not exclusive to:
Forensic Analytics has direct access to and operation of a Data Protection Officer to oversee all Data Protection requirements.
This Data Privacy Declaration is authorised by Martin Hanly, Quality and Compliance Director, Forensic Analytics and is subject to regular review to ensure that it remains fit for purpose.
Qualio POL-13 V2.0
Name: Martin Hanly
Role: Quality and Compliance Director
Signature: