Data Privacy Policy

Purpose and scope

The purpose of this policy is to ensure that all Forensic Analytics staff members have been made aware of the Data Protection Act (DPA) and the General Data Protection Regulation (GDPR) and the seriousness with which Forensic Analytics views its responsibilities under this legislation.

This policy defines Forensic Analytics' directive, requirement and stance with regard to compliance with data privacy legislation and in safeguarding personal data.

Target Audience

Forensic Analytics staff members, contractors and any other interested parties including customers.

Policy Overview

Forensic Analytics will only use personal information to administer duties on a lawful basis and will not share or provide personal information to a third party without appropriate consent.

This Policy aims to ensure compliance with the DPA (inclusive of GDPR) and all personal data shall be:

  1. Processed fairly and lawfully.
  2. Obtained and processed for specific lawful purposes.
  3. Adequate, relevant and not excessive.
  4. Accurate and kept up to date.
  5. Retained for no longer than necessary.
  6. Processed in accordance with rights of data subjects.
  7. Processed and held in a secure manner.
  8. Not transferred outside the European Economic Area (EEA) unless there is adequate protection.

Forensic Analytics fully supports and complies with the main data protection principles and, in line with Article 5 of the GDPR, has processes in place to ensure that personal data shall be:

  1. Processed lawfully, fairly and in a transparent manner in relation to individuals.
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes.
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed are erased or rectified without delay.
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required in order to safeguard the rights and freedoms of individuals.
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage using appropriate technical or organisational measures.

Policy Amendments

Forensic Analytics may update this Data Privacy Policy from time to time with the minimum of a formal yearly review being undertaken. Forensic Analytics will ensure any updated versions are published with access and/or a copy will be provided to all concerned parties.

Security of Personal Information

Forensic Analytics undertakes all reasonable technical and organisational precautions to prevent the loss, misuse or alteration of personal information.

All personal information provided will be stored in appropriate, fit for purpose and secure environments.

The security of any data transmission requested by data subjects or data controllers over the internet cannot be guaranteed. It is not Forensic Analytics policy to transmit sensitive data over the internet.

Updating Information

If personal information held by Forensic Analytics is found to be incorrect or requires updating, the following responsibilities apply:

  • The data subject will inform Forensic Analytics.
  • Forensic Analytics will make relevant changes where requested / required and engage with the data subject in the event of any incorrect information being identified.

Purpose of Processing Personal Data

Forensic Analytics will process personal data in accordance with the below reasons / requirements:

  • To administer the activity of the business for employees and associated persons / stakeholders.
  • To provide the best possible service to customers and associated persons / stakeholders.

Lawful Conditions for Processing Personal Data

In order for processing of personal data to be lawful under Data Protection law, one of a set of conditions must be met for each and every aspect of such processing. Article 6 sets out six such conditions for lawful processing and Forensic Analytics ensures at least one of these applies in all instances:

  1. The data subject has given consent to the processing of their personal data for one or more specified purposes.
  2. The processing is necessary:
    1. for the performance of a contract to which the data subject is party, or
    2. in order to take steps at the request of the data subject with a view to entering into a contract.
  3. The processing is necessary for compliance with any legal obligation to which Forensic Analytics is subject.
  4. The processing is necessary in order to protect the vital interests of the data subject or another natural person.
  5. The processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested with Forensic Analytics.
  6. The processing is necessary for the purposes of legitimate interests pursued by Forensic Analytics or by a third party or parties, except where such interests are overridden by the interests or fundamental freedoms of the data subject which require the protection of personal data, in particular where the data subject is a child.

Categories of Personal Data Processed

The information held by Forensic Analytics should be accurate and up to date. The personal information Forensic Analytics holds will be held securely in accordance with the security policy, requirement and law. The categories of personal data held include, but are not exclusive to:

  • Staff information regarding employment.
  • Customer, Supplier and Subcontractor information.
  • Information related to Forensic Analytics business activities.

Passing of Personal Data to Third Parties

Personal data will only ever be passed by Forensic Analytics to third parties to fulfil contractual or legal obligations.

Personal Data Retention

Retention period policies for personal data held by Forensic Analytics will be adhered to and personal data shall not be kept for longer than is necessary for the purposes of processing.

Rights for Data Subjects

Under the Data Protection legislation, data subjects have the following rights with regards to their personal information:

a. the right to be informed about the collection and the use of their personal data.

The right to information allows data subjects to know what personal data is collected about them, why, who is collecting data, how long it will be kept, how to make a complaint, and with whom the data will be shared.

b. the right to access personal data.

Data subjects have a right to submit subject access requests (SAR) and to obtain information on whether their personal information is being processed, access to their personal data and provision of a copy.

The above is not applicable for information being processed with regard to the Criminal Justice System and any requests will be referred to the relevant data controller.

c. the right to have inaccurate personal data rectified or completed if it is incomplete.

The right to rectification allows data subjects to request an update to any inaccurate or incomplete data. If it is confirmed that the data is inaccurate, the legal deadline to respond to a request is one month. Upon the request, Forensic Analytics will take steps to ensure that the data is indeed inaccurate and to rectify it.

d. the right to erasure (to be forgotten) in certain circumstances.

This right allows data subjects to ask for their personal data to be deleted if:

  • the personal data is no longer necessary
  • an individual withdraws consent
  • the personal data has been unlawfully processed
  • an individual objects to the processing and there is no reason to continue processing
  • data erasure is necessary for compliance with a legal obligation (EU law or national law)

The Right to Erasure does not provide an absolute “right to be forgotten” and the request can be declined, for instance where the processing is based upon a contract or compliance with legal obligations.

e. the right to restrict processing in certain circumstances.

Data subjects can request the limitation of use of their personal data, but this is not an absolute right and only applies in certain circumstances. A request can be made verbally or in writing and Forensic Analytics will ensure identity verification.

If processing is restricted Forensic Analytics can store the personal data, but not use it. In this event exactly what is held and why will be explained.

f. the right to data portability, which allows the data subject to obtain and reuse their personal data for their own purposes across different services.

Data portability allows data subjects to obtain their own personal data that has previously been provided in a structured, commonly used, and machine-readable format. Data subjects can also request for their data to be transferred directly to another organisation. However, this can only be applied to the data that an individual has provided to the data controller by consent or contract and if the processing is carried out by automated means (no papers).

g. the right to object to processing in certain circumstances.

The right to object allows data subjects to object to the processing of personal data in certain situations.

Data subjects can request the ceasing of the processing of their personal data for direct marketing purposes, as this is their absolute right, and can object to the processing of data on the grounds of legitimate interest, or tasks in the public interest.

h. rights in relation to automated decision making and profiling.

Data subjects have the right not to be subject to automated decision-making if it is producing a legal effect that significantly affects them. However, it will not apply if the processing is necessary for the performance of a contract, if it is authorised by the law, or if the processing is based on explicit consent.

Fees, Timings and Identity Verification for responding to Data Subject Requests:

Information will be provided without charge and without delay following the timescales prescribed by the ICO. If an extension is required or requests are considered manifestly unfounded or excessive, in particular because they are repetitive, Forensic Analytics has the right to choose to charge a reasonable fee taking into account the administrative costs of providing the information or refuse to respond. The reasons for this will be formally notified to the requesting party and rights to appeal to the appropriate supervisory authority will be highlighted.

To protect personal data, Forensic Analytics will seek to verify the identity of requesting parties before releasing any information, which will normally be in electronic format. If Forensic Analytics is the data processor and not the data controller, it will seek permission from the relevant data controller before releasing any information to any party.

How Forensic Analytics use Personal Data

Forensic Analytics will use the data provided under lawful conditions for the following purposes:

  • To manage and run the Human Resource and contractual requirements of the business.
  • To fulfil customer orders, requirements and services.
  • To respond to any enquiries submitted by a data subject.
  • To carry out transactions or agreements.
  • To operate and improve services.
  • Where permitted we may use information such as e-mail addresses to provide news, newsletters, product / service information and to seek feedback.

How Forensic Analytics ensure Security of Information

All commercially and practically reasonable precautions will be applied by Forensic Analytics on a physical and electronic basis including as appropriate but not exclusive to:

  • Password protection.
  • Encryption.
  • Firewalls.
  • Internal access restrictions.
  • Restricted physical access.
  • Active monitoring.

Data Protection Officer

Forensic Analytics has direct access to and operation of a Data Protection Officer to oversee all Data Protection requirements.

This Data Privacy Declaration is authorised by Martin Hanly, Quality and Compliance Director, Forensic Analytics and is subject to regular review to ensure that it remains fit for purpose.

Qualio POL-13 V2.0

Name: Martin Hanly
Role: Quality and Compliance Director