Data Privacy Notice
This document was last updated 30 April 2018. It will be updated periodically to reflect changes in practice; please check omsuk.com/privacy for updates.
“Personal data” relates to a living individual. This data could be as simple as your name and email address, or much more sensitive information relating to your finances or health. The processing of personal data is governed by the General Data Protection Regulation 2016 (GDPR).
If you have any queries regarding this policy, or require additional clarification, please contact Khalid Mehmood.
Why do we retain/process/control personal data?
Clients & Prospective Clients
As it would not be possible to provide our services without personal information relating to the contact/project, “contractual necessity” is our lawful basis for processing under the GDPR.
Employees
We are required by law to retain your information.
Consultants, Contractors and Others
Our Professional Indemnity Insurance requires us to process and retain your data as part of our project files.
Who has access to your data
In order to facilitate collaborative working, all permanent members of our team have access to live contract and project data. Special arrangements with more limited access are provided for new recruits and people exiting the business.
Some third party contracted service providers require some personal information to provide certain services; a list of these is found in our Third Party Data Dependency Documents. We use the Post Office and other national courier companies to send physical documents as needed.
Employee records are access controlled, with some access granted to Directors, the finance team and first aiders.
You have the right to request copies of personal data held by the company at any time. Requests to access, amend or delete data will be considered and responded to without undue delay.
To help us comply with the GDPR, we politely request that all contact with us be limited to email, telephone and face-to-face meetings. Contact via other text-based messaging platforms or social media cannot be accepted.
Retention periods
In line with the requirements of our Professional Indemnity Insurance, we typically retain all documentation related to contracts and projects electronically for no fewer than six years and no longer than seven years after the contract or project is complete. This information includes contractual correspondence, emails and other unstructured information. After this period, our records will be destroyed.
We maintain a list of client contact information, which may relate to individuals within the client business, for the purpose of providing the associated services, and only for as long as the individual is employed by the client.
We provide third parties only the personal data required to run/use these services (as described in our Third Party Data Dependency Documents, which are available to contracted clients upon request) and make best efforts to remove this data within 30 days of termination of these services, unless we are legally required to retain it.
Employee records are kept for the duration of the employment contract. From the time an employee leaves the business, we periodically review the information retained with the aim of reducing the amount of data held.
How we store your information
Unless otherwise communicated to you, your data will be stored on our internal servers and storage arrays. Our CRM and ticketing system, ConnectWise, is one such exception, as detailed in our Third Party Data Dependency Documents. Backups will be made both within our business and to a European data centre. Printed copies of information may also be produced and stored. If your information leaves our network, for instance on an employee’s laptop, then it is typically encrypted to minimise the risk of it falling into the wrong hands. All employee devices are encrypted according to our internal policies.
We will generally try to avoid issuing data via physical media. If the need arises, we will require the media to be purchased by the party to whom it is issued and delivered by an employee or by special delivery (‘Signed For’).
We make best efforts to keep all personal data and communications within the EU unless required to leave the EU (such as the client being physically outside the EU at time of communication).
What if something goes wrong?
We have policies in place to ensure an appropriate response to any data breach, be it something simple such as an incorrectly addressed email, or a serious attack on our network by a third party. These policies ensure that the appropriate people are alerted following any breach (or suspected breach).