Edworthy Consulting are committed to:
1) Complying with the requirements of the General Data Protection Regulation (GDPR)
2) Storing only those data that you have given us explicit consent to hold
3) Preserving the confidentiality of those data
4) Processing those data only for the lawful purposes detailed in this data protection policy
5) Responding promptly to an enquiry from you and giving you full access to the data held about you, acting promptly to correct or erase and remove any data requested by you, and acting promptly on request to supply you with your data in an ASCII text document format (e.g. Windows Notepad)
6) Communicating with you promptly about a data breach that affects your data and reporting the breach to the Information Commissioner’s Office
Personal data held and the uses to which they are put
The personal data we hold about you and the uses to which we put them are as follows:
Group A data, essential for communicating with you:
- Family and first name(s).
- Business phone number.
- Mobile phone number.
Group B data, essential for organising and managing work with your organisation:
- Dates of contacts with us made by you.
- Summaries of business/work enquiries made by you.
- Dates, times, locations and purposes of meetings with you.
- Your signature on a Non-Disclosure Agreement, Contract Acceptance, and on this form.
Basic contact details may be shared with other parties but only with your explicit permission on every occasion.
Data are never made available to other individuals or organisations except where demanded lawfully by a UK law-enforcement agency.
Location of Stored Data, who has access to it and how it is protected
Data are stored in the UK except when my encrypted laptop accompanies me on occasional business trips outside the UK.
Group A data are stored in two places:
- on the internal IT system of Edworthy Consulting, on a whole-disk-encrypted laptop and in the secure office filing system of Edworthy Consulting (accessible to Doug Edworthy only), and
- on the IT system of our bookkeeper (accessible to our bookkeeper only).
Group B data are stored on the internal IT system, on a whole-disk-encrypted laptop and in the secure office filing system of Edworthy Consulting (accessible to Doug Edworthy only).
Data at both locations are protected by:
- an Internet firewall,
- continually updated anti-malware software,
- regular backup to secure storage, and
- password-protected access.
We do not store your data on removable storage devices (USB sticks, DVD/CD disks).
Data retention and disposition
Unless you ask us to remove/delete your data, personal data forming part of project records are retained for twenty years. This allows me to notify you of changes that affect your management system, allows past project information to be retrieved intact, and allows the participants in projects to be identified correctly. This timescale also allows projects to be revived for management system updates or amendments after they have been in operation for many years.
IT data are disposed of by secure deletion from IT systems (deleting data files, ‘Recycle Bin’ files and backup files, and overwriting storage locations with random data). End-of-use hard disk platters are physically destroyed before recycling through the WEEE waste stream. Hard copy data are disposed of by shredding and incineration.
The person responsible for all aspects of the implementation of this policy is Doug Edworthy.
We routinely invite new clients to enter into a non-disclosure agreement. Our standard agreement ensures that we maintain absolute confidentiality in respect of all designs, plans, documents and any other intellectual property, and all information concerning the organisation, business, finances, transactions and affairs of our client or of the customers of our client, which come to our knowledge. We will not disclose any of that information to any other person, firm, company, body or authority (and, if disclosure is authorised in writing by our client, will make disclosure only under the terms of the agreement), nor use or attempt to use any such knowledge or information in any manner which may injure or cause loss, directly or indirectly, to our client or their customers.
Alternatively, we would be happy to consider client-originated non-disclosure agreements.