Edworthy Consulting is committed to:
1) Complying with the requirements of the General Data Protection Regulation 2016 and the UK Data Protection Act 2018
2) Storing and processing personal data only for the lawful purposes detailed in this data protection policy
3) Preserving the confidentiality of those data
4) Responding promptly to an enquiry from you and giving you full access to the data held about you, acting promptly to correct or erase and remove any data requested by you, and acting promptly on request to supply you with your data in hard copy or an ASCII text document format (e.g. Windows Notepad)
5) Communicating with you promptly about any data breach that affects your data and, where appropriate, reporting the breach to the UK Information Commissioner’s Office
We hold and process your personal data for the lawful purpose detailed below, and do not use them for marketing purposes. We believe, therefore, that explicit permission is not required. If you have any concerns about this please contact Doug Edworthy via the contact details on the Contact Us page.
PERSONAL Data held and the uses to which they are put
The personal data we hold about you and the uses to which we put them are as follows: -
Group A (basic contact details), essential for communicating with you:
- Family and first name(s).
- Business phone number.
- Mobile phone number.
Group B, essential for organising and managing work with your organisation:
- Dates of contacts with us made by you.
- Summaries of business/work enquiries made by you.
- Dates, times, locations and the plans and records of meetings with you.
- Your signature on a Non-Disclosure agreement or Contract documentation.
Basic contact details (Group A) may be shared with other parties but only after obtaining your explicit permission. Other data are never made available to other individuals or organisations except where demanded lawfully by a UK law-enforcement agency.
Location of Stored Data, who has access to it and how it is protected
Data are stored in the UK except when my encrypted laptop accompanies me on occasional trips outside the UK.
Group A data are stored in two places: -
- on the internal IT system of Edworthy Consulting, on a whole-disk-encrypted laptop and in the secure office filing system of Edworthy Consulting (accessible to Doug Edworthy only), and
- on the IT system of our bookkeeper (accessible to our bookkeeper only).
Group B data are stored on the internal IT system, on a whole-disk-encrypted laptop and in the secure office filing system of Edworthy Consulting (accessible to Doug Edworthy only).
Data at both locations are protected by
- Internet firewall,
- continually updated anti-malware software,
- regular backup to secure storage, and
- password-protected access.
We do not store your data on removable storage devices (USB sticks, DVD/CD disks).
DATA RETENTION and disposition
Unless you ask us to remove/delete your data, our project records containing personal data are retained for twenty years. This timescale allows for past project information to be retrieved intact and the participants in projects to be identified correctly in order to
- notify you of changes that may affect your management system,
- carry out management system updates or amendments requested by you, or
- put you in contact with other parties in accordance with this data protection policy.
IT data are disposed of by secure deletion from IT systems (deleting data files, ‘Recycle Bin’ files, backup files and by overwriting storage locations with random data). End-of-use hard disk platters are physically destroyed before recycling through the WEEE waste stream. Hard copy data are disposed of by shredding and incineration.
The person responsible for all aspects of the implementation of this policy is Doug Edworthy.
We routinely invite new clients to enter into a non-disclosure agreement.
Our standard agreement commits us to maintain absolute confidentiality in respect of all designs, plans, documents and any other intellectual property and all information concerning the organisation of, business, finances, transactions, affairs of our client or the customers of our client which come to our knowledge and we will not disclose any of the information (and if disclosure is authorised in writing by our client will make disclosure only under the terms of the agreement) to any other person, firm, company, body or authority or use or attempt to use any such knowledge or information in any manner which may injure or cause loss directly or indirectly to our client or their customers.
Alternatively, we would be happy to consider client-originated non-disclosure agreements.