iQuda Ltd is hereinafter referred to as iQuda and “the company”.
iQuda is committed to protecting the rights, freedoms and privacy of individuals in accordance with the General Data Protections Regulation (GDPR).
The GDPR became legally enforceable on 25th May 2018 and applies to individuals and organisations operating within the EU. The regulation places specific legal obligations on data controllers and data processors with regards to handling of personal data.
As a processor, iQuda is legally required to take certain steps to protection personal information in our care. iQuda will have a legal liability if the organisation is responsible for a breach.
This document outlines how iQuda intends to comply with the requirements of the GDPR.
This policy applies to all personal data processed and controlled by iQuda. The policy is available to all staff working with iQuda. This includes all temporary or locum staff, and agents acting on behalf of iQuda.
While voluntary, temporary and locum staff are expected to comply with the policy, this does not imply or create an employment relationship.
A copy of this policy will also be made available on the iQuda website.
Any breach of this policy or the regulation itself will be considered an offence and will be dealt with under iQuda disciplinary procedures.
Breaches of the regulation will be reported to the Information Commissioners Office (ICO).
The GDPR demands higher transparency and accountability for the handling of personal data. iQuda needs to process specific information about its employees, clients, and other stakeholders for various reasons such as, but not limited to:
- Paying staff and keeping internal records
- Maintaining accurate records
- Tracking website visitors
- Administration in association with the provision of IT services
- Complying with legal obligations
The GDPR applies to both ‘controllers’ and ‘processors’. The data controller determines the purposes and means of processing personal data. The data processor is responsible for processing personal data on behalf of a controller.
To comply with the GDPR, iQuda must ensure that the data we collect is processed fairly, collected for legitimate reasons, adequate for it’s purpose, accurate and up to date, deleted when no longer needed, and processed and stored securely. The organisation is committed to demonstrating how it is taking steps to comply with these principles.
5.1 What is Personal data?
The GDPR defines personal data as any information that relates to an identifiable person who can be identified, directly or indirectly, from that information (the data subject).
Personal data can include:
- Dates of birth
- Location data
- Email addresses
- Identification numbers
- IP addresses
- Pseudonymous data
- Online identifiers
5.2 What is Sensitive Personal Data?
The GDPR refers to sensitive personal data as “special categories of personal data”.
The special categories specifically include genetic data, and biometric data where processed to uniquely identify an individual.
Sensitive Personal Data can include data about:
- Health data
- Genetic data
- Biometric data
- Sexual orientation
- Trade union membership
- Political opinions or beliefs
- Religious or philosophical beliefs
Personal data relating to criminal convictions and offences are not included, but similar extra safeguards apply to its processing.
Where iQuda processes Sensitive Personal Data, it will be anonymised. Sensitive personal data is primarily processed in relation to employees at iQuda, for example health information that is relevant to the individuals safety at work. iQuda aims to minimise the processing of Sensitive Personal Data wherever possible.
Article 5 of the GDPR requires that personal data shall be:
“a) processed lawfully, fairly and in a transparent manner in relation to individuals;
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Article 5 (2) requires that:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
iQuda intends to comply with the above requirements and will implement appropriate mechanisms to ensure continued compliance.
5.4 Types of Data iQuda May Process
iQuda has defined that the following data categories may be collected, processed and used:
☐ Employee/Volunteer/Part Time Workers Name, Title, Address, Contact Details, Staff Numbers, Payroll Numbers
☐ Professional, commercial or business addresses
☐ Date / Year / Birth Date
☐ Telecommunications data (e. g. connection, location, usage and traffic data)
☐ Telephone Numbers
☐ Email Address
☐ Third Party Data for the purposes of communication and liaison between the Processor and the Controller’s third parties on behalf of the Controller i.e. Vendors.
☐ Contract data (contractual relationship, product and/or contractual interests)
☐ Customer history, contract implementation and payment data
☐ Software and hardware license data for the purpose of managing these components as relevant to to the services delivered by the Processor to the Controller
☐ Personal data that is covered by the obligation to maintain professional secrecy
☐ IP addresses
☐ Planning and control data
☐ Device and service related diagnostic data
☐ IT usage data, such as: performance, network traffic, CPU usage statistics and similar IT related data
5.5 Categories of Data Subjects
iQuda has defined the following data subject categories from who the Personal Data as defined above may be collected, processed and used:
☐ Employees (Internal)
☐ Contact persons
☐ Employees of external companies
☐ Interested parties
☐ Tenants / landlords, lessees / lessors
5.6 Lawful Basis for Processing
What are the lawful bases for processing?
The lawful bases for processing are set out in Article 6 of the GDPR. iQuda will identify the lawful basis for processing wherever the organisation processes data. The lawful bases for processing are as follows:
“(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
(b) Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
(d) Vital interests: the processing is necessary to protect someone’s life.
(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
(f) Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.”
Where consent is relied upon as a legal basis for processing, iQuda will collect consent in a recorded and demonstrable manner. Consent will be gathered in a way that is freely given, specific, informed and unambiguous.
iQuda will make it explicitly clear to the individual what they are giving consent for, and will process their personal data in a manner that is consistent with the consent the individual has given. iQuda will make it as easy for an individual to revoke consent as it was to grant consent.
Marketing emails sent by iQuda will include an unsubscribe link.
5.8 Controllers and Processors
As a Data Controller, iQuda will only work with processors who can provide sufficient guarantees to implement appropriate technical and organizational safeguards to meet the GDPR requirements and protect the rights, freedoms and privacy of data subjects.
As a Data Controller and Processor, iQuda will implement it’s own appropriate technical and organizational safeguards where the organisation processors data to ensure the rights, freedoms and privacy of data subjects. Where the organisation processes sensitive personal data, additional safeguards will be implemented.
iQuda will implement:
- pseudonymisation and/or encryption of personal data where required.
- Measures to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing personal data.
- Measures to ensure the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
- Appropriate policies and governance frameworks to ensure continued compliance throughout the organisation.
- All controller-processor relationships will be documented and managed with contracts that mandate privacy obligations.
iQuda will assign appropriate GDPR and Data Protection responsibilities to its staff. Staff who are made responsible for GDPR and Data Protection will be given sufficient support and resources to do fulfill their responsibilities.
Garth Macintosh is the nominated Data Protection Officer at iQuda.
The staff who are made responsible for GDPR and Data Protection will:
- Inform and advise stakeholders, including staff, volunteers and other parties as relevant, of their obligations to comply with the GDPR and other applicable laws.
- Monitor compliance with the GDPR on an ongoing basis.
- Issue appropriate training to staff involved with data processing.
- Ensure appropriate resources are made available for GDPR and Data Protection considerations.
- Conduct data impact assessments when required.
- Work with the relevant supervisory authorities on issues relating to the processing of personal data.
- Implement appropriate measures to be able to evidence compliance with GDPR.
All staff, volunteers or locum employees working at iQuda will be responsible for maintaining an awareness of the requirements of the GDPR and for seeking appropriate assistance when processing personal data.
5.10 Technical and Organisational Measures Based on the EU General Data Protection Regulation
iQuda will implement appropriate technical and organisational measures to protect personal data against accidental loss, alteration, disclosure or access. These measures ensure a level of security appropriate to the risks presented by the processing and the nature of personal data being processed.
iQuda ensures that the processing of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law and does not violate the relevant provisions.
iQuda has implemented, but not limited to, the following measures to prevent the unauthorized access to data processing systems where personal data is processed:
|☒ Alarm system
☒ Access control policies
☒ Photoelectric sensors / Movement detectors
☒ Key Management (Issuance of keys, etc.)
☒ Logging of visitors
☒ Careful selection of security mechanisms
☒ Manual locking system (Limited usage for key employees to be used in the event of a failure in the access control systems
|☒ CCTV at entry points (all entraces)
☒ Security locks
☒ Visitor management at reception desks
☒ Careful selection of cleaning staff
☒ A separate, specific and documented access control for data centres and server rooms for authorized persons is implemented. Access by authorized persons is documented by name, reason for access and approval.
Access Control (systems)
iQuda has implemented, but not limited to, the following measures, to prevent the use of data processing systems by unauthorised persons:
|☒ Assignment of user rights
☒ Assignment of passwords
☒ Authentication with username / password
☒ Use of Intrusion-Prevention-Systems
☒ Use of Hardware Firewalls
☒ Creation of user profiles
☒ Additional measures: web-application firewalls, regular vulnerability scans, regular penetration testing, patch management, minimum requirements for password complexity and forced password changes, use of virus scanners
|☒ Assignment of user profiles to IT systems
☒ Use of VPN Technology
☒ Encryption of mobile storage media
☒ Use of central smartphone administration (for example: remote wiping of smartphone)
☒ Disk encryption on laptops / notebooks
☒ Use of a software firewall (office clients)
iQuda has implemented, but not limited to, the following measures, to ensure that authorised users of a data processing system may only access the data for which they are authorised, and to prevent personal data from being read while the data is in use, in motion, or at rest without authorisation:
|☒ Creation of an authorization concept
☒ Number of administrators reduced to “absolute necessary”
☒ Logging of application access, especially during the entry, modification and deletion of data
☒ Secure media sanitization
☒ Use of shredders
|☒ Disk encryption (backup tapes for off-site storage, laptops)
☒ Management of rights by system administrators
☒ Password policy including password length, password change management
☒ Secure storage of data carriers
☒ Logging of secure media destruction
☒ Compliant destruction of data media
iQuda has implemented, but not limited to, the following measures, to ensure that personal data cannot be read, copied or modified during electronic transmission or during transportation or storage to disk. Additionally, to control and determine to which bodies that the transfer of personal data provided by data communication equipment is allowed:
|☒ Creation of dedicated lines or VPN tunnels
☒ Documentation of recipients of data and the time periods for the provision of data including agreed deletion times
☒ During physical transport, careful selection of transport personnel and vehicles
☒ Disk encryption
|☒ Disclosure of data in anonymous or pseudonymous form
☒ Creation of an overview of regular request and delivery operations
iQuda has implemented, but not limited to, the following measures, to ensure that it is possible to ensure, subsequently control, and determine if and by whom, personal data has been entered, changed or removed on data processing systems:
|☒ Logging of input, modification and deletion of data
☒ Traceability of input, modification and deletion of data by individual user names (not user groups)
☒ Granting of rights for the input, modification or the deletion of data based on an authorization concept
|☒ Creation of an overview of which applications are permitted to input, modify or delete which data
☒ Storage of forms, through which data has been acquired
iQuda has implemented, but not limited to, the following measures, to ensure that personal data which is processed by request of the data owner by a data processor, shall only be processed as instructed by the data owner:
|☒ Contractor selection via history review (in particular regarding data security)
☒ Written instructions to the contractor (for example, by Data Processing Agreement) (GPDR)
☒ Ensure contractors have appointed Data Protection Officers
☒ Effective control rights over data processors have been agreed
|☒ Prior examination of the documentation and the security measures taken by the contractor
☒ Obligation of the contractor’s employees to maintain data confidentiality (GPDR)
☒ Ensure the secure destruction of data after termination of the contract
☒ Continual review of contractors and their activities
iQuda has implemented, but not limited to, the following measures, to ensure that personal data is protected against accidental destruction or loss:
|☒ Uninterruptible power supplies (UPS)
☒ Devices for monitoring temperature in server rooms
☒ Fire and smoke detection systems
☒ Alarm when unauthorised entry is detected
☒ Testing of data recovery
☒ Secure off-site storage of data backups
|☒ Air conditioning in server rooms
☒ Protection power strips in server rooms
☒ Fire extinguishers in server rooms
☒ Creation of a backup & recovery concept
☒ Preparation of an emergency response plan
5.11 Data Subject Rights
Individuals (Data subjects) have certain rights in relation to their personal data under the GDPR. Those rights include;
- The right to be informed – Data subjects have a legal right to confirm whether or not their personal data is being processed and to access that data along with certain additional information.
- The right of access – Data subjects have a legal right to access a copy the personal information held about them. This must be supplied in a commonly used format (e.g. PDF, Excel or Word document).
- The right to rectification – You have the right to have any inaccurate personal data about you rectified and, taking into account the purposes of the processing, to have any incomplete personal data about you completed.
- The right to erasure – In some instances, Data subjects have a right to request the erasure of their personal data without delay. These instances may include: processing is no longer necessary for the purposes it is being processed, consent has been withdrawn where the legal basis for processing is consent, the Data subject objects to processing and there is a valid reason under Data Protection law, processing is for direct marketing purposes, and the data has been unlawfully processed. General exclusions from this clause may include where processing is necessary for a legal reason or for the exercise or defense of legal claims.
- The right to restrict processing – In some instances Data subjects have a right to restrict the processing of their personal data. These instances include: the data is inaccurate, processing is unlawful but the subject opposes erasure, the subject has objected to certain forms of processing but agrees to other forms, or the subject has objects to processing but the organisation requires it for the exercise or defense of legal claims.
- The right to data portability – The right to data portability gives individuals the right to receive personal data they have provided in a structured, commonly used and machine-readable format. It also gives them the right to request that their data is transferred from one controller to another.
- The right to object – Article 21 of the GDPR gives individuals the right to object to the processing of their personal data. The right to object only applies in certain circumstances. Whether it applies depends on the purpose for processing and the lawful basis for processing. Individuals have an absolute right to object to data processing for direct marketing purposes.
- Rights in relation to automated decision making and profiling -Individuals have the right not to be subject to the results of automated decision making, including profiling, which produces legal effects on him/her or otherwise significantly affects them. This is defined as a process where there is no human involvement in the decision-making process.
iQuda intends to comply with the above rights of individuals and will not take part in automated decision-making and profiling activities.
iQuda will make all reasonable efforts to ensure that individuals who are the focus of the personal data (data subjects) are informed of the identity of the data controller, the purposes of the processing, any disclosures to third parties that are envisaged; given an indication of the period for which the data will be kept, and any other information which may be relevant.
iQuda will ensure that the reason for which it collected the data originally is the only reason for which it processes those data, unless the individual is informed of any additional processing before it takes place.
iQuda will not seek to collect any personal data which is not strictly necessary for the purpose for which it was obtained. Forms for collecting data will always be drafted with this mind. If any irrelevant data is given by individuals, they will be destroyed immediately.
iQuda will review and update all data on a regular basis. It is the responsibility of the individuals giving their personal data to ensure that this is accurate, and each individual should notify iQuda if, for example, a change in circumstances mean that the data needs to be updated. It is the responsibility of iQuda to ensure that any notification regarding the change is noted and acted on.
iQuda undertakes not to retain personal data for longer than is necessary to ensure compliance with the legislation, and any other statutory requirements. This means iQuda will undertake a regular review of the information held and implement a weeding process.
iQuda will dispose of any personal data in a way that protects the rights and privacy of the individual concerned (e.g. secure electronic deletion, shredding and disposal of hard copy files as confidential waste). A log will be kept of the records destroyed.
Where consent is relied on as a lawful basis for processing at iQuda, individuals have a right to withdraw consent at any time.
5.12 Data Retention and Deletion
iQuda will not retain or process Personal Data for longer than is necessary or for longer than any period agreed to by the Data Subject. As a general rule, data will be retained as long as a relationship exists between the organisation and the data subject, plus a maximum of 6 years.
iQuda agrees to return or destroy the Data Subjects data if the Data Subject requests for the organisation to do so. Following the deletion of Personal Data iQuda shall notify the Data Subject that the Personal Data in question has been deleted. Where applicable, the Processor shall also provide confirmation that the Personal Data has been destroyed in accordance with instructions issued by the Data Subject.
5.13 Location of Processing
All Data processed by iQuda will be processed within the European Economic Area (EEA).
5.14 Transfers Outside the European Economic Area
iQuda will not transfer personal data to territories outside of the European Economic Area (EEA) without the explicit consent of the individual, or where a suitable privacy agreement exists that complies with the GDPR, for example the EU-US Privacy Shield.
This also applies to publishing information on the Internet – because transfer of data can include placing data on a website that can be accessed from outside the EEA – iQuda will always seek the consent of individuals before placing any personal data (including photographs) on its website.
5.15 Record Keeping
In addition to the above actions, iQuda commits the keeping appropriate records for the purpose of demonstrating compliance with the GDPR.
6.0 Subject Access Requests (Data Subject Access Requests/DSARs)
You are legally entitled to ask iQuda to confirm whether the company is processing data about you, and to request a copy of the data. This will be provided in a commonly used format such as a PDF, Word, or Excel document.
iQuda may charge a reasonable fee to cover the administrative costs to provide you with your data, if your request is manifestly unfounded or excessive. In this circumstance, iQuda will not release your data untill the fee is paid. iQuda will comply with all Subject Access Requests within 30 days of receipt.
Subject access requests should be submitted by email or by post to “The Data Protection Officer”, and sent to the postal address or email address listed in section 10 of this policy.
7.0 Breach & Notification
In the event of a breach involving personal data, iQuda will notify the Information Commissioners Office (iCO) promptly and without undue delay. Where feasible, the ICO will be notified no later than 72 hours after the organisation becomes aware of the breach. Where this timeframe cannot be met, iQuda will provide a reasoned justification for the delay.
Notice is not required if the breach is unlikely to result in a risk to the rights and freedoms of individuals.
If an individual believes that iQuda’s processing activities infringe data protection laws, the individual has a legal right to lodge a complaint with a relevant supervisory body. In the United Kingdom the governing body is the Information Commissioners Office (the ICO). You can find their details online: https://ico.org.uk
Regulators have authority under the GDPR to issue penalties equal to the greater of €10 million or 2% of the entity’s global gross revenue for violations of record-keeping, security, breach notification, and privacy impact assessment obligations.
Violations of obligations related to legal justification for processing, data subject rights, and cross-border data transfers may result in penalties of the greater of €20 million or 4% of the entity’s global gross revenue.
9.0 Applicability of Other Policies
This document is part of iQuda’s cohesive set of security policies. Other policies may apply to the topics covered in this document and as such the applicable policies should be reviewed as needed.
10.0 Contact Information:
Please direct all queries and Subject Access Requests by post to:
Garth Macintosh – Data Protection Officer
Unit 3 Heron Business Park
Or by email to:
iQuda Ltd is a company limited by guarantee (registration no. 03792344), registered in England and Wales at 3 Kensworth Gate, 200-204 High Street South, Dunstable, Bedfordshire, LU6 3HS.