What our promise means to us
We promise to keep the personal information we process secure by continuously assessing our security risks and implementing appropriate security measures in line with industry practice.
First, we all understand that each of us has a significant part to play in keeping personal information safe. We recognise that security is not all about hackers and cyber theft. Most security risks are caused by staff errors.
Second, we ensure we know what personal information we process and where it is as this is essential to actually keeping it safe.
Third, we assess our security risks by assessing what level of damage (to our organisation and individuals) could result from the loss, destruction, theft or unauthorised access to personal information.
Fourth, we continuously assess where our security vulnerabilities are, or could be.
Fifth, we implement and maintain appropriate technical and organisational measures to maintain security which are appropriate to the level of risk we have identified, which respond to any vulnerabilities and which ensure that our processing of personal information complies with the law.
Finally, we regularly review such measures and update them when necessary, taking account of technological advances.
What we all need to do to keep our promise
We all understand that we need to be aware of the risks of data breaches (including loss of personal information and damage to personal information). We all understand that each of us plays our part in keeping personal information secure. We all understand and care about the policies and processes that have been put in place to protect personal information and we follow them.
We all:
understand and comply with our All Staff Privacy Pledge;
understand and comply with our Tech Use and Confidentiality Policy;
understand and comply with our Information Retention and Disposal Policy; and
understand what to do if we suspect that there has been a data breach.
We also all understand that compliance with this Promise 6 is easier to achieve if: we collect less personal information in the first place; we only share the minimal personal information we collect with people we can trust and control; and we correctly delete the personal information when we no longer need it. So we all:
collect less personal information;
only share personal information wisely; and
delete personal information properly when we no longer need it.
Our Privacy Hub Owner and our Privacy Champions are responsible for implementing technical and organisational measures that have regard to:
the state of the art (i.e. security controls will be chosen based on a consensus of up-to-date professional opinions);
the costs of implementation (i.e. security controls will be the output of good management decisions);
the nature of the personal information we are processing (e.g. is it special category data?);
the scope of our processing (e.g. the volume of personal information we are processing);
the context of our processing (e.g. as part of employee performance monitoring); and
the purposes of our processing activities.
Our Privacy Hub Owner and our Privacy Champions will:
manage user privileges to limit access to personal information;
establish controls over removable media which we all understand and follow;
take steps to prevent malware infecting our systems and educate us all in what we can do to help;
train all staff in relation to personal information security management, the laws associated with it and the policies which we must all adhere to;
ensure that controls are in place to make sure that personal information is secure when we are in the office and out of the office;
ensure that our network security is regularly monitored and tested;
ensure that all our systems are securely configured and security patches promptly applied;
be responsible for putting measures in place to ensure personal information is processed in accordance with our Information Retention and Disposal Policy; and
ensure that our Vendors and Partners protect personal information at least as well as we do and only work with sub-processors with our consent.
If a data breach occurs we will follow our Internal Breach Reporting Procedure and Incident Response Plan, including notifying the ICO and/or any other relevant supervisory authority and affected individuals, if necessary under that plan. We know that notification must occur without undue delay and, where feasible, not later than 72 hours after becoming aware of it. We understand that a data breach is more than just a loss of personal information – it is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to personal information.
Our documents demonstrating compliance with our promise
| Category | Availability |
|---|---|
| TEMPLATES - Generic documents for us to customise | If you'd like to see these documents, speak to a Hub Owner or Privacy Champion. |
| RECORDS - Documents recording our compliance activities | If you'd like to see these documents, speak to a Hub Owner or Privacy Champion. |
| INFORMATION - Documents containing information to help us comply | No documents made available yet |
| POLICIES - Documents containing our policies | No documents made available yet |