Vaccoda Limited Privacy and Data Protection Policy
This privacy and data protection policy sets out how Vaccoda Limited (the “Company”) collects, uses and protects any information you provide when you use this website, our hosting service or our data backup service.
The Company is committed to ensuring that your privacy is protected. If we ask you to provide information by which you can be identified when using this website or any of our services, then you can be assured that it will only be used in accordance with this policy.
Policy prepared by: Rob Fisher
Policy became operational on: 23 March 2006
Last reviewed: 17 October 2017
Next review date: 17 April 2018
The Company needs to gather and use certain information about individuals.
These include customers, suppliers, business contacts, employees and other people the Company has a relationship with or may need to contact.
This policy describes how we collect, handle and store such personal data to meet the Company’s data protection processes and procedures, and to comply with the law.
Why this policy exists
This data protection policy ensures the Company:
- complies with applicable data protection law and follows good practice;
- protects the rights of staff, customers and partners;
- is open about how it stores and processes individuals’ data; and
- protects itself from the risks of a data breach.
Our business, internal computer systems and website is designed to comply with the UK’s Data Protection Act and the EU’s General Data Protection Regulation.
Data protection law
The Data Protection Act describes how organisations such as the Company must collect, handle and store personal information.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
The Data Protection Act is underpinned by eight important principles. These say that personal data must:
- be processed fairly and lawfully;
- be obtained only for specific, lawful purposes;
- be adequate, relevant and not excessive;
- be accurate and kept up to date;
- not be held for any longer than necessary;
- be processed in accordance with the rights of data subjects;
- be protected in appropriate ways; and
- not be transferred outside the European Economic Area, unless that country or territory also ensures an adequate level of protection. (The EEA is made up of the 28 EU member states, Iceland, Liechtenstein and Norway.)
Additionally, the General Data Protection Regulation requires that personal data must be:
- processed lawfully, fairly and in a transparent manner in relation to individuals;
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
- accurate and, where necessary, kept up to date;
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Scope of this policy
This policy applies to:
- the Company;
- all the Company’s staff; and
- all contractors, suppliers and other people working on behalf of the Company.
This policy applies to all data the Company holds relating to identifiable individuals. This can include (but may not be limited to):
- the names of individuals;
- postal addresses;
- email addresses;
- telephone numbers; and
- any other information relating to individuals.
Data protection risks
This policy helps to protect the Company from some very real data security risks, including:
- breaches of confidentiality – for instance information being given out inappropriately;
- failing to offer choice – all individuals should be free to choose how the Company uses data relating to them; and
- reputational damage – the Company’s reputation could suffer if, for example, hackers successfully gained access to sensitive data.
Website enquiries via contact forms
When enquiring about our services, we will request the following information from you:
- your full name;
- contact information, including your email address and telephone number;
- demographic information such as your address and postcode; and
- other information that is relevant to your enquiry.
How this information is sent to us
When you submit your enquiry to us, your data will be collated into an email. That email is sent directly to us via the Simple Mail Transfer Protocol (SMTP). Our SMTP servers are fully protected by SSL certification, meaning that emails are encrypted using 256-bit cryptology before being transmitted across the internet to us. When emails arrive with us, they are then decrypted by our local computers.
What we do with this information we gather and how your information is stored
We need this information so we can properly understand your requirements and provide you with relevant details about, and accurate costs of, our services.
Your details will only be used internally for evaluation of your requirements.
Your details will be retained so we are able to communicate with you in future, should you wish to enquire about or use our services in the future. However, if you tell us you do not want to retain your information, we erase it securely and in a timely manner.
We are committed to ensuring the security of your information. To prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect from you.
The right to be forgotten/the right to erasure
We securely retain your data while you are a client of the Company. We need to retain this data so we can contact you about your account and/or our services if we need to and so we can bill you for our charges.
If you no longer use our services, you can request the deletion of the information we hold on record for you if you feel there is no compelling reason for us to retain these details and unless we are legally compelled to retain some or all of the information. To do this, please call us on 020 8776 0400 and we will erase your information (or the part(s) of it we can) securely and in a timely manner. If you ask us to, we will confirm by email that your information has been permanently erased as far as is legally permissible.
Tracking visits to our website
Like many websites, this website uses Google’s Google Analytics tools to track user behaviour while they are using our website. The data gathered by Google Analytics is used to tell us how many people use our website, so we can better understand how visitors use our site, how different pages on the site are accessed, and to see the user journey through the website.
Google Analytics records data such as your geographical location, the device you are using to browse our site, your browser type and operating system. However, this information is anonymous and cannot personally identify you.
Google Analytics also records your computer’s IP address. This could potentially be used to identify you. However, Google does not grant us access to your IP address. If you are concerned about Google’s use of your IP address, please contact Google directly.
You can disable cookies in your browser to stop Google Analytics from tracking any part of your visit to our website.
Google is considered to be a third-party data processor, which simply means a third party we use to process data on our behalf. Google complies with the Data Protection Act and the General Data Protection Regulation. Google also complies with the EU-US Privacy Shield Framework.
Our servers – for website and email hosting and data backup
We host our website on the Google Cloud Platform (https://www.google.com/cloud/). All hosting accounts for our customers are also provided via the Google Cloud Platform.
For these purposes, Google acts as a “data processor”, which means it must implement appropriate measures to ensure and demonstrate that its data processing is performed in compliance with the GDPR.
The Company acts as a “data controller”. We must ensure that, as our data processor, Google provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that its processing meets the requirements of the GDPR.
More details on how Google operates in relationships like its relationship with us can be found here: https://www.google.com/cloud/security/gdpr/. Additionally, Google Cloud Platform’s full security policy (which we operate under) can be found here: https://cloud.google.com/security/.
The data controller of this website is Vaccoda Limited (company number 06886432), whose registered office is at The Firs, Platt House Lane, Fairseat, Sevenoaks, Kent, TN16 7LX and whose operating address is 102 High Street, West Wickham, Kent, BR4 0NF.
Vaccoda Limited’s data protection officer is Robert Fisher, Managing Director. You can contact him on 020 8776 0400 or at [email protected].
Everyone who works for or with the Company has some responsibility for ensuring data is collected, stored and handled appropriately.
The Company’s directors are responsible for ensuring the Company meets its legal obligations. But each person handling personal data must ensure it is handled and processed in line with this policy and in compliance with the Data Protection Act and the General Data Protection Regulation.
However, these people have key areas of responsibility:
The Company’s data protection officer, Rob Fisher, is responsible for:
- regularly reviewing all data protection procedures and policies;
- arranging data protection training and advice for the people covered by this policy;
- handling data protection questions from anyone covered by this policy;
- dealing with requests from individuals to see the data the Company holds about them (often called “subject access requests”); and
- checking and approving contracts with third parties who may handle personal data collected by the Company.
Technical director Aaron MacDonald is responsible for:
- ensuring all systems, services and equipment used for storing data meet acceptable security standards;
- performing regular checks to ensure security hardware and software is functioning properly; and
- evaluating third party services the Company is considering using to store or process data on its behalf (for example, cloud computing services).
Marketing manager Matt Martin is responsible for:
- approving data protection statements attached to communications such as emails and letters;
- addressing data protection queries from media outlets; and
- ensuring marketing initiatives abide by data protection principles.
General staff guidelines
- The only people authorised and able to access data covered by this policy are those who need to do so for their work.
- Data must not be shared informally. When access to confidential information is required, colleagues can request it from the directors.
- The Company will provide training to all colleagues to help them understand their responsibilities when handling data.
- Colleagues should keep all data secure by taking sensible precautions and following these guidelines.
- Strong passwords must be used and they should never be shared.
- Personal data should not be disclosed to unauthorised people, either within the Company or externally.
- Data should be regularly reviewed and updated if it is found to be out of date. If data is no longer required, it should be securely deleted.
- Colleagues should request help from the Company’s directors if they are unsure about any aspect of data protection compliance.
These rules describe how and where data should be safely stored. Questions about storing data safely should be directed to Aaron MacDonald.
When data is stored on paper:
- when not required, it should be kept in a secure place (such as a locked drawer or filing cabinet) where unauthorised people cannot see or access it.
When data is usually stored electronically but has been printed out:
- when not required, it should be kept in a secure place (such as a locked drawer or filing cabinet);
- colleagues should ensure printouts are not left where unauthorised people could see or access them; and
- printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically:
- it should be protected by strong passwords that are changed regularly and never shared between colleagues;
- if it is stored on removable media (like a CD, DVD, USB thumb drive, laptop computer or smartphone), these should be kept in a secure place (like a locked drawer or filing cabinet) when not being used;
- it should only be stored on designated drives and servers, and should only be uploaded to one of the Company’s approved cloud computing services;
- servers storing personal data must be sited in a secure location, away from general office space;
- it should be backed up frequently and those backups should be tested regularly, in line with the Company’s standard backup procedures; and
- servers and computers storing personal data should be protected by Company-approved security software and a firewall.
All client records and personal data within our accounting/invoicing software is cloud-based and securely secured via SSL encryption. Only the Company’s directors have access to this software, with user sessions and user actions fully logged within the software.
All client usernames, passwords and other personal data (such as email account login details) are securely stored via SSL encryption in the cloud, using software secured by a fully-encrypted, unique identifier key. Only the Company’s directors have access to this software.
Personal data is of no value to the Company unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft. When working with personal data:
- you should ensure the screen of your computer is always locked when left unattended;
- it should not be shared informally and should never be sent by email, as general email communications are not secure;
- it must be encrypted before being transferred electronically (Aaron MacDonald can explain how to securely send data to authorised recipients);
- it should never be transferred outside of the European Union;
- you should not save copies to you own computer, but instead should always access and update the central copy of any data.
The law requires the Company to take reasonable steps to ensure data is kept accurate and up to date.
It is the responsibility of everyone who works with data to take reasonable steps to ensure it is kept as accurate and up to date as possible. To help with this:
- data should be held in as few places as necessary and you should not create any unnecessary additional data sets;
- you should take every opportunity to ensure data is updated (for example, by confirming a customer’s details when they call);
- the Company will make it easy for data subjects to update the information we hold about them;
- data should be updated when inaccuracies are discovered (for instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database); and
- Matt Martin will ensure marketing databases are checked against industry suppression files before every mailing the Company makes.
Subject access requests
All individuals who are the subject of personal data held by the Company are entitled to:
- ask what information the Company holds about them and why;
- ask how to gain access to it;
- be informed how to keep it up to date; and
- be informed how the Company is meeting its data protection obligations.
If an individual contacts the Company requesting this information, this is called a subject access request.
If you wish to make a subject access request please do so by email, addressed to the Data Controller, at [email protected]. (We can supply a standard request form, but you do not have to use this.)
In accordance with General Data Protection Regulation, there is normally no charge for subject access requests. However, we may charge a discretionary administrative fee for requests we deem to be manifestly unfounded, excessive or repetitive, or if further copies of the same information are requested.
The Company will ordinarily provide the relevant data within one month. However, this may be extended by up to a further two months if a request is particularly complex and/or numerous. If this is the case, we will inform you within one month of the receipt of your subject access request and explain why the extension is necessary.
The Data Controller will always verify the identity of anyone making a subject access request before handing over any information.
Disclosing data for other reasons
In certain circumstances, we may disclose your personal data to law enforcement agencies without your consent. If we receive a valid request from such an agency, we will disclose the requested data. However, the Data Controller will first ensure the request is legitimate, seeking assistance from the Company’s directors and the company’s legal advisers where necessary.
The Company aims to ensure that individuals are aware that their data is being processed, and that they understand:
- how the data is being used; and
- how to exercise their rights.
In the unlikely event of any unlawful data breach by the Company or by our third-party data processors, we will report within a 72-hour timeframe of the breach first occurring to all affected persons and to the authorities.
Changes to our Privacy and Data Protection Policy
The Company may change this policy from time to time by updating this page, in line with legislation changes or industry developments. As we will not be informing clients of changes as they occur, we recommend that you check this page regularly for any changes.