Quadratica (UK) Ltd is fully committed to compliance with the requirements of the Data Protection Act 1998 and the General Data Protection Regulations 2018 ('the Acts').
STATEMENT OF POLICY
In order to operate efficiently, Quadratica (UK) Ltd has to collect and use information about people with whom it works. These may include current, past and prospective employees, customers, associates and suppliers. This personal information must be handled and dealt with properly, however it is collected, recorded and used, and whether it be on paper, in computer records or recorded by any other means. There are safeguards within the Act to ensure this.
This information is held exclusively by Quadratica (UK) Ltd for the purpose of providing a service to those it supports.
Quadratica (UK) Ltd regards the lawful and correct treatment of personal information as very important to its successful operation and to maintaining confidence between the Company and those with whom it works. Quadratica (UK) Ltd will ensure that it treats personal information lawfully and correctly.
THE PRINCIPLES OF DATA PROTECTION
The Act stipulates that anyone processing personal data must comply with Eight Principles of good practice.
The Principles require that personal information:
1. Shall be processed fairly and lawfully and in particular, shall not be processed unless specific conditions are met.
2. Shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes;
3. Shall be adequate, relevant and not excessive in relation to the purpose or purposes for which it is processed;
4. Shall be accurate and where necessary, kept up to date;
5. Shall not be kept for longer than is necessary for that purpose or those purposes;
6. Shall be processed in accordance with the rights of data subjects under the Act;
7. Shall be kept secure i.e. protected by an appropriate degree of security;
8. Shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of data protection.
The Act provides conditions for the processing of any personal data. It also makes a distinction between personal data and ‘sensitive’ personal data.
Personal data is defined as data relating to a living individual who can be identified from:
• That data;
• That data and other information which is in the possession of, or is likely to come into the possession of the business and may include expressions of opinion about the individual including but not limited to training courses and outcomes managed by other employees/Directors of the business.
Sensitive personal data is defined as personal data consisting of information as to:
• Racial or ethnic origin;
• Political opinion;
• Religious or other beliefs;
• Trade union membership;
• Physical or mental health or condition;
• Sexual life;
• Criminal proceedings or convictions.
HOW DO WE COLLECT YOUR PERSONAL INFORMATION?
Quadratica (UK) Ltd collects the personal data of its data subjects via the following:
• From Quadratica (UK) Ltd clients i.e. the data controller
• From prospects via a contact form on our website
• Directly from the data subject
• Throughout the course of the contractual relationship and during working activities
WHY AND HOW DO WE USE YOUR PERSONAL INFORMATION?
We will only use your personal information when the law allows us to. These are known as the legal bases for processing. We will use your personal information in one or more of the following circumstances:
1. the individual has consented to the processing
2. the processing is necessary for the performance of a contract with the individual,
3. the processing is required under a legal obligation (other than one imposed by a contract),
4. the processing is necessary to protect vital interests of the individual
5. the processing is necessary to carry out public functions e.g. administration of justice
6. the processing is necessary in order to pursue our legitimate interests or those of third parties (unless it could unjustifiably prejudice the interests of the individual). Specifically, in relation to legitimate interest processing, employees are permitted to object to their data being processed for this purpose.
HANDLING OF PERSONAL/SENSITIVE INFORMATION
Quadratica (UK) Ltd will, through appropriate management and the use of strict criteria and controls:
• Observe fully conditions regarding the fair collection and use of personal information;
• Meet its legal obligations to specify the purpose for which information is used;
• Collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements including but not limited to first name, last name and email address;
• Ensure the quality of information used;
• Apply checks to determine the length of time information is held in accordance with legal requirements;
• Take appropriate technical and organisational security measures to safeguard personal information;
• Ensure that personal information is not transferred without suitable safeguards;
• Ensure that the rights of people about whom the information is held can be fully exercised under the Act.
• Ensure consent is obtained from customers to their data being stored and controlled by Quadratica (UK) Ltd.
• The right to be informed that processing is being undertaken;
• The right of access to one’s personal information within one month of the request (three months in the case of complex requests), free of charge (unless the request is manifestly unfounded or excessive);
• The right to prevent processing in certain circumstances;
• The right to data portability;
• The right to correct, rectify, block or erase information regarded as wrong information.
In addition, Quadratica (UK) Ltd will ensure that:
• There is someone with specific responsibility for data protection in the Company;
• Everyone managing and handling personal information understands that they are contractually responsible for following good data protection practice;
• Everyone managing and handling personal information is appropriately trained to do so;
• Everyone managing and handling personal information is appropriately supervised;
• Anyone wanting to make enquiries about handling personal information, whether a member of staff, associate or customer, knows what to do;
• Queries about handling personal information are promptly and courteously dealt with;
• Methods of handling personal information are regularly assessed and evaluated;
• Data sharing is carried out under a written agreement, setting out the scope and limits of the sharing. Any disclosure of personal data will be in compliance with approved procedures.
The Company also has in place procedures to deal with a suspected data security breach and we will notify the Information Commissioner’s Office (or any other applicable supervisory authority or regulator) and you of a suspected breach where we are legally required to do so.
STORAGE OF COMPUTER DATA
Quadratica (UK) Ltd stores information about employees, associates, suppliers, customers and their employees on its computers. All computer data is stored in an MS SQL database and an MS Azure virtual server. All computers are password protected and can only be accessed by user name and password. Employees of Quadratica (UK) Ltd will only be provided access to areas of the Company computer network which are necessary for the execution of their day-to-day duties.
All of Quadratica (UK) Ltd's computer data is backed up remotely with a high degree of security by an authorised computer security business.
All servers are secured behind firewalls, both software and hardware, that restrict access to only authorised users and locations. They are backed up daily to an off-site, geo-redundant data centre to prevent data loss. Anti-malware software is utilised to protect against viruses and other unwanted applications that could endanger your data.
The databases are encrypted to prevent data loss in the unlikely event of a breach of the database server.
Our servers are supplied and protected by Microsoft’s Azure cloud platform, which ensures that our servers are always updated and protected by industry-leading security practices. The data centres holding our servers are physically protected with access control checks.
FOR HOW LONG DOES THE COMPANY KEEP PERSONAL INFORMATION?
The Company will only retain personal information for as long as is necessary to fulfil the purposes for which it was collected and processed, including for the purposes of satisfying any legal, tax, health and safety, reporting or accounting requirements.
• Electronic client records, for example purchase records and client training certifications and results, are stored for up to 6 years for Department for Transport audit purposes.
DISPOSAL OF ELECTRONICALLY STORED DATA
Information which is no longer to be retained will be securely and effectively destroyed or permanently erased from our IT systems.
The Directors will be responsible for ensuring that the Policy is implemented. They shall be jointly responsible for:
• The provision of data protection training for employees;
• Carrying out compliance checks to ensure adherence with the Data Protection Act(s);
• Notifying the Information Commissioner where applicable.