Data Protection Policy
The Service Provider holds Personal Data about our users, employees, clients, suppliers and other individuals for a variety of business purposes. This policy sets out how we seek to protect Personal Data and ensure that staff understand the rules governing their use of Personal Data to which they have access in the course of their work. In particular, this policy requires staff to ensure that the Managing Director is consulted before any significant new data processing activity is initiated, so that the relevant compliance steps are addressed. The Service Provider operates in several jurisdictions, including Australia, the United Kingdom, New Zealand, and the United States. This policy describes the principles and procedures which ensure that the Service Provider complies with the various regulations across all the regions in which we operate. The procedures described in this policy must be followed at all times by the Service Provider, its employees, agents, contractors, or other parties working on behalf of the Service Provider. The Service Provider is committed not only to the letter of the law but also to the spirit of the law, and places a high premium on the correct, lawful and fair handling of all Personal Data, respecting the legal rights, privacy and trust of all individuals with whom it deals.
Scope
This policy applies to all staff. You must be familiar with this policy and comply with its terms. This policy supplements our other policies relating to internet and email use. We may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff before being adopted. As Managing Director, Gavin Keane has overall responsibility for the day-to-day implementation of this policy.
Training
All staff will receive training on this policy. New staff will receive training as part of the induction process. Further training will be provided at least every year, or whenever there is a substantial change in the law or in our policy and procedures. Training is provided through in-house seminars and online training on an annual basis, and covers the applicable laws relating to data protection and the Service Provider's data protection and related policies and procedures. Completion of training is compulsory. If you have any questions or concerns about anything in this policy, do not hesitate to contact the Managing Director.
Personal Data
The Service Provider defines Personal Data as the broader of the definitions contained in the PDPA, DPA, and GDPR. The Service Provider defines Sensitive Personal Data as the broader of the definitions contained in the PDPA, DPA, and GDPR. Any use of Sensitive Personal Data is to be strictly controlled in accordance with this policy. While some data will always relate to an individual, other data may not, on its own, relate to an individual. Such data would not constitute Personal Data unless it is associated with, or made to relate to, a particular individual. Generic information that does not relate to a particular individual may also form part of an individual's Personal Data when combined with Personal Data or other information to enable an individual to be identified.
Aggregated data is not Personal Data
The Service Provider gathers Personal Data for two purposes: providing IT Services, and internal operations. Personal Data for IT Services relates to identifiable individual users and may include user profile information such as full name, photograph, date of birth, mobile telephone number, and personal email address. Personal Data we gather for internal operational purposes relates to identifiable individuals such as job applicants, current and former employees, contract and other staff, clients, suppliers, and marketing contacts, and the data gathered may include individuals' contact details, educational background, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title, and CV.
Principles
Consent
The user (data subject) must give their explicit, active consent to the collection and processing of their Personal Data. This consent can be revoked at any time.
Notification
The Service Provider notifies all users about the intended purpose of any collected data prior to collection.
Purpose Limitation
Personal Data can be used only for the purposes explained to the user, and for which they have explicitly given consent. The data collected must be necessary for the performance of the purpose, and not excessive with respect to the purposes for which it was collected.
Right to Access and Correction
Users should be able to access their personal, wearable, and messaging data, and to correct said data where applicable.
Accuracy
The Service Provider should take all reasonable steps to ensure users’ data is accurate and up to date.
Protection
The Service Provider should take all reasonable steps to ensure user data is secured and protected against unauthorised or unlawful processing, accidental loss, destruction, or damage.
Retention Limitation
The Service Provider should not keep personal user data for any longer than necessary to fulfil the purposes for which the user gave their consent.
Data Portability
Upon request, a user should have the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals.
Right to be Forgotten
A data subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.
Privacy by Design and Default
Privacy by Design is an approach to projects that promotes privacy and data protection compliance from the start. The Managing Director will be responsible for conducting Privacy Impact Assessments and ensuring that all IT projects commence with a privacy plan.
When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.
International Data Transfers
Specific consent from the user must be obtained prior to transferring their data outside their source region.
The Service Provider must not transfer data to another geographic region unless The Service Provider can ensure an adequate level of protection of the rights and freedoms of users in relation to the processing of their Personal Data within the destination region.
Purposes
The purposes for which Personal Data may be used by us include:
- Providing IT related services to our users
- The ability to bill clients
- Research and Development of AI and chat technology in support of our IT services
- Compliance with our legal, regulatory, and corporate governance obligations and good practice
- Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests, and ensuring that business policies are adhered to (such as policies covering email and internet use)
- Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, and security vetting
- Investigating complaints
- Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration, and assessments
- Monitoring staff conduct & disciplinary matters
- Marketing our business
- Improving our services
- Risk modelling for our health and life insurance partners
Responsibilities
Responsibilities of the Data Protection Officer (Managing Director) include:
- Overseeing the implementation of, and compliance with this Policy, working in conjunction with the relevant employees, managers and/or department heads, agents, contractors and other parties working on behalf of the Service Provider
- Reviewing all data protection procedures and policies on an annual basis
- Arranging data protection training and advice for all staff members and those included in this policy
- Answering data protection queries or complaints from users, clients, staff, board members, and other stakeholders
- Responding to individuals such as clients and employees who wish to know which data is being held on them by The Service Provider
- Checking and approving any contracts or agreements regarding data processing with third parties that handle the Service Provider's data
The Infrastructure Manager's responsibilities include:
- Ensuring all systems, services, software, and equipment meet acceptable security standards;
- Researching and reviewing third-party services The Service Provider uses to store or process data (such as cloud computing services) on a regular basis; and
- Managing authentication and authorisation for engineering staff to access The Service Provider's infrastructure, including cloud services, databases, and application servers.
The Marketing Manager's responsibilities include:
- Approving data protection statements attached to emails and other marketing copy; and
- Coordinating with the Managing Director to ensure all marketing initiatives adhere to data protection laws and The Service Provider’s Data Protection Policy.
Organisational Measures
The Service Provider shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:
- All employees, agents, contractors, or other parties working on behalf of the Service Provider are made fully aware of both their individual responsibilities and The Service Provider's responsibilities under this Policy, and shall be provided with a copy of this Policy;
- Only employees, agents, sub-contractors, or other parties working on behalf of the Service Provider that need access to and use of personal data in order to carry out their assigned duties correctly shall have access to personal data held by the Service Provider;
- All employees, agents, contractors, or other parties working on behalf of the Service Provider handling personal data will be appropriately trained to do so;
- All employees, agents, contractors, or other parties working on behalf of the Service Provider handling personal data will be appropriately supervised;
- Methods of collecting, holding and processing personal data shall be regularly evaluated and reviewed;
- The performance of those employees, agents, contractors, or other parties working on behalf of the Service Provider handling personal data shall be regularly evaluated and reviewed;
- All employees, agents, contractors, or other parties working on behalf of the Service Provider handling personal data will be bound by contract to do so in accordance with the principles of this Policy;
- All agents, contractors, or other parties working on behalf of the Service Provider handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of the Service Provider arising out of this Policy; and
- Where any agent, contractor or other party working on behalf of the Service Provider handling personal data fails in their obligations under this Policy, that party shall indemnify and hold harmless the Service Provider against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
Our Procedures
Consent
The Service Provider ensures consent is given by making informed, explicit, active consent a requirement of the registration process, including a clear identification of what the relevant data is, why it is being processed, and to whom it will be disclosed.
Notification
The Service Provider ensures Consent is informed by notifying users in plain language about the intended Purpose of any data prior to collection, and by requiring users to give their consent to that Purpose as part of the mobile app registration process.
Fair and lawful processing
We must process Personal Data fairly and lawfully in accordance with individuals’ rights. This generally means that we should not process Personal Data unless the individual whose details we are processing has consented to this happening.
The processing of all data must be:
Necessary to deliver our services in our legitimate interests, and must not unduly prejudice the individual's privacy. In most cases this provision will apply to routine business data processing activities.
Purpose Limitation
The Service Provider staff must not use Personal Data for any Purpose other than that consented to by the user. In the general case, this means that it must be for the purpose of delivering a health coaching application and/or supporting activities.
The Service Provider staff should not access Personal Data except where required to do so in the course of their work.
Right to Access, Correction, and Accuracy
The Service Provider should take all reasonable steps to ensure users’ data is accurate and up to date.
The Service Provider assumes that Personal Data collected directly from the user will be accurate and complete. We will ensure that any Personal Data we process is accurate, adequate, relevant, and not excessive, given the purpose for which it was obtained. We will not process Personal Data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this. Individuals may ask that we correct inaccurate Personal Data relating to them. If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform the Managing Director.
Protection
The Service Provider should take all reasonable steps to ensure user data is secured and protected against unauthorised or unlawful processing, accidental loss, destruction, or damage.
In cases when data is stored on printed paper, it should be kept in a secure place where unauthorised personnel cannot access it. Printed data should be shredded when it is no longer needed.
Sensitive Personal Data should never be saved directly to local devices such as workstations, laptops, or smartphones; it should be kept secured on remote storage provided by The Service Provider's selected cloud storage provider. Personal Data should not be stored on local storage media such as CDs, DVDs, or memory sticks. The Managing Director and Infrastructure Manager must approve any cloud service used to store data. Data should be regularly backed up in line with The Service Provider's backup procedures.
All digital services used by The Service Provider should be protected on a per-user basis, by strong passwords, with role-based permissions. We encourage all staff to use a password manager to create and store their passwords. All servers or services containing sensitive data must be protected by security software and firewalls.
All data should be transmitted over secure networks only. Transmission over unsecured networks is not permitted in any circumstances, including via email. No personal data may be shared informally. If an employee, agent, sub-contractor, or other party working on behalf of The Service Provider requires access to any personal data that they do not already have access to, such access should be formally requested from their relevant manager.
If Personal Data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it.
Under no circumstances should any personal passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of The Service Provider, irrespective of seniority or department.
Retention Limitation
The Service Provider should not keep personal user data for any longer than necessary to fulfil the purposes for which the user gave their consent. The Service Provider keeps personal user data for a maximum period of 48 months after the user has terminated their service, unless the user requests that their account be deleted earlier. The Service Provider will (soft) delete the user's account within 5 working days of confirmation of the request by the user.
Data Portability
Upon request, a user should have the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals.
Right to be Forgotten / Erasure
A user may request that any information held on them is deleted, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.
Privacy by Design and Default
Privacy by Design is an approach to projects that promote privacy and data protection compliance from the start. The Managing Director will be responsible for conducting Privacy Impact Assessments and ensuring that all IT projects commence with a privacy plan. When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.
Transferring Data Internationally
No data may be transferred outside of The Service Provider's Australian (Azure) data centres without prior approval from the Managing Director. Specific consent from the user must be obtained prior to transferring their data outside their source region. You must not transfer Personal Data to another geographic region unless 1) The Service Provider can ensure an adequate level of protection of the rights and freedoms of users in relation to the processing of their Personal Data within the destination region, and 2) you have been given permission to do so by the Managing Director.
Data Audit and Register
The Managing Director will conduct regular data audits to manage and mitigate risks, and record the data held by The Service Provider.
User Access Requests
Individuals are entitled, subject to certain exceptions, to request access to information held about them.
Processing Data in Accordance with the Individual's Rights
Do not send direct marketing material to someone electronically (e.g. via email) unless you have an existing business relationship with them in relation to the services being marketed. Please contact the Managing Director for advice on direct marketing before starting any new direct marketing activity.
PDPA & GDPR Provisions for Users
Privacy Notice – Transparency of Data Protection
Being transparent and providing accessible information to individuals about how we will use their Personal Data is important for our organisation.
The following are details on how we collect data and what we will do with it:
What information is being collected?
The Service Provider collects Personal Data about users including, but not limited to:
- Full name
- Mobile telephone number
- Personal email address
- Work email address
- Billing Information
- Credit Card details
How is it collected?
The Service Provider collects data via application forms, which may be in paper or electronic form. The Service Provider specifically asks the individual for permission to collect their data for the purpose of providing IT Services. The Service Provider also requires explicit consent to collect Personal Data for any additional purposes required by our clients. The Service Provider only collects data from third parties once the user has provided their permission. (User permission is explicitly required to enable the retrieval of any data from third parties.)
Why is it Being Collected?
The Service Provider collects Personal Data for the purpose of providing IT Services. Personal Data is accessed by The Service Provider staff only where necessary to perform the tasks of their job. All user data is stored:
- Remotely, in databases secured and hosted on Microsoft Azure in their Australian data centres
- In the following cloud-based applications: WHMCS (Billing System), SharePoint (Microsoft data centres), Fresh Desk (Ticket System) and Ninja (Remote Monitoring Tool)
The Service Provider's staff do not extract, copy, or use local copies of user data unless it has been anonymised or aggregated. Database access by The Service Provider staff is authorised on an IP-whitelisted, per-user basis according to the requirements of their job, and authenticated using strong passwords. The Service Provider does not print or save to local storage any Personal Data. The Service Provider does not transfer Personal Data to any third parties excepting our clients on whose behalf we are the data intermediary.
Details of transfers to third countries and safeguards
- The Service Provider stores data on the Azure hosting platform in two data centres in Australia.
- The Service Provider keeps all data secured in accordance with the standards required by relevant UK, EU, NZ and USA legislation.
- The Service Provider keeps all data encrypted both in transmission and at rest.
Identity and contact details of any data controllers?
The Service Provider's designated Data Protection Officer is: Gavin Keane, Managing Director.
Reporting Breaches
All members of staff have an obligation to report actual or potential data protection compliance failures. This allows us to:
- Investigate the failure and take remedial steps if necessary
- Maintain a register of compliance failures
- Notify the Supervisory Authority of any compliance failures that are material either in their own right or as part of a pattern of failures
Under the GDPR, the Managing Director is legally obliged to notify the Supervisory Authority within 72 hours of the data breach (Article 33). Individuals have to be notified if adverse impact is determined (Article 34). In addition, The Service Provider must notify any affected clients without undue delay after becoming aware of a personal data breach (Article 33).
However, The Service Provider does not have to notify the data subjects if anonymised data is breached. Specifically, the notice to data subjects is not required if the data controller has implemented pseudonymisation techniques like encryption, along with adequate technical and organisational protection measures, to the personal data affected by the data breach (Article 34).
Monitoring
- Everyone must observe this policy.
- The Managing Director has overall responsibility for this policy.
- The Managing Director will monitor this policy regularly to make sure it is being adhered to.
Data Protection Complaints
Data Protection Complaints can be received via:
- The Service Provider website/ticket system
- Email or phone call to the Managing Director
The Complaint Process is:
- Within 1 working day: Managing Director will respond to the complaint to notify the complainant that the complaint is being investigated
- Managing Director to conduct investigation, escalating to client as required
- Managing Director to investigate & resolve complaints within 5 working days where possible
- Managing Director to regularly update complainant at least weekly on progress of investigation & expected time to resolution
- Upon completion of investigation, Managing Director to provide written report to complainant containing the investigation findings and steps to resolution
- Managing Director to carry out steps to resolution
- Managing Director to confirm with user that complaint has been satisfactorily resolved
Consequences of Failing to Comply
We take compliance with this policy very seriously. Failure to comply puts both you and the organisation at risk. The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under our procedures which may result in dismissal.