Phoenix Drilling Ltd Data Privacy Processes and Policies
This document outlines our data protection policy.
- This is version 1.1 dated 7th May 2018
- Policy prepared by Samantha McLeary – General Manager
Why this policy exists
This data protection policy ensures Phoenix Drilling Ltd:
- Complies with data protection law and follows good practice
- Protects the rights of staff, customers and partners
- Is open about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
Data protection law
The UK Data Protection Legislation is underpinned by eight important principles. These say that personal data must:
- Be processed fairly and lawfully
- Be obtained only for specific, lawful purposes
- Be adequate, relevant and not excessive
- Be accurate and kept up to date
- Not be held for any longer than necessary
- Be processed in accordance with the rights of data subjects
- Be protected in appropriate ways
- Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection
This policy applies to:
- The offices of Phoenix Drilling Ltd
- All staff and volunteers of Phoenix Drilling Ltd
- All contractors, suppliers and other people working on behalf of Phoenix Drilling Ltd
It applies to all data that the company holds relating to identifiable individuals. This can include:
- Names of individuals
- Postal addresses
- Email addresses
- Telephone numbers
- … any other necessary information relating to individuals
Data protection risks
This policy helps to protect Phoenix Drilling Ltd, its clients and contractors from some very real data security risks, including:
- Breaches of confidentiality. For instance, information being given out inappropriately.
- Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
- Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.
General staff guidelines
- The only people able to access data covered by this policy should be those who need it for their work.
- Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.
- Phoenix Drilling Ltd will provide training to employees to help them understand their responsibilities when handling data.
- Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
- In particular, strong passwords must be used and they should never be shared.
- Personal data should not be disclosed to unauthorised people, either within the company or externally.
- Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
- Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.
We acquire data regarding clients, prospects and third-party data sources from:
- Onboarding a new client
- Updating existing client details
- Inbound emails
- Business cards
- Supplier invoices
- Word of mouth
- By setting up or signing contracts
- Individuals may be part of an image we have used for our website or a client website.
Data Storage Details
Onboarding a new client
When we take on a new client we create the following:
- We set up a new record on our accounts system. We use Sage.
- We may add the client details into Microsoft Outlook.
- We may create a new contract depending on the work. We may sign a client’s contract again depending on the work.
We use Sage for our accounting. Sage is installed on 2 local devices with secure password access.
Inbound emails are stored on our company email servers, which use Office 365 and Google Suite. These emails are synchronised across devices: office computers, tablets owned by the business and iPhones owned by the business. All devices are password protected.
Information gleaned from business cards is entered into our contacts database, which sits within the server. This data is synchronised across devices: office computers, tablets owned by the business and iPhones owned by the business.
All incoming invoices, whether paper or electronic, are printed and stored in a secure filing cabinet at our office premises. We need to keep a hard copy for our end-of-year accounts.
Word of Mouth
Any information noted down from word of mouth is entered into the appropriate system.
Contracts are scanned and stored in the clients’ project folder.
We hold client information in several spreadsheets to manage areas such as invoices. All computers are password protected.
If your image appears on our website or in a hard-copy document or brochure, we will delete it upon request.
How We Secure Our Data
All computers, tablets and iPhones in the business have strong passwords, fingerprint recognition or 6-digit PINs. All paper records are kept in locked filing cabinets in the office. Only office staff who require the information as part of their job have access.
All passwords we use are a minimum of 8 characters and alphanumeric.
Cloud Storage and Data Backup
All company working data is stored in OneDrive. OneDrive is password protected and synchronises this data across the devices where it is required. Files that are no longer required for daily use but may be needed again in the future are also stored there.
Customer and Supplier Accounting Information
We use Sage for our accounting. Each computer is password protected.
Emails, including form fills from our website, come into our Office 365 Outlook software and are stored in Outlook. All accounts are password protected as are the computers running the email client. We store long term information in Outlook folders. We run Office 365 to ensure our office software is up to date and secure. Office 365 is a cloud service, so all emails are synchronised with the Office 365 servers.
How we use your data
We store data to ensure our business can perform its services for our clients. These guidelines should always be followed when handling personal data:
- When working with personal data, employees should ensure the screens of their computers are always locked when left unattended and file storage containing data should remain locked with limited access at all times.
- Personal data should not be shared informally. In particular, it should never be sent by email, as this form of communication is not secure.
- Data must be encrypted before being transferred electronically.
- Personal data should never be transferred outside of the European Economic Area.
- Phoenix Drilling Ltd has identified and documented the potential impact on individuals’ privacy and taken this into account when installing and operating the CCTV system. We regularly review whether CCTV is still the best security solution.
- Phoenix Drilling Ltd has a policy and/or procedure covering the use of CCTV and has nominated Samantha McLeary who is responsible for the operation of the CCTV system.
- Phoenix Drilling Ltd has established a process to recognise and respond to individuals or organisations making requests for copies of images from our CCTV footage, and to seek prompt advice from the Information Commissioner where there is uncertainty.
- Phoenix Drilling Ltd trains its staff in how to operate the CCTV system and cameras (if applicable) and how to recognise requests for CCTV information/images.
- Phoenix Drilling Ltd only retains recorded CCTV images for long enough to allow any incident to come to light and be investigated.
- Phoenix Drilling Ltd has ensured that the CCTV images are clear and of a high quality.
- Phoenix Drilling Ltd securely stores CCTV images, limits access to authorised individuals and regularly checks that the CCTV system is working properly.
- Phoenix Drilling Ltd clearly informs individuals of the use of CCTV via signage around the premises.
The Act gives you the right to receive the personal data concerning you, which you have previously provided, in a ‘commonly used and machine-readable format’, and the right to transmit that data to another controller. In our case it is not common for your data to be received in a machine-readable format unless it comes from a website form completion.
We will report any unlawful breach of information we hold to all relevant persons and authorities within 72 hours of the breach, if it is apparent that personal data stored in an identifiable manner has been stolen. We will provide the following information:
- What kind of data was stolen
- How many individuals this affected
- How many data records were compromised
- How we were alerted to the breach
- Who was responsible for the breach
Administering Subject Access Requests (SARs)
Upon receipt of a SAR from anyone about whom we store data, we will respond with confirmation of the data we hold, send them a copy of that data, and inform them of how we have used that data. We will do this within 1 month of the request.
We will not make any charge for this service.
The data controller is Phoenix Drilling Ltd, a UK Private Limited Company with company number SC370985, incorporated on 11 January 2010,
whose registered office is:
Unit 4B Gateway Business Park
Scotland, FK3 8WX
Data Protection Contact
Miss Samantha McLeary
General Manager, Phoenix Drilling Ltd
2 Nairn Road
Deans Industrial Estate
Telephone: 01506 411448