Data Compliance Policy


  1. Key Definitions
  2. Data Processing Agreements
  3. Data Security
  4. Marketing and Compliance
  5. Data Subject Access Requests
  6. Transfer and processing of data outside the EEA
  7. Staff Training
  8. Notification of breaches of policy


As an agency handling personal data on behalf of ourselves and our clients, we have a legal obligation to adhere to the requirements of the data protection legislation which exists in the UK. This document covers our current policies and procedures with regard to remaining compliant; all staff should act in accordance with the policies specified here.

Please note that this document is intended to address the specific needs of The Mission and is not a comprehensive guide to data protection legislation.

This policy document has been approved by The Mission Limited Board. Substantive changes may only be made with the further approval of the Board and will be reviewed annually. Department Heads take responsibility for ensuring adherence by their staff to company policy in this area.

Key definitions

  • Personal Data – Any information which can identify living individuals and which is held electronically, is intended to be held electronically, or is held physically in a logical filing system.
  • This includes name and postal address, email address, telephone numbers, and any other details if these could identify the individual.
  • Sensitive Data - Personal data consisting of information relating to racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or condition, sexual life, commission or alleged commission of any offence, proceedings for any offence.
  • Data Processing – This includes receiving, uploading, copying, backing-up, amending, updating, deleting, disposing of personal data
  • Data Controller - Organisation who owns/controls decisions regarding the data. The Mission is a data controller when dealing with its own data (e.g. HR, finance, payroll).
  • Data Processor - Organisations who process data on behalf of Data Controllers, e.g. agency, bureau, mailing house. The Mission is a data processor when acting on behalf of a client.
  • Data Subject: individual whose personal data is being processed.
  • Third Party: a company or organisation related or unrelated to the organisation which collects and owns the personal data in question (e.g. a separate company within the same group as the data controller, or a completely unrelated company to which the data controller intends to sell or rent the personal data).

Data Processing Agreements

The data protection legislation requires us to have appropriate data processing agreements in place with any client, where we are processing or handling personal data on behalf of that client.
These agreements can be on a project by project basis, or set up globally to cover all the data work we do for that client.

It is the responsibility of the client service team to check whether a data processing agreement is in place, and if not, to liaise with the compliance officer to put one in place. A template for the standard agreement is available. Where we subcontract personal data processing or handling to a third party, we must also have a data processing agreement in place with that third party.

Data Security

The Data Protection Act demands suitable levels of technical and organisational security in order to protect personal data against loss, theft or accidental access by the wrong people. The agency primarily addresses this requirement via the Information Security Policy. Meeting the organisational and individual requirements of that policy will be considered sufficient for compliance with the data protection regulations, along with the additional data security measures also outlined in this policy.

Storage of Personal Data

3.1.1 Categories of personal data
To assist in appropriate and secure storage of personal data, we have identified two categories of data

Red data

  • Sensitive personal data
  • Client customer or prospect files containing any or all of: name and address data, email data, telephone number, mobile phone number, a customer number or customer ID, or any user ID for a specific application
  • Client customer files containing details of product holdings, account activity or financial data, where this can be linked to a living individual.
  • Any other data files containing data comparable to the above.
  • Any personal data file where there is a degree of sensitivity relating to the data, or where its loss or theft could lead to potential damages.

Green data

  • CVs supplied by individuals seeking employment with the company
  • Personal data relating to people who have appeared in advertising materials produced by the agency (e.g. models, testimonials, etc) where the individual concerned is aware that The Mission holds this information about them.
  • Any other data files containing data comparable to the above.

3.1.2 Appropriate storage of personal data

Red Data

  • This should be stored in an encrypted network server folder
  • For Norwich and London, this is the network Data Compliant server. For Leicester and Birmingham, this will be a data compliant folder within the relevant client folder.
  • Access to the encrypted server area, or the secure folder within the client folder, is limited to those people who need it for work purposes; appropriate staff members will be authorised to access folders relating to clients they work on.
  • If a new data compliant folder is required for a Leicester/Birmingham client, IT should be asked to set that folder up and set access permissions.
  • Any copy of the personal data on a local device, or which is an email attachment on the local device, should be deleted securely (see section 3.4 below)

Green Data

  • This can be stored on a local device as long as security of the device meets the requirements of the Information Security Policy.

3.1.3 Temporary local storage of red category data

  • Where it is essential to process red category personal data on a local device, this data must only be held on the local device whilst it is being processed.
  • This data must be securely deleted from the local device as soon as the processing has been completed (see section 3.4 for information on secure deletion)

Transfer of data

3.2.1 Red data (see section 3.1 above)

  • Incoming personal data from a client or other organisation can be received:
  • Via, or via an SFTP
  • Via email as long as the data is in a password protected file, and the password supplied in a separate email to the data.
  • Outgoing personal data
  • The recommended approach is for personal data to be transferred to a third party via or or an SFTP
  • Where a client cannot receive personal data via the recommended approach, then it is acceptable to send the data via email, as long as the file has been password protected and the password sent in a separate email from the data.
  • Where it is necessary for business purposes to transfer personal data on a USB, it must be held on an encrypted USB which has been supplied by IT. The encrypted USB will be password protected; the password must not be shared with individuals other than the intended recipient of the data.
  • Personal data must not be held on CDs or any forms of portable data storage other than an encrypted USB

3.2.2 Green data (see section 3.1.1 above)

  • Consideration should be given to any sensitivity in the data and what the recipient might think or expect, and password protection of this data should be considered if it is felt to be appropriate.

Sensitive Personal Data

3.3.1 Sensitive personal data

Relates to racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or condition, sexual life, commission or alleged commission of any offence, proceedings for any offence

To process sensitive personal data lawfully:

  • We must have explicit opted-in consent from the data subject, or
  • The processing must relate to: employment law; the vital interests of the data subjects; a non-profit association; legal claims; the justice system; statutory or crown requirements; medical purposes; ethnic monitoring

3.3.2 Security

  • Sensitive personal data should always be held in password protected files and treated as Red Data (see sections 3.1.1 and 3.1.2)
  • A list of authorised users of the sensitive personal data should be drawn up at the start of processing of the data. Only names on this list will have access to the sensitive data

Deletion of Data

  • Personal data must be securely disposed of when it is no longer required. Client services should agree a timeframe for deletion of personal data with their clients

  • The CCleaner utility has been installed on all PCs. This will securely wipe all disks of the residue of deleted files on a daily basis. Staff must not disable CCleaner.
  • Mac users must delete files containing personal data using Secure Empty Trash. This will be your responsibility to carry out.
  • Where personal data has been stored or processed on a USB stick, the USB should be reformatted once the personal data is no longer required.
  • Decommissioned and non-functioning computers will be securely disposed of in a way which will prevent unauthorised access to personal data.
  • Where personal data exists in non-electronic formats (such as live proofs which have a customer’s name and address printed on them), these should be shredded when no longer required.

Use of Personal Devices

  • The use of personal smartphones, tablets and other devices for work purposes creates a significant number of complex problems in terms of data compliance and the security of agency and client confidential material.
  • In light of this, the company policy is that personal devices must not be used for work purposes.
  • This restriction excludes accessing work email accounts on a personal smartphone or tablet; however, if you install your work email account on a personal device, we will expect you to use a passcode on your device to prevent unauthorised access.
  • The company issues mobile phones, tablets and of course computers to those staff who require them.
  • Personal devices must not be physically connected to company computing devices or networks. This includes plugging phones, tablets or music players into devices in order to charge them or sync with software such as iTunes.
  • Where a member of staff works at home on their own home personal computer or laptop, and where the work involves the processing of personal data and/or company confidential material, this data or material must be stored on an IT-supplied encrypted USB.

3.6 Company-issued smartphones, tablets and other mobile devices

  • All company-issued smartphones, tablets and other mobile devices used to store or process personal data for work purposes must be passcode protected.
  • Whilst the company does not prevent users from downloading and installing apps on their company-issued smartphones, tablets and other devices, these should only be from reputable sources. If you have any doubts as to the source or security of an app, speak to IT to have it checked out.
  • Users of company-issued smartphones, tablets and other devices must install all software updates or patches to their devices as soon as they are prompted to. Users must not jailbreak their devices or take any actions which could compromise the security of their devices.


Personal Dropbox accounts (and similar other technologies for cloud-based file sharing) must not be installed on company devices or used for company purposes, nor must clients’ personal Dropbox accounts be used to access external files or data.

Marketing and Compliance

4.1. Obtaining consent for processing of personal data for marketing purposes
When obtaining consent, we must state who is collecting the personal data, what data will be collected, and the use which will be made of that data.
Where we intend to pass personal data to a third party, consent for that transfer must also be obtained. Please refer to Data Compliance Guidance: Consent for Marketing (Room 101/Data Compliance) for detail on the mechanics of obtaining consent for marketing.

4.2. Relevance

Once we have consent, we should only contact people in relation to the products and services for which we obtained that consent. We cannot contact them for something completely different without obtaining a new consent.
We also must only collect data which is relevant to our communications objectives, and not collect excessive data in the hope that we might find a use for it in the future.

4.3. Cookies
Informed consent must be obtained for every cookie which is placed on an individual’s device, apart from strictly necessary cookies.
Please refer to Data Compliance Guidance: Consent for Cookies (Room 101/Data Compliance) for detail on obtaining consent for using cookies.

4.4 Data Quality and Retention
It is a requirement of the data protection act that personal data is clean and up to date, and that personal data is not kept longer than necessary.

4.4.1 Data Cleansing
This requires us to screen data against external sources before using it (where possible) in order to suppress data which is no longer valid.
Following any marketing communication, we are likely to receive requests to unsubscribe or be removed from future communications.
These must be actioned within specific timescales, and where the data in question came from a client or from a third party such as a list broker, those requests should be securely transferred to that organisation.

4.4.2 Retention
Where we manage and/or process personal data for a client, we should agree with the client parameters for the return or secure deletion of that data, so that data is not held longer than necessary.

4.4.3 Please refer to Data Compliance Guidance: Data Quality and Retention (Room 101/Data Compliance) for detail on data cleansing, suppression and retention.

Data Subject Access Requests

Data subjects have the right under the data protection act to make a Subject Access Request (SAR). This gives them the right to see what personal data a company is holding and processing in relation to that individual data subject.

This request can come from members of the public or current or former employees of an organisation. Typically they will be requesting to see data held about themselves.

Once a SAR has been received, the organisation has 40 days to respond.
SARs received by the agency will typically relate to our clients. It is therefore essential that we recognise them immediately so that we can take action.

Any member of staff who realises that they have received a SAR should inform a compliance officer immediately; the compliance officer will then take responsibility for dealing with the SAR.

Transfer and processing of data outside of the European Economic Area (EEA)

The EEA is defined as the countries of the European Union, plus Iceland, Liechtenstein and Norway.
Very specific rules apply to transfer of data outside the EEA. If such a transfer is needed, speak to the compliance officer to establish how to approach this.

Staff Training

As part of the security requirements of the data protection act, the agency will train all staff appropriately in data compliance. Initial training forms part of staff induction.

Staff are required to be familiar with the contents of this document, and act in compliance with it.

Refresher staff training will be carried out on an appropriate basis.

Breaches of policy

Any member of staff who identifies a breach of data compliance policy which results in the loss, accidental disclosure, or incorrect or inaccurate processing of personal data must notify the compliance officer immediately.

The compliance officer will maintain a register of all notifiable breaches. The compliance officer will involve other members of staff as required in dealing with the breach.

The compliance officer will, in conjunction with the board of directors as necessary, decide on any further appropriate courses of action to be taken in relation to each breach.

Where the breach in data compliance policy has arisen from behaviour by a member of staff who has not acted in accordance with this policy, then that member of staff could be subject to disciplinary action, up to and including termination of employment.

In certain circumstances, depending on the severity of the breach, the Information Commissioner’s Office has the power to fine the agency, or prosecute directors and individual members of staff.