Privacy Policy

Deciduous Partners Ltd – Privacy Policy

V1.2 August 2018

 

Deciduous Partners Ltd is a privately-owned management consultancy practice based in the England, operating in the UK and sometimes further afield. Because we provide a variety of services to support clients across sectors our privacy policy encompasses our activities as both a Data Controller and as a Data Processor, or sub-processor.

The nature of the client engagements that we handle means that we are often in receipt of confidential personal and commercial information. This data is as important to us as it is to our clients, their customers, partners and staff.

We take strict measures to ensure that all the information that we are privileged and trusted to access are controlled in a secure and sensitive manner. We recognise the risks to individuals and organisations relating to their data. The threat from malicious activity and accidental disclosure grows on a daily basis. We operate in compliance with the EU General Data Protection Regulation and the UK Data Protection Act 2018, which have together strengthened the rights and freedoms of individuals in relation to their personal data.

Who we are: Deciduous Partners Ltd,

Our registered address is: Willand Barns, Millham Lane, Polscoe, Lostwithiel, Cornwall, PL22 0JA.

We are a limited company registered in the UK, company number 08445999.

We are registered as a Data Controller with the Information Commissioner’s Office, registration number ZA235910.

As a Data Controller, we determine what data is collected, how this data is going to be used and how this data is protected. For example, we handle the personal information of our staff and associates (including emergency contact details), in accordance with their employment contracts, employment law, health and safety and other regulatory requirements. On occasions, particularly collaborative projects, programmes and initiatives, we act as Joint Controllers (deciding together with another party, the purpose and manner in which personal data is collected), or Controllers in Common where we agree with the relevant parties to share pools of data which has been collected and processed independently, but ony where there is a lawful basis for doing so.

As a Data Processor, we may undertake the processing of personal data whereby our clients are identifiable as the Data Controller. Acting strictly under their direct instructions we may be requested to process a wide range of personal information, including that which may be classified as sensitive personal information. This personal information may be relating to their staff, suppliers, customers and others relevant to the particular efforts we are involved in undertaking.

As a Sub-Processor, we operate on the instructions provided to us by a Data Processor acting on behalf of a Data Controller. We obtain agreements with both the Processor and the Controller prior to any activities involving personal data, and agree to cease any processing such activities upon further instruction or the premature termination or expiry of any particular agreement which we have entered into.

Because of the high level of trust that our clients place in us, and the diversity of the information that we process we do not specify in this privacy policy the extent of the personal information that we obtain and process.

Where we are the Data Controller we usually obtain personal information directly from individuals or their direct associates.

  1. Via formal and informal face-to-face meetings, personal contact and the exchange of personal information such as names, telephone and mobile phone numbers, mail addresses, work or home addresses and other information such as business cards, websites, or social media profiles.
  2. Via information you provide when contacting us to make enquiries about our services and products in person, by telephone, post, email, our website or by any other means.
  3. Upon recommendation by a mutually known third party who feels there may be a benefit to either you or us in further discussions with a view to entering into a potential contract.

Our processing of information involves, the collection, manipulation, transmission, storage and ultimately the destruction of personal data:

Prior to collection, we endeavour to undertake Privacy Impact Assessments and appropriate Legitimate Interest Assessments to determine the potential risks of collecting and processing the information in the way it intended, and to ensure that the rights and freedoms of individuals are not adversely affected as a result of the activities expected during the data lifecycle under our (or our partners) custody.

Collection: As stated above may be undertaken directly or indirectly. Whenever personal information is collected, individuals are informed prior to collection via a relevant Data Privacy Notice, the specific  data which is to be collected, the purpose(s) for which it will be used, the legal basis for the collecting it, how it will be used, any third parties with whom it will be shared, how long their data will be retained, and how it will be disposed of when it is no longer required.

Manipulation or processing: Our methods of utilising individual’s data depends on the purpose for which it is collected, we use a variety of secure databases, spreadsheets, contact lists, and occasionally paper records. This may be

Transmission: whenever it is necessary for us to transmit information including personal data we ensure that all communications are encrypted. Once transmission has occurred and the data is in the possession of a third party, those third parties are required by means of a written agreement to process the information provided in accordance with strict secure methods.

Storage: Our infrastructure is secured. Wherever data is stored it protected by means of strong encryption, using access controls to prevent unauthorised access. Whether information is retained in the cloud, on site, on fixed or mobile devices such as laptops, tablets or mobile phones we use device level security features. For all data collected and stored we specify retention periods in accordance with business need taking legal and regulatory requirements into consideration.

Destruction and Disposal: It is fundamental to our operations that once personal and other secret information has reached the end of its useful life, dictated by related Privacy Impact Assessments, and Retention Policies, that it is securely destroyed, or (if kept for purposes of retrospective and historical analysis) anonymised or pseudonymised to prevent the re-identification of any individual. Paper records are generally destroyed by us using cross-cut shredders or contracted third parties where a certificate of destruction may be obtained, waste materials are then recycled in accordance with our environmental policy. Digitally stored data reaching expiry is erased from all known storage media including back-up locations.

Your rights as an individual: As specified in both the EU General Data Protection Regulation, and the UK Data Protection Act 2018, every individual who is a citizen of the EU, or the UK has the following data subject rights. We expect all our staff and third parties with whom we work to honour these rights and to be aware of them at all times.

The right to be informed:

We must inform you if we intend to use or are using your personal data. Usually this is done before we collect your information, but if we have obtained your information from a source other than directly from you, we must do this within 30 days of coming into possession of your data.

The right to access:

You have the right to obtain copies of the information we hold about you. The easiest way to do this is to email datapro@deciduouspartners.co.uk we will respond to your request within the 30 days currently required by law.

The right to rectification:

You may ask us to change or update the information we hold about you if you identify any inaccuracies in the records we hold.

The right to restrict processing:

You may request that we limit the ways in which we use your personal data.

The right to data portability:

You may ask us to provide your data to you in an accessible format, for example a document or csv file. If it is technically feasible you may also ask us to transfer your information directly to another organisation.

The right to be forgotten:

If you choose to, you may request that the data we hold about you is removed from our records entirely. (Provided that we are under no overriding legal obligation to retain this information, for example financial or health and safety records).

The right to request human intervention in automated decision making:

You may request this, however at present Deciduous Partners Ltd does not utilise any automated decision-making processes.

The right to complain:

You have the right to raise a complaint if you are concerned about the way in which we have used your data. If we are acting as a Data Processor or Sub Processor, we reserve the right to escalate your complaint to these other parties in order to address your concerns fairly. If following our investigations you decide that we have failed to address your concerns satisfactorily, you may raise this to the Information Commissioner’s Office who will investigate your complaint further on your behalf. They may be contacted via the contact details available on their website www.ico.org.uk

We do hope that you will be confident in our dedication to handling your information securely, sensitively and appropriately in a fair and open manner. We are proactive in responding to any request relating to your personal information that we hold.