This document sets out in detail the policy of Insolvency Support Services Ltd (“the Company”) on the protection of information relating to business contacts (“contacts”) and customers of our compliance training and related services (“customers”). Protecting the confidentiality and integrity of personal data is a critical responsibility that the Company takes seriously at all times. The Company will ensure that data is always processed fairly, in accordance with the provisions of relevant data protection legislation, including the General Data Protection Regulation (GDPR) and Data Protection Act 2018.
Data processing is any activity that involves the use of personal data. It includes obtaining, recording or holding information, or carrying out any operation or set of operations, including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring personal data to third parties.
Personal data is any information by which a living person to whom the data relates can be identified. Personal data can be factual (for example, a name, email address, location or date of birth) or an opinion about that person’s actions or behaviour, such as a disciplinary record. There are also “special categories” of more sensitive personal data which require a higher level of protection.
The Company necessarily collects personal data about its business contacts and customers and this Privacy Notice explains how we treat that personal data and your rights in relation to it.
This document is the Company’s Business Contacts and Customers Privacy Notice; it explains your rights in detail. This notice, together with the information contained in the Data Processing Register, sets out the information the Company holds about such contacts and customers, the purpose for which this data is held and the lawful basis on which it is held. The Company may process personal information without the client’s knowledge or consent, in compliance with this policy, where this is required or permitted by law.
The Business Contacts and Customers Privacy Notice and the Data Processing Register will be made available by way of a link contained within our first communication with the client. If the purpose for processing any piece of data about the contact/customer should change, the Company will update the Business Contacts and Customers Privacy Notice and Data Processing Register with the new purpose(s) and the lawful basis for processing the data and will notify the contact/customer by email.
FAIR PROCESSING PRINCIPLES
In processing contacts’/customers’ personal data, the following principles will be adhered to. Personal data will be:
- Used lawfully, fairly and in a transparent way;
- Collected only for valid purposes that are clearly explained and not used in any way that is incompatible with those purposes;
- Relevant to specific purposes and limited only to those purposes;
- Accurate and kept up to date;
- Kept only as long as necessary for the specified purposes; and
- Kept securely.
COLLECTION AND RETENTION OF DATA
How is your personal information collected?
The Company will collect personal information about contacts/customers through the provision of training, compliance and related services and business networking activities and sign-ups to our information services, directly from the contacts/customers themselves. Additionally, we may sometimes access contact information that is in the public domain, such as on a potential customer’s website or other publicly accessible source (e.g. the Insolvency Service or AiB or R3 website).
We do not purchase lists of information from third parties.
What information is collected about you?
We may collect, store, and use the following categories of personal information about you:
- Personal contact details such as name, job title, business addresses, telephone numbers, and email address;
- ISS courses and training events you have attended;
- Examination results (where examination training has been provided by us);
- On-site training and compliance service visits in which you have participated.
How is information about you used?
Personal information will only be processed when there is a lawful basis for doing so. Most commonly, the Company will use personal information in the following circumstances:
- to fulfil any contractual obligations we have to you or your company;
- to ask for your feedback on a product or service we have provided to you;
- to provide you with information about our other relevant products and services.
A list of each category of personal data we hold and the lawful basis we believe the Company to have for processing it may be found in the Data Processing Register.
The situations in which we envisage using your personal information are as follows:
- to liaise with you about your attendance at a course or event, such as by providing joining instructions or a feedback request;
- to liaise with you about internal training or on-site compliance work;
- to ask if you are interested in a future product or service.
Change of purpose
Information provided by you or collected from third parties will only be used for the purpose for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
Please note that we may process your personal information without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Special categories (sensitive) personal data
Some categories of personal data are considered by law to be particularly sensitive and are therefore classed as “special categories” of personal data. These relate to a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data. This type of data is afforded additional protection.
We do not generally anticipate holding special category data in respect of contacts/customers, unless they have requested particular adjustments to meet a disability requirement. In such circumstances, this information is only processed in accordance with our Special Category Data Policy.
How long is information about you kept?
The Company will only retain contacts’/customers’ personal information for as long as necessary to fulfil the purposes it was collected for, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements. Details of retention periods for different aspects of personal information are set out in the Data Processing Register and Data Retention and Destruction of Records Policy.
Where we have provided you with a product or service, we will retain a record of the service we provided to you for 5 years. We consider this to be consistent with our contractual obligations.
Where you are a business contact or potential customer of the Company, we will retain your basic contact information until such time as you ask us to erase it, which will occur promptly upon receipt of an erasure request.
Consent to data processing
Where you have signed up to our information services, you have consented to us contacting you for this purpose. All of our mailings contain the ability for you to amend your preferences or unsubscribe from future mailings.
DATA SECURITY AND SHARING
The Company has put in place appropriate security measures to prevent personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Details of these measures are contained in our Confidentiality and Data Security Policy.
The Company requires third parties to respect the security of personal data and to treat it in accordance with the law. Personal data about contacts/customers will only be shared to the extent it is lawful and necessary. Typically, this will be with our sole appointed marketing agency.
Occasionally, we may share your personal information with other third parties, for example in the context of the possible sale or restructuring of the business. We may also need to share your personal information with a regulator or to otherwise comply with the law.
Transfer of data outside the EU
We do not anticipate the transfer of your data outside the EU. The Company holds personal data in its physical files and on its internal servers, which are located at the Company’s registered office. Our servers are subject to off-site backup to a cloud service provider which is based within the EEA (in the Republic of Ireland). You will be notified in the event the Company intends to transfer your data outside of the EU.
CONTACTS’ AND CUSTOMERS’ RIGHTS
Accuracy of data
The Company will conduct regular reviews of the information held by it to ensure the relevancy of the information it holds. Contacts/customers are invited to inform the Company of any changes to their contact details.
Should you wish to request access, erasure, restriction to processing, transfer or otherwise object to our processing of your personal data, please contact us at firstname.lastname@example.org.
Accessing the information we hold
Contacts/customers will not normally have to pay a fee to access personal information (or to exercise any of the other rights). However, the Company may charge a reasonable fee if the request for access is clearly unfounded or excessive. Alternatively, the Company may refuse to comply with the request in such circumstances.
The Company may need to request specific information from the Client to help confirm their identity and ensure the right to access the information (or to exercise any of the other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
COMPLIANCE WITH DATA PROTECTION
The Company’s responsibility for compliance
Given the size of the Company, it has not been deemed necessary to formally appoint a Data Protection Officer. Oversight of data privacy throughout the Company and its operations rests collectively with our Directors.
Contacts/customers have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.
Data security breaches
The Company has put in place procedures to deal with any data security breach and will notify contacts/customers and any applicable regulator of a suspected breach where legally required to do so. Details of these measures are contained in the Company’s Data Breach Policy.
In certain circumstances, the Company will be required to notify regulators of a data security breach within 72 hours of the breach.
Privacy by design
The Company will have regard to the principles of this policy and relevant legislation when designing or implementing new systems or processes (known as “privacy by design”). The importance of data privacy has already been reflected and incorporated into all of our policies, processes and notices, including those in respect of:
- Confidentiality and Data Security Policy
- Data Breach Policy
- Data Retention and Destruction of Records Policy
- Data Subject Access Policy
- Data Protection in Formal Appointments Policy
- Privacy Notices
- Special Category Data Policy
- Supplier Oversight Policy
- Vulnerable Customers Policy
CHANGES TO THIS PRIVACY NOTICE
The Company reserves the right to update this privacy notice at any time, and we will provide you with access to a new privacy notice when we make any substantial updates.