Data Protection Policy

Contents
1. Introduction & Policy statement
1.1. Definitions
1.2. Responsibilities
1.3. Data Protection Principles
1.4. Notifying Data Subjects
1.5. Data Security
1.6. Data Retention & Destruction
1.7. Data Protection by Design and Default
1.8. Data Processing Obligations
1.9. Accountability
1.10. Risk Management
1.11. Data Subject Rights
1.12. Protection of Personal Data
1.13. International Data Transfers
1.14. Implementation & Policy Management
1.15. More information

If you have any queries regarding IIPCIC’s data protection policies please contact: gdpr@investorsinpeople.com.

1. Introduction & Policy statement

Introduction

This Data Protection Policy (this “policy”) sets out the obligations of Investors in People Community Interest Company (“IIPCIC”, “Investors in People”, “we”, ”us”, ”our”) regarding data protection and the rights of individuals whose Personal Data we collect, use and process in the course of our business activities.

This policy applies to all IIPCIC employees, workers and contractors (“personnel”, “you”, “your”). You compliance with this policy is mandatory. Any breach of this policy and our other data protection policies/procedures may result in disciplinary action, up to and including termination for serious offences.

This policy has been prepared with due regard to the data protection laws applicable to IIPCIC and our Personal Data Processing activities. These Data Protection Laws include the UK General Data Protection Regulation (“UK GDPR”) and the EU General Data Protection Regulation (“EU GDPR” ‐ EU Regulation 2016/679) (whichever is applicable) and the Data Protection Act 2018 (“DPA 2018”), (collectively referred to as the “Data Protection Law”).

This policy should be read together with the following related documents:

1. IIPCIC Data Protection by Design & Default Policy
2. IIPCIC Personal Data Retention and Destruction Policy
3. IIPCIC IT Policy
4. IIPCIC Data Subject Rights Procedure
5. IIPCIC Personal Data Breach Procedure
6. IIPCIC DPIA Procedure
7. IIPCIC Data Protection Monitoring Framework Guidance

 

Policy Statement

IIPCIC places high importance on respecting the privacy and protecting the Personal Data of individuals with whom we work including our clients, end customers and employees. We are committed to the fair, lawful and transparent handling of Personal Data and to facilitating the rights of individuals. Our policy is to comply not only to the letter of the law, but also to the spirit of the law.

This policy applies to all Personal Data processed by IIPCIC whether held in electronic form or in physical records, and regardless of the media on which that data is stored. It applies to Personal Data we process as a Data Controller and as a Data Processor.

IIPCIC is registered as a Data Controller with the Information Commissioner’s Office, registration reference: ZA286529

1.1. Definitions
The following definitions apply across all IIPCIC data protection policies, procedures and supporting documents:

 

Term	Description:
Accountability	A duty to answer to the success or failure of strategies, decisions, practices and processes.
Criminal Information	Personal Data relating to criminal convictions and offences, including Personal Data relating to criminal allegations and proceedings.
Data Controller	A person, entity or organisation that determines the purposes and means of processing Personal Data.
DPA 2018	Data Protection Act 2018
Data Protection Officer	The Data Protection Officer is responsible for overseeing data protection strategy and implementation to ensure compliance with Data Protection Law.
Data Protection Law	UK GDPR and the EU General Data Protection Regulation (“EU GDPR” ‐ EU Regulation 2016/679) (whichever is applicable) and the Data Protection Act 2018 (“DPA 2018”).
Data Processor	A person, entity or organisation that processes Personal Data on behalf of a Data Controller.
Data Subject	Any natural person (individual) whose Personal Data is being processed.
Data Protection Impact Assessment (DPIA)	A DPIA is designed to help an organisation assess the risks associated with data processing activities that could compromise the rights and freedoms of individuals. It can be used to identify and mitigate risk associated with a product, service, business process or other organisational change.
EU GDPR	EU Regulation 2016/679 General Data Protection Regulation
Legitimate Interest Assessment (LIA)	Determines if individual’s Personal Data is being used in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
Personal Data	Any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Processing	Any operation or set of operations that is performed on Personal Data, such as collection, recording, organising, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, combination, restriction or erasure.
Information Commissioner’s Office (ICO)	An independent public body established in the UK responsible for monitoring the application of the UK GDPR, Data Protection Act 2018 and the Privacy & Electronic Communications Regulations.
Sensitive Personal Data	Special Category Data and Personal Data relating to criminal convictions and offences.
Special Category Data	Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data, biometric data (where used to identify a data subject), data concerning health and data concerning a natural person’s sex life or sexual orientation.
UK GDPR	has the meaning given to it in section 3(10) (as supplemented by section 205(4)) of the Data Protection Act 2018

 

1.2. Responsibilities
Key data protection responsibilities within IIPCIC are as follows:

1. the IIPCIC Board is accountable for ensuring we meet our data protection obligations;
2. the Director of Finance and Business Services is responsible for implementing and enforcing this policy;
3. the Executive Team are responsible for ensuring that personnel under their management are made aware of adhere and to this policy;
4. all personnel working with Personal Data over which they have decision making authority are responsible for ensuring it is kept securely, is accessible only to those who need to use it and is not disclosed to any third party without the authorisation of a member of the Board; and
5. all personnel are required to read, understand, and adhere to this policy when processing Personal Data on our behalf.

 

You should speak with Business Operations Manager to ask a question, or raise a concern, relating to this policy or data protection.

1.3. Data Protection Principles
The following Data Protection Principles shall govern the collection, use retention, transfer, disclosure and destruction of Personal Data by IIPCIC:

a) Personal Data must be processed fairly, lawfully and in a transparent manner, in relation to the Data Subject.
b) Personal Data must be collected and processed for specified, explicit and legitimate purposes only.
c) Personal Data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
d) Personal Data must be accurate and kept up to date.
e) Personal Data which permits identification of Data Subjects (i.e. not anonymised) must be kept in a form which permits identification of data subjects for no longer than is necessary.
f) Processed in a manner that ensures appropriate security including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

 

1.4. Notifying Data Subjects
All Personal Data breaches must be reported immediately to the Finance Manager and must be added to the register of Personal Data breaches.

IIPCIC as a Data Controller
a) Where IIPCIC is the Data Controller, unless a Personal Data breach occurs which is unlikely to result in a risk to the rights and freedoms of Data Subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the relevant supervisory authority must be notified of the breach without delay, and in any event, within 72 hours after having become aware of it, if this is feasible. If the notification is not made within 72 hours, it should be made as soon as possible, together with reasons for the delay. The Information Commissioner’s Office (ICO) is the supervisory authority in the UK.
b) In the event that a Personal Data breach is likely to result in a high risk (that is, a higher risk than that described immediately above) to the rights and freedoms of Data Subjects, all affected Data Subjects are to be informed of the breach directly and without undue delay.

Irrespective of whether IIPCIC is a Data Processor or a Data Controller, all data breach notifications must be handled strictly in accordance with the IIPCIC Personal Data Breach Procedure and be added to the IIPCIC Personal Data Breach Register which are located on Sharepoint.

1.5. Data Security
We have put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction.

IIPCIC currently holds the Cyber Essentials Plus certification.

Security procedures include:

• Building entry controls. We work in a government secured building where only people with valid photo identification can enter and all entry and exit points to the building are manned by security personnel.
• Doors on each floor are electronically locked. Electronic access control cards are required to enter the floor. Staff only have access to the floor/Department in which they work.
• Becrypt security is on all staff laptops to prevent unauthorised log‐in.
• All IIPCIC staff must adhere to our internal IIPCIC staff data protection guidance policy – see s1.4 for a summary of staff responsibilities.

 

File storage: System security protocols

All personal data stored on the following are on servers located within the European Economic Area (EEA):

File storage: IIPCIC uses Slack, Zendesk and Microsoft Office 365:

• For Slack security protocols please see: https://get.slack.help/hc/en‐us/articles/202014843‐Slack‐data‐security‐and‐privacy‐policies
• For Zendesk security protocols please see: https://www.zendesk.com/company/customers‐partners/privacy‐and‐data‐
  protection/
• For Microsoft Office 365 see: https://support.office.com/en‐us/article/overview‐of‐security‐and‐compliance‐in‐office‐ 365‐dcb83b2c‐ac66‐4ced‐925d‐50eb9698a0b2

 

We Invest in People Online Survey
Survey data, including personal data, is stored securely within Amazon Web Services (AWS). The entire data application (instances, databases, snapshots, backups) is stored within the EU‐West‐1
(Dublin) data centres, and so adheres to EU controls limiting storage within the EEA. Direct access to the data (databases, snapshots) is limited to senior database architects using asymmetric key‐based authentication, and further secured with strict ACLs requiring access through secure Cisco VPNs.

For further information on AWS security, including physical access control, auto‐replication (redundancy), hypervisor security, and power/infrastructure redundancy, please see: https://aws.amazon.com/compliance/

Application passwords are managed using Drupal ‐ passwords are salted and re‐hashed multiple times. Plain‐text passwords are never stored in the database. Brute‐force attacks are mitigated by auto‐blocking login attempts after five failed attempts. Once logged‐in, the system supports full RBAC, with minimum‐granted permissions (user permissions are granted only when needed for a user account, rather than granting system‐wide access).

All communications with the site are via HTTPS, using HSTS and modern cipher suites (TLS1.0+).

Ciphers are reviewed regularly to ensure security compliance.

We Invest in Wellbeing Online Survey
This survey runs on dedicated resources and does not use Cloud based infrastructure. Its servers are located in the UK and it has a full support and security contract in place with its data centre provider covering firewalls, vulnerability scanning and intrusion detection. This also covers full infrastructure, platform, operating system and data support.

The data centre has a 24/7 on‐site security presence with internal CC‐TV monitoring. In addition, there are comprehensive security procedures in place including proximity access control and access to the data centre is restricted to a small number of data centre staff.

To cater for power outages, as well as a short‐term uninterruptible power supply, the facility has multiple generators in place with a minimum of 96 hours of fuel on site. Firewalls are actively monitored and there are regular vulnerability scans. The intrusion detection systems run in real‐ time.

Security policies only allow senior technical staff and server administrators to gain access to any sensitive data and all login attempts are recorded. Offsite backups are encrypted before transmission and stored in a secure area on site only accessible by senior staff.

All sensitive data such as passwords are stored in an encrypted format and this data is passed over secure SSL connections. Dependent on the level of subscription it can also pass all data including survey responses over SSL channels.

Regular automated scans of the server, software and application are run, and enhancements applied where appropriate.

Investors in People CRM
The Investors in People CRM is a web‐based application and follows the AWS security and storage controls as detailed in 1.3.3 above. The following data is held on the Investors in People CRM:

• Organisation name, address, telephone number(s) and generic email address.
• Client contacts names, email address(es), job title and phone number(s) of those who are working with Investors in People on an assessment or who have requested further information about Investors in People products and services.
• Dates to manage the organisation accreditation period including accreditation start date, end date and review dates.
• Other demographic information about Investors in People accredited organisations including sector (SIC code), size (number of employees) and industry sector (public, private, voluntary).

 

1.6. Data Retention & Destruction
We will not keep personal data longer than is necessary for the purpose or purposes for which they were collected. We will take all reasonable steps to safely and securely destroy or erase all personal data which is no longer required. This will vary dependent on what data has been collected and for what purpose. Please see our Website Privacy Notice and Client Privacy Notice for the various ways we process data.

1.7. Data Protection by Design and Default
IIPCIC shall ensure that the risks to rights and freedoms of Data Subjects associated with processing are key considerations when:

1. Designing, implementing and during the life of business practices and processes that involve the processing of personal data (“processing activities”); and
2. Developing, designing, selecting, procuring, and using applications, services, products and other IT systems and technologies for collecting, holding, sharing, accessing, and otherwise processing personal data (“processing systems”).

 

This risk led approach to processing activities and processing systems shall apply throughout the full lifecycle of the processing, from initial planning and setting of specifications, during use of processing systems, through to disposal of the personal data. It shall take into account both the likelihood and the severity of the potential harm to the rights and freedoms of Data Subjects.

Where the risk to rights and freedoms of Data Subjects is likely to be high, or where otherwise required by law or the relevant supervisory authority, a DPIA shall be performed in accordance with our DPIA procedure.

Safeguards and preventive measures shall be implemented into processing activities and processing systems from the outset and throughout the processing lifecycle, to mitigate the risks to data subjects and protect their rights. These safeguards and measures shall be proportionate to the risks and include organisational (e.g. policy, awareness, governance, and assurance) as well as technical measures (e.g. pseudonymisation). The objectives of such safeguards and measures shall include:

1. 1. data minimisation
   2. limiting the extent of the processing, storage, and access to what is strictly necessary
   3. ensuring transparency for data subjects regarding the processing activities; and
   4. ensuring the security of the personal data.

 

1.8. Data Processing Obligations

IIPCIC as a Data Controller

1. Where IIPCIC is the Data Controller, Data Subjects must be provided with information notifying them of the purposes for which IIPCIC will process their Personal Data (a “privacy notice”). When Personal Data is obtained directly, the privacy notice shall be provided to the Data Subject at the time of collection. When Personal Data is obtained indirectly, the privacy notice shall be provided to the Data Subject as soon as possible (and not more than one calendar month) after it is obtained from a third party. The privacy notice must explain what processing will occur and must also include the information set out at Schedule 1.
2. Use of the Personal Data by IIPCIC must match the description given in the privacy notice and be limited to what is necessary for the specific purposes stated. Where our lawful basis for processing is based on our legitimate interests, we may only process the Personal Data if our legitimate interests are not outweighed by the interests, rights and freedoms of the Data Subjects in question. A legitimate interests assessment must be performed to confirm this.
3. We must not collect or process any more Personal Data than is strictly necessary for the purposes of the processing (“data minimisation”), as set out in our privacy notice, and must ensure that data minimisation continues to be applied throughout the lifetime of the processing activities.
4. Personal Data must be kept accurate and up to date. The accuracy of Personal Data must be checked when it is collected and at regular intervals thereafter. Where any inaccurate or out‐of date data is found, all reasonable steps are to be taken without delay to amend or erase that data, as appropriate. Personal Data must not be kept for any longer than is necessary for the purpose for which that data was originally collected and processed. When the data is no longer required, all reasonable steps must be taken to securely erase or dispose of it without delay, as set out at Section 12 of this policy.
5. Personal Data must be kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction or damage.

 

1.9. Accountability
Only those personnel that need access to, and use of, Personal Data to carry out their assigned duties correctly will be permitted access to Personal Data we hold. All personnel handling Personal Data on behalf of IIPCIC must be:

• made fully aware of both their individual responsibilities and IIPCIC’s responsibilities under this policy and applicable law, and be provided with a copy of this policy;
• appropriately trained to do so and suitably supervised, with training to be provided upon starting with IIPCIC and refresher training to be provided at least annually; and
• bound to handle the Personal Data in accordance with this policy and the law by contract.
• The methods of collecting, holding and processing Personal Data by personnel, or other parties working on our behalf, are to be regularly evaluated and reviewed by the Head of Finance and Business Services.

 

All consultants, agencies and other parties working on our behalf and handling Personal Data must ensure that all of their employees who are involved in the processing of Personal Data are held to the same obligations as applicable to IIPCIC personnel arising out of this policy.

When using a Data Processor (or, where permitted, a sub‐Data Processor), a binding contract must be implemented between IIPCIC and the Data Processor setting out the subject matter and duration of the processing; the nature and purpose of the processing; the type of Personal Data and categories of Data Subject; and the obligations and rights of the controller. Processor contracts must also include the terms set out at Schedule 2.

IIPCIC will keep written internal records of processing activities in respect of all Personal Data collection, holding, and processing (“RoPA”). Where IIPCIC is a Data Processor, we will keep a Data
Processor RoPA and where we are the Data Controller, we will keep a Data Controller RoPA.

Data Controller RoPA
Where IIPCIC is the Data Controller, the RoPA will incorporate the following information:

• the name and contact details of the Data Controller, its point of contact for data related concerns] and any joint controllers;
• the purposes for which we process Personal Data;
• details of the categories of Personal Data collected, held, and processed by us; and the categories of Data Subject to which that Personal Data relates;
• details (and categories) of any third parties that will receive Personal Data from us;
• details of any transfers of Personal Data to countries outside the UK or European Economic Area (“EEA”) including all mechanisms and security safeguards;
• the envisaged retention periods for the different categories of Personal Data; and
• descriptions of the technical and organisational measures we have implemented to ensure the security of Personal Data.

 

1.10. Risk Management
IIPCIC will monitor the risks to Data Subjects associated with all existing and planned Personal Data processing activities and implement appropriate technical and organisational measures to safeguard Data Subjects and ensure the data protection principles set out in this policy are met. This risk led approach to data protection will be applied across all IIPCIC business activities to ensure data protection by design and by default, as set out in the IIPCIC Data Protection by Design & DPIA Policy.

Where the risks to rights and freedoms of Data Subjects associated with any existing or planned Personal Data processing to be carried out by IIPCIC are potentially high or where otherwise required by applicable law or a supervisory authority in country or territory in which we operate, IIPCIC will carry out a Data Protection Impact Assessment (“DPIA”). All DPIAs are to be undertaken as set out in the IIPCIC Data Protection by Design & DPIA Policy. A record of DPIAs shall be kept, to include details of the outcome, the names of the parties signing off the DPIA recommendations and the date of next review.

Where a Data Controller carries out a DPIA in relation to a processing activity in which IIPCIC is a Data Processor, we will provide all information and assistance to the Data Controller as is reasonably required for the purpose of the DPIA.

1.11. Data Subject Rights
Data subjects have the following rights regarding Personal Data processing and the data that is collected and held about them:

• the right to be informed;
• the right of access;
• the right to rectification;
• the right to erasure (also known as the ‘right to be forgotten’);
• the right to restrict processing;
• the right to data portability;
• the right to object;
• rights with respect to automated decision‐making and profiling.

 

Requests by Data Subjects to exercise their rights must be facilitated as set out in the IIPCIC Data Subject Rights Procedure and the IIPCIC Subject Access Request Policy.

Where IIPCIC is the Data Controller, we are responsible for facilitating Data Subjects’ rights. Where we are a Data Processor, we must assist the Data Controller to facilitate Data Subjects’ right as
appropriate.

1.12. Protection of Personal Data
All personnel must comply with the following when working with Personal Data:

• Personal Data must be handled with care at all times and must not be shared with any colleague, who does not have access to it, or with any third party without authorisation;
• physical records must not be left unattended or on view to unauthorised employees, agents, contractors or other parties at any time and must not be removed from the business premises without authorisation
• if Personal Data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it;
• all physical copies of Personal Data, along with any electronic copies stored on physical, removable media should be stored securely in a locked filing cabinet, drawer, box or similar;
• all electronic copies of Personal Data are to be stored securely using passwords which are changed regularly, and which do not use words or phrases that can be easily guessed or otherwise compromised;
• Personal Data must not be transferred to any device personally belonging to an employee or transferred or uploaded to any personal file sharing, storage, communication or equivalent service (such as a personal cloud service);
• Personal Data may only be transferred to devices belonging to agents, contractors, or other parties working on our behalf where the party in question has agreed to comply fully with the letter and spirit of this policy and the Data Protection Law and all other applicable law (which may include demonstrating that all suitable technical and organisational measures have been taken and entering into a Data Processor contract with IIPCIC);
• all Personal Data stored electronically shall be backed‐up regularly and securely; and
• under no circumstances must any passwords be written down or shared between any employees, agents, contractors, or other parties working on our behalf, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method.

 

In addition to the obligations set out above, all personnel involved in processing Personal Data are required to read and adhere to the IIPCIC Information Security Policy.

1.13. International Data Transfers
We will only transfer (‘transfer’ includes making available remotely) Personal Data from countries in the UK/EEA to countries outside of the UK/EEA where:

• the transfer is to a country (or an international organisation) that the UK government/European Commission has determined ensures an adequate level of protection (“Adequacy”);
• standard contractual clauses(or UK equivalent) adopted by the UK government/European Commission have been put in place between the entity in the UK/EEA and the entity located outside the UK/EEA;
• binding corporate rules have been implemented, where applicable; or where
• the transfer is otherwise permitted by the law.
• Where IIPCIC is a Data Processor, transfers of Personal Data outside the UK/EEA shall only be made with the controller’s agreement.

 

Where a transfer is not based on Adequacy, we will undertake a transfer impact assessment (“TIA”) or transfer risk assessment (“TRA”) to ensure that Data Subjects (whose Personal Data is transferred) continue to have a level of protection essentially equivalent to that under the UK or EU GDPR (whichever is applicable). If the outcome is that the appropriate safeguard does not provide the required level of protection, we will implement supplementary measures e.g. encryption.

1.14. Implementation & Policy Management
This policy shall be deemed effective as of 16 December 2022. No part of this policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.

This policy will be reviewed by Business Operations Manager and the Head of Finance & Business Services annually and following any Personal Data breach.

1.15. More information
If you have any queries regarding IIPCIC’s data protection policies please contact: gdpr@investorsinpeople.com.

Schedule 1

Privacy Notices
Privacy notices for Data Subjects shall include:

1. the identity and contact details of the Data Controller including, but not limited to, the identity of its Data Protection Officer and EU representative, where applicable
2. the purpose(s) for which the Personal Data is being collected and will be processed and the legal basis justifying that collection and processing;
3. where applicable, the legitimate interests upon which IIPCIC is justifying its collection and processing of the Personal Data;
4. where the Personal Data is not obtained directly from the Data Subject, the categories of Personal Data collected and processed;
5. where the Personal Data is to be transferred to one or more third parties, details of those parties;
6. where the Personal Data is to be transferred to a third party that is located outside of the UK/EEA (whichever is applicable), details of that transfer, including but not limited to the safeguards in place;
7. details of the length of time the Personal Data will be held (or, where there is no predetermined period, details of how that length of time will be determined);
8. details of the Data Subject’s rights;
9. where applicable, details of the Data Subject’s right to withdraw their consent to the processing of their Personal Data at any time;
10. details of the Data Subject’s right to complain to a supervisory authority;
11. where applicable, details of any legal or contractual requirement or obligation necessitating the collection and processing of the Personal Data and details of any consequences of failing to provide it; and
12. details of any automated decision‐making that will take place using the Personal Data (including but not limited to profiling), including information on how decisions will be made, the significance of those decisions and any consequences.

 

Schedule 2

Processor Contracts
Contracts with Data Processors who will process the Personal Data must set out the subject matter and duration of the processing; the nature and purpose of the processing; the type of Personal Data and categories of Data Subject; and the obligations and rights of the controller. They must also include terms requiring the Data Processor to:

1. only act on the written instructions of the controller;
2. ensure that people processing the data are subject to a duty of confidence;
3. take appropriate measures to ensure the security of processing;
4. only engage sub‐Data Processors with the prior consent of the Data Controller and under a written contract;
5. assist the Data Controller in providing subject access and allowing Data Subjects to exercise their rights under the UK GDPR and/or the EU GDPR (whichever is applicable) ;
6. assist the Data Controller in meeting its UK GDPR and/or EU GDPR (whichever is applicable) obligations(or obligations under other applicable laws) in relation to the security of processing, the notification of Personal Data breaches and data protection impact assessments;
7. delete or return all Personal Data to the Data Controller as requested at the end of the contract; and
8. submit to audits and inspections, provide the Data Controller with whatever information it needs to ensure that they are both meeting their data protection obligations, and tell the Data Controller immediately if it is asked to do something infringing the Data Protection Law (or other applicable legislation)