COMPANY DATA PROTECTION POLICY (INC. SECURITY AND STORAGE)

Policy brief & purpose

Our Company Data Protection Policy refers to our commitment to treat information of employees, customers, stakeholders and other interested parties with the utmost care and confidentiality.

With this policy, we ensure that we gather, store and handle data fairly, transparently and with respect towards individual rights.

General provisions

  1. This policy applies to all personal data processed by MM-Eye Ltd.
  2. The DPO shall take responsibility for MM-Eye’s ongoing compliance with this policy.
  3. This policy shall be reviewed at least annually.
  4. MM-Eye Ltd shall register with the Information Commissioner’s Office as an organisation that processes personal data.

Our current DPO is Deborah Fitzpatrick, Deputy MD at MM-Eye Ltd.

Scope

This policy refers to all parties (employees, job candidates, customers, suppliers etc.) who provide any amount of information to us.

Who is covered under the Data Protection Policy?

Employees of our company must follow this policy. Contractors, consultants, partners and any other external entity are also covered. Generally, our policy refers to anyone we collaborate with, or who acts on our behalf, and who may need occasional access to data.

Data protection principles

MM-Eye Ltd is committed to processing data in accordance with its responsibilities under the GDPR.

Article 5 of the GDPR requires that personal data shall be:

  1. Processed lawfully, fairly and in a transparent manner in relation to individuals;
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals;
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Policy elements

As part of our operations, we need to obtain and process information. This information includes any offline or online data that makes a person identifiable such as names, addresses, usernames and passwords, digital footprints, photographs, social security numbers, financial data etc.

Our company collects this information in a transparent way and only with the full cooperation and knowledge of interested parties.

All processing of data by MM-Eye Ltd must rest on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information).

Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.

Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available.

Once this information is available to us, the following rules apply.

Our data will be:

  • Accurate and kept up-to-date
  • Collected fairly and for lawful purposes only
  • Processed by the company within its legal and moral boundaries
  • Protected against any unauthorized or illegal access by internal or external parties

Our data will not be:

  • Communicated informally
  • Stored for more than a specified amount of time
  • Transferred to organizations or countries that do not have adequate data protection policies
  • Distributed to any party other than the ones agreed upon by the data’s owner (exempting legitimate requests from legal authorities)

In addition to the ways in which we handle the data, the company has direct obligations towards the people to whom the data belongs. Specifically, we must:

  • Let people know which of their data is collected
  • Inform people about how we’ll process their data
  • Inform people about who has access to their information
  • Have provisions in cases of lost, corrupted or compromised data
  • Allow people to request that we modify, erase, reduce or correct data contained in our databases

Actions

To practice data protection we’re committed to:

  • Restrict and monitor access to sensitive data
  • Develop transparent data collection procedures
  • Train employees in online privacy and security measures
  • Build secure networks to protect online data from cyberattacks
  • Establish clear procedures for reporting privacy breaches or data misuse
  • Include contract clauses or communicate statements on how we handle data
  • Establish data protection practices (document shredding, secure locks, data encryption, frequent backups, access authorization etc.)

Our data protection provisions appear on our website as part of our Privacy Policy.

Breach

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, MM-Eye Ltd shall promptly assess the risk to people’s rights and freedoms and, if appropriate, report this breach to the ICO (more information on the ICO website).


Further policies related to Data management

Data and Network Security Policy

Policy brief & purpose

The company must restrict access to confidential and sensitive data to protect it from being lost or compromised in order to avoid adversely impacting our customers, incurring penalties for non-compliance and suffering damage to our reputation. At the same time, we must ensure employees can access data as required for them to work effectively.

It is not anticipated that this policy can eliminate all malicious data theft. Rather, its primary objective is to increase employee awareness and avoid accidental loss scenarios, so it outlines the requirements for data breach prevention.

Scope

This data security policy applies to all customer data and personal data, as well as to the network security of the IT setup. Therefore, it applies to every server, database and IT system that handles such data, including any device that is regularly used for email, web access or other work-related tasks. Every employee who interacts with company IT services is also subject to this policy.

Policy elements

Our company shall provide all employees and contracted third parties with access to the information they need to carry out their responsibilities as effectively and efficiently as possible.

  • All employees and contractors shall be identified by a unique user ID so that individuals can be held accountable for their actions.
  • The use of shared identities is permitted only where they are suitable, such as training accounts or service accounts.
  • All employees and contractors shall read this data security policy and sign a statement that they understand the conditions of access.
  • Records of employee access may be used to provide evidence for security incident investigations.
  • Access shall be granted based on the principle of least privilege, which means that each program and employee will be granted the fewest privileges necessary to complete their tasks.
  • Access will be immediately revoked upon leaving MM-Eye Ltd.

Access to company IT resources and services is managed by Curo, our external IT provider. Curo is responsible for ensuring network security and therefore for controlling who has access to our network.

  • All employees and contractors shall be given network access and granted access to the data and applications required for their job roles. Access levels depend on the individual and their job function and are determined by the Board of Directors. This information is communicated to Curo when a new employee commences employment.
  • All employees and contractors who have remote access to company networks shall be authenticated using the VPN authentication mechanism only.
  • All employees and contractors must keep their passwords confidential and not share them.
  • All employees and contractors shall access sensitive data and systems only if there is a business need to do so and they have approval from management.
  • Access to data classified as ‘Confidential’ or ‘Restricted’ shall be limited to authorized persons whose job responsibilities require it, as determined by management.
  • Information is provided to Curo when a staff member leaves to ensure that network access is revoked.

Curo is responsible for highlighting any security incidents that relate to a potential data breach. Such incidents are investigated by the DPO or, where they relate to overall network security, escalated internally to the Board of Directors.

Asset management

Policy brief & purpose

The company must restrict the use of out-of-date equipment, which could result in security breaches, penalties for non-compliance and damage to our reputation. At the same time, we must ensure employees can access the hardware they require to work effectively.

Policy elements

Our company shall provide all employees and contracted third parties with access to the hardware and software they require to carry out their responsibilities as effectively and efficiently as possible:

  • All employees and contractors shall be given access to hardware and software applications required for their job roles.
  • Curo will provide an annual summary of all hardware assets.
  • All hardware will be replaced as soon as the warranty has ceased.
  • Software licenses will be upgraded as appropriate based on functionality needs.
  • All assets including hardware such as laptops, monitors etc. will be returned to management when a staff member leaves MM-Eye Ltd.

Data storage policy

Policy brief & purpose

The purpose for data storage is to ensure that all data and information – in electronic or hard-copy form – needed by MM-Eye Ltd in the performance of its work are stored in a secure repository when not in current use or when archived for future use, such that they are available when needed, are accessible and usable by employees and contractors, and are maintained in secure, protected environments until they are retrieved for use, archived or destroyed.

Policy

Our company will ensure that our data and information – whether in electronic or hard-copy formats – are stored in a secure manner and managed so that we:

  • Meet legal standards for data storage, retrieval and protection.
  • Establish procedures for data storage activities, provide training on the policy as part of the new employee onboarding, provide refresher training as needed, and review and update the procedures as needed.
  • Protect the data privacy of employees, customers and others as required by law.
  • Optimize the use of primary data storage facilities to facilitate the timely and secure retrieval of data from storage when needed.
  • Establish rules for the use of employee-owned storage devices and monitor that usage – none can be used without management authorisation.
  • Address security issues associated with data storage on company-owned facilities and third-party managed storage services, as well as employee-owned storage devices, to minimize the potential for unauthorized access to company data and information.
  • Plan for and budget for data storage technology, whether on site or remote.
  • Regularly review and adjust data storage facilities to promptly accommodate changes in storage requirements.

Data retention and destruction schedule:

Unless different agreements exist with a staff member or a client, personally identifiable data will only be retained for the following time periods:

What                                                      When to erase
Staff details (e.g. passport, photos, personal information)   At the latest 3 months after leaving
Client customer sample                                    As soon as project reporting is complete and agreed by the end client
Recruitment grids                                         At the latest 6 months after project completion
Respondent photographs                                    At the latest 3 months after project completion
Incentive payment details                                 Immediately after payment
Transcripts                                               As soon as project reporting is complete and agreed by the end client (approx. 3 months post project completion)