Information collection and use
COUTTS Consultancy is strongly committed to protecting the privacy of users of its products and services as well as respecting the Data Protection Acts 1984 and 1998 and the Data Protection Act 2018 (the DPA 2018) and the EU General Data Protection Regulation (‘GDPR’) in respect of data privacy and security.
We have a duty to notify anyone whose data we have collected or may collect of the information contained in this policy.
The information that you may provide us with, or that is gathered automatically helps us to monitor our web site service and provide you with the services that you may be interested in as a visitor to our website.
At present, we only collect non-personal information on our website – such as IP address (the location of the computer on the internet), pages accessed and files downloaded. This helps us to determine how many individuals use our sites, how many people visit on a regular basis, which pages are most popular, and which pages are least popular. This information doesn’t tell us anything about who you are or where you live, it simply allows us to monitor and improve our service.
While we strive to keep the information that you supply directly or indirectly secure, please be aware that the Internet is not a fully secure medium.
Cookie information can be found in this policy. We also gather email addresses given by visitors to our contact form in order to answer any queries or enquiries they send us.
The business has controls in place to protect the security of personal data. Further information can be obtained from the business’s Data Protection Officer by emailing firstname.lastname@example.org.
The business will hold data in accordance with this Data Retention Policy. We will only hold data for as long as necessary for the purposes for which we collected it.
The business is a ‘data controller’ for the purposes of personal data. This means that we decide the purpose and means of the processing of any personal data we may collect in the course of conducting our business. A ‘data processor’ means a person who processes personal data under the data controller’s instructions, for example a service provider.
We act as a data processor in some circumstances, and we may also ask our contractors to act as data processors; we will let the data owner know when we do this.
This policy explains how the business will hold and process personal information. It also explains personal data rights as a data subject. We have also explained the obligations of contractors and partners when obtaining, handling, processing or storing personal data in the course of working for, or on behalf of our business.
Our objective is that this policy is fully compliant with the DPA 2018 and GDPR. Should any conflict become evident between the DPA 2018 or GDPR and this policy, the business will comply with the DPA 2018 and the GDPR.
The Six Data Protection Principles
Personal data must be processed in accordance with six ‘Data Protection Principles.’ It must:
- Be processed fairly, lawfully and transparently;
- Be collected and processed only for specified, explicit and legitimate purposes;
- Be adequate, relevant and limited to what is necessary for the purposes for which it is processed;
- Be accurate and kept up to date. Any inaccurate data must be deleted or rectified without delay;
- Not be kept for longer than is necessary for the purposes for which it is processed; and
- Be processed securely.
We are accountable for these principles and can show that we are compliant.
How we Define Personal Data
‘Personal data’ means information which relates to a living person who can be identified from that data (a ‘data subject’) on its own, or when taken together with other information which is likely to come into our possession. This includes any expression of opinion about the person and an indication of the intentions of us or others, in respect of that person. It does not include anonymised data.
This policy applies to all personal data whether it is stored electronically, on paper or on other materials. This personal data might be provided to us by the data owner or by someone else, or it could be created by us. It could also be provided or created during the recruitment or contractor engagement process, during the course of any contract of service, or after its termination.
Data we Collect
We collect data from different groups of people for different purposes; these are outlined here:
Contractors / Partners / Collaborators:
- Recruitment information such as application details and CV, references, qualifications and membership of any professional bodies and details of any pre-employment assessments;
- Contact details and possibly date of birth if it is on a CV or any application made to us;
- Contact details for emergency contacts;
- Marital status and family details should the data owner choose to share these;
- Information about any service contract including start and end dates of engagement, role and location, if applicable;
- Details of remuneration or fees (including details of previous remuneration), if applicable;
- Bank details, in the event we engage any contractor;
- Identification documents including passport and driving licence, and information in relation to any Contractor’s, Partner’s or Collaborator’s immigration status and right to work with us, if appropriate;
- Information relating to the performance of Contractors, Partners or Collaborators whilst working with us;
- Training or development records for Contractors, Contributors and Partners;
- Electronic information in relation to use of IT systems / telephone systems, as appropriate;
- Images (whether captured on CCTV, by photograph or video); and
- Any other category of personal data which we may gather to deliver an agreed service, and which we may notify Contractors, or Partners of from time to time.
Visitors to our website:
- Comments made on posts we may make.
- Information gathered by Cookies to allow us to analyse the performance of our website in accordance with the legal parameters of cookies on websites.
- Email addresses for any customers contacting us via our Contact Us form, for the purposes of replying to them.
Customers:
- Payment history for services provided by us.
- Contact information including address / telephone / email.
- Details about the Customer’s business gathered for the purposes of conducting service work with and or for them.
- Details of services provided.
- Recent contract agreements if details are still live or being delivered.
- Data provided and in use for effective delivery of services.
- Examples of work undertaken for our use in the event of work continuing with customers.
- Trading references for the Customer if requested.
How we Define Special Categories of Personal Data
‘Special categories of personal data’ are types of personal data consisting of information such as:
- a person’s racial or ethnic origin; political opinions; religious or philosophical beliefs; genetic or biometric data; health; sex life and sexual orientation; and any criminal convictions and offences.
We may hold and use any of these special categories of personal data in accordance with the law if they are needed to conduct the service delivery we offer.
How we Define Processing
‘Processing’ means any operation which is performed on personal data such as:
- collection, recording, organisation, structuring or storage; adaption or alteration; retrieval, consultation or use; disclosure by transmission, dissemination or otherwise making available; alignment or combination; and restriction, destruction or erasure. This includes processing personal data which forms part of a filing system and any automated processing.
How we Process Personal Data
We will process personal data (including special categories of personal data) in accordance with our legal obligations.
How we Use Personal Data
We use personal data:
- Whilst performing the contract of engagement or service delivery agreed with a Customer;
- To comply with any legal obligation, or where it is necessary for our legitimate interests (or for the legitimate interests of someone else related to the delivery of the service). However, we can only do this if the data owner’s interests and rights do not override ours.
- Data owners have the right to challenge our legitimate interests and request that we stop this processing.
- We can process personal data for these purposes without the person’s knowledge or consent. We will not use personal data for an unrelated purpose without telling the owner about it and the legal basis that we intend to rely on for processing it.
- If someone chooses not to provide us with certain personal data, they should be aware that we may not be able to carry out certain parts of the contract between us. For example, if contractors or partners do not provide us with their bank account details we may not be able to pay them for work carried out for us. If visitors to our website do not provide their correct email address when making an enquiry, we will not be able to contact them to reply to their enquiry.
When we Process Personal Data
We will process personal data in various situations during engagement, partnership or collaboration and following termination of engagement or services.
We will not collect data from anyone unless it is for one or more of the following purposes:
- Service Delivery: To process the Customer information to deliver any contract entered into between us and our Customers;
- If processing the information is needed as the data controller for us to carry out our obligations under any agreements and contracts;
- If processing the information is needed for our legitimate business interests to provide our services to our Customers or potential Customers;
- To decide the fees we will pay Contractors, and the other terms of any agreement or service contract which we may agree or have agreed;
- Legal Reasons: If processing the information is needed to meet our legal obligations as data controller;
- Security Reasons: To monitor and protect the security of our Business, Customers, Contractors, Partners, and others;
- To Protect Safety: If processing the information is needed to protect the data owner’s interests and safety;
- Engagement of Contractors or with Customers: To decide whether to engage a Partner, Contributor, or Contractor, or work with a Customer;
- Legal Working Rights Compliance: To check legal rights to work with us;
- Training: For training and review of performance;
- Management of Contractors: To manage Contractor or Partner performance, absence or conduct;
- Equality & Diversity Delivery: To monitor diversity and equal opportunities;
- Payment Organisation: To pay Contractors, Partners or Collaborators in accordance with the contract between us;
- References: To provide a reference upon request from another employer or Collaborator;
- Compliance Monitoring: To monitor compliance by Contractors, Partners, Customers, us and others with our policies and our contractual obligations;
- Legal Compliance: For employment, immigration, health and safety compliance, tax law and other laws which affect us;
- Insurance Organisation: To fulfil any questions from insurers in respect of any insurance policies which may relate to Customers or the work they are undertaking with us;
- Strategy Organisation: To run our business and plan future strategy;
- Fraud Detection: For the prevention and detection of fraud or other criminal offences;
- Legal Defence: To defend the Company in respect of any investigation or litigation; and
- Other Reasons As Informed: For any other reason which we may inform our Customers or potential Customers or data owners about from time to time.
- We will only process special categories of personal data in situations in accordance with the law.
- We can do this if we have the data owner’s explicit consent.
- If we ask for the data owner’s consent to process a special category of personal data, we will explain the reasons for our request.
- Consent does not need to be given and can be withdrawn later by contacting the Data Protection Officer.
We do not need the data owner’s consent to process special categories of their personal data when we are processing it for the following purposes, which we may do:
- Employment Legal Compliance: Where it is necessary for carrying out rights and obligations under employment law if that applies;
- Protection of Vital Interests: Where it is necessary to protect the vital interests of the data owner, or those of another person where they are physically or legally incapable of giving consent;
- Public Data: Where the data owner has made the data public;
- Legal Defence: Where processing is necessary for the establishment, exercise or defence of legal claims; and
- Assessment of Working Capacity: Where processing is necessary for the purposes of occupational medicine or for the assessment of the data owner’s working capacity.
Sharing Personal Data
We may on occasions share personal data with our Providers, Contractors and Agents to carry out our obligations under our contract with our Customers or for our legitimate interests.
Security of Data with Third Parties
Third Party Agreement: We require any companies or people collaborating or working with us to keep personal data confidential and secure and to protect it in accordance with the Data Protection law and GDPR and our policies. They are only permitted to process your data for the lawful purpose for which it has been shared and in accordance with our instructions. We ask our contractors to sign an agreement to adhere to the same policy as we adhere to in processing data.
Subject Access Requests
Data subjects can make a ‘subject access request’ (‘SAR’) to find out the information we hold about them. This request must be made in writing.
If you would like to make a SAR in relation to your personal data:
- Make the request in writing to the Data Protection Officer.
- We must respond within one month unless the request is complex or numerous in which case the period in which we must respond can be extended by a further two months.
- There is no fee for making a SAR. However, if your request is unfounded or excessive we may charge a reasonable administrative fee or refuse to respond to your request.
- If you are a customer of the business and have made contact with us to ask for access to your data, we will reply within 48 hours to acknowledge your enquiry.
Data Provision within One Month of Request
- By law we are obligated to respond to all ‘data subject access’ requests within one month with the information requested.
- Our Data Protection Officer will agree what fee, if any, is appropriate on a case-by-case basis and will then extract and copy the requested data to provide to you within one month of the request date.
- As a business, we are obliged to accept data subject access requests via email, phone call or web contact forms.
Data Provision Process
As soon as we receive a data request we will forward it to our Data Protection Officer.
- The data subject can request all data held on them.
- We have a Data Request form which will be given to the data subject; a copy can be obtained from the DPO.
- The DPO will ensure the data subject specifies to the business the set of data held by us that is covered by their subject access request (SAR).
- The DPO will record the date on which identification checks are made on the person requesting data, and the specification of the data requested.
- The business must provide the requested information to the data subject within one month of receipt of the request.
- Failure to do this is a breach of Data Protection law.
Data Subject Rights
- Right to Information: You have the right to information about what personal data we process, how and on what basis as set out in this policy.
- Right of Subject Access: You have the right to access your own personal data by way of a subject access request as described above.
- Right to Rectification: You can correct any inaccuracies in your personal data. To do this you should contact the Data Protection Officer.
- Right to be Forgotten: You have the right to request that we erase your personal data where we were not entitled under the law to process it or it is no longer necessary to process it for the purpose it was collected. To do so you should contact the Data Protection Officer.
- Right to Restriction of data use: While you are requesting that your personal data is corrected or erased or are contesting the lawfulness of our processing, you can apply for its use to be restricted while the application is made. To do so you should contact the Data Protection Officer.
- Right to Data Portability: the right to receive the personal information you provided us in a readable format and or transmit that data to a third party in certain situations.
- Obligation to Tell Third Parties: If you ask us to erase or rectify your data, we have to inform any third parties with whom we may have shared it.
- Right to Object: You have the right to object to data processing where we are relying on a legitimate interest to do so and you think that your rights and interests outweigh our own and you wish us to stop. You have the right to object if we process your personal data for the purposes of direct marketing.
- Right to a Copy: You have the right to receive a copy of your personal data and to transfer your personal data to another data controller. We will not charge for this and will in most cases aim to do this within one month.
- Right not to be evaluated via Automatic Processing: With some exceptions, you have the right not to be subjected to automated decision-making.
- Right to be Notified: You have the right to be notified of a data security breach concerning your personal data.
In most situations we will not rely on your consent as a lawful ground to process your data. If we do however request your consent to the processing of your personal data for a specific purpose, you have the right not to consent or to withdraw your consent later. To withdraw your consent, you should contact our Data Protection Officer.
- Right of Complaint: You have the right to complain to the Information Commissioner. You can do this by contacting the Information Commissioner’s Office directly. Full contact details including a helpline number can be found on the Information Commissioner’s Office website (www.ico.org.uk). This website has further information on your rights and our obligations.
Precautions in Handling Data
- Contractor & Partner / Owner Responsibilities: All individuals engaged by us or who work for, or on behalf of us have some responsibility for ensuring data is collected, stored and handled appropriately, in line with this policy and the Business’s Data Security and Data Retention policies.
- Data Protection Officer (DPO): Our Data Protection Officer is responsible for reviewing this policy and updating the other Owners and Partners of the business on the data protection responsibilities and any risks in relation to the processing of data.
- Questions: Any queries in relation to this policy or data protection should be directed to our DPO.
- Restricted Access to Data: Access to personal data covered by this policy is only permitted if it is needed for the work being undertaken, or on behalf of the Business and only when authorised to do so. Use of the data is only permitted for the specified lawful purpose for which it was obtained.
- External Contractors GDPR Compliance Agreement: We have appropriate measures in place to ensure our Contractors abide by GDPR law; we have an agreement that all Contractors must sign, and we monitor compliance with it.
- No Sharing without Valid Reason: No one should share personal data informally, we do not allow this. Everyone should keep personal data secure and not share it with unauthorised people.
- Accuracy & Checks: We will regularly review and update personal data we are using for our work and we expect our Contractors to do the same. We require our Contractors to advise us if their own details change so that we can maintain accurate confidential records.
- Limited Copies: We will not make unnecessary copies of personal data and will ensure our Contractors and Partners commit to this too. We will also ensure our Contractors and Partners keep and dispose of any copies securely.
- Password Protection: We will ensure that all Contractors and Partners commit to the use of strong passwords, as we do. Before we share any data for authorised reasons, we will ensure all Contractors and Collaborators have signed our GDPR compliance agreement for external partners.
- Computer Screen Security: We ensure all computer screens are locked when desks are unattended and ask our Contractors to commit to the same.
- Anonymising Data: Where possible we anonymise data so that the data subject cannot be identified.
- Safe Data Disposal: Personal data on paper is disposed of securely via shredding.
- Reporting of Non-Compliance with Policy: We ask our Contractors and Partners to advise us of any practice they see which is not in keeping with this policy or Data Protection law.
Customer Data Handling & Security
To enable us to comply with GDPR regulations any payment details from Customers will be entered into our password protected filing system directly. We do not sell online or take credit card payments, or operate pop up shops.
COUTTS Consultancy commits to respecting the privacy of all its customers and to protecting any customer data from outside parties. All Partners, Contractors and Contributors will be committed to maintaining a secure data environment so that the business can meet this commitment.
Dispatch Data Collection
Details collected for sending goods or services to customers or collaborators will be password protected.
In the event of a data breach we will follow our ‘Incident Response – Disaster Recovery Plan’, starting with a data breach assessment meeting to make a plan of response within legal expectations. The rest of the process is outlined below under ‘Response / Disaster Recovery Plan Handling’.
Contractor Compliance Agreement
As we have outlined, we ask all external contractors to sign a Data Protection Agreement. We will prepare the contract GDPR compliance statement / agreement with the contractor’s name and contact details on it before engaging them, and ensure the correct date and signature are obtained before work is confirmed. We will keep a hard copy and a digital one.
We confirm that at the end of any employment or contract with COUTTS Consultancy, we will obtain the return of all information shared or provided during the course of the work and no longer needed. All Contractors understand that they are not authorised to use sensitive information for their own purposes, or to provide this information to third parties without the express written consent of one of the Co Owners and Partners of COUTTS Consultancy.
Safe Storage of Data
We will ensure the hard, signed copy is kept securely with the business signed contract with the contractor in both password protected and locked paper locations.
Erasure of Data Post Work & Payment
We ensure that when the work with any Contractor or Partner is completed and the Partner or Contractor is no longer working with us, the relevant data collected on the Contractor in hard copy and digital format is removed from the records and safely deleted within 6 years of the contractor completing the work and being paid; this is to comply with HMRC requirements.
We will delete payment information after 6 years also.
We will keep the name of the contractor in case of needing to work with them again and any contact details for them in the public domain.
Response / Disaster Recovery Plan Handling
To enable us to comply with GDPR regulations, we will follow the process outlined here:
Data Protection Officer: The Data Protection Officer is a Partner and Co Owner of the business and can be reached on email@example.com.
Recognising an Incident: An incident is any security breach, attempted security breach or suspicious activity within the COUTTS Consultancy system or website.
This plan describes the steps taken during an incident response. The steps outlined below will be followed:
- Reporting a personal data breach: The person who discovers the incident will contact the Data Protection Officer; if they are not available, the other Co Owner of the business will be contacted.
- Decision whether to notify authorities: The Data Protection Officer will decide whether any supervisory authorities need to be notified of the breach, depending on its nature, after a response team meeting if appropriate.
- Notification to the authorities will take place within 72 hours of the breach.
- Report if unsure: If anyone working with us or alongside us is unclear as to whether there has been a breach, but they think there may have been, we ask that they report it anyway to the Data Protection Officer.
- Limit the Breach: The risk to the Business and the Individual(s) whose data may have been breached must be limited immediately with an action plan.
The process to be followed by the Data Protection Officer and by you if you have discovered a breach is outlined in the ‘Data breach process and register’. A copy of this document can be obtained from the DPO.
Company Property & Security Protection
We will not permit the installation of any unauthorised software or hardware, including modems and wireless access points, unless users have explicit approval from the Business Partners.
We will ensure safe filing of business sensitive, contractor, employee and or partner and customer data information – ensuring data security in line with this policy.
We will ensure the safe deletion of all unnecessary data on a continuous basis.
Consequences of Non-Compliance
Non-compliance with any of the obligations set out in this agreement, and in particular the misuse of any data collected by any employee, contractor or collaborator, could result in legal or criminal action and will breach any existing contract with COUTTS Consultancy.
Data Retention Policy
This Policy has been designed to help and encourage all collaborators, contractors or employees of COUTTS Consultancy to achieve and maintain expected standards of conduct related to Data Protection laws. It applies to everyone working for or with the Business. Our aim is to ensure consistent and fair practice and treatment. The Company may at any time amend this policy without consultation or prior notice.
This policy co-exists with the Data protection policy, both of which are outlined here.
Purpose and Scope
COUTTS Consultancy is committed to managing and handling personal data in line with best practice and data protection principles. This Policy details the procedures to use to ensure timely and secure disposal of documents and records that are no longer required for business purposes.
The Business holds a variety of personal data for workers, collaborators and contractors, as well as financial data, HR data, marketing data and customer data including personal data. This data is held in various formats including letters, emails, contracts, forms, software systems in both hard copy and electronic form. All data will be held safely as outlined in the paragraphs above in the Data Protection Policy.
Premature destruction of documents could result in an inability to defend claims, business difficulties and failure to comply with data protection legislation. Appropriate destruction and disposal as we have committed to will ensure compliance.
This policy applies to all the information held by the Business and any personal data that may be held by any data processors (service providers) where they are processing information on the Business’s behalf.
Data Retention Periods
Data is retained according to the following guidelines:
- Contractor Fee Data: Payment details for any employees, collaborators, contributors and contractors will be retained for 6 years to comply with HMRC regulations in the UK.
- Employees: In the event that employees were engaged on a payroll, we would hold their Income Tax and NI and personal data about their attendance for 3 years in line with legislation.
- Recruitment information: Where we support Customers with recruitment, recruitment information is held for 1 year after the recruitment activity in case of any claims made against our Customers, so that we can support them.
- Data related to any legal advice: Data gathered for Customers will be held for as long as the matter is live and legally binding, and for 3 years after that. In some cases Non-disclosure agreements are in perpetuity.
- Litigation action (of which there has been none): Records would be held for at least 3 years after the action in case of follow-up queries, to protect the business.
- Folio examples of work: In order to market COUTTS Consultancy services, examples of design and technical work will be retained with customer names removed and may be shown to prospective customers if this does not breach any Non-disclosure agreements signed. These could be kept in perpetuity if held as relevant and free of personal data.
- Customers: Purchase of services data will be kept for 6 years to comply with HMRC UK laws. Purchase of services overseas will also be kept for 6 years.
Cookies
To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.
Depending on which cookies you disable, the website may in general not operate as quickly or efficiently with cookies switched off.
How to Disable Cookies
If you want to disable cookies you need to change your website browser settings to reject cookies. How you can do this will depend on the browser you use. Further details on how to disable cookies for the most popular browsers are set out below:
For Mozilla Firefox:
1. Choose the menu “Tools” then “Options”
2. Click on the icon “Privacy”
3. Find the menu “Cookie” and select the relevant options
For Opera 6.0 onwards:
1. Choose the menu “Files” > “Preferences”
For Microsoft Internet Explorer:
1. Choose the menu “Tools” then “Internet Options”
2. Click on the “Privacy” tab
3. Select the appropriate setting
For Google Chrome:
1. Choose “Settings” > “Advanced”
2. Under “Privacy and security” click “Content settings”
1. Choose “Preferences” > “Privacy”
2. Click on “Remove all website data”
If you have any questions about how we use your data which we have not answered here, or if you want to exercise your personal data rights, please contact us by email or telephone, both of which can be found in the ‘Contact Us’ section of our website.
Policy acceptance and changes
Last Updated: January 2020