The purpose of this policy is to illustrate the types of personal information hps group collect, why and how we use it and how it’s shared. In order for hps group to perform our day to day business activities, we need to collect and store certain personal and sensitive data on its employees, system users and potential clients. This policy outlines the steps hps group takes in order to meet privacy and data protection obligations as a core function throughout the organisation.
This policy applies to all hps group employees and affiliates and includes all services and all personal data handled when performing business activities whether that is conducted by staff or suppliers of hps group
3.1. information we collect
Usually, the only information hps group holds surrounding data subjects comes directly from them by signing up to any of the services/products hps group offers. Whenever this information is collected, hps group ensures that only the information required to fulfil a purpose is collected so as to not hold ‘excessive’ data. Information collected is stored securely on our computer systems and access is restricted to persons who have a need for that information. All of our staff are trained in the correct way to handle and dispose of personal information.
3.2. information our customers provide
Our customers typically provide us with the following information: name, email address, postal address and telephone number. Unless opted out, hps group will store this information to use for future marketing communications that may be relevant to that customer for a limited amount of time before being destroyed.
3.3. information we share
3.3.1. with consent
When our customers share information with us, for example when they sign up to marketing communications via our website, hps group can use that information to communicate relevant content to them.
3.3.2. third party system operators
We may upload personal information, supplied to us by our clients or customers, into a third party system for the purposes of marketing communication deployment. The information shared in these instances are not used for any other purpose by such third parties.
3.3.3. external processing
hps group provide some personal data to our trusted affiliates, contractors and suppliers to facilitate further processing, to meet an end goal (such as printers, etc.). All data is processed in accordance with our instructions and in line with all relevant compliance and security measures.
3.3.4. our legal obligation to share information
hps group will not divulge personal information without the subject’s consent, however, in some circumstances hps group may be required to supply such information to third parties to comply with the law, regulation or enforceable governmental request to which hps group are legally required to respond.
3.4. our website
We collect information about the services you use, pages you visit and how you interact with them.
hps group processes personal information captured via our website for the purposes of:
- relevant marketing communications
- to offer masterclasses and other events of interest
Cookies do not contain any information that personally identifies you, but information that we store about you may be linked, by us, to the information stored in and obtained from cookies.
We use the information we obtain from you for the following purposes:
- to recognise your computer when you visit our website
- to track you as you navigate our website
- to improve the website’s usability
- to analyse the use of our website.
We don’t sell the information collected by cookies, nor do we disclose the information to third parties, except where required by law (for example to government bodies and law enforcement agencies).
3.5. how we use the information we collect
When handling the information hps group collects, we commit ourselves to:
- comply with both the law and good practice
- respect individuals’ rights
- be open and honest with individuals whose data is held
- provide training and support for staff and independent contractors who handle personal data, so that they can act confidently and consistently.
hps group recognises that its first priority under the Data Protection Act is to avoid causing harm to individuals. In the main this means:
- keeping information securely in the right hands
- holding good quality information.
Secondly, the Data Protection Act aims to ensure that the legitimate concerns of individuals, about the ways in which their data may be used, are taken into account. In addition to being open and transparent, hps group will seek to give individuals as much choice as is possible and reasonable, over what data is held and how it is used.
hps group is committed to ensuring that in principle, data subjects are aware that their data is being processed and:
- for what purpose it is being processed
- what types of disclosure are likely
- how to exercise their rights in relation to the data.
For further information, please see our data protection policy.
3.7. information security
For further information in regards to the security measures surrounding the personal data hps group handles, please see our ‘information sensitivity policy’ and our ‘security policy’.
3.1. communicating our data protection processes
There are a number of ways in which hps group communicates its commitment to the effective management of data protection. There’s a variety of guidance that is issued to all employees to ensure adherence to these commitments. The guidance that is currently issued, and updated regularly, consists of:
- Data Protection induction (and accompanying guidance documents sent to attendees post-induction)
- IT Security induction
- IT Security policy issued to all new starters to read and sign/accept via Octopus
- Team crib sheets
- Ad hoc communications via emails, Team Heads briefings and to individual project teams in project meets
The compliance team also maintains a ‘Cyclic Reviews Log’ which plots all cyclic compliance processes and/or review timeframes. This includes reviewing internal documents and guidance that the agency follows, such as: Privacy Notices (web form Ts & Cs template), Data Processing Agreements, Non-Disclosure Agreements, DPIAs, PIAs, etc.
3.2. access to personal information
Under the Data Protection Act 1998, hps group will respond to ‘subject access requests’ within the legal time frame of calendar 40 days (under current legislation). This time frame is soon to be lessened to a period of 1 month following the implementation of the General Data Protection Regulation (GDPR) and the time taken to respond to these requests will reflect these changes.
‘subject access requests’ must be submitted in writing and will be handled by the data protection officer, who is responsible for ensuring that such requests are handled in compliance with the local legislation.
To make a compliant, or to know more about the information hps group holds on an employee, service user or potential client, please contact firstname.lastname@example.org or alternatively, contact the Information commissioner’s office (ICO).