Eastpac are the Data Controlling Officer, and the responsible person or persons will decide how data is to be processed and by what means, whether electronic or other, under legitimate grounds and for what purposes. This may be reviewed from time to time. Any data processed is purely in view of maintaining a commercially successful business operation handling goods not for resale.
Scope of policy
The policy applies to all Eastpac operations and offices; Eastpac is UK based and does not have business operations outside of the country. There may be suppliers who are outside of the EEA; where necessary we will request evidence of their compliance with GDPR in so far as it affects them.
Data Processors may be involved in some operations, whether it be staff records, payment processing, IT backup, website support or others; these Processors will only handle any data as needed and only on our instruction. While all of these are UK based, they themselves may have offices in third countries over which Eastpac has no control; all these companies will have their own Data Protection Policies and should be contacted in their own right.
Policy operational date
This policy comes into effect on the date it is completed. Eastpac are in any case GDPR compliant, and this policy will be in force on the 24th May 2018, in time for the due date of 25th May. This policy, with others, may be reviewed from time to time.
Policy prepared by
This policy is prepared for and on behalf of the Data Controlling Officer and is part of the suite of policies which cover Eastpac compliance with the new law. All GDPR policies are approved by the Board, as fully set out in the individual documents. All documents are cross referenced and set out in the same plain English format.
Purpose of policy
The reasons for this policy include compliance with the new GDPR law; following good practice, which includes openness and transparency; protecting clients, staff and data subjects; and protecting the rights and integrity of the company, amongst others.
Types of data
Eastpac does not handle sensitive or personal data; in fact it holds as little business data as possible, for purely commercial reasons. Note: nearly all of the data we hold is available on the open web, such as contacts, business and other details. Data controlled includes names; contact details, including email, invoicing and business addresses, and other details held on various databases; staff details as far as is necessary to hold them; supplier contact and payment details; and any others necessary for the purposes of conducting a successful business model.
While some data do not fall within the scope of the new law, Eastpac view them as requiring handling to the same standards as if they did fall under the law.
Eastpac are committed to complying with both the law and other good practice requirements; to respecting individuals’ rights, whether customers, suppliers or staff; to being open and honest with individuals whose data is held; to providing training and support for staff so that they can act confidently and consistently; and to notifying the Information Commissioner voluntarily if necessary in the case of any alleged or actual security or data breach, even where this is not required. We undertake to notify the Information Commissioner’s Office (ICO) within 72 hours, as laid down, of any breach becoming known to us, and to cooperate fully with them in handling any such occurrence. Full details of Eastpac policy are set out in the individual policy documents.
The company identifies the main risks as falling in key areas such as i) information about data subjects getting into the wrong hands, whether by hostile action or other means, and ii) individuals’ data being inaccurate or insufficient to operate the Eastpac business model.
The Board or Company Directors have overall responsibility for ensuring that we comply with all legal and business obligations.
Data Protection Officer
The Data Protection Officer is a member of senior management and their responsibilities (some of which they may delegate) include, amongst others: briefing the Board on Data Protection responsibilities; reviewing Data Protection and other related policies; advising staff on Data Protection issues as necessary; ensuring that Data Protection induction and training takes place for both new and current staff; notification to the ICO should this become necessary; handling subject access requests; approving disclosures of personal data; approving contracts with Data Processors where they fall outside of the company; and any other duties as they may arise from time to time.
Eastpac has no volunteer workers; all staff are either full time or agency based. All full time staff, depending on their post and duties, are required to read, understand and accept any training, policies and procedures that relate to the personal data they may handle in the course of their work.
Eastpac may hold any staff member accountable for, and may initiate any disciplinary procedure in the case of, any security or data breach. Data security training is provided and staff are required to report on completion of training. Internally, staff may report any attempts to breach Eastpac security policies. Security levels differ for the various types of data held by Eastpac and are dependent on individual staff clearances for use or access. All data access is password protected, with several areas accessible only to those with Administrator clearance level.
Data Security is not only a Data Protection issue. Business Continuity is viewed extremely seriously and all possible steps are and will be taken to ensure the forward continuity of Eastpac. All files are backed up daily both automatically and on password protected and encrypted memory sticks and some of these are held off site at various locations. Full details of back-up systems are confidential but the foregoing should suffice.
Confidentiality levels are high and the security measures followed include, amongst others, password protection, entry control, site security by means of CCTV, administrator level access, a top-level firewall, anti-virus and anti-malware protection, and a protective whitelist system to prevent contact with possibly damaging or spurious websites. Eastpac are aware of our responsibilities for physical and environmental security and have put means in place to effect this.
Eastpac were GDPR compliant before 25th May 2018. The company technical and organisational security measures include privacy by design, full employee security consciousness, and an independent facility where malware attacks are listed and, if necessary, patched. Eastpac operate a very advanced firewall and have a high grade anti-virus system; these are believed to be the best malware and intrusion security. All possible open computer ports have been closed by means of firewall policy.
We may look at risk analyses, our policies and our technical measures, and may take into account additional requirements about the security of all processing; we may conduct penetration testing to check for any vulnerabilities and exploitable openings. This also covers computer and network security. Penetration testing may be based on using a world’s best system across all our websites.
Card payments are transmitted wirelessly and encrypted, all done to the PCI DSS industry standard.
This policy also covers security of Intellectual Property Rights, and Eastpac will use legal means to fulfil our security policies as necessary. We will fulfil legal requirements as they become known to us or are changed, following the ICO and other Government guidelines, and will appeal to them for assistance as required.
No staff work from home, and some endpoint user equipment is used during client visits; however, this is all encrypted and password protected in line with company policy. All computers, laptops, phones and other devices which have access to company data are password protected, and company data is encrypted. In the case of a compromise or loss, the access is immediately disabled and the device cleansed.
Phishing attacks are usually prevented by our top-level firewalls and spam filters; however, staff are aware and will report any such activity. A Group-wide alerts policy is in place and assists in this defence. While data may be given over the phone, this is purely in accord with normal business activity and efficiency, and only to known persons or customers with whom there is an existing relationship; Eastpac do not hold private data.
Data recording and storage
Where information is taken over the telephone, it is checked back with the individual for correctness at the time it is given. Where information is supplied by a third party to Eastpac, our standard procedures ensure its accuracy; this includes using only trusted sources for data sourcing, including database purchases only from registered practitioners, data from sister companies who have verified its accuracy, and our own proofing systems, which include correcting any data that changes with time, e.g. staff changes as they become known with the passage of time.
There is a regular cycle of checking, updating or discarding old data in accordance with the provisions of the GDPR. The trigger for this depends variously on, but is not limited to, the time since last contact, customer unsubscribe, customer preference request, data no longer being needed, data updated from current customer contact, and data minimisation and pseudonymisation, done in such a way that the ‘confidentiality, integrity and availability’ of our systems and services and of the personal data are ensured.
Separate requirements provide for other data; for staff data, certain documents cannot be held for more than 6 months without express permission.
Retention periods differ for the different types of data: some staff records may not be kept more than six months; some customer contact details may not be kept longer than Eastpac’s normal business cycle; other transaction or business records need to be kept for the current year plus six more, for a total of seven years. Further, some business records may be kept even longer for research purposes.
Hardcopy records, where they still exist, are securely shredded as soon as possible after their retention periods, in accord with data minimisation requirements.
Right of Access
The company Data Controlling Officer is responsible for ensuring that right of access requests are handled within the legal time limit, which is one month. Eastpac will view these requests in the light of the Regulation as interpreted by the Information Commissioner’s Office (ICO). There may be a charge for such a request, and the ICO allow for taking into consideration the difficulty of meeting the time constraint given the possible complexity of compiling the information. In any case it may only be possible to show the time and date of emails and not the content of the messages themselves, due to the type of IT equipment currently operated. If the request is made electronically, we will provide the information in a commonly used electronic format. All requests must however be made in writing.
The fee may be based on the administrative cost of providing the information and any further costs that may be incurred recovering such information.
Procedure for making request
Right of access requests must be in writing; Eastpac have such a form as laid down by the ICO. All employees have a clear responsibility to pass on anything which might be a subject access request to the appropriate person/s without delay.
It is worth noting that such requests may entail and require taking legal advice.
Provision for verifying the identity
Where the person managing the access procedure does not know the individual personally, there is provision according to the law for checking their identity before handing over any information; this may require some form of proof of identity, typically to be sent by post.
The information requested can be provided free of charge. However, Eastpac may charge a ‘reasonable fee’ when a request is manifestly unfounded or excessive, particularly if it is repetitive, and may also charge a reasonable fee to comply with requests for further copies of the same information. This does not mean that we may charge for all subsequent access requests.
The company has a commitment to ensuring that Data Subjects are aware that their data is being processed, for what purpose it is being processed, and how to exercise their rights in relation to the data Eastpac hold.
GDPR states that we must record the lawful basis for acquiring the personal data we hold. The Lawful Basis used by Eastpac is Legitimate Interest, and not Consent. As a trading company we have a legitimate interest in getting and using personal data in view of current and possible future transactions.
Even though we do not rely on consent, Eastpac gives people the opportunity to opt out of their data being used, and will take notice of persons whose details appear on the TPS (Telephone Preference Service) or who have requested a limitation in how their data is used. We acknowledge that, once given, consent can be withdrawn. There may be occasions, according to data retention laws, where we have no choice but to retain data for a certain length of time, even though consent for actively using it has been withdrawn. Eastpac will make every effort to honour these requests.
Employee training & Acceptance of responsibilities
All new employees who have access to personal data have their responsibilities outlined during their induction procedures. Current staff members in situ at the commencement of GDPR have undergone training to introduce them to their responsibilities. In-house training is provided from time to time using various media, and employees show their acceptance of their Data Protection responsibilities by completing a smart sheet. This implies their acceptance of the Regulation. (Whether the policy is to be included in the Company Handbook etc. is an open point.) Staff are encouraged to ask for help where needed.
The Data Controlling Officer has responsibility for carrying out the next policy review taking into account conditions as they will be at that time.