| | 1.4 Supplier 02. Subject Access Request | | |
---|
1.4.02 Subject Access Request: | 1. People have the right to ask for a copy of information held about them and have other rights to have such information corrected or deleted. | 2. The right of subject access under the Data Protection Act (and GDPR) enables people to request a copy of information (on paper and computer) held about them. The information requested if any should be provided within thirty days. |
Business System: | 1. Bespoke Application Service includes a Subject Access Request (SAR) facility where each SAR request is recorded as it is received. An acknowledgement message is returned to the person using email or telephone. Checks and due diligence are undertaken to ensure that the person making the request is the person they say they are. The person is given direct online access to their personal SAR record and may add notes if they wish. As data is accumulated, it is indexed by the SAR facility and the person is kept up to date with progress. When an estimate is made as to when all the data will be accumulated, the person is informed of the estimated date. | 2. SAR may be recorded as data is received. | 3. SAR will begin with a detailed check that the person requesting the data is in fact the person named in the SAR. | 4. SAR data is accumulated and must purposefully exclude all data about matters that are not directly related to the named person. | 5. SAR data is simplified - that is, technical codes and abbreviations are changed to common terms. | 6. SAR data is documented at the field level with a purpose for each and every field - why it was captured, why it was stored and how it was used. | 7. SAR data is made intelligible so it can be read and understood by the average person. | 8. SAR email data is only provided where the subject can identify the date and email addresses of the applicable emails. Information involving named third parties cannot be disclosed. |
SAR Data: | Subject Name. | Alias Name. | Full postal address. | Company, Job Title. | Email address, Telephone number. | Date of initial correspondence, start search date, end search date. | Account number, customer number, Reference number. | 1. Data requested, From Date, To Date, Place. | 2. Data requested, From Date, To Date, Place. | 3. Data requested, From Date, To Date, Place. | Verification of subject name and person requesting the data. | Links to relevant data. | Links to relevant meta data documentation showing purpose and source. | Special disability allowances to be made in compliance with the Equality Act and Disability Discrimination Act, including verbal requests and other language requests. |
Procedure: | 1. Write to the "data owner" as named in the privacy policy or contact-us web page. | 2. Include your full name, address, telephone number and/or email address. Include any information used to identify or distinguish people from one another such as place, account numbers or reference numbers. | 3. Specify details of the information that is required between any relevant dates. It may be an advantage to include reference to the thirty day deadline and the Data Protection Act. | 4. Every company must have a Data Protection Officer (DPO) appointed to handle such Subject Access Requests. |
Reference: | 1. The Information Commissioner's Office (ICO) will be able to assist with any ad-hoc queries. | 2. See www.ico.org.uk. | 3. Where a company does not provide a copy of the requested data within the appointed thirty days, then a reminder letter may be applicable before passing the matter on to the ICO. |
Automation: | 1. People have the right to ask about any logic involved in any automated decisions made about a person. For example, where data is automatically destroyed 120 days after it is captured, then this fact may be relayed to the person upon request. Where video data is requested, the amount of data that can be provided by a single request must be reasonable and appropriate. It would not be reasonable to ask for a copy of all video from all cameras for the last six years. | 2. People have the right to ask that technical terms and abbreviations are fully explained. | 3. People have the right to ask where information about them was sourced from - where did it come from. | 4. People have the right to ask if the data is shared with any other party. |
Complaint Management System: | 1. Bespoke Application Service includes a full Customer Complaint Service (CCS) and Action Plan Service (APS). A complaint will typically begin with personal information from the complainant but as the complaint is investigated and driven to a conclusion, much of the data becomes company confidential. An SAR request may have a copy of the original complaint that pertains to the person, but all company confidential data does not need to be disclosed. An Action Plan may be created to work through with the customer to arrive at a satisfactory conclusion; where the person is involved, that data must be disclosed. Where the Action Plan specifies internal actions, disciplinary actions on staff and changes to standard procedures, this is secret and must not be disclosed. | 2. The company has absolute discretion to decide what is personal and must be disclosed and what is confidential and will not be disclosed. Opinions offered by staff about a person are not personal data to be disclosed to that person - but take great care to get this right. Be very mindful that a complaint by one person against one or more other named people may be personal data that is owned by more than one person. |
Policy and Guidelines: | 1. Bespoke Application Service includes many policies and guidelines that define procedures and processes that are used, however these are internal documents that do not identify any person. Where the company chooses to do so, a copy of a policy or procedure may be provided to a person to help explain their personal data and how it was used. Where the company chooses to do so, an internal policy may be secret and confidential and may not be shared with any external person. |
Form | I am making a formal Subject Access Request for you to provide me with a complete copy of all my Personally Identifiable Information. | Name : _____ | Email : _____ | Phone : _____ | Address : _____ | Consent : I agree that this information can be disclosed. | . | SAR REPLY | Name : __________ | Email : _________ (lower case) | Phone : _________ (just digits) | Address : ________________ (space separated) | SAR Number : 123456 | SAR Officer : Tim Smythe | SAR Arrival Date : 5 Aug 2018 | SAR Arrival Time : 12:34 | SAR Arrival Method : SAR Form | SAR Verified Date : 5 Aug 2018 | SAR Verified Time : 20:24 | SAR Verified Method : Search Retrieval | SAR Reply Date : 6 Aug 2018 | SAR Reply Time : 04:53 | SAR Reply Method : SAR Form | . | Statement | Personal information such as gender, date of birth, ethnicity, marital status, place born, religion, salutation, disability, etc., are not retained as they would serve no legal purpose. | Company phone and address information is not considered to be personally identifiable information and will not be disclosed in a SAR reply where it could be changed or deleted. |
Process: | 1. Where a person wishes to make a Subject Access Request, they are asked to self-register with the online SAR service. This enables people to register their requirements without disclosing their personally identifiable information to any other person. Registration enables the person to be assigned a secret access code that must be used to view the SAR reply. | 2. Where a person makes a telephone call, the telephone call must be assumed to be a phishing attack and the person is asked to self-register with the online SAR service. Where the person is not able to use the online self-registration service, then they are directed to the call center where an agent will manually fill in the registration data via a long telephone call. | 3. Where the person applies by post, it is likely that the information provided is not enough to match retained information and the person is asked to use the online self-registration SAR service to provide the additional identification needed. Just the name of a person is not adequate identification to disclose information to a postal address that is unknown. | 4. When a person self-registers, they are assigned an access code that must be used to access their SAR reply in ten days' time. If the person forgets their access code, they are asked to self-register again where they will be assigned a new access code. The SAR reply is available to be viewed, changed and deleted after ten days and for the next thirty days. It may be illegal to retain the SAR reply for longer than it is needed and thirty days may be adequate. | 5. The online SAR reply grants the person several rights such as: | (1) The right to view their personally identifiable information - information that is owned by the person. | (2) The right to download a copy of their personally identifiable information. | (3) The right to print their personally identifiable information. | (4) The right to correct, amend, alter or update their personally identifiable information. | (5) The right to delete their personally identifiable information and withdraw consent for it to be used. |
Plan: | 1. It is possible that on one day, several thousand SAR requests will arrive by email, phone and post. As a policy, all phone calls are assumed to be phishing attacks and the person may be directed to use the online SAR self-registration service. As a policy, all emails are assumed to be phishing attacks and a standard reply will ask the person to use the online SAR self-registration service. Most postal applications will not contain unique identifying information and a postcard reply will ask the person to use the online SAR self-registration service or to provide the equivalent information by post. | 2. Every SAR reply is scheduled to be made available online, ten days after the request is registered. To view the SAR reply, the person must enter their access code that was issued when their registration was made. If a person forgets their access code, they are asked to self-register again and be issued with a new access code. | 3. The access code has the person's name encrypted within it so a person cannot guess an access code for another person. Access codes look like Monaco (+28) telephone numbers, with no letter case that would cause data entry errors. | 4. It is not permitted to communicate any personally identifiable information by email or phone where it will be recorded and processed by other parties. |
Liability: | 1. The cost of SPAM will be seen as insignificant in relation to the cost of SAR. How does a company verify that the person is who they say they are? This could be a criminal gold mine to gather Personally Identifiable Information from hundreds of sources, consolidate each part of the jigsaw and sell the resultant picture of a person's lifestyle. Discovering that the person does NOT have a BA Executive Travel Card can be a major piece of information about an executive. Discovering that the person does NOT have their details retained by a recruitment agency can be a major piece of information about a manager. | 2. The marketing and recruitment agency with thousands of CVs may choose to delete information when a SAR is received so they can always reply that they have only the SAR information. To reply that some PII exists, but other PII is overlooked will create a liability. | 3. Every SAR received by an Application Service Provider by post with only a name and address will cost many pounds to handle. A search on the name will be followed by a replacement of the name by an alternative spelling of the name. A SAR postal reply will be sent out stating that no such PII has been discovered but the SAR handling evidence has been retained. Where a phone or email address is provided, then a simple reply can be made by phone or email with a lower cost. | 4. Evidence must be retained every step of the way and MUST be part of any disclosure. |
Verification: | 1. A Subject Access Request has been received from a person with your name and before your Personally Identifiable Information can be disclosed, it is important that you formally consent to this procedure. You have been given a unique Subject Access Request access code as 987634560192 that you can use to confirm that you are the person who provided the Subject Access Request. Your Subject Access Request access code must be used before 7 Aug 2018 when it will expire because you have not consented to have your Personally Identifiable Information disclosed. If you were not the person who provided the Subject Access Request then you should be aware that a person with your name has requested a copy of your Personally Identifiable Information. By not using your Subject Access Request access code your Personally Identifiable Information will not be disclosed. | 2. The Subject Access Request Access Code must be 12 characters to demonstrate a high level of security and to foil criminal attacks. Three attempts and the criminal attack must be blacklisted for the rest of the day. The access code must have a published expiry date. | 3. The access code may be algorithmically derived from the person's name, primary key and token. A benefit is that the access code is not stored so it cannot be lost or stolen. First two characters of first name and first four characters of family name as 6 character reverse look up to 12 digits. Merge primary key and token digits with simple CRC digits - these fields are not knowable. |
Staff who have Left: | 1. When a person has left, they can no longer sign in to view and correct their Personally Identifiable Information. The person's data must be retained in the HR table as it is used to identify who did what and when. | 2. A Subject Access Request from a person who has left must be given an access code so they can view, change and delete their details. Where PII is changed or deleted, the underlying record remains and the primary key is retained to imply who was responsible. | 3. A different kind of access code is used to identify that the object of the data is an old HR record, rather than a customer record. The same kind of encryption can be used, but the leading character may be a P or a C. First two characters of first name and first four characters of family name as 6 character reverse look up to 12 digits. Merge primary key and token digits with simple CRC digits - these fields are not knowable. |
Scope: | 1. Staff: approved person is given a (type S) access code by email to process their PII. PII form to process HR record and associated support requests via normal domains. | 2. Ex-Staff: person who has left is given a (type E) access code by email (or phone) to process their PII. PII form to process HR record (and associated support requests) via special SAR domain. | 3. Contact: person is given a (type C) access code by email (or phone) to process their PII. PII form to process customer record and associated concerns via special SAR domain. | 4. Ex-Contact: person is given a (type X) access code by email (or phone) to process their PII. PII form to process an inactive customer record and associated concerns via special SAR domain. |
Quotations: | 1. Do people have a legal right to view all the quotations that have been sent to them? NO. People only have a legal right to view their own Personally Identifiable Information and have no right to view associated business data. | 2. In practice, it would be good business practice to give people read-only access to a history of all quotations that they have been sent. Customer satisfaction can be increased by sharing information that the customer has already been sent. |
Complaints: | 1. Every business has a customer complaint (concern) procedure and those complaints may become a reason for a SAR. The majority of complaint data will not be Personally Identifiable Information and not subject to data protection regulations. | 2. Great care must be taken to omit people's names from free-formatted text fields. Even more care must be taken not to introduce another person's name into the record such as "joe said it was damaged". Where third party names are used, those names must be manually redacted before the data is disclosed because the third party has not given consent for their name to be disclosed. |
Profiling: | 1. Eliza has a host of profiling capabilities related to behaviour, performance at work, mental agility, location, movement, typing skills and a rudimentary health profile. When processing such profile data, results are transient and so it is plausible to state that profiling data is not stored. | 2. Eliza keeps detailed information about what and when a person does specific things and when they fail to do specific things. The scope for profiling is increasing, but it is hard to imagine how these facts could be treated as discriminatory or detrimental to the person. |
General Data Protection Regulation: | 1. GDPR became law in the UK on 24 May 2018 and virtually the same regulations became law in most first-world countries. A benefit is that the same set of regulations apply to all people in all parts of the world. GDPR does not just apply to Internet services, it applies to paper records, local spreadsheets, diary entries and all information in all places. | 2. GDPR simply means that people own their own data and people may consent for their data to be shared with companies and other people, but that consent can be revoked at any time. The idea that a company owns all their business data is no longer true where some of that data is about people. Data includes paper forms, diaries, spreadsheets, notes, emails, messages and transactions, but may not include photographs, videos and some audio recordings. | 3. The Application Service Provider includes as part of the service, a qualified and experienced Data Protection Officer (DPO) who strategically directs all data protection issues in full compliance with GDPR and in consultation with the Information Commissioner's Office (ICO). The Data Protection Impact Assessment (DPIA) is the key document that the DPO uses to direct the Information Security Manager (ISM) who deploys applicable security measures. |
Human Rights: | 1. People have common privacy rights that cannot be revoked (or given up by terms and conditions) to include:- | (1) The right to be Informed. | (2) The right of Access. | (3) The right to Rectification. | (4) The right to Erasure. | (5) The right to restrict Processing. | (6) The right to data Portability. | (7) The right to Object. | (8) The right to change Profiling. |
Informed: | 1. People have a common right to be informed via a privacy notice and other means, how and why a person's data is used. | 2. The privacy notice must be concise, transparent, intelligible and easily accessible. | 3. The privacy notice must be written in clear and plain language. | 4. The privacy notice must be provided free of charge. | 5. The following privacy information must be provided:- | (1) Identity and contact details of the Data Protection Officer. A "contact us" like form is provided aimed at the DPO. | (2) Purpose of holding and legally processing the information. Every field must be documented with one and only one purpose. | (3) The business interests of holding the information. | (4) The categorisation of data being held and processed. | (5) The recipients of the data being held. | (6) Details of any transfers to any other country with applicable safeguards. | (7) Data retention periods, criteria used to determine the retention periods and method of data destruction. | (8) The existence of each person's rights. | (9) The right to withdraw consent at any time where applicable. | (10) The right to lodge a complaint with the Information Commissioner's Office. | (11) The origin of the data and if it is in the public domain. | (12) If the data is part of a statutory or contractual obligation with possible consequences. Gender may be an obligation for Government reporting purpose, but it should have no business purpose. | (13) The existence of automated decision making and profiling. How decisions are made, the significance and consequences. People can have this stopped so it must be optional. |
Personally Identifiable Information: (PII) | 1. The following data is Personally Identifiable Information that must be encrypted and replicated to ensure that it cannot be lost or stolen. | Persons Name. | Persons Email Address. | Persons Telephone Number. | Persons Postal Address. | Persons Driving Licence Number. | Persons Date of Birth. | Persons Place of Birth. | Persons Gender. | Persons Ethnicity. | Persons Last Contact Date? | 2. The DPO has directed that each and every one of these PII fields must be pseudonymised, that is, replaced with a token in the record and the token used indirectly to look up the original field value. This pseudonymise business rule is a natural extension of the proven code-description business rule with the description stored as a long number. | 3. Not all bespoke application services store and use all the PII fields identified, but this category of data must be protected using approved "Security-by-Design" measures. It is plausible to state that PII is not stored because nobody can identify any PII field value in any record of any database - this means that PII cannot be stolen and cannot be involved in a reportable data breach. | 4. The person's SAR must be held electronically and be part of any SAR reply, including evidence of the dates the SAR was requested and replied. Where the person's last contact date exceeds the PII life cycle, then the person's PII is destroyed. |
Verification: | 1. The company must verify the identity of the person making a Subject Access Request using "reasonable" means. In the world of the bespoke Application Service Provider, that means by electronic means with the person providing the information commonly used in electronic format. | 2. GDPR recital 63 specifically introduces a secure self-service application that grants the person authenticated access to the PII. An access code is derived from the customer key, date, time and contact name, so the access code does not need to be stored, but can be derived as and when needed. The person making a Subject Access Request is given the access code and told to sign in using www.sar2.co.uk with their name, email address and access code. The person is shown a bespoke form that shows the person's PII and the person's original SAR message with date and time and evidence that it was responded to within a month. A download button must be provided to download the data as a CSV. | 3. When a person views their PII, they may download the data, may change (correct) the data or may delete the data. A history of every change made must be kept with the date and time of the change. | 4. The person may save the access code and may reuse it from time to time to change and review their own data. When a person deletes their name, then they can no longer sign in and their PII is no longer usable. | 5. Verification must be 100% complete and correct - it would be illegal and subject to a fine to provide PII to the wrong person. With the past experience of SPAM, it must be expected that 90% of SAR will be fake phishing attacks. Never reply to a postal address that is not a stored PII field. Never accept that a person has changed their address in a SAR. | 6. Focus is on:- | Persons Name. | Persons private Email Address. | Persons direct or mobile Telephone Number. | Persons home Postal Address but this may not be unique and may not be PII. | 7. Where the person is a customer contact or supplier contact, then extra information is needed as:- | Company Name that the person represents. | Business Name that the SAR is to search. | Date of last contact between the person and the business. |
Demonstrable: | 1. The company must be able to demonstrate that it complies and it is guilty of non-compliance if it cannot prove that it does comply. | 2. The company MUST implement appropriate technical and organisational measures to ensure and demonstrate that the company complies. The company MUST provide internal training sessions, internal audits, external security audits and reviews of HR policies. | 3. The company MUST document its data processing activities. A data dictionary to define every field with its purpose, life cycle, categorization, privacy, security, origin and destruction. | 4. The company MUST appoint an internal or external Data Protection Officer. | 5. The company MUST implement data protection by design and data protection by default - and prove it. | Data Minimisation. | Pseudonymisation. | Transparency. | Allow people to access their PII. | Continual improvement of security by design. | 6. The company MUST prepare and implement a Data Protection Impact Assessment (DPIA). |
Post: | 1. The Application Service Provider operates an electronic business model that is not able to handle any SAR by post. The ASP provides online forms as a contact us and SAR request form that may be used. Customers will have no way to know the domain name used by the Bespoke Application Service (BAS). Staff and ex-staff may use the public SAR forms or may be directed to use the "SAR2" web site. The ASP registered company address is not monitored and is not provided for the purpose of supporting SAR. | 2. Bespoke Application Service (BAS) Owners will have the cost of handling SAR by post, telephone and email. In all cases, the SAR is added into the BAS as a new SAR transaction including a scan and upload of any paper documents. The owner is recommended to tell the person to use the online "SAR2" web site that has been specifically designed for that purpose. | 3. People making a SAR have a legal duty to provide adequate evidence of their identification and demonstrate that it is not a fake SAR. PII is only stored for a limited time for a limited purpose, then it is destroyed. Where a person has not been in contact with the company for the last 12 months, then it is reasonable and correct that no PII has been retained. |
SAR2 Application Service: | It is a business requirement that the domain name does not imply any specific company, trade or business. "www.sar2.co.uk" and "www.w19.co.uk" as examples. One web site can act as a clearing house for all Bespoke Application Services and even other customers. | 1. Enter new SAR procedure. | 2. Contact DPO procedure. | 3. Sign-in with access code to view your PII. Three invalid access code attempts and the person is blocked for the rest of the day to prevent guessing. | 4. Document: please use the SAR2 application service to submit your SAR. | 5. Document: please use the SAR2 application service with the enclosed access code to view your PII. | 6. Document: sorry your identification details are not known - no information exists for you. |
SAR2 Access Code: | 1. The access code is derived and not stored so it cannot be stolen. The access code is 12 to 17 digits derived from the first few characters of the person's first name, the first few characters of the person's family name, the customer primary key, the date and time that the customer record was first created and a CRC check that is merged and scrambled using different algorithms based on time of day. The access code can only be used in conjunction with the person's name and email address (or telephone number if email is not known). | 2. Depending on when the access code is derived, ten different methods are used to create unique access codes that can be identified by an embedded digit for decryption. If any one digit is changed in the access code, this is detected by the CRC check. | 3. More criminal attacks are expected on the SAR2 application than all other applications - it must be very safe. |
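An added example (not the page's or the provider's own code) of the derived, never-stored access code from the SAR2 Access Code and Verification rows, with the published expiry and the three-attempt daily block. It swaps the page's name and primary-key scramble with CRC for an HMAC-SHA256 keyed with a server-side secret plus a Luhn check digit; the secret, the sample registration and every function name are assumptions.

```python
"""Derived (never stored) SAR access code with expiry and a daily lockout."""
import hashlib
import hmac
from datetime import date

# Assumption: a server-side secret held in a KMS/HSM; this value is constructed.
SERVER_SECRET = b"constructed-demo-secret-not-for-production"
MAX_ATTEMPTS = 3  # the page: three invalid attempts, then blocked for the day

# Constructed sample registration: email -> (type, name, primary key, expiry).
# Types follow the Scope row: S staff, E ex-staff, C contact, X ex-contact.
REGISTRATIONS = {
    "alex@example.org": ("C", "Alex Example", 4711, date(2018, 8, 7)),
}
_DUMMY = ("X", "nobody", 0, date(1970, 1, 1))  # stands in for unknown people


def _norm(name: str) -> str:
    """Lower-case and collapse spaces so 'Alex  EXAMPLE' matches 'Alex Example'."""
    return " ".join(name.lower().split())


def luhn_digit(body: str) -> str:
    """Check digit that catches any single mistyped digit (data entry only)."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # double every second digit, starting beside the check digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def derive_code(rec_type, name, primary_key, expires, secret=SERVER_SECRET):
    """Recompute the 12-digit code from record fields; nothing is stored."""
    msg = "|".join([rec_type, _norm(name), str(primary_key), expires.isoformat()])
    mac = hmac.new(secret, msg.encode(), hashlib.sha256).digest()
    body = str(int.from_bytes(mac[:8], "big") % 10**11).zfill(11)
    return body + luhn_digit(body)


class SarGate:
    """Checks name + email + access code and enforces the daily block."""

    def __init__(self, registrations=REGISTRATIONS, secret=SERVER_SECRET):
        self._regs = registrations
        self._secret = secret
        self._failures = {}  # (email, day) -> failed attempts that day

    def check(self, email, name, code, today):
        """Return 'ok', 'malformed', 'invalid', 'expired' or 'blocked'."""
        email = email.strip().lower()
        slot = (email, today)
        if self._failures.get(slot, 0) >= MAX_ATTEMPTS:
            return "blocked"
        code = code.replace(" ", "")
        if len(code) != 12 or not code.isdigit() or luhn_digit(code[:11]) != code[11]:
            return "malformed"  # a typo; not counted, and it tells a guesser nothing
        rec = self._regs.get(email, _DUMMY)
        rec_type, rec_name, key, expires = rec
        expected = derive_code(rec_type, rec_name, key, expires, self._secret)
        good = (
            hmac.compare_digest(expected, code)  # constant-time comparison
            and _norm(name) == _norm(rec_name)
            and rec is not _DUMMY
        )
        if not good:
            self._failures[slot] = self._failures.get(slot, 0) + 1
            return "invalid"  # same answer whether or not the person is known
        if today > expires:
            return "expired"  # only revealed to someone holding the right code
        return "ok"


if __name__ == "__main__":
    gate = SarGate()
    code = derive_code("C", "Alex Example", 4711, date(2018, 8, 7))
    print(code, gate.check("alex@example.org", "Alex Example", code, date(2018, 8, 6)))
```

The check digit only catches typing mistakes; the resistance to guessing comes from the secret key and the attempt limit, since anyone can compute a valid check digit.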
Unstructured Data: | 1. The Application Service Provider is responsible for structured business data that is encrypted and replicated. The ASP does not store and by design will never store any unstructured data in a document, spreadsheet or email. | 2. If an email is sent to the ASP, that email is copied or uploaded as a support request and then the email is deleted within a few hours. As part of the privacy policy, the ASP has informed people that unstructured data such as emails are never stored for more than a few hours. | 3. If an email is sent by the ASP to a person, that email is authored and sent from a bespoke application service (BAS) and retained as structured data within the BAS. Any sent email is deleted within the hour from any email server because email servers are the primary target for criminal attacks. | 4. Documents and spreadsheets are generated by a BAS as derived data that may or may not be stored. Every document and spreadsheet is a significant security liability that must be physically destroyed as soon as it is used and within 24 hours. Any document or spreadsheet provided to the ASP is either deleted or uploaded as an attachment to a support request. | 5. As a privacy policy, the ASP shall never store any unstructured data outside the BAS for more than a few hours before it is physically destroyed. The BAS Owner will have a different privacy policy that they must comply with and inform their business associates. |
What must be disclosed: | 1. In the strict sense, people only have the right to view, change and delete their own Personally Identifiable Information. However a person may request a copy of all emails or a copy of all quotation/booking/shipment documents. | 2. It must be good practice and it is expected that customers will evolve to expect online access to their history of business transactions with any company. Where a person has requested many documents in the past year, it is reasonable to grant that person access to view in read-only their history of documents for the last 12 months. Quotations, bookings, shipments, contracts and similar business documents that have already been communicated to the person can and should be provided as part of the normal way of doing business. | 3. When any document is communicated with a person, that communication MUST include an unsubscribe button and could include a history button to give the person read access to what other documents have been communicated in the recent past. Subscription management is mandated by law and so it is a small step to grant the person the right to view documents that they have already viewed. |
Person Categorization: | 1. Staff are a type of person who can be given online access to view their PII using their normal BAS. Personnel who sign in must have the right to view and change their own PII. | 2. Ex-Staff are a type of person who can be given online access to view their PII using the SAR2 online service - they must not be permitted to use a normal BAS. Ex-Staff can be given an access code that will permit them to sign in to the SAR2 online service. | 3. Contact are a type of person who can be given online access to view their PII using the SAR2 online service. Customer and supplier contact people can be given an access code that will permit them to sign in to the SAR2 online service. | 4. Ex-Contact are a type of person who can be given online access to view their PII using the SAR2 online service. Contact people who are no longer contact names will be informed that no information about them has been retained. |
Subject Access Request (SAR): | 1. Every person, including every criminal in the world, has the right to submit a Subject Access Request (SAR). Every company has a legal obligation to respond to a SAR and provide the personal information requested. A company that chooses to do this manually may be taking on unreasonable extra costs and risk fines and class action compensation for any delays. | 2. A company cannot reply that it has no information about the person, because the company must have recorded the SAR, analysed the content and replied to the SAR. A more effective way to handle the very large number of phishing SAR messages is to reply to the person asking for them to self-register with enough information for them to be uniquely identified. | 3. The person is given a PIN and can view their own Personally Identifiable Information (PII) as is their legal right. The person has a legal right to change, download and delete their PII. When a person's name or email address is deleted, their PIN is disabled so they can never sign in again with that PIN. | 4. FACT: the act of submitting a SAR means that the company has information about the person and must reply in a positive way. It is reasonable to ask every person sending in a SAR to self-register so they can be given a PIN to access their PII. |
Personally Identifiable Information (PII): | 1. By definition, Personally Identifiable Information is data provided by a living person with consent to use that data for a documented purpose. Personally Identifiable Information does not include business data that does not identify a living person. | 2. When a person self-registers, if the person's name entered is not a perfect match to a customer or supplier contact name, then it is reasonable to state that no match has been made with customer or supplier data. A person must provide evidence that matches with at least two other data fields as well as the person's name. Company email and company telephone number may be in the public domain and are not evidence that a person is who they say they are. Personal postal address may not be stored in a CRM and so cannot be used to identify a person named in the CRM. |
Data Protection: | 1. As a policy, the company chooses not to retain any CV or recruitment information for more than a few hours. Business data is encrypted to a degree where it is reasonable and plausible to state that business data does not exist. The company cannot be liable for not disclosing personal recruitment information where it can be stated that no such data exists. | 2. As a policy, the company chooses not to retain any Email for more than a few hours. Support requests are encrypted to a degree where it is reasonable and plausible to state that support requests do not exist. The company cannot be liable for not disclosing personal support information where it can be stated that no such data exists. | 3. As a policy, the company chooses not to do business with any person who is not an adult. Business cannot be undertaken with a person who needs parental or guardian consent to use their personally identifiable information. | 4. As a policy, the company chooses not to hold any information that may imply: gender, religion, date of birth, culture, ethnicity, sexual orientation, colour, disabilities, place of birth, belief or any factor that can only be used to discriminate. Business can prove that it does not discriminate by not holding any information that could be used to discriminate. | 5. An agency will serve a court order for business data together with a non-disclosure notice to prevent knowledge of the court order from being disclosed to other parties. The court order is served on an Officer of a company who will have no knowledge of who any customer may be, where any data may be stored and will have no business data stored on any computing device. All computer equipment in all company offices may be physically removed, but such computers never store any business data for more than a few hours before it is transcribed to an encrypted application service. Encrypted fragments of data are replicated to a very large number of secure data centres so it is a fact that business data is not stored and it is plausible to deny that business data exists. |
Document Control: | 1. Document Title: Subject Access Request. | 2. Reference: 161402. | 3. Keywords: Supplier Director, Subject Access Request. | 4. Description: Subject Access Requests are managed by a Bespoke Application Service. | 5. Privacy: Public education service as a benefit to humanity. | 6. Issued: 2 Aug 2017. | 7. Edition: 3.2. |
|
|