Data Use, Security and Retention Policy
Mobivate stores and processes certain information about its employees, customers, suppliers and contacts. To comply with legal requirements, any personal data that Mobivate collects must be collected and used fairly, kept secure and not be unlawfully disclosed to any other person.
At a high level, personal data is any information that identifies a living individual or could be used to identify that person. It includes first name and surname, mobile / office / home phone number, email address, address, date of birth, photographs, CCTV images, right to work documentation, marriage certificates, National Insurance number, medical history and political and religious views and, in some cases, documented opinions.
To ensure that Mobivate complies with its legal obligations, Mobivate’s staff and other individuals who process personal data on behalf of Mobivate will ensure they follow the principles set out in this policy. If you consider that this policy has not been followed in respect of your own personal data, please raise the matter with email@example.com
This policy covers three key principles that is complied with by Mobivate staff:
- Data use;
- Data retention; and
- Data security.
Key Principles of GDPR
Under the General Data Protection Regulation (GDPR) there must be a lawful basis for processing personal data. This policy focusses on four grounds that are most likely to apply in respect of Mobivate’s day-to-day processing of personal data:
- Legitimate interest of the data controller or a third party;
- Performance of a contract;
- Legal obligation; and
- Consent from the data subject.
Much of the internal processing carried out by Mobivate (for example in respect of employees), as well as the processing of Mobivate’s clients’ data, will be on the grounds of legitimate interest. At a high level, legitimate interest means the data subject would reasonably expect Mobivate to process its data in the manner it is being processed.
Legitimate interest will also apply to much of the ancillary processing of personal data carried out by Mobivate, for example, processing the individual names and email addresses of contacts at Mobivate’s suppliers.
Legitimate interest will not apply where the interests of Mobivate are overridden by the interests, rights or freedoms of the data subject, or where the data subject wouldn’t necessarily anticipate their data being used in a particular way.
Performance of a Contract
Mobivate is entitled to process personal data without obtaining consent if it needs to process the personal data to perform a contract or fulfil an order with the data subject. It therefore doesn’t need to obtain consent from its clients to process personal data when the processing is necessary to provide services to a client.
Mobivate is entitled to process personal data without obtaining consent where it is required to process data to comply with a legal obligation. This will apply, for example, to obtaining right to work documentation from employees and to processing personal data to meet HMRC requirements.
If none of the other grounds applies to the processing of personal data, Mobivate must obtain express consent from the data subject to process the data. Consent does not have to be obtained if Mobivate is able to rely on legitimate interests, legal obligation or fulfilment of a contract.
In some scenarios, for example the sending of emails to employees, Mobivate obtains consent from the employee. In other scenarios, Mobivate is reliant on its clients having obtained consent from the end customer. Mobivate has processes in place to ensure records of consent that it obtains are kept, and to ensure it has contractual commitments from its clients that consent has been obtained, where appropriate.
One example for which consent is needed to be obtained is the sending of 3rd party marketing communications to Mobivate’s clients. Mobivate is able to rely on the grounds of legitimate interest where it sends marketing communications about its own products and services to existing clients and communications that are sent in a business to business environment.
If Mobivate wishes to send electronic marketing (emails, texts, social media etc.), it will also comply with the Privacy and Electronic Communication Regulations 2003 (“PECR”). The requirements in PECR are akin to those set out in GDPR.
Under GDPR, consent must be a “freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she by statement or clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
This means that consent must relate specifically to the purpose for which Mobivate wishes to process the personal data and the giving of consent must be a positive action. Implied or negative consent is not sufficient.
Special Categories of Personal Data (Art 9)
GDPR specifies a number of special categories of personal data, known as “sensitive personal data” under the Data Protection Act 1998. They include, for example, religious and political views, racial or ethnic origin, medical records and history, sexual orientation, genetic data and biometric data.
In many situations, explicit consent will be required to process special categories of data. Special categories of data may be processed without obtaining explicit consent if the processing is necessary in the field of employment, which will capture the processing of special categories of data (e.g. medical / health questionnaires and records) by Mobivate’s HR department.
At a high level, Mobivate is required to keep personal data for no longer than is necessary to achieve the purpose for which the data was collected. If Mobivate no longer requires the personal data once it has finished using the data for the purposes for which it was obtained, Mobivate will delete the data. If it has legitimate business reasons for retaining the personal data for a longer period, or if there is a statutory requirement to retain the personal data for a longer period (for example, to satisfy HMRC requirements), Mobivate is entitled to retain the data for such longer period.
The retention periods for different types of personal data held by Mobivate will vary from client to client, and Mobivate will determine centrally the applicable retention periods for the data it holds.
- are responsible for ensuring that they do not store emails containing personal data for longer than necessary. It is recommended that they review emails on a regular basis, deleting any that are no longer required.
- refrain from taking and keeping copies of documents containing personal data unless strictly necessary. All copies that are no longer required should be deleted or destroyed.
- do not keep paper documents containing personal data for any longer than is necessary, particularly if they are not stored securely.
- destroy any documents they no longer need or, if the documents need to be retained, ensure they are secured in line with the guidelines set out below.
- use their Mobivate business email address and Mobivate business phone in accordance with Mobivate’s Acceptable Use Policy.
If Mobivate receives a subject access request, any personal messages sent from a business email address or phone may be captured by the request, or may have to be reviewed to ensure they are not captured by the request.
Data will be kept & archived for a default period before being deleted (unless otherwise requested by client). Some data will be backed up in archives, in which case access to those archives will be restricted and, if possible, the personal data encrypted or anonymised.
Paper documents, will be placed in a shredding bin.
All staff ensure that personal data they hold is kept securely and not disclosed either on purpose or accidentally, whether orally or in writing, to anybody who shouldn’t have access to that information. In some situations, there may be legitimate reasons to disclose the personal data, or the relevant individual may have provided their consent for their personal data to be disclosed.
If personal data may have been unlawfully disclosed or accessed, staff will immediately notify their manager and also comply with Mobivate’s Breach Notification Policy as updated from time to time.
To ensure personal data is secure, paper copies of documents that contain personal data are:
- kept in a locked filing cabinet or a locked drawer;
- accessed only by those who need to know / review the personal data for legitimate business reasons; and
- retained in line with Mobivate’s data retention guidelines, after which documents should be shredded as confidential waste or otherwise destroyed or returned to the relevant individual or client.
If personal data is stored electronically (either on store / office computers, laptops, phones, tablets or otherwise), it will be:
- password protected; and
- where possible, encrypted.
All business phones, computers, laptops, and tablets should be password protected in accordance with Mobivate’s password standards (no less than 8 characters with a combination of letters, numbers and special characters).
Where possible, Mobivate avoids storing personal data on portable media such as USB devices. If the use of portable media can’t be avoided, Mobivate and staff ensure the USB device (or similar) is password protected or encrypted and that each document stored on the device is also password protected or encrypted.
Staff take care when sending text messages and using messaging apps, such as Skype, WhatsApp and Sametime Instant Messaging. All personal data sent via business phones, computers, laptops and tablets may be captured by GDPR, depending on the content and context of the message. If staff send personal data by text or other messaging services, they are comfortable that the personal data may be captured by GDPR and may be provided pursuant to a subject access request.
Working away from Mobivate
Where possible, staff avoid removing or transferring personal data away from Mobivate’s premises. If this cannot be avoided, all guidance in this policy will be followed:
- any copies of personal data that are made (for example, transfer of personal data on to a local desktop or hard drive) will be deleted, destroyed or returned to their usual location as soon as those copies are no longer required
- where possible, personal data will be accessed from a central location using a remote access process or similar
- personal data will never be stored for any length of time at home or otherwise outside of its usual business storage location.
Loss of device
All staff take care not to lose or misplace (whether temporarily or permanently) any paper documents, phones, laptops, tablets or other devices that contain or may contain personal data.
If Mobivate requires a third party to process personal data on its behalf, there will be appropriate documentation in place (for example, terms and conditions or a contract) that govern the processing. All such documentation will be GDPR compliant.
Contact Information – firstname.lastname@example.org