Barry Bennett Privacy policy

Barry Bennett Privacy policy

Purpose
This policy is intended to provide guidance for establishing, implementing, and maintaining a privacy information management system for the processing of (PII) Personally Identifiable Information.

This Policy helps to protect Barry Bennett Limited (from hereon in referred to as the Company) and its clients and aids in meeting our legal obligations under GDPR and ISO27001.

Responsibilities
Antony Bennett is the Managing Director with overall responsibility for IT security strategy. Louise Hughes is the Service Delivery Director and has day-to-day operational responsibility for implementing this Policy.

Review Process
This Policy should be reviewed no less than annually or, immediately should key factors change.

Information Classification
Unclassified

Information which can be made public without any implications for the Company, such as information already in the public domain.

Company confidential
Contains contracts, source codes, business plans, passwords for critical IT systems, client contact records and accounting information.

Client confidential.
Personally identifiable information such as name or address, passwords to clients’ systems, clients’ business plans, new product information and market sensitive information.

Type of information Systems involved Classification level
Customer records Axis Diplomat Client confidential
Supplier records Axis Diplomat Company confidential
Student records CUDOS Client confidential
Support worker records CUDOS Company/client confidential
Officer records CUDOS Client confidential
Invoice records CUDOS Client confidential
Student records Portal Client confidential
Officer records Portal Company confidential
PII Personal Identifiable Information
PII Collected  
Telephone number Yes Back office and online portal
Date of birth No  
Postal Address Yes Back office use only
Driver license number No  
Social Security number No  
Credit card number No  
Email address Yes Back office and online portal
Passport number No  
Name Yes Back office and online portal
Biometrics No  
Full name Yes Back office and online portal
Gender No  
Race No  
Medical records No  
Place of birth No  
Account numbers No  
IP address Yes Portal only used only for security reasons
Religion No  
Ethnic origin No  
Fingerprint or other biometric data No  
Postcode Yes Back office and online portal
Financial information No  
Login details Yes  
Medical information Yes Only where needs assessment required

Data storage locations
The Company’s back-office system is located on a Windows Server in our head office. Data is stored securely and encrypted in a Microsoft SQL server database.

The CUDOS and Portal databases are stored securely and encrypted in a Tier 3 data centre in Reading UK.

Storage of any customer data elsewhere is forbidden by company policy and enforced with Microsoft group policies/systems

Data security protocols
Data at rest and in transit is TLS1.2 and above.

Access Controls
Internally, as far as possible, the Company operates on a ‘need to share’ rather than a ‘need to know’ basis with respect to company confidential information. This means that our bias and intention is to share information to help people do their jobs rather than raise barriers to access needlessly.

As for client information, we operate in compliance with the GDPR ‘Right to Access’. This is the right of data subjects to obtain confirmation as to whether we are processing their data, where we are processing it and for what purpose. Furthermore, we shall provide upon request, a copy of their personal data, free of charge in electronic format.

We also allow data subjects to transmit their own personal data to another controller. However, in general, to protect confidential information we implement the following access controls:

  • Microsoft Active Directory user account control, Systems: Axis Diplomat
  • CUDOS (Internal UAC)
  • Portal (Internal UAC)
  • Trusted admin users: Alex Hooton (IT Manager) and Ashley Cook (Development Support Engineer)

In addition, admin privileges to company systems will be restricted to specific, authorised individuals for the proper performance of their duties as follows: Alex Hooton (IT Manager) and Ashley Cook (Development Support Engineer).

Employees Joining and Exiting
The Company operates an ISO approved Joiners, Leavers, and Mover’s system. This ensures access to systems is dependent on role and leavers have credentials and access to systems disabled/removed on exit.

Training is provided to all new staff and existing staff to implement the Policy. Training includes:

  • Introduction to IT security, covering risks and basic security measures, company polices and where or from whom to get help
  • Training on how to use company systems and security properly
  • GDPR awareness training

Data Retention
Data is retained for processing purposes in our back-office system for 7 years in accordance with HMRC rules. Where a request for erasure under GDPR has been actioned, all personal information is destroyed with the exception of financial data in accordance with HMRC rules.

Data Sharing, Transfer, and Disclosure
The Company does not sell, distribute or lease personal information to third parties unless we have permission or are required by law to do so.

Data Transfer Upon Termination or Expiration
The Company will implement its exit plan and take all necessary actions to ensure a smooth transition of data with minimal disruption to the client. As mutually agreed upon and as applicable, The Company will work closely with its successor to ensure a successful transition, with minimal downtime and effect on the client, all such work will be coordinated and performed in advance of the formal, transition date.

GDPR Obligations
Under the GDPR, where a data breach is likely to result in a ‘risk for the rights and freedoms of individuals’ we will notify the customers and data controllers within 72 hours after becoming aware of it.

ICO registration reference: Z8070841

Key Personnel Contact Information
Name Title Telephone Email
Antony Bennett Managing Director 01204 534 311 [email protected]
Alex Hooton IT Manager 01204 534 311 [email protected]
Louise Hughes Service Delivery Director 01204 534 311 [email protected]