We want to ensure that you are satisfied with how Sixfold International Ltd is operating to ensure compliance with the GDPR. This is our policy which we will operate for all your personal data.
What Are Our Roles
GDPR requires Sixfold to operate in two roles:
- As the “Controller” of the personal data you provide to us. We only collect basic personal data about you. This may include your name, addresses, emails, and phone numbers.
- As a “Processor” undertaking the activities we are required to do on your behalf as a service provider and which relate to the data where you are the “Controller”. This includes personal data relating to your clients or staff, where Sixfold may store it, back it up or support its transport across networks to reasonably support our services to you.
What We Do and Don’t Do As “Processor”
In providing services such as data back-ups or data storage of the data you generate, we will gather and potentially store your data in the performance of our contractual services which may be required or maintained under a Sixfold contract. This will include such personal data which we need to maintain contact between us for email and other services which you have opted in to receive from us.
Sixfold may host or support the computers, servers and networks which store and transport the data between devices, users and locations. At all times we will keep the devices we maintain and support at the highest reasonable level of available software and suitably configured to minimise access by unauthorised third parties.
Sixfold has access to your data for the sole purpose of providing support for you and managing our relationship with you. Sixfold does not access customer data for any purposes other than to provide services for you at your request.
Why We Require Your Specific Personal Data
We need to know your basic personal data to create your account, get in touch with you or to provide you a service or services within any contract or agreement between us. We will not collect any personal data from you which we do not need in order to provide and oversee our agreed services to you.
How We Use Your Personal Data
All the personal data we process is processed by us in the United Kingdom and resides on our computers, our servers and cloud-based servers.
We use a cloud-based database and hosted Microsoft Exchange servers to store some personal information. Here, the provider acts as a processor and makes no use of the data held other than to deliver database services on behalf of ourselves.
No third parties have or will have access to your personal data unless the law allows them to do so.
We take all reasonable steps to ensure that your personal data is processed securely, including isolated servers, a robust firewall and systems designed with security in mind.
How Long We Retain Your Personal Data
We are required under UK tax law to keep your basic personal data (name, address, contact details) for a minimum of 6 years after which time it may be destroyed. Any information we use for marketing purposes (with your consent only) will be kept with us until you notify us that you no longer wish to receive this information.
What Are Your Rights
If at any point you believe the information we retain or process for you is incorrect or inaccurate, you can request to see this information and have it corrected or deleted. If you wish to raise a complaint about how we have handled your personal data, you can contact us on any of our advertised email addresses or telephone numbers to have the matter investigated.
If you are not satisfied with our response, or believe we are processing your personal data outside our legal contracted right to do so, you can complain to the Information Commissioner’s Office at https://ico.org.uk/. Please give us 30 days to respond to your complaint before doing so.
If you need any more information, please contact us on 01227 860375.
Data Breach Response
PURPOSE
This policy establishes how Sixfold International Ltd and Maypole Airfield will respond in the event of a data breach, and also outlines an action plan that will be used to investigate potential breaches and to mitigate damage if a breach occurs. This policy is in place to both minimise potential damages that could result from a data breach and to ensure that parties affected by a data breach are properly informed of how to protect themselves.
SCOPE
This policy applies to all incidents where a breach of customer or employee personal identifying information is suspected or confirmed.
DEFINITIONS
Personal data (PD) – Any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier. PD includes, but is not limited to, any of the following:
- Credit card information (eg credit card numbers – whole or part, credit card expiry dates, cardholder names, cardholder addresses)
- VAT identification numbers, business identification numbers and employer identification numbers
- Biometric records (eg fingerprints, DNA, or retinal patterns and other measurements of physical characteristics for use in verifying the identity of individuals)
- Payroll information (eg pay cheques or pay stubs)
- Medical information for any employee or customer (eg doctor names and claims, insurance claims, prescriptions or any related personal medical information)
- Other personal information of a customer, employee or contractor (eg dates of birth, addresses, phone numbers, maiden names, names or customer numbers)
Breach – Any situation where PD is accessed by someone other than an authorised user for anything other than an authorised purpose.
POLICY GUIDELINES
Upon Learning of a Breach
A breach or a suspected breach of PD must be immediately investigated. Since all PD is of a highly confidential nature, only personnel necessary for the data breach investigation will be informed of the breach. The following information must be reported to appropriate management personnel:
- When (date and time) did the breach happen?
- How did the breach happen?
- What types of PD were obtained? (As detailed as possible: name, account number, password, etc.) How many customers were affected?
Management will then make a record of events and people involved, as well as any discoveries made over the course of the investigation and determine whether or not a breach has occurred.
Perform a Risk Assessment
Once a breach has been verified and contained, perform a risk assessment that rates the:
- Sensitivity of the PD lost (customer contact information alone may present much less of a threat than financial information)
- Amount of PD lost and number of individuals affected
- Likelihood PD is usable or may cause harm
- Likelihood the PD was intentionally targeted (increases chance for fraudulent use)
- Strength and effectiveness of security technologies protecting PD (eg encrypted PD on a stolen laptop is technically stolen PD but with a greatly decreased chance of access)
- Ability of Sixfold International Ltd and Maypole Airfield to mitigate the risk of harm
All information collected during the risk assessment must then be compiled into one report and analysed. The risk assessment must then be provided to appropriate Sixfold International Ltd and Maypole Airfield personnel in charge of data breach response management. Sixfold International Ltd and Maypole Airfield will keep a record of any personal data breach, regardless of whether there is a requirement to notify affected parties.
Notifying Affected Parties
Responsibility to notify is based both on the number of individuals affected and the nature of the PD that was accessed. Any information found in the initial risk assessment will be turned over to a competent legal professional of Sixfold International Ltd and Maypole Airfield who will review the situation to determine if, and to what extent, notification is required.
Notification should occur in a manner that ensures the affected individuals will receive notice of the incident. Notification will be made in a timely manner, but not so soon as to unnecessarily compound the initial incident with incomplete facts or to make identity theft more likely through the notice. By law, Sixfold International Ltd and Maypole Airfield will report certain types of data breach to the Information Commissioner’s Office (or the appropriate supervisory authority) within 72 hours, where feasible. The 72-hour period begins once the organisation becomes aware of the breach.
In the case that notification must be made:
- Only those that are legally required to be notified will be informed of the breach. Notifying a broad base when it is not required could raise unnecessary concern in those who have not been affected.
- Individuals who are at high risk of being adversely affected will be notified without undue delay.
- A physical copy will be posted to the affected parties no matter what other notification methods are used.
- A helpline will be established for those who have additional questions about how the breach will affect them.
The notification will include:
- A brief description of the incident, including (when possible):
  - The approximate date it occurred;
  - The categories and approximate number of individuals concerned; and
  - The categories and approximate number of personal data records concerned;
- A description of the type(s) of PD that were involved in the breach (the general types of PD, not an individual’s specific information);
- A description of the likely consequences of the personal data breach;
- An explanation of what Sixfold International Ltd and Maypole Airfield is doing to investigate the breach, mitigate its negative effects and prevent future incidents;
- Contact information for Sixfold International Ltd and Maypole Airfield’s data protection officer (if applicable) or other contact point where more information can be obtained; and
- Steps the individual can take to mitigate any potential side effects from the breach.
Mitigating Risks
Based on the findings of the risk assessment, a plan will be developed to mitigate the risk involved with the breach. The exact course of action will be based on the type of PD that was involved in the data breach. As with any security incident, you should investigate whether the breach was a result of human error or a system issue and see how a recurrence can be prevented, whether through better processes, further training or other corrective steps.
The course of action will aim to minimise the effect of the initial breach and to prevent similar breaches from taking place.
- Affected individuals will be notified as soon as possible so they can take their own steps to mitigate potential risk.
- If there is a substantial concern for fraudulent use of PD, Sixfold International Ltd and Maypole Airfield will offer affected individuals free access to a credit monitoring service.
Sixfold International Ltd and Maypole Airfield will also provide steps to mitigate risks that can be taken by affected individuals. The steps provided to affected individuals will depend on the nature of the data breach. If the breach has created a high risk for fraudulent use of financial information, customers may be advised to:
- Monitor their financial accounts and immediately report any suspicious or fraudulent activity.
- Contact credit bureaus and place an initial fraud alert on their credit reports. This can be extremely helpful in situations where the PD involved could be used to open new accounts.
- Be wary of attempts by criminals who may see the breach as an opportunity to pose as Sixfold International Ltd and Maypole Airfield employees in an attempt to deceive affected individuals into divulging personal information.
- File a report with appropriate agencies or regulators, or with the local police in the community where the breach took place.
- If required, complete an Information Commissioner’s Office Security Breach Notification Form found at: https://ico.org.uk/for-organisations/report-a-breach/
Instructions on what steps a customer can take to reduce their risk will be included in the notification. In addition to the information listed above, appropriate Sixfold International Ltd and Maypole Airfield personnel, when possible, will provide additional information tailored to the individual breach.