PUBLIC’s Data Protection Officer is Andy Richardson, Chief Technology Officer.
Who is collecting the data?
Data is collected by PUBLIC Group International Ltd. Address: Eccleston Yards, 25 Eccleston Place, London SW1W 9NF. Email: email@example.com. Company No.: 10608507
What data is being collected?
The data collected on a data subject will vary depending on the action in question. This may include the personal information. The information being collected will be clearly displayed on the sign-up or registration form in question.
How is data being collected?
Data is collected by PUBLIC Group International Ltd newsletter sign-up forms or via another registration form process where consent for their data to be collected is clearly indicated (for example, via a tick box opting into the PUBLIC newsletter in a sign-up process for a PUBLIC event.)
Why is data being collected & how are we using it?
Data is being collected to be able to send newsletters and marketing materials via email, text & phone call to individuals who have indicated and provided consent for PUBLIC Group International Ltd to provide this information.
Who has access to the data?
Employees of PUBLIC Group International Ltd and group companies have access to the data, provided they have been been given the correct instruction as to using data responsibly.
Who is the data shared with?
PUBLIC reserves the right to share appropriately collected data with its group companies and partners. PUBLIC will make appropriate efforts to ensure that data shared will be done safely and will be minimised to what is deemed necessary.
How do we keep data safe?
PUBLIC shall ensure that personal data is stored securely using modern software that is kept-up-to-date. Access to personal data shall be limited to personnel who need access. Appropriate security will be used to avoid unauthorised sharing of information. Appropriate back-up and disaster recovery solutions shall be in place.
How long do we keep data for?
PUBLIC will only hold onto data for as long as it is needed, after which time PUBLIC will securely erase or delete this data. PUBLIC will also delete data after an appropriate period of time.
How can individuals ask for their data to be provided, deleted, or raise a complaint?
Individuals should contact PUBLIC Group International Ltd at Eccleston Yards, 25 Eccleston Place, London SW1W 9NF or via email at firstname.lastname@example.org
POLICY – IN FULL
For simplicity, PUBLIC Group International will be referred to as ‘PUBLIC’ in the below policy.
1. Data protection principles
PUBLIC is committed to processing data in accordance with its responsibilities under the Data Protection Act of 2018.
Article 5 of the Data Protection Act requires that personal data shall be:
a. processed lawfully, fairly and in a transparent manner in relation to individuals;
b. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
c. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
e. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
f. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
2. General provisions
a. This policy applies to all personal data processed by PUBLIC.
b. The Data Protection Officer shall take responsibility for PUBLIC’s ongoing compliance with this policy.
c. This policy shall be reviewed at least annually.
d. PUBLIC shall register with the Information Commissioner’s Office (ICO) as an organisation that processes personal data.
3. Lawful, fair and transparent processing
a. To ensure its processing of data is lawful, fair and transparent, PUBLIC shall maintain a Register of Systems, that will include the data we collect, how the data is stored and who can access it, the purposes for which data is used, situations where the sharing of data is permitted and to whom, process for data removal and archiving.
b. The Register of Systems shall be reviewed at least annually.
c. Individuals have the right to access their personal data and any such requests made to PUBLIC shall be dealt with in a timely manner.
4. Lawful purposes
a. All data processed by PUBLIC must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information).
b. PUBLIC shall note the appropriate lawful basis in the Register of Systems.
c. Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
d. Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in PUBLIC’s systems.
5. Data minimisation
a. PUBLIC shall ensure that personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
b. PUBLIC shall ensure that data shall be reviewed annually and data considered no longer relevant or adequate will be removed.
a. PUBLIC shall take reasonable steps to ensure personal data is accurate.
b. Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
7. Archiving / removal
a. To ensure that personal data is kept for no longer than necessary, PUBLIC shall put in place an review data annually and ensure that out-of-date or irrelevant data is securely erased and deleted.
a. PUBLIC shall ensure that personal data is stored securely using modern software that is kept-up-to-date.
b. Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
c. When personal data is deleted this should be done safely such that the data is irrecoverable.
d. Appropriate back-up and disaster recovery solutions shall be in place.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, PUBLIC shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO (further information is provided on the ICO website).