Evidence To Action Limited
Last Updated: 02/04/2019
Definitions
Company means Evidence To Action Limited, a Private Limited Company. Registered address: Devonshire House, 582 Honeypot Lane, Stanmore, Middlesex, HA7 1JS. Registered in England. Company number 06938748.
GDPR means the General Data Protection Regulation.
Responsible Person means Mr Peter Dalton, Data Controller.
Register of Systems means a register of all systems or contexts in which personal data is processed by the Company.
1. Data protection principles
Evidence To Action Limited is committed to processing data in accordance with its responsibilities under the GDPR.
Article 5 of the GDPR requires that personal data shall be:
processed lawfully, fairly and in a transparent manner in relation to individuals;
collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes;
adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
2. General provisions
This policy applies to all personal data processed by Evidence To Action Limited.
The Responsible Person shall take responsibility for Evidence To Action Limited’s ongoing compliance with this policy.
This policy shall be reviewed at least annually.
Evidence To Action Limited is registered with the Information Commissioner’s Office as an organisation that processes personal data.
3. Lawful, fair and transparent processing
To ensure its processing of data is lawful, fair and transparent, Evidence To Action Limited shall maintain a Register of Systems.
The Register of Systems shall be reviewed at least annually.
Individuals have the right to access their personal data and any such requests made to Evidence To Action Limited shall be dealt with in a timely manner.
4. Lawful purposes
All data processed by Evidence To Action Limited must be processed on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests (see ICO guidance for more information).
Evidence To Action Limited shall note the appropriate lawful basis in the Register of Systems.
Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data.
4a. Obtaining consent
Before asking you to share personally identifiable information, we will seek to obtain your consent.
Consent will be sought verbally, in writing or via questionnaire as most appropriate to the research/evaluation methods used in each case.
You may withdraw your consent or restrict data processing at a later stage by sending a request to the Data Controller.
In some cases, the findings of our research are released publicly. When such findings contain personally identifiable information, we will explicitly seek consent from you before publishing the findings. You have the right to withdraw your consent at any point prior to the findings being made public.
4b. Unsolicited emails and opt-out
We might get in touch with you to ask for participation in research or evaluation activities, e.g. surveys, interviews, focus groups. When we do so, we genuinely believe that you could strongly contribute to our research and we would normally contact you following a recommendation from a client.
Participation in our research and evaluation activities is always optional and voluntary. Should you wish to opt out of the research or evaluation, you are welcome to do so by getting in touch with the contact person in the instructions in the invitation email.
4c. Sharing information
We will not share personal information with any third-party organisation, except as outlined in paragraph 4c. b, unless we are obliged to do so by contract, by law, or the disclosure is ‘necessary’ for purposes of national security, taxation and criminal investigation, or we have your consent.
Evidence to Action Limited often works with associates to conduct research and consultancy projects. When this happens, access to the information we collect may be granted to them for the duration of the project. Should this be the case, our interactions with associates will be regulated by a contract, and they will be considered data processors, who are therefore obliged to comply with the relevant obligations outlined in the GDPR. Associates’ access to project data will be terminated once the project ends.
When conducting research on behalf of a client we will be clear about who has commissioned the research and how we plan to share information with them.
4d. Our Processing Partners
We use the following third-party providers for data processing, all of which have their own compliant data processing policies:
Google Analytics Aggregated Site Visitor Data Analysis
Mailchimp Email / Newsletter Provider
PCloud Secure online Data Storage
Gmail Suite Email
Survey Monkey Online Survey Software
5. Data minimisation
Evidence To Action Limited shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
6. Accuracy
Evidence To Action Limited shall take reasonable steps to ensure personal data is accurate.
Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
7. Data retention/removal
We may retain some information indefinitely for research purposes. However, this information will be fully anonymised so as to prevent identification of the data subjects. For more information on anonymised data see: Regulation (EU) 2016/679, Preamble, paragraph (26).
Evidence To Action Limited will not keep personal data longer than necessary to fulfil its legal or contractual obligations. This means that, unless otherwise indicated when seeking consent from project participants, we will delete personal data no later than 24 months after the conclusion of a project. Should we wish to prepare an academic article including information used in a project, we would hold the information collected until the article’s publication date. This is permitted by the GDPR, which allows organisations that process personal data under a lawful basis to process it for a secondary research purpose, too, if appropriate safeguards are implemented.
Where the lawful basis to process personal information is contractual rather than by consent, we will delete the personal information once the objective(s) stated in the contract have been achieved.
This policy does not apply to data about legal entities, which does not constitute personally identifiable information.
8. Security
Evidence To Action Limited shall ensure that personal data is stored securely using modern software that is kept up to date.
Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information.
When personal data is deleted, this should be done safely such that the data is irrecoverable.
Appropriate back-up and disaster recovery solutions shall be in place.
9. Breach
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, Evidence To Action Limited shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the ICO (more information on the ICO website).
10. Contact Information
Data Protection Officer
If you have any questions regarding Processing your Personal Data, your rights regarding your Personal Data or this Privacy Policy, contact our Data Controller Peter Dalton at petedalton@evidencetoaction.co.uk
Supervisory Authority
Email: international.team@ico.org.uk
11. Changes to this Policy
We reserve the right to make changes to this Privacy Policy.
