Data Protection Policy
Context and Overview
Introduction
We hold personal data about our employees, clients, linguists, suppliers and other individuals for a variety of business purposes. The aim of the Data Protection Policy is to ensure that as an organisation, we comply with the requirements of data protection legislation, including the Data Protection Act (DPA) 2018, the UK General Data Protection Regulation (GDPR) and the EU GDPR. Data protection legislation places a duty on us as a business to protect the personal information held on our employees and clients, and any other individual.
This policy sets out how we seek to protect personal data and ensure that staff understand the rules governing their use of personal data to which they have access in the course of their work. In particular, this policy requires staff to ensure that the Data Protection Lead be consulted before any significant new data processing activity is initiated to ensure that the relevant compliance steps are addressed.
Definitions
Business Purposes
The purposes for which personal data may be used by us, including:
- Personnel
- Administrative
- Financial
- Regulatory
- Payroll
- Business development
- Marketing
Business purposes include the following:
- Compliance with our legal, regulatory and corporate governance obligations and good practice
- Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
- Ensuring business policies are adhered to (such as policies covering email and internet use)
- Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information and client information
- Investigating complaints
- Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments
- Monitoring staff conduct, disciplinary matters
- Marketing our business
- Improving services
Personal Data
“Personal Data” is any information (for example, a person’s name) or combination of information about a living person (such as name, address and date of birth) which allows that living person to be identified from that information and which relates to them, such as the job application of “Joe Green” with his address and date of birth, or the appraisal record of “Sam Brown” with similar details.
If in doubt, individuals’ details should be treated as Personal Data.
Special Categories of Personal Data
“Special Categories of Personal Data” include Personal Data about a person’s race or ethnicity, their health, their sexual preference, their medical information, their religious beliefs, their political views, trade union membership, or information accusing an individual of any crime, or about any criminal prosecution against them, the decision of the court and any punishment. The Data Protection Lead can provide further information on what constitutes Special Categories of Personal Data and on how such data must be handled.
Data Controller
The legal person or entity, company, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data, where the purposes and means of such processing are determined by law. Conversis is a Data Controller.
Data Processor
A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Data Controller. Data processors who process data on behalf of Conversis include (but are not limited to):
- Get Support IT for IT support services
Processing
Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as:
Supervisory Authority
The national body responsible for data protection. The supervisory authority for Conversis is the Information Commissioner’s Office (ICO).
Why this policy exists
This data protection policy ensures that Conversis:
- Complies with data protection law and follows best practice
- Protects the rights of staff, clients, and suppliers
- Is transparent about how it stores and processes individuals’ data
- Protects itself from the risks of a data breach
This policy supplements the other policies in place for the organisation. We may supplement or amend this policy by additional policies and guidelines from time to time.
The Principles of Data Protection
Data protection is about protecting people from misuse of their personal information. Conversis regards the lawful and correct treatment of personal information as very important to successfully achieving the aims of the organisation, and to maintaining stakeholder trust and confidence.
These rules apply regardless of whether data is stored electronically or on paper. To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully. The UK GDPR requires that data:
- Is processed fairly, lawfully and in a transparent manner;
- Is collected and processed only for specified, explicit and legitimate purposes, and not further processed in a manner that is incompatible with those purposes;
- Is adequate, relevant and limited to what is necessary for those purposes;
- Is accurate, up to date and not kept in an identifiable form for longer than necessary for the purposes for which it is processed;
- Is processed in accordance with the data rights of individuals;
- Is securely held, including protection by technical and organisational measures, against unauthorised or unlawful processing and against accidental loss, destruction or damage.
The UK GDPR also gives individuals the right to access, delete, correct or receive in an easily transferable format, where applicable, personal information held by the organisation upon request.
People, Risks and Responsibilities
Policy Scope
The policy applies equally to full time and part time employees on a substantive or fixed term contract and to associated persons who work for Conversis, such as agency staff, Board Members, contractors, linguists, and others employed under a contract of service. It stipulates their duties and responsibilities for the effective handling of personal and sensitive data, in order to comply with the policy and legislative, financial and best practice requirements.
The policy applies to all personal and sensitive data collected, handled and stored by Conversis, in electronic and paper formats.
Data Protection Risks
This policy helps to protect Conversis from some very real data security risks, including:
- Breaches of confidentiality. For instance, information being given out inappropriately.
- Failing to offer choice. For instance, all individuals should be free to choose how Conversis uses data relating to them.
- Reputational damage. For instance, Conversis could suffer significant reputational damage if hackers successfully gained access to sensitive data.
- Financial damage. For instance, if a significant personal data breach were to occur, the ICO may impose a substantial financial penalty on the organisation.
Responsibilities
Everyone who works for or with Conversis must process personal data fairly and lawfully in accordance with individuals’ rights.
Each member of staff that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, these people have key areas of responsibilities:
- The senior management team is ultimately responsible for ensuring that Conversis meets its legal obligations.
- Charlotte Terry will fulfil the role of Data Protection Lead. The Data Protection Lead is responsible for:
  - Keeping the board updated about data protection responsibilities, risks and issues.
  - Reviewing all data protection procedures and related policies, in line with an agreed schedule.
  - Arranging data protection training and advice for the people covered by this policy.
  - Handling data protection questions from staff and anyone else covered by this policy.
  - Dealing with requests from individuals, such as members and employees, to see the data Conversis holds about them (also called Subject Access Requests).
  - Checking and approving any contracts or agreements with third parties that may handle Conversis’ sensitive data.
  - Ensuring that the Register of Processing Activities is periodically reviewed (at least annually) to determine whether any retention period applying to an Information Asset has expired.
  - Ensuring that, once a retention period has expired, the record is reviewed and a ‘deletion action’ agreed upon.
  - Leading on responding to and managing a data protection breach.
  - Liaising with the ICO to report and investigate personal data breaches if required.
- Ian Barrow will fulfil the role of IT Manager, with support from Get Support IT as required. The IT Manager is responsible for:
  - Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
  - Performing regular checks and scans to ensure security hardware and software is functioning properly.
  - Evaluating any third-party services Conversis is considering using to store or process data. For instance, cloud computing services, online accounting packages, online customer relationship management (CRM) systems or other similar systems.
- Craig Harrison will fulfil the role of Marketing Manager. The Marketing Manager is responsible for:
  - Approving any data protection privacy statements attached to communications such as emails and letters, in conjunction with the Data Protection Lead.
  - Addressing any data protection queries from clients, target audiences, journalists or media outlets such as newspapers.
  - Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
  - Ensuring that only personal data with the appropriate legal basis for processing for marketing activities is used.
Any questions relating to this Policy or to Data Protection Law should be referred to the Data Protection Lead. In particular, the Data Protection Lead should always be consulted in the following cases:
- if there is any uncertainty relating to the lawful basis on which personal data is to be collected, held, and/or processed;
- if consent is being relied upon in order to collect, hold, and/or process personal data;
- if there is any uncertainty relating to the retention period for any particular type(s) of personal data;
- if any new or amended privacy notices or similar privacy-related documentation are required;
- if any assistance is required in dealing with the exercise of a data subject’s rights (including, but not limited to, the handling of subject access requests);
- if a personal data breach (suspected or actual) has occurred;
- if there is any uncertainty relating to security measures (whether technical or organisational) required to protect personal data;
- if there are any questions relating to the implementation and maintenance of security measures in a home working environment;
- if personal data is to be shared with third parties (whether such third parties are acting as data controllers or data processors);
- if personal data is to be transferred outside of the UK and there are questions relating to the legal basis on which to do so;
- when any significant new processing activity is to be carried out, or significant changes are to be made to existing processing activities, which will require a Data Protection Impact Assessment;
- when personal data is to be used for purposes different to those for which it was originally collected;
- if any automated processing, including profiling or automated decision-making, is to be carried out; or
- if any assistance is required in complying with the law applicable to direct marketing.
General Staff Guidelines
- The only people able to access data covered by this policy should be those who need it for their work.
- Data should not be shared informally. If an employee requires access to confidential information for a specific purpose, they can request access to it from their line manager or the Data Protection Lead.
- Conversis will provide training to all employees to help them understand their responsibilities when handling personal data.
- Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
- In particular, strong passwords must be used and they must never be shared outside of Conversis. They must not be stored centrally, in personal files or on paper. Use of a Password Manager is recommended.
- Personal data must not be disclosed to unauthorised people, either within Conversis or externally.
- Data must be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and securely disposed of.
- Employees must request help from the Data Protection Lead if they are unsure about any aspect of data protection.
Our Procedures
Fair and lawful processing
Conversis must process personal data fairly and lawfully in accordance with individuals’ rights under the first principle. If we cannot apply a lawful basis as outlined below, our processing does not conform to the first principle and will be unlawful. Individuals have the right to have any data unlawfully processed erased. We will ensure that any new processing activities are assessed with a privacy by design approach prior to undertaking the processing. The following procedure will ensure that we meet this requirement of the regulation.
Lawful basis for processing data
Conversis must establish a lawful basis for processing data. Employees must ensure that any data they are responsible for managing has a documented lawful basis approved by the Data Protection Lead in the Register of Processing Activities. It is each employee’s responsibility to check the lawful basis for any data they are working with and ensure all of their actions comply with the lawful basis. At least one of the following conditions must apply whenever we process personal data:
- Consent: we hold recent, clear, explicit, and defined consent for the individual’s data to be processed for a specific purpose.
- Contract: the processing is necessary to fulfil or prepare a contract for the individual.
- Legal obligation: we have a legal obligation to process the data (excluding a contract).
- Vital interests: processing the data is necessary to protect a person’s life or in a medical situation.
- Public function: the processing is necessary to carry out a public function or a task in the public interest, and that function has a clear basis in law.
- Legitimate interest: the processing is necessary for our legitimate interests, and those interests are not outweighed by the individual’s rights.
Deciding which condition to rely on
When Conversis is making an assessment of the lawful basis, we will first establish that the processing is necessary. This means the processing must be a targeted, appropriate way of achieving the stated purpose. We cannot rely on a lawful basis if we can reasonably achieve the same purpose by some other means.
Where more than one lawful basis applies, Conversis will rely on what will best fit the purpose, not what is easiest.
We will always consider the following factors and document the answers:
- What is the purpose for processing the data?
- Can it reasonably be done in a different way?
- Is there a choice as to whether or not to process the data?
- Who does the processing benefit?
- After selecting the lawful basis, is this the same as the lawful basis the individual would expect?
- What is the impact of the processing on the individual?
- Are you in a position of power over them?
- Are they a vulnerable person?
- Would they be likely to object to the processing?
- Are you able to stop the processing at any time on request, and have you factored in how to do this?
Conversis’ commitment to accountability and transparency requires that we document this process and show that we have considered which lawful basis best applies to each processing purpose, and fully justify these decisions.
We must also ensure that individuals whose data is being processed by us are informed of the lawful basis for processing their data, as well as the intended purpose. This will be achieved via a privacy information notice. This applies whether we have collected the data directly from the individual, or from another source.
Employees who are responsible for making an assessment of the lawful basis and implementing the privacy notice for new processing activities must have them approved by the Data Protection Lead.
Data Storage
These rules describe how and where data will be safely stored. Questions about storing data safely can be directed to the Data Protection Lead.
Conversis mainly uses electronic systems to manage data. In the limited circumstances in which data is stored on paper, it will be kept in a secure place where unauthorised people cannot see it until the point of destruction. Conversis shall provide suitable guidance about storage equipment and/or furniture to any employees, agents, contractors, or other parties working on behalf of Conversis from home who are likely to be processing personal data.
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason. Where possible, employees should avoid printing out information which includes personal data. If it is unavoidable, these guidelines must be followed to avoid a personal data breach:
- When not required, the paper or files must be kept out of sight in a drawer or filing cabinet locked where possible.
- Employees must make sure paper and printouts are not left where unauthorised people could see them, like on a printer, on a desk in a shared office space, left on a table at the end of a meeting or on display in a hotel room.
- Printouts must be disposed of securely, preferably with a cross-cut shredder. They must never be placed in household rubbish, recycling or in the waste bins in hotels or meeting rooms.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
- Personal data must be protected by strong passwords and never shared between employees.
- Removable media (like a CD, USB drive or external hard drive) must not be used to store or transfer personal data, unless the device is encrypted and has been approved by the CTO.
- Personal Data must only be stored on our designated folders on our server, approved cloud storage (MS Office 365) and software systems. Personal data must not be uploaded to unapproved external cloud computing services or software.
- Personal data will be backed up frequently. These backups will be tested regularly.
- The storage of personal data on mobile devices (including, but not limited to, laptops, tablets, and smartphones), whether such device belongs to Conversis or otherwise, should be limited to the extent absolutely necessary for the performance of the relevant work.
- If personal data is stored on laptops or tablets for ease of access while working on a document, regular reviews must be undertaken to ensure the accuracy of the documents on the server, and copies stored on other devices are securely destroyed once they are no longer needed for remote access purposes.
- Personal data may only be transferred to, stored on, accessed from, or processed on devices personally belonging to employees with the authorisation of Conversis’ Data Protection Lead, only to the extent that it is absolutely necessary for the performance of the relevant work. In the case of devices belonging to agents, linguists, contractors, or other parties working on behalf of Conversis, personal data may only be transferred to, stored on, accessed from, or processed on such devices where the party in question has agreed to comply fully with the letter and spirit of this Policy and UK Data Protection Law (which may include demonstrating to Conversis that all suitable technical and organisational measures have been taken).
- All computers used to access or store data will be protected by approved security software and a firewall, including those owned by linguists or third parties working on behalf of Conversis.
- All devices used to access personal data, whether owned by Conversis or the individual, will be managed through a device management system which supports the ability to remote-wipe data in case of loss or theft. Linguists or third parties must immediately report any loss of a device storing or providing access to data for which Conversis is responsible. Refer to the Data Breach section of this policy for more details.
- Get Support IT is responsible for installing operating system and software updates on employees’ devices, as these often contain important security fixes. Linguists and other relevant third parties working on behalf of Conversis must also apply device, operating system and software updates in a timely manner to ensure appropriate protection is in place when working on projects for Conversis. Personal data could be at risk if employees or linguists are not timely in applying updates.
Data Use
Personal data is of no value to Conversis unless the organisation can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
- When working with personal data, employees must ensure the screens of their computers are always locked when left unattended, whether working at home, in the office or in a co-working space.
- Personal data must not be shared informally. In particular, careful consideration must be taken before sharing personal data via email, as this form of communication is not secure. Additional checks to verify that the email is only being sent to individuals who have permission to see the data must be in place.
- Personal data must never be transferred outside of the United Kingdom or European Economic Area (EEA) without informing the individual. Checks must be made before using new cloud storage solutions to ensure that the servers are located within the UK or EEA. We will be clear about any software which involves transferring personal data outside of the UK or EEA in our privacy policy.
- Employees must not save or store copies of personal data to their own computers. Always access and update the central copy of the data in the relevant folder or software package.
- When working in public areas (e.g. co-working spaces, cafes or on public transport) employees must make an assessment of the environment and avoid working on confidential or personal data where there is a high risk of information being seen by other people nearby.
- Employees must give careful consideration to their location when talking on the phone or meeting with others when discussing personal or confidential details. The communal areas of the Conversis office, public places, and public transport are not suitable locations to hold confidential conversations. Consider booking a meeting room to improve the level of privacy for the duration of the conversation.
- When travelling for work purposes, employees must be aware of the security of their laptop (and other devices). Laptops should remain in your possession as much as possible, for example, do not leave your laptop unattended on a train or in a café in order to visit the buffet or facilities. Ensure your device is locked when you are not using it.
- Under no circumstances should laptops, devices or paperwork be left unattended in a parked vehicle.
- All employees, linguists, agents, contractors, or other parties working on behalf of Conversis working from home must ensure that they use all reasonable efforts to comply with this Policy including, for example, setting aside a specific room or part of their home (ideally behind a lockable door, with lockable storage such as drawers or filing cabinet) for home working, particularly when handling personal data. Conversis recognises that home workers may not always be able to ensure a degree of security that would be comparable with an office environment, but all reasonably practicable efforts should be made to ensure the best security possible in the circumstances.
Data Retention and Disposal
Conversis will ensure that data will be stored for only as long as it is needed or in line with required statute or business need, and will be disposed of appropriately.
- This approach is supported by its data retention schedule, which outlines Conversis’ requirements under this section of the policy and can be found within the Register of Processing Activities.
- Conversis will log all data assets on the Register of Processing Activities, which will be reviewed and updated every year to monitor compliance with the retention and disposal schedules.
- It is the Data Protection Lead’s responsibility, supported by the IT Manager, to ensure all personal and company data is non-recoverable from any computer system previously used within Conversis which is to be passed on or sold to a third party.
- Data must be updated as inaccuracies are discovered. For instance, if a client can no longer be reached on their stored telephone number or email address, it will be removed from the database and we will try to establish what the correct details are.
- Effective management of the disposal of data is the responsibility of all staff and applies to all media, including paper records, databases, Microsoft Word documents, Excel spreadsheets, PowerPoint presentations, webpages, emails, photographs, scanned images and digital video.
- Review the information assets listed on the retention schedule every year in order to support a deletion decision.
- When making the ‘deletion decision’, the Data Protection Lead will ensure that:
  - The Information Asset is no longer required by any part of the business;
  - No work is outstanding by any part of the business;
  - No litigation or investigation is current or pending which affects the Information Asset;
  - There are no current or pending Subject Access Requests which affect the Information Asset.
- Deletion decisions must not be made with the intent of denying access or destroying evidence.
- Paper records will be destroyed with the level of security required by the confidentiality of their contents. If paper records contain personal data, they must be shredded using a cross-cut shredder.
- Employees, linguists, agents, contractors, or other parties working on behalf of Conversis working from home should only dispose of personal data stored in hardcopy form at home if it is possible to do so as described above. Personal data should under no circumstances be disposed of in normal household rubbish, recycling, hotel room waste paper bins, or meeting room paper bins.
- Any outsourced shredding contractors will comply with BS 8470 (the British Standard specifying the secure disposal of confidential material) and BS 7858 (the British Standard specifying a code of practice for the security screening of individuals, including third-party individuals), and will be members of the United Kingdom Security Shredding Association.
- With digital records the deletion from a server or hard drive may not be sufficient. The digital records may no longer be visible, but they are not beyond any possibility of recovery. More extreme measures may be needed to achieve full destruction, e.g. overwriting with random digital code enough times to eliminate the data. Examples include, but are not limited to, Killdisk and Gdisk. Destruction will include back-up copies and duplicate copies.
- If an external contractor or third-party supplier is being used to destroy the equipment, ensure that the contract or terms of business set out how digital data will be securely destroyed. The contractor/third-party will be asked to supply a certificate of destruction.
- Electronic media such as rewritable DVDs, USB Drives and digital files will be reformatted if the media type allows it or erased or destroyed if formatting is not possible.
- It is the Marketing Manager’s responsibility to ensure marketing databases are checked against relevant industry suppression files (e.g. the Telephone Preference Service or the Corporate Telephone Preference Service) every six months or prior to any new campaign.
- It is the Marketing Manager’s responsibility to ensure that personal data is used for marketing purposes in accordance with the documented legal basis in place for each person. Processes will be put in place to ensure that checks are made against the marketing database to ensure consent has not been withdrawn, where consent is relied upon, and no objection has been made, where legitimate interests are relied upon.
Data Accuracy and Relevance
Conversis will ensure that any personal data that is processed is accurate, adequate and relevant and not excessive, given the purpose for which it is obtained. Conversis will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.
It is the responsibility of all employees who work with personal and/or sensitive personal data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data will be held in as few places as necessary. Staff must not create any unnecessary additional data sets.
- Staff will take every opportunity to ensure that data is updated. For instance, by confirming a client’s details if they call.
- If an individual identifies that personal data held by Conversis is inaccurate and requests that Conversis updates the information, Conversis will review the data and make the appropriate updates without undue delay and within one calendar month of the request.
- Staff must take reasonable steps to ensure that personal data that Conversis holds on them is accurate and updated as required, for example if their personal circumstances change or they change address, they should update their HR record.
Transferring Personal Data to a Country Outside the UK
Conversis may, from time to time, transfer (‘transfer’ includes making available remotely) personal data to countries outside of the UK. The UK GDPR restricts such transfers in order to ensure that the level of protection given to data subjects is not compromised.
Personal data may only be transferred to a country outside the UK if one of the following applies:
- The UK has issued regulations confirming that the country in question ensures an adequate level of protection (referred to as ‘adequacy decisions’ or ‘adequacy regulations’). From 1 January 2021, transfers of personal data from the UK to EEA countries continue to be permitted and the EU granted an adequacy decision to the UK in June 2021.
- Appropriate safeguards are in place, including binding corporate rules, standard data protection clauses approved for use in the UK (this is either the International Data Transfer Agreement or the International Data Transfer Addendum, which makes the EU Standard Contractual Clauses approved on 4 June 2021 valid under the UK GDPR), an approved code of conduct, or an approved certification mechanism.
- From October 2023, organisations transferring personal data from the UK to the USA may be able to rely on the UK Extension to the EU-US Data Privacy Framework, if the receiving organisation has self-certified compliance with the Framework (check via www.dataprivacyframework.gov). Where the organisation has not self-certified, we will handle the transfer in the same way we would other third country transfers (see previous paragraph).
- The transfer is made with the informed and explicit consent of the relevant data subject(s).
- The transfer is necessary for one of the other reasons set out in the UK GDPR including:
  - the performance of a contract between the data subject and Conversis;
  - public interest reasons;
  - for the establishment, exercise, or defence of legal claims;
  - to protect the vital interests of the data subject where the data subject is physically or legally incapable of giving consent; or
  - in limited circumstances, for Conversis’ legitimate interests.
Conversis undertakes a Transfer Risk Assessment prior to transferring personal data to non-adequate countries and uses the International Data Transfer Agreement with its linguists based in third countries. If a translation project includes special categories of personal data (e.g. health-related data) or includes more than the basic contact information typically found in clients’ documents, Conversis will undertake a Transfer Risk Assessment for the relevant countries prior to making the transfer to linguists in those countries.
Accountability and Record-Keeping
The Data Protection Lead is responsible for administering this Policy and for developing and implementing any applicable related policies, procedures, and/or guidelines.
Conversis shall follow a privacy by design approach at all times when collecting, holding, and processing personal data. Data Protection Impact Assessments (DPIAs) shall be conducted if any processing presents a significant risk to the rights and freedoms of data subjects (please read the next section for more information on DPIAs).
All employees, agents, contractors, or other parties working on behalf of Conversis shall be given appropriate training in data protection and privacy, addressing the relevant aspects of Data Protection Law, this Policy, and all other applicable Company policies. This will be provided as part of the induction training programme and then refreshed on an annual basis.
Conversis’ data protection compliance will be regularly reviewed and evaluated by means of Data Protection Audits.
Conversis will keep written internal records of all personal data collection, holding, and processing (Register of Processing Activities), which shall incorporate the following information:
- the name and details of Conversis, its Data Protection Lead, and any applicable third-party data transfers (including data processors and other data controllers with whom personal data is shared);
- the purposes for which Conversis collects, holds, and processes personal data;
- Conversis’ legal basis or bases (including, but not limited to, consent, the mechanism(s) for obtaining such consent, and records of such consent) for collecting, holding, and processing personal data;
- details of the categories of personal data collected, held, and processed by Conversis, and the categories of data subject to which that personal data relates;
- details of any transfers of personal data to non-UK countries including all mechanisms and security safeguards;
- details of how long personal data will be retained by Conversis;
- details of personal data storage, including location(s);
- detailed descriptions of all technical and organisational measures taken by Conversis to ensure the security of personal data.
Data Protection Impact Assessments and Privacy by Design
In accordance with the privacy by design principles, Conversis shall carry out Data Protection Impact Assessments for any and all new projects and/or new uses of personal data which involve the use of new technologies and where the processing involved is likely to result in a high risk to the rights and freedoms of data subjects.
The principles of privacy by design should be followed at all times when collecting, holding, and processing personal data. The following factors should be taken into consideration:
- the nature, scope, context, and purpose or purposes of the collection, holding, and processing;
- the state of the art of all relevant technical and organisational measures to be taken;
- the cost of implementing such measures; and
- the risks posed to data subjects and to Conversis including their likelihood and severity.
Data Protection Impact Assessments shall be overseen by the Data Protection Lead and shall address the following:
- the type(s) of personal data that will be collected, held, and processed;
- the purpose(s) for which personal data is to be used;
- Conversis’ objectives;
- how personal data is to be used;
- the parties (internal and/or external) who are to be consulted;
- the necessity and proportionality of the data processing with respect to the purpose(s) for which it is being processed;
- risks posed to data subjects;
- risks posed both within and to Conversis; and
- proposed measures to minimise and handle identified risks.
The Data Protection Lead will use the DPIA Screening Form (GDP_FO_DPIA Screening Form Master) available in our GDPR SharePoint folder to first establish if a Data Protection Impact Assessment is necessary. If so, the DPIA Full Assessment, which covers all of the areas above, will then be completed and used to support decision-making about whether the project goes ahead and monitoring of ongoing risks during implementation. Finalised Data Protection Impact Assessments will be stored in the GDPR SharePoint folder to support any future audit or query.
Data Breach Notification
All personal data breaches must be reported immediately to Conversis’ Data Protection Lead. This includes personal data breaches which relate to personal data being handled by employees, linguists, agents, contractors, or other parties working on behalf of Conversis from home, using either personal computers or devices or those provided by Conversis.
If an employee, linguist, agent, contractor, or other party working on behalf of Conversis becomes aware of or suspects that a personal data breach has occurred, they must not attempt to investigate it themselves. Any and all evidence relating to the personal data breach in question should be carefully retained.
If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the Data Protection Lead must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.
In the event that a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Data Protection Lead must ensure that all affected data subjects are informed of the breach directly and without undue delay.
Data breach notifications shall include the following information:
- The categories and approximate number of data subjects concerned;
- The categories and approximate number of personal data records concerned;
- The name and contact details of Conversis’ Data Protection Lead (or other contact point where more information can be obtained);
- The likely consequences of the breach;
- Details of the measures taken, or proposed to be taken, by Conversis to address the breach including, where appropriate, measures to mitigate its possible adverse effects.
Conversis will log all personal data breaches, including minor breaches that do not need reporting to the ICO. In addition, we will learn from minor breaches to understand the reasons behind the breach and how we can improve our processes to reduce the risk of a similar or larger breach occurring in the future. Conversis’ Data Breach Log can be found in the GDPR Records folder on SharePoint; it will be reviewed by the Data Protection Lead, and a summary of the risks it records will be reviewed regularly at Board Meetings.
Individuals’ Rights
Conversis will ensure any use of personal data is justified using at least one of the conditions (e.g. consent, legitimate interest, performance of a contract, legal obligation) for processing and this will be specifically documented within the Register of Processing Activities. All staff that are responsible for processing personal data will be aware of the conditions for processing. The GDPR provides the following rights for individuals:
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights in relation to automated decision making and profiling.
Subject Access Requests
All individuals who are the subject of personal data held by Conversis are entitled to:
- Ask what information the organisation holds about them and why.
- Ask how to gain access to it.
- Be informed how to keep it up to date.
- Be informed how the organisation is meeting its data protection obligations.
If an individual contacts the organisation requesting this information, this is called a subject access request.
Subject access requests from individuals can be made by email, addressed to the Data Protection Lead at: Charlotte.Terry@conversis.com or in writing to: Data Protection Lead, Conversis, Kirtlington Business Centre, Kirtlington, Oxfordshire, OX5 3JA. They may also make the request verbally in person or via telephone: (+44) 01869 255820.
Conversis can supply a standard request form, although individuals do not have to use this. If a subject access request is sent directly to another Conversis employee, they must pass it immediately to the Data Protection Lead to handle.
The Data Protection Lead will always verify the identity of anyone making a subject access request before handing over any information. We will ask for proportionate confirmation of identity; only where necessary will one of the following forms of ID be required:
- Passport
- Photocard Driving Licence
Conversis will aim to provide the relevant data without delay, and certainly within one calendar month of the request. Where the request is more complex, we will notify the individual making the request of any likely delay and extension period required. Details of subject access requests are logged in the GDPR Records folder (Subject Access Request Log) in SharePoint to comply with the accountability principle, to monitor for repetitive requests and to evidence our response in case of future complaint from the individual.
Data Portability
Individuals have the right to obtain and reuse their personal data for their own purposes across different services. The right to portability only applies:
- to personal data that the individual has provided to Conversis
- where the processing of personal data is based on the individual’s consent or for the performance of a contract
- when processing is carried out by automated means (i.e. electronically)
Requests from individuals can be made by email, addressed to the Data Protection Lead at: Charlotte.Terry@conversis.com or in writing to: Data Protection Lead, Conversis, Kirtlington Business Centre, Kirtlington, Oxfordshire, OX5 3JA. They may also make the request verbally in person or via telephone: (+44) 01869 255820.
The Data Protection Lead will always verify the identity of anyone making a request under the right to data portability before handing over any information. We will ask for proportionate confirmation of identity; only where necessary will one of the following forms of ID be required:
- Passport
- Photocard Driving Licence
These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals. A data subject may also request that their data is transferred directly to another system. This must be done free of charge. The data will be provided to the individual in a structured, commonly used and machine-readable format, e.g. a CSV file, and will be transferred to them securely.
Right to Erasure
In certain circumstances, an individual may request that any information held on them by Conversis is deleted or removed, and any third parties who process or use that data must also comply with the request.
An individual has the right to have their information erased if:
- the personal data is no longer necessary for the purpose which we originally collected or processed it for
- the legal basis on which the organisation is holding the personal data is consent, and the individual withdraws their consent
- the legal basis on which the organisation is processing the data is legitimate interests, the individual objects to the processing of that data, and the organisation is unable to demonstrate that overriding legitimate interests to continue this processing exist
- the organisation has processed the personal data unlawfully
- the organisation must delete the data in order to comply with a legal obligation
An individual does not have the right to have their information erased if the processing of their personal data by Conversis is necessary for one of the following reasons:
- to exercise the right of freedom of expression and information
- to comply with a legal obligation
- for the performance of a task carried out in the public interest or in the exercise of official authority
- for the establishment, exercise or defence of legal claims
Requests from individuals can be made by email, addressed to the Data Protection Lead at: Charlotte.Terry@conversis.com or in writing to: Conversis, Kirtlington Business Centre, Kirtlington, Oxfordshire, OX5 3JA. They may also make the request verbally in person or via telephone: (+44) 01869 255820.
Conversis will aim to provide the relevant data without delay, and certainly within one calendar month. Where the request is more complex, the Data Protection Lead will notify the individual making the request of any likely delay and extension period required.
In the event that any personal data that is to be erased in response to an individual’s request has been disclosed to third parties, the Data Protection Lead will inform those parties of the erasure (unless it is impossible or would require disproportionate effort to do so).
Disclosing Data for Other Reasons
In certain circumstances, data protection legislation allows personal data to be disclosed to law enforcement agencies without the consent of the individual.
Under these circumstances, Conversis will disclose requested data. However, the Data Protection Lead will ensure the request is legitimate, seeking assistance from the board and from Conversis’ legal advisers where necessary.
Providing Information (Privacy Notices)
Being transparent and providing accessible information to individuals about how Conversis will use their personal data is important to us. To these ends, Conversis has a privacy policy, setting out how data relating to individuals is used by the organisation. A version of this privacy statement is also available on our website: https://www.conversis.com/privacy
Conversis will also include appropriate privacy information notices at the point where personal data is collected from individuals.
Policy Compliance
If any employee is found to have breached this policy, they may be subject to Conversis’ disciplinary procedure, as described in the staff handbook. If a criminal offence is considered to have been committed, further action may be taken to assist in the prosecution of the offender(s).
Any unauthorised disclosure of personal data to a third party by an employee will be viewed seriously and may result in disciplinary proceedings.
Review and revision
This policy must be reviewed every 12 months and, if appropriate, will be amended to maintain its relevance. Further reviews will be undertaken to reflect changes in legislation or standards. The Data Protection Lead will undertake the policy review.
Questions on this Policy
If you have any questions about this Data Protection Policy, please contact the Data Protection Lead, Charlotte Terry, via email: Charlotte.Terry@conversis.com or telephone: 01869 255820.