Corporate Data Protection Policy

Agilysis is fully committed to transparency in how it handles personal data. The company takes all the essential measures ensure that information it holds remains private and secure and is processed with total confidentiality.

The lawful basis upon which Agilysis handles personal data is Legitimate Interest as defined under the Data Protection Act 1988 (DPA). The company has completed a Legitimate Interest Assessment to support this basis. We only hold data with minimal privacy impact which is used in the manner our clients and other contacts would reasonably expect. We respect all individual rights with respect to their personal data and offer the right to opt out to everyone whose data we hold.

Agilysis only holds personal information supplied to it directly by the person concerned, or in the case of organisations with which Agilysis has an existing commercial relationship by professional colleagues of the person concerned.

Agilysis’ general purpose in storing personal information is to facilitate professional contact with persons and organisations who use Agilysis products or otherwise engage in a commercial relationship with the company. We only collect and store information that is necessary and relevant to this purpose. We make every reasonable effort to ensure that it is accurate, correcting or deleting data if necessary.

If Agilysis ever needs to collect information for any other specific purpose, or if we act as a data processor for another organisation, we will transparently inform the affected individuals.

Agilysis never has and never will store any sensitive personal data in the meaning of the DPA, except about its own employees for diversity and equality monitoring purposes.

Agilysis never has and never will store any information about persons under the age of 16.

Agilysis never has supplied, and never will supply, personal data to any third parties; with the sole exception of Road Safety Analysis Ltd (RSA). RSA is a company limited by guarantee which is under common control with Agilysis, and contracts Agilysis to provide it with certain services. RSA operates to the same strict Data Protection standards as Agilysis and operates with Agilysis as a joint data controller.

These principles are enshrined in a series of related procedures which document the flow of personal data and who is responsible for implementing each step.


Agilysis has no requirement for a Data Protection Officer, as the company does not hold or process substantial volumes of personal data or conduct extensive direct marketing activities.

An Agilysis Director is designated as the company’s Data Process Auditor. The Data Process Auditor is in overall charge of implementing this code of conduct and related procedures and administers the Data Protection Archive.


Agilysis uses five systems which may be used for processing personal data:

  • Customer Relationship Management (CRM) software (contact information for people who are or have been users of Agilysis or RSA online services and/or are legitimate business contacts of Agilysis or RSA Where paper records are also held and referenced in the CRM, including MAST User Licences, these are held securely in the company’s offices)
  • Online payment system (contact information for people who have conducted financial transactions with Agilysis or RSA, including paper records referenced in the payment system such as invoices and POs)
  • Personnel data (personal information about persons under contract to Agilysis only, stored electronically in internal IT infrastructure to which access is restricted to directors, managers and key staff identified by the Executive Team, with hard copies stored under lock and key by the Head of Finance)
  • Project folders in internal IT infrastructure (which may contain contractual or project documents which refer to individuals)
  • Data provided online to apps accessed via smartphones and websites (personal information about persons who purchase, subscribe to, or use apps published by Agilysis are maintained on secure servers, protected by industry standard security protocols in accordance with the Security section of the company’s IT Management Policy)


Data Protection Training will be provided for all staff involved in handling personal data for:

  • Users of online assets
  • Suppliers of services to Agilysis
  • Agilysis employees
  • Clients with whom Agilysis has a contractual relationship, and/or
  • Marketing to existing or potential clients.

This training will be included during induction for new starters. The Data Process Auditor is responsible for ensuring training is delivered.

The training will ensure familiarity with the attached procedures which are relevant to their job roles. The privacy notice procedure is required for all staff; the information request and deletion procedures are only required for designated Data Processors.

Annual Audit

The Data Process Auditor will conduct an annual audit of Agilysis’ Data Protection structures. This audit will:

  • Audit the contents of Agilysis’ data systems and the Data Protection Archive and destroy any information held therein which is no longer required for legal, compliance, statistical or research purposes
  • Consider information about projects or clients which have been dormant throughout the previous year, and destroy or archive any personal information held which is no longer required for legal, contractual, compliance, accounting, statistical or research purposes
  • Consider financial records in or related to the payment gateway which have been held for more than six years, and destroy or archive any personal information held which is no longer required for legal, contractual, compliance or accounting purposes
  • Check personnel data for information held on past employees, and destroy or archive any personal information held which is no longer required for legal, contractual, compliance or accounting purposes
  • Review the contents of this code of conduct and related procedures, including any changes to the purposes for which Agilysis stores personal data and whether they are compatible with the original purpose, and make recommendations to the Board on any revisions which may be necessary

Policy updated: 26th January 2021