Data Protection Code of Conduct v0.4
Corporate Data Protection Policy
Agilysis is fully committed to transparency in how it handles personal data. The company takes all the essential measures ensure that information it holds remains private and secure and is processed with total confidentiality.
The lawful basis upon which Agilysis handles personal data is the Data Protection Act 1988 (DPA).
Agilysis only holds personal information supplied to it directly by the person concerned, or in the case of organisations with which Agilysis has an existing commercial relationship by professional colleagues of the person concerned.
Agilysis never has and never will store any sensitive personal data in the meaning of the DPA, except about its own employees for diversity and equality monitoring purposes.
Agilysis never has and never will store any information about persons under the age of 16.
Agilysis never has supplied, and never will supply, personal data to any third parties; with the sole exception of Road Safety Analysis Ltd (RSA). RSA is a company limited by guarantee which is under common control with Agilysis, and contracts Agilysis to provide it with certain services. RSA operates to the same strict Data Protection standards as Agilysis.
These principles are enshrined in a series of related procedures which document the flow of personal data and who is responsible for implementing each step.
Agilysis has no requirement for a Data Protection Officer, as the company does not hold or process substantial volumes of personal data or conduct extensive direct marketing activities.
Some Agilysis staff are designated as Data Processors. An Agilysis Director is designated as the company’s Data Process Auditor. The Data Process Auditor is in overall charge of implementing this code of conduct and related procedures and administers the Data Protection Archive.
Agilysis uses four systems which may be used for processing personal data:
- Salesforce (including paper records referenced in Salesforce such as MAST User Licences)
- Sage (including paper records referenced in Sage such as invoices and POs)
- Personnel data (personal information about persons under contract to Agilysis only, stored electronically in a folder to which access is restricted to managers and directors, with hard copies under lock and key)
- Project folders (which may contain contractual or project documents which refer to individuals).
- Smartphone apps (personal information about persons who purchase, subscribe to, or use apps published by Agilysis will be maintained on secure servers, protected by industry standard security protocols)
Data Processor Training will be provided for all staff involved in handling personal data for:
- Users of online assets;
- Suppliers of services to Agilysis;
- Agilysis employees;
- Clients with whom Agilysis has a contractual relationship; and/or
- Marketing to existing or potential clients.
This training will be included during induction for new starters. The Data Process Auditor is responsible for ensuring training is delivered.
The training will ensure familiarity with the attached procedures which are relevant to their job roles. The privacy notice procedure is required for all staff; the information request and deletion procedures are only required for designated Data Processors.
The Data Process Auditor will conduct an annual audit of Agilysis’ Data Protection structures. This audit will:
- Audit the contents of the Data Protection Archive and destroy any information held therein which is no longer required for legal or compliance purposes
- Consider information about projects or clients which have been dormant throughout the previous year, and destroy or archive any personal information held which is no longer required for legal, contractual, compliance or accounting purposes
- Consider financial records in or related to Sage which have been held for more than six years, and destroy or archive any personal information held which is no longer required for legal, contractual, compliance or accounting purposes
- Check personnel data for information held on past employees, and destroy or archive any personal information held which is no longer required for legal, contractual, compliance or accounting purposes
- Review the contents of this code of conduct and related procedures, and make recommendations to the Board on any revisions which may be necessary