We hold personal data about our clients for a limited number of business purposes. This policy sets out how TTIO seeks to protect personal data and ensure that company staff understand the rules governing their use of the personal data to which they have access in the course of their work. In particular, this policy requires staff to ensure that the Data Protection Officer (DPO) is consulted before any significant new data processing activity is initiated, so that the relevant compliance steps are addressed. The purposes for which personal data may be used by us are as follows:
Administrative and Licensing purposes.
These purposes include the following:
• Recording and processing transactions
• Licensing reasons: stamping each page of each downloadable resource with the user's username, email address and full name, so as to deter unauthorised sharing of resources and to trace any instance of an individual breaching their licence agreement. Note that the stamp itself is personal data and the stamped files must be handled accordingly.
Scope
This policy applies to all staff, who must be familiar with this policy and comply with its terms.
Who is responsible for this policy?
As our Data Protection Officer, Jonathan Marvin (email@example.com) has overall responsibility for the day-to-day implementation of this policy.
Fair and lawful processing
We must process personal data fairly and lawfully and in accordance with individuals' rights. This generally means that we should not process personal data unless the individual whose details we are processing has consented to this happening, or another lawful basis (as set out below) applies.
The Data Protection Officer’s responsibilities:
• Keeping up to date about data protection responsibilities, risks and issues
• Reviewing all data protection procedures and policies on a regular basis
• Arranging data protection training and advice for all staff members and those included in this policy
• Answering questions on data protection from staff
• Responding to clients who wish to know what data TTIO holds about them.
Responsibilities of the IT Manager
• Ensuring all systems, services, software and equipment meet acceptable security standards
• Checking and scanning security hardware and software regularly to ensure it is functioning properly
• Assessing third-party services, such as cloud services, that the company is considering using to store or process data.
Responsibilities of the Marketing Manager
• Approving data protection statements attached to emails and other marketing copy
• Addressing data protection queries from clients
• Coordinating with the DPO to ensure all marketing initiatives adhere to data protection laws and the company’s Data Protection Policy.
The processing of all data must be:
• Necessary to deliver our services
• In our legitimate interests and not unduly prejudicial to the individual's privacy
In most cases this provision will apply to routine business data processing activities.
Accuracy and relevance
We will ensure that any personal data we process is accurate, adequate, relevant and not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this. If individuals ask that we correct inaccurate personal data relating to them, this will be done by the Data Protection Officer, Jonathan Marvin.
TTIO must keep personal data secure against loss or misuse.
Storing data securely
• In cases when data is stored on printed paper, it should be kept in a secure place where unauthorised personnel cannot access it
• Printed data should be shredded when it is no longer needed
• Data stored on a computer should be protected by strong, unique passwords that are changed regularly
• Data stored on CDs or memory sticks must be locked away securely when they are not being used
• The DPO must approve any cloud used to store data
• Servers containing personal data must be kept in a secure location, away from general office space
• Data should be regularly backed up
• All servers containing sensitive data must be approved and protected by security software and a strong firewall.
Data retention
We must retain personal data for no longer than is necessary. For subscribers to either of TTIO's websites, their data will be held for no longer than one year after their latest subscription has expired, so that the renewal process is simplified for any customer who wishes to renew their membership.
Transferring data internationally
PayPal and Stripe process customer payment data for the purpose of completing transactions, in accordance with their own privacy policies:
https://www.paypal.com/ee/webapps/mpp/ua/privacy-full
https://stripe.com/gb/privacy
Customer payment data is sent directly to PayPal or Stripe; TTIO does not process or store any customer payment data. When a customer enters this sensitive information (e.g. a card number), the transmission of that information is encrypted using Transport Layer Security (TLS, still commonly referred to as SSL).
Subject access requests
Please note that under the Data Protection Act 1998, individuals are entitled, subject to certain exceptions, to request access to the information held about them. Any subject access request will be referred immediately to the DPO and will be processed promptly and within the statutory time limit.
Processing data in accordance with the individual's rights
TTIO will abide by any request from an individual not to use their personal data for direct marketing purposes. The DPO will be notified of any such request. TTIO will not send direct marketing material to someone electronically (e.g. via email) unless they have given consent.
Training
All staff will receive training on this policy. New joiners will receive training as part of the induction process. Further training will be provided at least every two years or whenever there is a substantial change in the law or in our policy and procedures.
It will cover:
• The law relating to data protection
• Our data protection and related policies and procedures.
Completion of training is compulsory.
GDPR provisions
Where not specified previously in this policy, the following provisions will be in effect on or before 25 May 2018.
Privacy Notice - transparency of data protection
Being transparent and providing accessible information to individuals about how we will use their personal data is important to our organisation. The following details how we collect data and what we will do with it (see table below):