In the course of business, Axiom needs to gather and use certain information about individuals, including customers, suppliers, business contacts, employees and other individuals the organisation has a relationship with or may need to contact. This policy describes how this personal data must be collected, handled and stored to meet the Axiom’s internal data protection standards, and to comply with external data protection regulations.
This policy is intended to ensure that Axiom:
The collection and management of personal information - whether store electronically or otherwise - is governed by the Data Protection Act 1998, and its requirements are further clarified by the General Data Protection Regulation (GDPR) of 2018.
Under these regulations, personal data must be collected and used fairly, stored safely and not disclosed unlawfully. The regulations are underpinned by eight important principles. Stating that personal data must:
This policy applies to all staff, contractors, suppliers and others working on behalf of Axiom Software. It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act or the GDPR. This can include:
The nature of Axiom’s applications means that data of this kind will also be under the control of clients (specifically, candidate data acquired during the testing process). Axiom will use all means to ensure that clients and candidates understand their responsibilities and rights under this policy and under current data protection regulations.
This policy is designed to protect Axiom, its clients and other associates from the consequences of data security risks and maintaining confidentiality of any personal data held.
Everyone who works for or with Axiom has their own responsibility for ensuring data is collected, stored and handled appropriately. Whenever personal data is handled, staff must ensure that it is managed and processed in line with this policy and with the principles of data protection principles.
In particular, staff have the following responsibilities, as relevant to the details of their particular role.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts. In particular, these guidelines should be followed.
On rare occasions where data is printed, the security of these printed materials should be ensured. When not required, this material should be kept in a locked location, and not left accessible to unauthorised individuals. Printed materials should be shredded or otherwise securely destroyed when no longer required.
When working with personal data, staff should make every effort to ensure that it remains secure. Data should not be left in a visible state while unattended, nor should it be share informally.
Data must be encrypted before being transferred electronically, and should only be transferred over approved secure channels. In particular, personal data should never be sent by e-mail, or through other similarly insecure forms of insecure communication.
The law requires that reasonable steps be taken to ensure data is kept accurate and up to date at all times. It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
All individuals who are the subject of personal data are entitled to:
A subject access request describes the action of an individual contacting Axiom requesting information of this kind. Requests like this should be made by e-mail, addressed to any standard Axiom Software address. It is the responsibility of staff receiving subject access request to ensure that they are routed to the correct individual or department to efficiently handle the request. For candidate information, this may involve liaison with the client responsible for maintaining that data.
The data controller will always verify the identity of anyone making a subject access request before handing over any information. Individuals will be charged £10 per subject access request. The data controller will aim to provide the relevant data within 14 days.
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances, after ensuring such a request is legitimate, the requested data will be disclosed.
Further details of our and your legal obligations and duties can be found at the Information Commissioner's web site http://ico.org.uk.