Data Protection Policy

Introduction

In the course of business, Axiom needs to gather and use certain information about individuals, including customers, suppliers, business contacts, employees and other individuals the organisation has a relationship with or may need to contact. This policy describes how this personal data must be collected, handled and stored to meet the Axiom’s internal data protection standards, and to comply with external data protection regulations.

Policy purpose

This policy is intended to ensure that Axiom:

• Complies with data protection law and follow good practice
• Protects the rights of staff, clients and representatives
• Is open about how it stores and processes personal data
• Protects itself from the risks of a data breach

Data protection law

The collection and management of personal information - whether store electronically or otherwise - is governed by the Data Protection Act 1998, and its requirements are further clarified by the General Data Protection Regulation (GDPR) of 2018.

Under these regulations, personal data must be collected and used fairly, stored safely and not disclosed unlawfully. The regulations are underpinned by eight important principles. Stating that personal data must:

• Be processed fairly and lawfully
• Be obtained only for specific, lawful purposes
• Be adequate, relevant and not excessive
• Be accurate and kept up to date
• Not be held for any longer than necessary
• Processed in accordance with the rights of data subjects
• Be protected in appropriate ways
• Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection

Applicability

This policy applies to all staff, contractors, suppliers and others working on behalf of Axiom Software. It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act or the GDPR. This can include:

• Names of individuals
• Contact addresses
• Email addresses
• Telephone numbers
• ...plus any other information relating to individuals

The nature of Axiom’s applications means that data of this kind will also be under the control of clients (specifically, candidate data acquired during the testing process). Axiom will use all means to ensure that clients and candidates understand their responsibilities and rights under this policy and under current data protection regulations.

Responsibilities

This policy is designed to protect Axiom, its clients and other associates from the consequences of data security risks and maintaining confidentiality of any personal data held.

Everyone who works for or with Axiom has their own responsibility for ensuring data is collected, stored and handled appropriately. Whenever personal data is handled, staff must ensure that it is managed and processed in line with this policy and with the principles of data protection principles.

In particular, staff have the following responsibilities, as relevant to the details of their particular role.

• Identifying and notifying appropriate staff regarding data protection responsibilities, risks and issues that may arise.
• Reviewing all data protection procedures and related policies, in line with an agreed schedule.
• Arranging data protection training and advice as required or appropriate for the individuals covered or affected by this policy, and addressing any specific queries or questions.
• Responding to requests from individuals outside the organisation pursuant to the regulations in place (such as providing access to any personal details held, correcting those details, or erasing data on request).
• Ensuring that third parties that might come under this policy are fully aware of their rights and responsibilities.
• Ensuring that all systems, services and equipment used for storing data meet acceptable security standards, and that data is maintained in encrypted form wherever possible.
• Performing regular checks and scans to ensure security hardware and software is functioning properly.

General staff guidelines

• Access to personal data covered by this policy should be restricted to those who need it for their work. Confidential personal data should not be shared informally.
• Staff should make every effort to keep data secure, by taking sensible precautions and following the guidelines described below.
• Personal data should never be disclosed to unauthorised people.
• Data should be regularly reviewed and updated to ensure that it remains accurate and relevant. If no longer required, it should be deleted and disposed of.
• Employees should request help if they are unsure about any aspect of data protection.

Data storage

When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts. In particular, these guidelines should be followed.

• Data should be protected by strong passwords that are changed regularly and never shared between employees.
• Data should only be stored on designated drives and servers, and should only be uploaded to an approved cloud computing services or maintained on approved cloud database services.
• Data should be backed up frequently and maintained in line with the company’s standard backup processes.
• Personal data should never be saved directly to external media or devices, except where essential for operational purposes.
• All servers and computers containing data should be protected by approved security software and a firewall.

On rare occasions where data is printed, the security of these printed materials should be ensured. When not required, this material should be kept in a locked location, and not left accessible to unauthorised individuals. Printed materials should be shredded or otherwise securely destroyed when no longer required.

Data use

When working with personal data, staff should make every effort to ensure that it remains secure. Data should not be left in a visible state while unattended, nor should it be share informally.

Data must be encrypted before being transferred electronically, and should only be transferred over approved secure channels. In particular, personal data should never be sent by e-mail, or through other similarly insecure forms of insecure communication.

Data accuracy

The law requires that reasonable steps be taken to ensure data is kept accurate and up to date at all times. It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.

• With the exception of essential backups, data redundancy and duplication will be minimised. Staff should not create any additional data sets unless absolutely necessary for their work.
• Staff should take every opportunity to ensure data is confirmed and updated whenever possible.
• Data should be updated and corrected whenever an inaccuracy is discovered.

Subject access requests

All individuals who are the subject of personal data are entitled to:

• Ask what information the company holds about them and why.
• Ask how to gain access to it.
• Be informed how to keep it up to date.
• Be informed of the ways the company is meeting its data protection obligations.

A subject access request describes the action of an individual contacting Axiom requesting information of this kind. Requests like this should be made by e-mail, addressed to any standard Axiom Software address. It is the responsibility of staff receiving subject access request to ensure that they are routed to the correct individual or department to efficiently handle the request. For candidate information, this may involve liaison with the client responsible for maintaining that data.

The data controller will always verify the identity of anyone making a subject access request before handing over any information. Individuals will be charged £10 per subject access request. The data controller will aim to provide the relevant data within 14 days.

In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject. Under these circumstances, after ensuring such a request is legitimate, the requested data will be disclosed.

Further details of our and your legal obligations and duties can be found at the Information Commissioner's web site http://ico.org.uk.