Data Protection Policy
The Data Protection Act 1998 (the Act) and the EU GDPR 2018 regulate the way in which all personal data is held and processed. This is a statement of the data protection policy adopted by GroundTruth Consulting Ltd (‘GCL’).
In order to operate efficiently GCL needs to collect and use information about the people with whom we work. This includes current, past and prospective employees, contractors, consultants, professional experts, stakeholders, delegates and others with whom we communicate.
GCL regards the lawful and correct treatment of personal information as integral to our successful operations and to maintaining the confidence of the people we work with. To this end we fully endorse and adhere to the principles of the Act and GDPR.
GroundTruth Consulting Ltd is the ‘Data Controller’ under the Act and GDPR which means that it determines what purposes personal information held, will be used for. The ‘Data Subject’ is all those with whom we work with and hold personal data of. Data processors are all those working on behalf of GCL who process such ‘data’ within the systems of GCL.
The purpose of this policy is to ensure that everyone handing personal information at GCL is fully aware of the requirements of the Act and GDPR and further complies with data protection procedures and that data subjects are aware of their rights under the Act and GDPR.
Scope: information covered by the Act and GDPR
‘Personal data’ covered by the Act and GDPR is essentially any recorded information, which identifies a living individual. Personal data held by GCL will include contact information for a variety of stakeholders and other personal details.
Sources of data
We may obtain your personal data from a number of different sources:
- From when you contact GCL with an enquiry or in response to a communication from GCL
- From a registration or booking form when you first attend a training programme
- From course attendance documents supplied by your employer
- From you or your associates in response to opportunities of work
What type of data do we collect?
We collect the following types of information:
- Your name
- Your email address
- Home address
- Telephone number
- How your conduct and manage your account(s) with us;
- Your use of GCL products
- Debit or credit card details, banking details and other payment information;
- CCTV footage (security purposes)
- Medical history
When we collect Personal Data from you we do so under one or more of the following Lawful Bases:
- Contract: the processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract with GCL
- Consent: you have given clear consent for GCL to process your Personal Data
- Legitimate interests: the processing is deemed as necessary by the ‘controller’ in view of legitimate interests for the operational running of business programmes
- Legal obligation: the processing is necessary in order to for the controller (GCL) to comply with the law
- Vital interests: processing is necessary to protect the vital interest of the data subject (you)
- Public interest: processing is necessary in view of public interest
The principles of the Act and GDPR require that personal information must:
- Be processed fairly and lawfully
- Not be used for a purpose for which it was not collected
- Be adequate, relevant and not excessive for the purpose
- Be accurate and up-to-date
- Not be kept longer than necessary
- Be processed in accordance with the data subject’s rights
- Be kept secure and protected from unauthorised processing, loss or destruction
- Be transferred only to those countries outside the European Economic Area that provide adequate protection for personal information.
In order to meet the requirements of the principles GCL will:
- Fully observe conditions regarding the fair collection and use of information
- Meet its legal obligations to specify the purposes for which information is used
- Collect and process appropriate information and only to the extent that it is needed to fulfil operational needs or to comply with any legal requirements
- Ensure the quality of the information used
- Hold personal information on GCL systems for as long as is necessary for the relevant purpose, or as long as is set out in any relevant contract held or Legal obligations
- Ensure that the rights of people about whom information is held can be fully exercised under the Act and GDPR, these include:
- The right to be informed that processing is being undertaken.
- The data subject’s right of access to their personal information.
- The right to prevent processing in certain circumstances
- The right to correct, rectify, block or erase information, which is regarded as wrong information.
- The right to delete personal information held by GCL
- Take appropriate technical and organisational security measures to safeguard personal information
- Ensure that personal information is not transferred outside the EEA without suitable safeguards
How long will we keep your Data?
We keep information for as long as we need it for the purposes that it is being processed and depends on a set of variables such as:
- How long you have been a customer/client with us, the types of products or services you have with us, and when you will stop being our customer.
- How long it is reasonable to keep records to show we have met the obligations we have to you and by law.
- Any periods for keeping information which are set by law or recommended by regulators, professional bodies or associations.
- Any relevant proceedings that apply.
For example when we collect medical information for training courses or deployments we delete it one month after completion of the course or deployment.
For further advice, please contact the Managing Director.
GCL responsibilities for data protection and confidential information
GCL will ensure that:
- Everyone managing and handling personal information (processors) understands that they are responsible for following good data protection practice.
- This policy is available to each member of staff.
- Everyone (all processors) managing and handling personal information is appropriately trained and supervised.
- Queries about handling of personal information are promptly and courteously dealt with and clear information is available to all staff
All Staff are made aware of the requirements of the Act and the EU GDPR and how the regulations apply to them.
- All staff have a responsibility to ensure that they respect confidential information in their possession and maintain information security. Disclosure of confidential information gained as part of your employment to a third party, or assisting others in disclosure, will be viewed by GCL with the utmost seriousness.
- All staff are responsible for ensuring personal information is kept no longer than is necessary. For further advice, please contact the Managing Director.
Privacy statement GCL
GCL respects your privacy. The information that you provide us with, or that is gathered automatically, helps us to monitor our services and provide you with the most relevant information.
Subject Access Requests
Under the Act and GDPR individuals have the right to access personal information GCL may hold about them, correct and request the deletion of personal data that is not held as a ‘Legal Obligation’ by the controller (GCL). If you wish to request such information please email firstname.lastname@example.org