General Data Protection Regulations (GDPR)
1 Purpose
This document is designed to set out Away From My Desk Limited and Away From My Desk Remote Support Limited’s compliance with the General Data Protection Regulations (GDPR). It sets out the seven principles of the GDPR and how Away From My Desk performs against each of these.
Away From My Desk Limited is owned and based in the United Kingdom which offers a fully managed service from order through installation and post-sales support by telephone, email and remote management for a single annual fee.
2 Away From My Desk Company Information
2.1 Limited Company Information
Away From My Desk Limited is a limited company registered in England and Wales, whose company registration number is 07333624 with a registered office address of 20 Apex Court, Woodlands, Bradley Stoke, Bristol BS32 4JT.
This document also covers Away From My Desk Remote Support Limited (for the IG Tool for Rescue solution) which is a limited company registered in England and Wales, whose company registration number is 09711508 with a registered office address of 20 Apex Court, Woodlands, Bradley Stoke, Bristol BS32 4JT.
Away From My Desk Remote Support Limited is wholly owned by Away From My Desk Limited as a subsidiary of Away From My Desk.
To contact us about GDPR or Data Protection please email us on [email protected] or call us on 0117 325 0060.
2.2 Information Commissioners Office (ICO) Registration
In line with our GDPR compliance, Away From My Desk Limited and Away From My Desk Remote Support Limited are registered with the Information Commissioners Office (ICO).
Data Controller / Company Name | ICO Reg Number | Registration Expiry
Away From My Desk Limited | Z3489450 | 03 January 2020
Away From My Desk Remote Support Limited | ZA272584 | 20 August 2019
2.3 Cyber Essentials
Under the Cyber Essentials scheme, which is backed by Government and supported by industry, organisations can apply for certification, which recognises the achievement of government-endorsed standards of cyber hygiene.
Away From My Desk undertook the Cyber Essentials Certification in January 2019. The systems and processes used are shared with Away From My Desk Remote Support, so this certificate covers both companies. Recertification will take place annually.
Issued By | Date | Certificate Number | Recertification Due
IASME | 24th January 2019 | IASME-A-09442 | January 2020
3 Lawfulness, Fairness and Transparency
3.1 General Data Protection Regulations Article 5(1)(a)
GDPR Article 5(1)(a) requires that personal data shall be: “processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’)”
3.2 Personal Data
“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
We may obtain and use the following Personal Data about you:
- Customer Account and Registration Data – this includes information you provide to create your account with us or register for events, webinars, surveys etc. and may include first and last name, billing information and a valid email address.
- Service Data (including Session and Usage data) – When you use our Services, we receive information gathered through the use of the Service, either entered by you or from the Service infrastructure itself (for example, session duration, connection information etc.). We may also collect usage and log data about how the services are accessed and used, including information about the device you are using the Services on, IP addresses, location information, language settings, what operating system you are using, unique device identifiers and other diagnostic data to help us support the services.
- Third Party Data – we may receive information about you from other sources, including publicly available databases or third parties from whom we have purchased data, and combine this data with information we already have about you. We may also receive information from other affiliated companies that are a part of our corporate group. This helps us to update, expand and analyse our records, identify new prospects for marketing, and provide products and services that may be of interest to you.
- Location Information – We collect your location-based information for the purpose of providing and supporting the service and for fraud prevention and security monitoring. If you wish to opt out of the collection and use of your location information, you may do so by turning it off in your device settings.
- Device Information – When you use our Services, we automatically collect information on the type of device you use, operating system version, and the device identifier (or “UDID”).
3.3 The lawful basis for processing
The lawful bases for processing this data fall under Article 6:
- (b) Contract – The processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract. Our contract also covers trials.
- (c) Legal obligation – The processing is necessary for us to comply with the law, for example recording transactional information for tax purposes.
- (f) Legitimate interests – The processing is necessary for our legitimate interests such as service improvements, type of use and systems used.
We do not process any special category data or criminal offence data of our customers.
3.4 Fair Processing
Away From My Desk will always process your personal data fairly. We will ensure that individuals are treated fairly when exercising their rights over their data, including updating or removing their data.
3.5 Transparent Processing
Away From My Desk aims to always be transparent about who we are, what data we may collect and store and the reasons why, including how we protect your information. Throughout this document you will see what personal data we may obtain about you, the purpose for processing this personal data, our retention periods for that personal data and who it will be shared with where relevant.
Away From My Desk’s policies will be reviewed and updated regularly to ensure compliance with the General Data Protection Regulations.
4 Purpose Limitation
4.1 General Data Protection Regulations Article 5(1)(b)
GDPR Article 5(1)(b) requires that personal data shall be: “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’)”
4.2 Purpose Use
Away From My Desk may access and use the data we collect as necessary (a) to provide and maintain the Services; (b) to address and respond to service, security, and customer support issues; (c) to detect, prevent, or otherwise address fraud, security, unlawful, or technical issues; (d) as required by law; (e) to fulfil our contracts; (f) to improve and enhance the Services; (g) to provide analysis or valuable information back to our Customers and users.
Some specific examples of how we use the information:
- Create and administer your account
- Send you an order confirmation
- Facilitate and improve the usage of the services you have ordered
- Assess the needs of your business to determine suitable products
- Send you product updates, marketing communication, and service information
- Respond to customer enquiries and support requests
- Conduct research and analysis
- Display content based upon your interests
- Analyse data, including through automated systems and machine learning, to improve our services and/or your experience
- Provide you information about your use of the services and benchmarks, insights and suggestions for improvements
- Market services of our third-party business partners
If Away From My Desk plans to use or disclose personal data for any purpose that is additional to or different from the originally specified purpose, we will ensure that the new use is fair, lawful and transparent. In this instance we will ensure that the new purpose is compatible with the original purpose, or we will gain specific consent for the new purpose, or we will point to a clear legal provision requiring or allowing the new processing in the public interest, for example a new function for a public authority.
4.3 Data Subject Rights
In addition to the policies and procedures mentioned, we ensure that individuals can enforce their data protection rights. We provide easy-to-access information in the office and during induction about an individual’s right to access any personal information that Away From My Desk Limited processes about them and to request information about:
- What Personal Data we hold about them
- The purpose of the processing
- The categories of personal data concerned
- The recipients to whom the personal data has been or will be disclosed
- How long we intend to store their personal data for
- If we did not collect the data directly from them, information about the source
- The right to have incomplete or inaccurate data about them corrected or completed and the process for requesting this
- The right to request erasure of personal data (where applicable) or to restrict processing in accordance with data protection laws, as well as to object to any direct marketing from us and to be informed about any automated decision-making that we use
- The right to lodge a complaint or seek judicial remedy and who to contact in such instances
4.4 Subject Access Request (SAR)
Away From My Desk’s SAR procedures accommodate the revised 30-day timeframe for providing the requested information and for making this provision free of charge. Our procedures detail how to verify the data subject, what steps to take for processing an access request, what exemptions apply, and a suite of response templates to ensure that communications with data subjects are compliant, consistent and adequate.
5 Data Minimisation
5.1 General Data Protection Regulations Article 5(1)(c)
GDPR Article 5(1)(c) requires that personal data shall be: “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)”
5.2 Data required
Away From My Desk has identified the minimum amount of personal data we require to fulfil our obligations and in order to provide your contracted services. We do not request or hold any further information than this.
5.3 Deletion of Personal Data
The personal data we hold is periodically reviewed and any information we no longer require is deleted.
6 Accuracy
6.1 General Data Protection Regulations Article 5(1)(d)
GDPR Article 5(1)(d) requires that personal data shall be: “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)”
6.2 Incorrect or Misleading Data
Away From My Desk takes all reasonable steps to ensure that the personal data we hold is not incorrect or misleading as to any matter of fact. In order to achieve this, we make regular calls to the practice or individuals to check their information. In addition to this, we regularly request that information is updated with us should things change, for example job title, the address of your organisation, or if you leave a practice or the NHS, and this is included in our Terms of Service.
6.3 Correction of Incorrect Data
If Away From My Desk discovers that personal data is incorrect or misleading, we will take reasonable steps to correct or erase this information as soon as possible and keep a record of any challenges to the accuracy of the personal data.
6.4 Right of Rectification or Erasure
Individuals have the right to complete any incomplete data which is inadequate for our purpose, under the right to rectification. They also have the right to ask us to delete any data that is not necessary for our purposes, under the right to erasure (right to be forgotten).
7 Storage Limitation
7.1 General Data Protection Regulations Article 5(1)(e)
GDPR Article 5(1)(e) requires that personal data shall be: “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’)”
7.2 Data Retention – During Contract
Away From My Desk will retain your information as long as your account with us is active, and then for up to six months thereafter in case of re-subscription and for our own internal administrative purposes, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. All data pertaining to customer accounts is automatically removed after six months.
7.3 Data Retention – After Termination Of Contract
After this six-month period, aside from the financial records discussed below, all information will be deleted, or anonymised in the case of statistical and historical reports required for us to analyse our business and processes.
In the case of financial records, Away From My Desk will retain the relevant information for tax purposes for 7 years in order to comply with legal obligations.
8 Integrity and Confidentiality (Security)
8.1 General Data Protection Regulations Article 5(1)(f)
GDPR Article 5(1)(f) requires that personal data shall be: “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)”
8.2 Data Security
Away From My Desk has appropriate security to prevent the personal data we hold being accidentally or deliberately compromised. This is managed through technical and organisational measures to ensure compliance with the General Data Protection Regulations.
Away From My Desk has undertaken a full analysis of the risks presented by our processing of personal data to assess the appropriate levels of security required to protect the information. When deciding what measures to implement, we take account of the state of the art and the costs of implementation.
We have robust information security policies and procedures in place to protect personal information from unauthorised access, alteration, disclosure or destruction and take steps to make sure that this is implemented. We make sure that we regularly review our information security policies and measures and, where necessary, improve them.
Away From My Desk understands the requirements of Confidentiality, Integrity and Availability for the personal data we process. We make sure that we can restore access to personal data in the event of any incidents by establishing appropriate backup processes and test these to ensure data can be restored easily if necessary. We conduct regular testing and reviews of our measures to ensure they remain effective, and act on the results of those tests where they highlight areas for improvement. We ensure that any data processor we use also implements appropriate technical and organisational measures.
8.3 Technical Measures
Away From My Desk has completed the Cyber Essentials Framework to ensure basic compliance and has put in place additional technical measures to protect and secure personal data. We take the privacy and security of individuals and their personal data very seriously and take every reasonable measure and precaution to protect and secure the personal data that we process. We have robust information security policies and procedures in place to protect personal information from unauthorised access, alteration, disclosure or destruction and have several layers of security measures, including:
- Patching – We have automated systems in place that monitor the versions and vulnerabilities in all the projects that power Away From My Desk.
- Encryption At Rest – Our database has automatic encryption at rest, cloaking your data in another layer of protection.
- Cross Site Request Forgery Tokens – We verify CSRF tokens at every point possible to ensure your data can’t be tampered with by malicious third parties.
- HTTP Strict Transport Security – Our application forces all requests over HTTPS, ensuring all traffic is secured in transit and protecting against protocol downgrade attacks.
- Regular External Pen Tests – We test our own product regularly by hiring specialist security friendlies to attack us from the outside and in.
- Security Checks On Build – We have automated safeguards in place to check our code for potential issues before anything goes live.
- Two Factor Authentication – We support (and encourage) Away From My Desk users to use our two-factor authentication mechanism for additional user account protection.
- Private Key Authentication – Where supported, we always use trusted certificate based private key authentication.
- Code Review – We draw on industry experience both internal and external to ensure our code is readable and maintainable. This helps us develop secure systems with ease and confidence.
- High Availability – We’ve designed Away From My Desk to ensure high availability throughout the platform. At every layer of the stack we have a suite of contingency mechanisms, including automatic failover, to ensure 24/7 application availability.
- SSL/TLS – All traffic between Away From My Desk and the user’s browser is encrypted in transit. We support TLS exclusively, using only strong cipher suites.
- Secure Software Development Life Cycle – We put security at the heart of all our feature design and builds to ensure we are always maintaining our standards at 100%.
- Automated Tests – We have automated test suites to verify that team members can only see what they are supposed to.
- Key Management – We keep our keys secret and out of version control, to ensure access to critical resources cannot be compromised.
- Customer Data Regulation – We never move user data out of the secured environment for testing or any other reason. Your data will always stay where it’s put.
- Access Controls – We have secure directory servers in place to ensure that access is restricted to those who should have access and to prevent access by others.
- Password Policy – We have a network password policy in place to ensure that strong, secure passwords are used to access our systems which are changed regularly.
- Pseudonymisation Processes – We pseudonymise user names for our subscription services to ensure that they are secure. Any information gathered that is shared with others, for example CCGs, is collected anonymously and shared without disclosing users’ details. Un-anonymised data is only provided to the purchasing organisation.
- IT Systems – Our IT systems are designed with privacy in mind to ensure that everything is as secure as possible, which always comes before functionality.
8.4 General Data Protection Regulations Roles and Employees
Away From My Desk Limited has designated Rob Morrow as our Appointed Person and has appointed a data privacy team to develop and implement our roadmap for complying with the new Data Protection Regulations. The team is responsible for promoting awareness of the GDPR across the organisation, assessing our GDPR readiness, identifying any gap areas and implementing the new policies, procedures and measures.
Away From My Desk Limited understands that continuous employee awareness and understanding is vital to continued compliance with the GDPR and involved our employees in our preparation plans prior to implementation. This is further backed up by including GDPR in our induction and annual training programmes.
9 Accountability Principle
9.1 General Data Protection Regulations Article 5(2)
GDPR Article 5(2) adds that “The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
9.2 Accountability
Away From My Desk takes responsibility for complying with the GDPR at the highest management level and throughout our organisation, and keeps evidence of the steps we take to comply.
As described above, we put in place appropriate technical and organisational measures. Away From My Desk takes a data protection by design and by default approach by putting appropriate data protection measures in place throughout the entire lifecycle of our processing operations. We put in place written contracts with organisations that process personal data on our behalf and ensure that they are also governed by either the same or equivalent legislation, such as the US Privacy Shield.
Away from My Desk reviews its accountability measures regularly and updates them where necessary.