In order to provide services to clients, ChangeWave collects, collates and analyses business and personal data from its clients and from people involved in the client’s business, business partners, associates and business contacts. Data Subjects are the people about whom we store personal data; information about companies is treated with the same care. This information needs to be handled carefully to ensure appropriate confidentiality is maintained.
This document describes the information security operating principles to be adopted by ChangeWave and by people working for ChangeWave. These principles are aimed at providing appropriate data security for a small organisation and compliance with the EU General Data Protection Regulation (GDPR), which comes into force on 25 May 2018.
In the normal course of business, routine contact details for clients and people involved in the client’s business, suppliers, business partners and others will be collected to facilitate ongoing communication. This includes business contact data such as name, role, telephone numbers and email addresses. ChangeWave will not seek formal consent to store this business contact data but recognises its sensitivity as described below.
During formal discussions and contracting with clients, potential clients, business partners and associates, ChangeWave will explicitly recognise and advise that data, both personal and business related, will be collected and processed in order that ChangeWave can provide services in a professional manner.
Four classes of information are envisaged:
Ways in which data are collected include but are not limited to: meeting notes, coaching logs, psychometric test results, personal objectives, answers to questionnaires, 360 degree / other feedback and performance reviews, interviews with staff prior to team meetings and workshops and team meeting and workshop slides and outputs.
The above information classes will be treated separately.
Business contact data and personal contact data
This information is primarily contained in contacts databases, emails and appointment calendars. ChangeWave will use externally hosted email, contacts and calendar services. A professional, established application with active security oversight and updating will be utilised. (Currently Microsoft Exchange is used through the Office 365 subscription; the service is patched and maintained by the provider, while the configuration of ChangeWave’s own accounts remains ChangeWave’s responsibility.) All information exchanged with the service provider will be encrypted in transit. Encryption in transit protects the data from interception on the way to the service; it does not protect against anyone who gains access to a ChangeWave account, so account credentials must be protected with the same care as the data itself. The service provider is expected to comply with all relevant EU regulations and standards in securing the data within its services.
Where there is a reasonable expectation that introducing one person to another will be beneficial, ChangeWave will request permission to share contact email and other contact details with the other party.
Contact data is stored by ChangeWave personnel for as long as it is considered useful for normal business needs, and is deleted when it is no longer needed.
Sensitive Personal and Company Data
Electronic versions of data will be stored on the internal ChangeWave network. Any paper copies or hand-written notes will be stored securely at ChangeWave’s office.
Such data will be shared only with Data Subjects and others whom they have specified.
ChangeWave will always request a client’s permission before using their feedback in any testimonial or case study.
If we need to take electronic data outside of the ChangeWave office, this data will be carried in encrypted form (for example on an encrypted device or in an encrypted file). A password-protected file is acceptable only where the password protection actually encrypts the contents; a password that merely restricts opening or editing a document does not protect the data if the file is lost.
Most of our clients require us to have Professional Indemnity Insurance, and insurers require the related data to be held for 7 years. This is our default storage period. Seven years after a programme or piece of work is completed, all paper versions will be shredded and electronic copies deleted.
Data Subjects have a number of statutory rights, and how we handle these is covered below:
If any ChangeWave employee, associate or supplier becomes aware of a leak or security breach affecting sensitive information, or of a systemic loss of personal data (e.g. the mail service provider has suffered a theft of personal data), then the data controller must ensure that the relevant clients are contacted as soon as possible, advising them of the breach and the data lost, and that an action plan is agreed. Where the breach is likely to result in a risk to individuals, GDPR also requires the supervisory authority (the ICO in the UK) to be notified within 72 hours of ChangeWave becoming aware of it.
E Maguire is the Data Protection Officer and can be contacted at eddie.maguire@changewave.co.uk
This document has been approved by ChangeWave Directors. It will be reviewed at least annually and when material changes are required. Next review due before 1 May 2019