Who is DT Information Governance?
DT Information Governance Ltd is a privately-owned training and consultancy company. I carry out these services for a range of clients, and it is very important to me that I respect the privacy and protection of personal data. This Privacy Notice sets out how I process personal data (information) that I may collect during my work with you or when you contact me, how I will use it responsibly and how I keep it safe and secure. It also demonstrates my commitment to complying with the EU and UK versions of the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA).
DT Information Governance Ltd is the ‘Controller’ of the personal data you provide. As there is only one person in the company, the Data Protection Officer is me, Deborah Topping. You can contact me at firstname.lastname@example.org.
What data I need
I collect personal data about you that includes name, address, email and contact number.
I will not ordinarily collect any special categories or types of information such as health information (unless this is necessary for food allergies or accessibility on one of my public courses); and I will not collect any personal data from you that I do not need in order to provide the services to you.
How I get the information and why I have it
Most of the information I process is provided to me directly by you for one of the following reasons:
- You are a client that I am working with and I need to collect this information to enable me to work with you;
- You have asked or agreed (consented) to join my mailing list where I may provide you with updates on my services;
- I am monitoring contracts and performance of these;
- You are joining a training course with me;
- You have visited my website and cookies have been applied or accepted.
I may also receive information indirectly, from the following sources in the following scenarios:
- Your employer, organisation or group if they are my client;
- The charity that you are a trustee or volunteer for when the charity is my client.
I will also use the data or information you provide to me to create invoices which will be recorded on my invoice/payment records.
Why I need it: the lawful or legal bases
I have a number of lawful or legal bases for processing your information in line with GDPR. These vary depending on the work or support I am providing to you.
Where I have agreed to work with you, or to provide you with training, the legal basis will be a contractual obligation.
Where you have joined my mailing list, the legal basis will be consent. You are able to withdraw or remove your consent at any time by contacting me at email@example.com.
To enable me to operate and administer my business, and to ensure that I can plan my business effectively, I have a legitimate interest in processing some personal information. This helps me to remain accountable to my clients.
How I store your personal data
Keeping personal data safe and secure is important to me and I have policies and procedures to do this.
I use Microsoft 365 (business version) to store your personal data and emails. Where possible I will store your data in the UK, however, the service provider may use storage facilities outside the UK, EU or EEA. Where this is necessary I undertake appropriate due diligence and ensure additional safeguards are in place.
My devices are protected by a passcode, fingerprint authentication or two-factor authentication (2FA), and all software, including antivirus and firewall software, is kept up to date.
I ensure that I have contracts in place for any external service providers such as my accountant, who may have access to name and address for the purpose of preparing accounts.
I do not…
I do not allow any other third parties to have access to your personal data unless I am required to share your data with them by law or I am ordered to do so by a Court.
I do not knowingly transfer your personal data to third countries outside of the EEA. I do not make automated decisions on your data, nor do I use your data for profiling purposes.
How long I keep your personal data
I have a retention schedule which details how long I keep data for. In general, I will keep it for the period that is required by law. For example, financial records or HMRC records will be kept for 6 years, and contracts will be kept for 6 years after the end date of the contract. I may keep personal data for longer if you have consented to me keeping it or you have asked me to keep it.
When I no longer need to keep your personal data, I will then dispose of this by secure shredding (paper records) or by secure and permanent deletion (electronic records).
What are your rights?
You have a number of rights relating to the processing of your personal data. You can ask to see the personal data that I hold about you (known as a Subject Access Request), or ask me to correct it or have it deleted.
Where you have provided personal data with consent, you can withdraw this consent at any time. Please send an email to firstname.lastname@example.org with the subject “withdraw consent” if you wish to do this.
You are not required to pay any fee for exercising your rights. If you do make a request, in most circumstances I have one month to respond to you. Please contact me at email@example.com if you wish to make a request.
More information on your rights can be found on the Information Commissioner’s website at www.ico.org.uk.
If you wish to raise a complaint on how I have handled your personal data, you can contact me and I will investigate the matter as I would like the opportunity to resolve this with you.
If you are not satisfied with my response, or believe I am not processing your personal data in accordance with the law, you can complain to the Information Commissioner’s Office at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, Telephone 0303 123 1113 (local rate), or by using the online reporting form on their website at www.ico.org.uk.