Data Protection Policy

This is the data protection notice of The Awareness Partnership, and of Graham Lee as an individual practitioner. In this document, "we", "the company”, "our", or "us" refer to The Awareness Partnership and to Graham Lee.

Introduction
In order to deliver our services we gather and use information about individuals and companies. No personal data is collected for purposes other than the delivery of these services.
These individuals include customers, suppliers, business contacts, employees and other people where we have a relationship.

Purpose
• Collect and store this personal data in line with data protection legislation
• Protect the rights of these persons
• Show that we are open, aware and compliant
• Minimise the risk of a breach of legislation

The Principles
The Data Protection Act 1998 sets out rules for processing personal information relating to living individuals. It applies to some paper records as well as those held in electronic form. The Act gives individuals certain rights. It also imposes obligations on those who record and use personal information to be open about how that information is used and requires them to follow the eight data protection principles.

Personal data must be processed following these principles so that data is:
• processed fairly and lawfully and only if certain conditions are met;
• obtained for specified and lawful purposes;
• adequate, relevant and not excessive;
• accurate and where necessary kept up-to-date;
• not kept for longer than necessary;
• processed in accordance with an individual's rights;
• kept in a secure manner;
• not transferred outside of the EEA without adequate protection;
The Act provides individuals with rights in connection with personal data held about them. It provides individuals with the right to access data concerning themselves (subject to the rights of third parties). It also includes the right to seek compensation through the courts for damages and distress suffered by reason of inaccuracy or the unauthorised destruction or wrongful disclosure of data. Requests for information access should be made to [email protected]. This information is provided without charge.
We comply with all the principles of this Act.

GDPR
The EU parliament approved GDPR (General Data Protection Regulation) which comes in force in May 2018. Its purpose, as described by the governing body (www.eugdpr.org) states:
“The EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organisations across the region approach data privacy.”

Considered issues
We have reviewed the following areas to identify where real needs to collect data exist and how we handle the resulting data.
What personal information is being collected?
The main data held by the company (or Graham Lee) is either contact information: names, addresses, email addresses, phone numbers, psychometric data in the form of personality reports, feedback reports, and meeting notes.
Who is collecting it?
It is collected by a single officer of the company.
How is it collected?
By agreement with a client as part of the contracted work, comprising online questionnaires, online feedback results, feedback interview notes, and ad hoc notes taken during meetings. Secondary data is accumulated over time through other communication systems such as email, mobiles and letters.
Why is it being collected?
The personal information has been minimised to a point where we have enough to complete the required tasks and no more. All stored, digital personal information is password protected, and all manual notes are stored in locked cabinets.
How will it be used?
The data is stored and used as part of our responsibility to ensure the efficient running of the services we provide. Stored data is retained for as long as a client continues to work with us.  We also retain stored data for 10 years after the end of a contract, because clients sometimes re-contract after an extended time-gap in requiring our services, and because we reserve the right, occasionally, to use anonymised information from this work as case studies for educational purposes.
Who will it be shared with?
The information is not shared with anyone outside The Awareness Partnership/Graham Lee, but it is held on a number of GDPR-compliant applications outside the company and, in some cases outside the EEA.

Fairness
It is important that we have a fair and transparent privacy notice. It is based on:
• Using information in a way that people would reasonably expect
• Thinking about the impact of your processing
• Being transparent and ensuring that people know how their information will be used. This means providing privacy notices or making them available, using the most appropriate mechanisms. In a digital context this can include all the online platforms used to deliver services.

Risks and Security
A single member of staff is designated as a ‘Data Processor’ and has the responsibility for ensuring data is collected, stored and handled appropriately. This is essentially controlled through system access.
We have made appropriate technical and organisational measures against unauthorised or unlawful processing of personal data and against accidental loss or destruction of or damage to personal data. Staff and other individuals should be aware that guidelines and regulations relating to the security of manual filing systems and the preservation of secure passwords for access to relevant data held on computer should be strictly observed.

Responsibilities
The ‘Data Controller’ is responsible for:
• Keeping the business updated about data protection responsibilities, risks and issues
• Handling data protection questions from customers and anyone else covered by this policy
• Dealing with requests from individuals to see the data we hold about them
• Ensuring all systems, services and equipment used for storing data meet acceptable security standards
• Performing regular checks and scans to ensure the policy is effective
• Evaluating any third-party services the company is considering using to store or process data

Staff Guidelines
The only people able to access data covered by this policy should be those who need it for their work.
• Consider all personal data to be confidential
• Data should not be shared informally
• Staff should keep all data secure (not leaving PCs unprotected, avoid printing and leaving records for others to see, etc.)
• In particular, strong passwords must be used and they should never be shared
• Data should be regularly reviewed, updated or deleted if it is found to be out of date
• When data is stored electronically it must be protected from unauthorised access

If you have any questions regarding the data we hold on you, please contact us at [email protected] and we will be happy to help.