Data protection and information security policy

Spiranti Limited is committed to protecting data privacy. We believe that we have a duty of care to
people contained within our data, and that data should only be collected and processed when absolutely
necessary. This policy explains how we collect and use the personal information provided to us during the
course of business operations, whether online or via phone, mobile, e-mail, letter or other
correspondence.

1. General provisions

1.1. This policy applies to all personal data processed by Spiranti Limited in the course of its
business activities.
1.2. Spiranti is registered with the Information Commissioner’s Office as an organisation that
processes personal data.
1.3. It is the personal responsibility of all employees and contractors of Spiranti Limited, and
anyone else processing information on our behalf, to comply with relevant data protection
legislation.
1.4. The company Directors will regularly review business activity to ensure ongoing compliance
with this policy.

2. GDPR

2.1. The EU General Data Protection Regulation (GDPR), effective from May 2018, gives all EU citizens more rights and protections for their personal data, to minimise the possibility of theft and fraud.

2.2. These regulations include provisions for the following areas:
• The right to be informed: Organisations must publish a privacy notice, in addition to explaining transparently how they use this personal data.
• The right of access: Individuals will have the right to demand details of any of their data that an organisation may hold. This information must be provided within one month of request at no charge to the individual.
• The right to rectification: If a person’s data is incorrect or incomplete, he or she has the right to have it corrected. If the organisation that holds the information has passed any of that information to third parties, the company must inform the third party of the correction and inform the person which third parties have their personal data.
• The right to be forgotten: A person may request the removal of his or her personal data in specific circumstances.
• The right to restrict processing: Under certain circumstances, an individual can block the processing of his or her personal data.
• The right to data portability: A person can access their data for their own use anywhere they prefer.
• The right to object: A person can object to the use of their personal data for most purposes.

2.3. Spiranti regularly reviews and updates its business practices and policies to ensure compliance with the following national and international legislation with regard to data protection and user privacy:
• UK Data Protection Act 1988 (DPA)
• EU Data Protection Directive 1995 (DPD)
• EU General Data Protection Regulation 2018 (GDPR)

2.4. Our compliance with the above legislation, all elements of which are stringent in nature, means that Spiranti Limited is likely to be compliant with the data protection and user privacy legislation set out by many other countries and territories as well.

3. Data Protection Act

3.1. In carrying out our day-to-day activities, Spiranti Limited processes and stores personal information, and we are therefore required to adhere to the requirements of the Data Protection Act 1998. We take our responsibilities under this Act very seriously and we ensure the personal information we obtain is held, used, transferred and otherwise processed in accordance with that Act and all other applicable data protection laws and regulations including, but not limited to, the Privacy and Electronic Communication Regulations.

4. Lawful purposes

4.1. All processing of data by Spiranti is carried out on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests.

5. Data minimisation

5.1. Spiranti Limited shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

6. Data accuracy

6.1. Spiranti Limited aims to ensure that all information we hold is accurate and, where necessary, kept up to date.

6.2. If any of the personal information we hold is inaccurate, and we are notified by a client or otherwise become aware of this, we will ensure it is amended and updated as soon as possible.

7. Deletion of personal data

7.1. To ensure that personal data is kept for no longer than necessary, Spiranti Limited shall implement an annual review of all personal data kept on Spiranti systems.

7.2. This review process shall consider what data should/must be retained, for how long, and why.

7.3. Personal data which no longer needs to be kept on Spiranti systems shall be deleted.

8. Electronic and physical data security

8.1. Spiranti Limited recognises that personal and confidential information should be kept secure, using an appropriate level of physical security.

8.2. Spiranti Limited will store confidential information in such a way as to ensure that only authorised persons can access it.

8.3. Each Spiranti user has a unique user ID and password that is subject to a system-enforced change on a regular basis. External access is only permitted through use of the SharePoint Server and Microsoft Exchange domain set up by the Company.

8.4. All confidential material must be disposed of using confidential waste bins or shredders. In particular, client confidential waste must be shredded.

9. Data Breaches

9.1. In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, Spiranti Limited shall promptly assess the risk to people’s rights and freedoms and, if appropriate, report this breach to the ICO.

10. Information sharing and disclosure

10.1. As part of our day-to-day operations we may share personal data with our data processors. These are trusted partner organisations that work with us in connection with our organisation’s purposes.

10.2. All our trusted partners are required to comply with data protection laws and our high standards and are only allowed to process your information in strict compliance with our instructions.

10.3. We will always make sure appropriate contracts and controls are in place and we regularly monitor all our partners to ensure their compliance.

10.4. Spiranti may disclose personal information to third parties if we are required to do so through a legal obligation (for example to the police or a government body); to enable us to enforce or apply our terms and conditions or rights under an agreement; or to protect us, for example, in the case of suspected fraud or defamation.

10.5. Although most of the information we store and process stays within the UK, some information may be transferred to countries outside the European Economic Area. This may occur if, for example, one of our trusted partners’ servers is located in a country outside the EU. These countries may not have similar data protection laws to the UK; however, we will take steps with the aim of ensuring data privacy continues to be protected as outlined in this policy.

11. Upholding the rights of data subjects

11.1. Spiranti Limited recognises that data subjects have the right to:
• request a copy of the information we hold about them;
• update or amend the information we hold about them if it is wrong;
• change their communication preferences at any time;
• ask us to remove their personal information from our records;
• object to the processing of their information for marketing purposes; or
• raise a concern or complaint about the way in which their information is being used.

11.2. Spiranti Limited will collaborate with our clients, upon request, to ensure the rights of data subjects are upheld.

12. Staff training

12.1. Spiranti Limited is committed to providing sufficient education and training to staff and contractors to ensure they understand the importance of data information security and, in particular, exercise appropriate care when handling personal and confidential information.

Spiranti Limited
10 August 2018