Data Protection Officer : APDI(SW)
Contact : Andy Morrison
07815 613436, email: firstname.lastname@example.org
Nature of Data Held
For members of the Association we hold: Name, address, phone number and email address.
In order to respond to enquiries from this site, we ask for your name plus email address and / or phone number. This gives us the opportunity to personalise your reply and contact you using your preferred contact method.
This information is kept solely for the purpose of answering your original enquiry. Once the enquiry has been satisfactorily dealt with, your personal data are deleted permanently from the online database.
If we are unable to contact you and your enquiry remains incomplete for 180 days, the information is deleted, regardless of there having been no satisfactory conclusion to the enquiry.
Data Held for Association Members
Contact information is held for the purpose of:
• Sending you the Association minutes
• Other industry related information
• Information about social events
Data held relating to visitors
Contact information is held for the purpose of:
• Responding to your enquiry
Making the reasonable assumption that having asked a question via our web site enquiry page, that you are entitled to and expect an answer, we claim your consent to reply by your chosen means, e.g. email or phone. Once your enquiry has been dealt with, we assume no further consent to use your personal data, which are then removed from the online database.
This section defines the policy for managing data throughout Apdisw of (apdi.info web site), hosted on a dedicated server located in the data centre belonging to Names Co Ltd.
Data held by the organisation for the purposes of carrying on its day to day business may be at risk of leakage or loss through the following means:
• Data Theft through hacking (Cyber Crime)
• Data Theft from the Cloud
• Data Theft through embezzlement
• Data Theft through hardware loss
• Physical damage to equipment
• End of equipment life risks
In order to minimise risks, the number of copies of data held is minimised, commensurate with protection against data loss. In this case, this means that no portable device is ever used as a data repository. All data relating to customers, prospects and enquirers is held on one of the dedicated web servers in the Names Co data centre. For day to day use, this is accessed via a single account that does not have root privileges. Only permanent members of the committee have the login credentials for this account. Only one person has login credentials for the root account on any of our servers.
Our database is held on servers used are all protected by firewalls, and all security patches or updates are applied as soon as they become available by the one person responsible for security.
Data Theft Through Hacking
All personally identifiable data is held on a dedicated web server located in the UK and maintained by Names Co. This is protected by a firewall which is updated regularly.
Access to the database that holds such data is also restricted by a separate login with different credentials to the root user, connection being made via https web pages. See General Considerations for the policy regarding password generation, which is applied to all systems used by APDI(SW) of , both on line and internally.
For disaster recovery purposes, the contents of the web server are backed up to a NAS unit in the main office. The backup is a snapshot of only the latest data and only the most recent backup file is retained in between weekly backup sessions, so that no obsolete data can be accessed or restored once removed from the main database (allowing a week of latency added to our regular data review cycle, as laid out in our Data Retention Term document).
Data access for employees is granted at a level where they can carry out the necessary procedures for their work through https web pages. These pages do not allow download of the database contents and nobody other than the responsible person has access to the database as root user.
Data Theft Through Equipment Loss
To prevent loss of data with equipment, no unlocked device that is used outside the office carries any sensitive data relating to the business or to the people that it deals with.
Damaged and End of Life Equipment
In the event of damage to equipment rendering it no longer serviceable, the hard drive will be removed and physically destroyed before disposal of the remaining hardware.
Where equipment has reached the end of its service life and is to be sold as used, the internal hard drive will either be replaced or completely erased and the OS replaced before sale.
Data Access Policy
Under the provision of the General Data Protection Regulation, you have the right to request to view, or have removed any data held relating to you as a natural person.
This can be requested direct to the DPO.
Right to be Forgotten Policy
Under the provisions of the General Data Protection Regulation, you have the right for all data held relating to yourself to be completely and permanently erased.
Note : Removal of all data may impact on our ability to provide a service to you.
The Regulation also provides for this information being removed from all backup copies and other repositories in the organisation. To ensure that this requirement is followed, APDI(SW) adopts the following practices:
• Only one copy of the database exists for each day over the past 7 days. This is held on a remote server in a secure data centre
• For disaster recovery
• The backup is a snapshot of the most recent data for each day of the week.
• Every week that backup file is overwritten with the latest data
• In case of a backup being restored, the responsible individual is required to manually reconcile any RTBF requests that may have been overridden by the restoration
Please note that the database is backed up daily with each days backup held for one week so there will be a latency of seven days between removal from the active database and removal from all backup copies.
Data Retention Policy
Your data is held until satisfactory conclusion of your enquiry or until you are no longer using our services.
Enquiry info is held in the database for no more than 3 days. This is to ensure we can respond to them even if there is an issue with email delivery. No automated processing of data is carried out on the database holding your information, other than a regular check for expired data. To ensure compliance with our policies, every day, the database is queried for entries that are greater in age than the number of days laid out in our Data Retention Terms Policy.
If found, the record and all associated data are automatically deleted from the active database. The active database is backed up daily, overwriting the previous copy from the same day the week before, so there will be a latency between deleting from the active database and the backup version. This will mean a possible delay of a maximum of seven days before final eradication of over-age data.