ARIC DATA PROTECTION POLICY

ARIC  is registered under the Data Protection Act.  A link to our registration is below;

https://ico.org.uk/ESDWebPages/Entry/ZA038242

General Statement of Duties and Scope

ARIC is required to process relevant personal data regarding subjects of investigation, witnesses, business contacts, suppliers, complainants and clients as part of its operation and shall take all reasonable steps to do so in accordance with this Policy.

Data Protection Controller 

ARIC has appointed Alex Gardner as the Data Protection Controller (DPC) who will endeavour to ensure that all personal data is processed in compliance with this Policy and the Principles of the Data Protection Act 1998. The Freedom of Information Act 2000 and the Protection of Freedoms Act 2012 are also relevant to parts of this policy.

ARIC recognises The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) adopted 27 April 2016, the two-year transition period and the application date of 25 May 2018 and has been assessed as fully compliant.

The Principles 

ARIC shall so far as is reasonably practicable comply with the Data Protection Principles (the Principles) contained in the Data Protection Act to ensure all data is:-

  • Fairly and lawfully processed
  • Processed for a lawful purpose
  • Adequate, relevant and not excessive
  • Accurate and up to date
  • Not kept for longer than necessary
  • Processed in accordance with the data subject’s rights
  • Secure
  • Not transferred to other countries without adequate protection

Personal Data 

Personal data covers both facts and opinions about an individual where that data identifies an individual.  For example, it may include information necessary for tracing so will include dates of birth along with previous addresses.  Personal data may also include sensitive personal data as defined in the Act.

Consent

ARIC will only accept instructions where in its opinion it passes the test for “Consent”, you as a client must be able to prove to ARIC you have the subjects consent, this can be from your terms of contract with them for example.

Processing of Personal Data 

Consent may be required for the processing of personal data unless processing is necessary for the performance of the contract of employment. Any information which falls under the definition of personal data and is not otherwise exempt will remain confidential and will only be disclosed to third parties with appropriate consent.

ARIC processes some personal data for direct marketing and fund-raising purposes, data subjects have the right to request an opt-out to these activities, which must be respected.

Sensitive Personal Data 

ARIC, as part of its very raison d’être is required to process sensitive personal data.  Sensitive personal data includes data relating to medical information, gender, religion, race, sexual orientation, trade union membership and criminal records and proceedings.

Rights of Access to Information 

Data subjects have the right of access to information held by the ARIC, subject to the provisions of the Data Protection Act 1998 and the Freedom of Information Act 2000.  Any data subject wishing to access their personal data should put their request in writing to the DPC.  ARIC will endeavour to respond to any such written requests as soon as is reasonably practicable and in any event, within 30 days for access to records and 14 days to provide a reply to an access to information request.  The information will be imparted to the data subject as soon as is reasonably possible after it has come to ARIC’s attention and in compliance with the relevant Acts.

Exemptions

Certain data is exempted from the provisions of the Data Protection Act which includes the following:-

  • National security and the prevention or detection of crime
  • The assessment of any tax or duty
  • Where the processing is necessary to exercise a right or obligation conferred or imposed by law.

The above are examples only of some of the exemptions under the Act.  Any further information on exemptions should be sought from the DPC.

Accuracy 

ARIC will endeavour to ensure that all personal data held in relation to all data subjects is accurate. Data subjects have the right in some circumstances to request that inaccurate information about them is erased. This does not apply in all cases, for example, where records of mistakes or corrections are kept, or records which must be kept in the interests of all parties to which they apply.

Enforcement 

If an individual believes that ARIC has not complied with this Policy or acted otherwise than in accordance with the Data Protection Act, then they should notify the DPC if they feel it is the DPC at fault they should seek guidance from the Information Commissioners Office.

Data Security

ARIC will take appropriate technical and organisational steps to ensure the security of personal data.

All staff are be made aware of this policy and their duties under the Act.

ARIC respect the personal data and privacy of others and will ensure that appropriate protection and security measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to all personal data.

An appropriate level of data security is deployed for the type of data and the data processing being performed. In most cases, personal data is stored in appropriate systems and is encrypted when transported offsite. Other personal data may be for limited distribution within ARIC to investigators, therefore having a lower requirement for data security.

External Processors

ARIC ensures that data processed by external processors, for example, service providers, Cloud services including storage, web sites etc. are compliant with this policy and the relevant legislation.

Secure Destruction

When data held in accordance with this policy is destroyed, it is destroyed securely in accordance with best practice at the time of destruction.

Retention of Data

ARIC retains data for differing periods of time for different purposes as required by statute or best practices, as a rule of thumb the majority of investigative records are deleted after 30 days from date of report to client, statutory obligations, legal processes and enquiries may necessitate the retention of certain data beyond this point for example if it relates to ongoing legal proceedings then we may have to retain statements etc.

ARIC may store some data such as records of instructions, invoices, contracts, accounts etc indefinitely.

CCTV

ARIC owns and operates covert and overt cameras for the purposes of crime prevention and detection. Where a data subject can be identified, images will be processed as personal data.

Author:   Alex Gardner

Date:    March 2018

Review:   As Required