1.1 Comms-care Group Ltd is committed to supplying you with the best possible information and protecting and respecting your privacy. In order for us to do this we will occasionally require you to supply us with some personal information.
1.2 This privacy statement (together with any other documents referred to in it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
1.3 Comms-care will process your personal data in the pursuit of its legitimate business interests regardless of whether it is the data controller or data processor as defined in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) (the “Regulation”), which forms part of the Data Protection Act (DPA) 2018.
- INFORMATION WE MAY COLLECT FROM YOU
2.1 We may collect and manage the following data about you:
(a) Information you give us. You may give us information about you by filling in forms on our web site, by corresponding with us by phone, e-mail or otherwise, or by placing contractual business with us. The information you give us may include your name, address, e-mail address, phone number and details relevant to your specific enquiry.
(b) Information we may receive about you. Third party companies with which you have a contractual relationship may provide your personal contact information to allow us to deliver services on their behalf. Where we do not receive the required personal contact information your service and the SLAs you receive from us may be affected.
(c) Information we collect about you. With regard to each of your visits to any of our web sites or portals we may automatically collect the following information:
(i) technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
(ii) information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products and services you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page.
- USES MADE OF THE INFORMATION
3.1 We use information held about you in the following ways:
(a) Information you give to us. We will use this information:
(i) to respond to any enquiries you make regarding further details on our services or requesting any marketing literature;
(ii) to carry out our obligations arising from any contracts entered into between you and us and to provide you with the information and services that you request from us in support of Comms-care operating as an IT service company;
(iii) to carry out our regulatory obligations;
(iv) to provide you with information about other existing and new services we offer that we feel may be of interest to you;
(v) to notify you about changes to our service; and
(vi) to ensure that content from our web site is presented in the most effective manner for you and for your computer.
(b) Information we collect about you. We will use this information:
(i) to administer our web site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
(ii) to improve our web site to ensure that content is presented in the most effective manner for you and for your computer;
(iii) as part of our efforts to keep our web site safe and secure;
(iv) to make suggestions and recommendations to you and other users of our web site about services that may interest you or them.
- DISCLOSURE OF YOUR INFORMATION
4.1 We may share your information with selected third parties including:
(a) Employees, partners and parent company of Comms-care Group Ltd to deal with accounts and services provided by us;
(b) If we or substantially all of our assets are acquired by a third party, in which case personal data held by us about our customers will be one of the transferred assets;
(c) Analytics and search engine providers that assist us in the improvement and optimisation of our web site.
4.2 We may disclose your personal information to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or to protect the rights, property, or safety of Comms-care or our users. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
- WHERE WE STORE YOUR PERSONAL DATA
5.1 The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). It may also be processed by staff operating outside the EEA who work on our behalf. Such staff may be engaged in, amongst other things, the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this privacy statement and relevant UK legislation.
5.2 Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our web site; any transmission is at your own risk.
5.3 Once we have received your information, we will use strict procedures and security features in accordance with our ISO27001-certified Information Security Management System.
- HOW LONG WE RETAIN YOUR PERSONAL INFORMATION
This Privacy Statement provides the governance of internal & external personal data records held and processed by the Company on its systems and networks, and takes into consideration legal requirements and best practice approach. Paper records are also included.
For ease of management, it is the Company’s policy that when personal data is gathered, unless there is a statutory or legal basis to delete it earlier or retain it for longer, it will be held securely and deleted after 6 years plus the current year following the end of its use, e.g. deleting employee records 7 years after an employee’s employment ceases or deleting customer CRM records 7 years after a customer relationship ends. This does not preclude the deletion of personal data earlier where legal retention is not required based on business decisions or an opt-out request has been received (where applicable). Retention of data within the scope of this Privacy Statement enables us to service any contract and maintain our legal records.
- A variety of methods may be used to delete personal data including manual deletion (scheduled via automated reminders), system scripts, recycling/shredding/disposal of paper documents, disposal of old/faulty company devices via the Company’s Data Destruction & Handling Process in accordance with ISO27001 requirements
- The Data Protection Lead (DPL) will instruct process owners annually to review the personal data they are responsible for and to delete/dispose of it in line with this policy. Compliance with this policy will be subject to internal and external audit
- It is expected that external suppliers will have their own data retention policies and will apply these to personal data held by them e.g. ISPs, couriers & HMRC. Key suppliers are required to sign and adhere to the Company’s Supplier Code of Conduct which confirms data retention expectations
- Where personal data is held by suppliers and third parties, where relevant they will be notified of the requirement to delete it e.g. to delete PMI member & pension member data
- Where the Company is aware that an employee has personal user credentials for third party systems and portals, it shall remove where possible or request removal of these user profiles when the employee leaves the Company
- Collective data sets which include personal data of many people e.g. lists of names, roles & salaries collected for statistical analysis may be retained after employees leave
- Where non-sensitive personal data is captured on an incidental basis on records and reports e.g. a name and title on an audit report, an email where an employee’s email address is captured on the email’s distribution list or a customer’s contact details are included on a Service Desk job record, these records will not be deleted as they are considered incidental. The definition of incidental is when records note where people have done something for the business as part of a process or service rather than being a record about them.
- The reason incidental records are not deleted is that the amount of effort to track down and delete them would be disproportionate to the risk to the individual of retaining them, and due to system limitations. This does not apply to emails specifically about a person or containing sensitive personal data e.g. emails relating to health issues
- Records on our internal workflow system are subject to pseudonymisation after 5 years
- All electronic archives and back-ups within the business are overwritten within the 6 years + current year due to the re-use of media. Paper records e.g. Finance records, site visit reports etc. are subject to this Privacy Statement and are manually deleted/destroyed within 6 years + current year.
- All Employees are urged to save all work and works in progress on the Company network rather than on their desktop for security reasons and to ensure personal data is not put at risk. It is noted however that hard disk drives on Company desktops and laptops are encrypted
Where you have opted in to receive communications from us outside of a business contract, your personal information will be retained for 6 years from the date of opt in; at which point we will re-contact you to reconfirm permissions. You will be able to unsubscribe at any point you choose by clicking the subscription link at the foot of any of our emails or by emailing firstname.lastname@example.org.
- YOUR RIGHTS
7.1 You have the right to select how we use your personal data for marketing purposes. You can exercise this right by checking certain boxes on the forms we use to collect your data or by visiting our preference centre. You can exercise your right to change your preferences or opt-out completely at any time by contacting us at email@example.com or by unsubscribing through any online content we send you.
7.2 Our web site may, from time to time, contain links to and from the websites of third parties. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.
7.3 The Data Protection Act 2018, UK GDPR and GDPR give you the right to access information held about you at any time and to view, modify, alter or withdraw it if required in permissible circumstances. Your right of access can be exercised in accordance with the requirements by emailing firstname.lastname@example.org including:
- The type of data subject request:
  - Information access
  - Objection to processing
  - Objection to automated decision-making and profiling (currently not applicable)
  - Restriction of processing
  - Data portability
  - Data rectification
  - Data erasure
- Last name
- First name
- Maiden or former names
- Current address
- Daytime phone number
- Mobile phone number
- CHANGES TO OUR PRIVACY STATEMENT
Any changes we may make to this privacy statement in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to this privacy statement.
Questions, comments and requests regarding this privacy statement are welcomed and may be sent to email@example.com or addressed to Comms-care Ltd, Cheshire Avenue, Cheshire Business Park, Lostock Gralam, Northwich, Cheshire. CW9 7UA, UK.
Last Reviewed Date: October 2022