Like most organisations, we have been looking at the new General Data Protection Regulations that come into force on 25th May 2018 to help protect the data organisations hold and use on individuals. Pharos believes this is really important and we thought you might want to know how we will comply with GDPR and give further confidence that Pharos is a responsible data processing partner.
What is Pharos doing differently?
We believe these new Regulations are just an evolution and development of good practice, much of which we have already been doing. Whilst we have had to learn more about data protection in the last six months we have not had to make significant changes, but we have formalised some of our existing arrangements.
What is Pharos doing to protect data?
- Audit. We have conducted an audit of the data we hold and reviewed its purpose, how consent is provided for us to store and use it, how we keep this safe and how we delete it when it’s no longer necessary.
- Data Protection Policy. This has been reviewed and updated; a full copy, which includes details on the lawful basis for us processing your data and how consent is gained, is available upon request. The key points of this policy are summarised below.
- Data Compliance Officer. Pharos is not required to appoint a Data Protection Officer under the GDPR since it does not conduct large scale, regular and systematic collection or processing of personal data and the amount of sensitive data processed is limited. However, we have voluntarily appointed a Data Compliance Officer, with responsibilities similar to those of a Data Protection Officer, as our internal focal point in order to set policy and monitor procedural compliance.
- Operational data protection measures. Key to this is recruiting individuals who have significant experience of working in confidential settings where the handling of sensitive information is routine. Indeed, many of our incident team are former military and police officers who remain subject to legislation such as the Official Secrets Act, and all our staff have undergone recent Enhanced Disclosure & Barring Service (DBS) checks. We have a number of key internal staff policies and processes, and conduct routine ‘data housekeeping’, that help protect individuals’ data; these are included in our Data Protection Policy.
- Technological data protection measures. Due to the sensitive data we process, we had already invested in a secure system that insulates our customers’ data in an enterprise level secure encrypted browser used by government departments. Other software tools are selected for use because of their strong data control measures. A number of IT policy controls and settings are also implemented to add additional layers of security, the details of which are in our Data Protection Policy.
- Data sharing. Naturally, we would never share personal information with external bodies unless legally required to do so.
Who is the Data Controller and Data Processor?
Pharos’ client organisation is the Data Controller for most personal information that we are in receipt of and manage. Our contracts with clients include specific provisions for data protection, and Pharos will only process data under the instruction of our data controlling client. Under such arrangements, Pharos is the Data Processor.
How does Pharos gain individuals’ consent to store and use personal information when providing incident support?
Since Pharos does not have direct contact with individual participants or your customers in advance of our service being provided, our clients need to gain the consent from their customers to share their data with Pharos Response. The lawful basis for this will normally be in either the participant’s legitimate or vital interests. Pharos will need to be named specifically by our clients in their own contracts, booking conditions or privacy statements.
Will Pharos change the way it collects personal information from you about your customers?
We have different arrangements with different clients. If you currently send us details of your own customers in advance of an incident such as participant lists, we will no longer collect this information ‘just in case’. Instead, we will ask for incident specific access to this data which you can send over by encrypted email attachments or grant us incident specific access to your own cloud-based file sharing systems.
What about protecting data given over the telephone during an incident?
We record inbound telephone calls to our incident telephone numbers to protect the interests of those involved and to maintain accurate records of conversations. Our enterprise level secure telephone server now prompts inbound callers to provide their consent before a call is connected to our staff. When sensitive personal information is provided to Pharos staff over the telephone during an incident, information documented will be minimised by our staff, and anonymised when possible.
In the event of a data breach, what would Pharos do if it lost any personal data?
When Pharos is acting as a Data Processor, it will report to you as the Data Controller client without delay, mindful of your 72-hour reporting deadline. Pharos will report to the Information Commissioner’s Office any data loss that is likely to result in a risk to the individuals concerned and that, if unaddressed, is likely to have a significant detrimental effect on them. In addition, where a breach is likely to result in a high risk to the individuals, Pharos will notify those concerned directly without delay. Full details are included within our Data Protection Policy.
How long will Pharos keep personal information for?
We will only keep customer information for as long as it is necessary to fulfil the incident service. Individuals’ data that is not necessary for us to hold for post-incident review will be deleted monthly. Telephone call recordings are deleted 30 days after the call.
Will Pharos make information it holds on individuals available to them or correct it if it’s wrong?
Yes, of course! Data subject rights are important, and when requested by our data controlling client we will provide full disclosure of any data we hold about an individual participant customer of yours without delay or cost to you or the individual. This includes recordings of inbound calls to incident telephone lines. Full details are included in our Data Protection Policy.
Where can I find out more about Pharos’ data protection policy and procedures?
Please contact us on 01183 800140 or email firstname.lastname@example.org