Intasite Ltd. (‘we’, ‘us’, or ‘our’) are committed to having the correct procedures in place to protect and respect your privacy, in line with the guidelines of the Data Protection Act 1998.
We may need to gather and use certain information about individuals. These individuals can include customers, suppliers, contractors, employees and other people that the organisation has a relationship with or may need to contact.
This policy, along with our Terms and Conditions, states the types of information we may gather or that you may provide us with, how they will be processed, and who may be able to access this information, along with the privacy procedures we have in place to handle and store the data.
The policy applies to all Intasite Ltd. employees and all personal data processed at any time by Intasite Ltd.
The objective of the policy is to ensure that:
- We process personal data in compliance with the Data Protection Act 1998 and GDPR regulations.
- Intasite Ltd. and all its staff members are aware of all obligations and protocols when processing personal data.
- We protect the rights of the staff, customers and partners.
- Intasite Ltd. protects itself from the risks of a data breach.
The Client will take all reasonable steps necessary to ensure that the Operators use the Services securely and will follow such guidance on the subject of security as Intasite might issue from time to time. In particular, the Client will ensure that all Credentials are stored securely and that passwords chosen are sufficiently strong to withstand social hacking techniques. Intasite will not be liable for any loss or damage suffered by the Client where that loss or damage arises partially or entirely as a result of the use of Credentials that are shared or are insufficiently secure.
The Client will cooperate with any investigation relating to security that is carried out either by Intasite or by a third party authorised to do so either by Intasite or under applicable law.
If Intasite become aware that the Client is making deliberate use of the Services for any purpose that endangers the security, safety or wellbeing of the Users, Intasite may, at its discretion, suspend the delivery of the Services or terminate the Contract with immediate effect and without notice. The Client will abide by such directions as Intasite may give as to the secure use and implementation of the Services.
The Client agrees to remain alert to activities of other Clients or Users that may endanger the security, safety or well being of Intasite, other Clients and their Operators and/or Users and to inform Intasite if it becomes aware of the same.
2. People, Risks & Responsibilities
This policy applies to:
- The head office of Intasite Ltd.
- All branches of Intasite Ltd.
- All staff and volunteers of Intasite Ltd.
- All contractors, suppliers and other people working on behalf of Intasite Ltd.
It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the Data Protection Act 1998. This can include:
- Names of individuals.
- Postal addresses.
- Email addresses.
- Telephone numbers.
- Dates of birth.
- Along with any other information that relates to individuals.
2a. Data protection risks
This policy helps to protect Intasite Ltd from some real data security risks:
- Breaches of confidentiality: such as information being given out inappropriately.
- Failing to offer choice: all individuals should be free to choose how the company uses data relating to them.
- Reputational damage: the company could suffer if hackers successfully gained access to sensitive data.
Everyone who works for or with Intasite Ltd has some responsibility for ensuring data is collected, stored and handled appropriately.
Each team that handles personal data ensures that it is handled and processed in line with this policy and data principles.
However, the individuals below have key areas of responsibility.
- The board of directors is ultimately responsible for ensuring that Intasite Ltd meets its legal obligations.
- The Data Protection Officer is responsible for:
  - Keeping the board updated about data protection responsibilities, risks and issues.
  - Reviewing all data protection procedures and related policies, in line with an agreed schedule.
  - Arranging data protection training and advice for the people covered by this policy.
  - Handling data protection questions from staff and anyone else covered by this policy.
  - Dealing with requests from individuals to see the data Intasite Ltd holds about them (also called ‘subject access requests’).
  - Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
- The IT Manager is responsible for:
  - Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
  - Performing regular checks and scans to ensure security hardware and software is functioning properly.
  - Evaluating any third-party services the company is considering using to store or process data.
- The Marketing Manager is responsible for:
  - Approving any data protection statements attached to communications such as emails and letters.
  - Addressing any data protection queries from journalists or media outlets like newspapers.
  - Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
3. Policy Statement | Processing Your Data
Intasite Ltd. will:
- Comply with the Data Protection Legislation and adhere to the following 8 Data Protection Principles:
  - Must be processed fairly and lawfully.
  - Must be obtained only for specific and lawful purposes.
  - Must be adequate, relevant and not excessive.
  - Must be accurate, and kept up to date.
  - Must not be held for any longer than necessary.
  - Must be processed in accordance with the rights of data subjects.
  - Must be protected in appropriate ways.
  - Must not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection.
- Comply with the statutory requirement to maintain accurate entries on the Information Commissioner’s public register of Data Controllers which describes the purposes for which Personal Data is processed.
- Comply with all other relevant legal requirements which apply to its processing of Personal Data, including:
  - The Human Rights Act 1998.
  - The Privacy and Electronic Communications (EC Directive) Regulations 2003.
  - The common law duty of confidence.
- Adhere to the requirements set out in the following standards to support compliance with Data Protection Legislation:
  - The Information Commissioner’s guidance documents and Codes of Practice.
  - The Payment Card Industry Data Security Standard (PCI DSS).
  - Intasite Ltd.’s Disclosure of Personal Data to the Police and other Statutory Law Enforcement Agencies policy.
  - Intasite Ltd.’s Information Security Policy.
- Implement appropriate structures, systems and processes to manage all Personal Data fairly and lawfully.
- Be transparent about how Personal Data is processed, providing clearer privacy notices at the point it is collected, providing users with an option.
- Ensure that procurement processes and contractual arrangements with external service providers also adhere to adequate measures to ensure compliance with the Data Protection Principles.
- Approach the identification, control, mitigation and elimination of Privacy risk in the same way as financial and operational risk.
- Provide customers with an opportunity to opt in to receiving future marketing communications at the point at which their Personal Data is collected and provide a simple process to unsubscribe should they change their mind.
- Ensure that requests from customers to change the use of their data for the purposes of marketing / the provision of service updates are acted upon promptly.
- Not disclose Personal Data to third parties except where disclosures are permitted or required by law.
- Label Personal Data in accordance with its Information Security Classification Standard for protectively marking information.
- Ensure that any complaint about Intasite Ltd.’s processing of Personal Data or non-compliance with the policy will be passed to the Privacy and Data Protection Team. The complaint will then be dealt with promptly in accordance with the Privacy and Data Protection Complaints Handling Procedure.
- Provide training to any relevant member of staff and ensure that training is kept up to date.
- View serious or repeated breaches of this policy by an Intasite Ltd. employee as misconduct that will be managed and resolved in accordance with relevant disciplinary policies and procedures.
3a. Types of data that we may collect:
Information that you may give us:
You may provide us with information about yourself through the use of on site forms, through speaking with a staff member on the phone or via email. This includes information that you give us when you use our website, subscribe to our services, participate in any discussions via social media or report an issue with our service. This information may include but is not limited to: your name, email address, phone number, address.
Information that we may collect:
When you visit our website, we measure visits using Google Analytics and standard web server log files. These record which pages you visit, how you arrived at the site, and other basic information about your computer. All this information is anonymous and we do not make any attempts to find out the identities of those visiting the website.
When an individual uses the Intasite platform, we collect data to make sure our customers can identify a user when they visit a site and confirm they have a valid induction. We only collect information which our customers have requested us to collect, such as vehicle registration number.
Details of your URL
We may gather information about your visit to our website including the URL clickstream to and from the website, the date and time, pages viewed, length of page visit, interaction with those pages, their response times, any errors, your exit behaviour from the website and if you called directly from viewing the website on mobile we may collect your mobile number.
Cookies & Google Analytics
Google Analytics sets cookies on your device to function. These cookies do not personally identify you and the data these services collect is anonymous. We use these services and the data they collect to make our website better.
Any email sent to Intasite Ltd., including any attachments, may be monitored and used by us for reasons of security and for monitoring compliance with office policy. Email monitoring or blocking software may also be used. Please be aware that you have a responsibility to ensure that any email you send to us is within the bounds of the law.
Information we may be given from other resources:
We may have access to certain information if you use any of the other services we provide or if you interact with our social media pages. We also work with some third parties, such as business partners, subcontractors, payment services, ad networks, analytics providers, search engine providers and credit reference agencies, so we could receive information about you from them if it is necessary.
3b. How we may use your data:
Intasite Ltd. may use your information to:
- Carry out obligations arising from contracts entered between Intasite Ltd. and yourselves.
- Provide you with information, products and services that you request from us.
- Provide you with information about other goods and services that we offer that are similar to those you have already purchased, enquired about, or that we would recommend.
- Permit (where appropriate) approved third parties to provide you with information about goods or services that we feel may be appropriate for your company and may interest you. Where we permit third parties to use your data, we (or they) will contact you only if you have consented to this.
- Administer our site and carry out internal operations such as troubleshooting, data analysis, testing, or research.
- Improve our site in order to ensure that content is presented in the most effective manner for you and your computer.
- Allow you to interact with features of the service.
- Help us keep our site safe and secure.
- Measure the effectiveness of advertising served to you.
- Make suggestions and recommendations to you about services that may interest you.
Personal data is of no value to Intasite Ltd unless the business can make use of it. However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft.
- When working with personal data, employees ensure the screens of their computers are locked when left unattended.
- Personal data is not shared informally. In particular, it is never sent by email as this form of communication is not considered secure.
- Data must be encrypted before being transferred electronically. When personal data is transferred it is always done over an encrypted connection, either https or ssh.
- Personal data is never transferred outside of the European Economic Area.
- Employees do not save copies of personal data to their own computers and are always encouraged to access and update the central copy of any data.
3c. Data Accuracy:
It is the responsibility of all employees at Intasite Ltd who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data is held in as few places as necessary. Staff are advised against creating any unnecessary data sets and if this is required they must dispose of this data by either shredding the paper copy or thoroughly deleting the additional copy.
- Staff take every opportunity to ensure that data is updated. For instance, by confirming a customer’s details when they call, or if they change their contact information in their email footer.
- Data is updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it is removed from the database.
- The marketing manager ensures that marketing databases are checked against industry suppression files every six months.
4. Processes | General Staff Guidelines:
The only people who are able to access data covered by this policy are those who need it for work: employees of Intasite Ltd. We do this by using built-in firewalls to block external connections from untrusted sources on all servers and computers in our offices. Our router also has a built-in firewall. There is limited physical access to the building as staff members must use their key fob at 3 separate stages to get into the office. Doors lock automatically and can only be unlocked with each staff member’s key fob.
Data is not shared informally. When access to confidential information is required, employees will request this from their line managers and are provided with the required details if appropriate.
Intasite Ltd. provides training to all employees, to help them understand responsibilities when handling data. Employees are trained to keep all data secure by taking sensible precautions and following the guidelines provided. Employees are also encouraged to request help from their line manager or the data protection officer if there are any aspects they become unsure of in regards to data protection.
Strong passwords are used and are never shared. Personal data is not disclosed to unauthorised people, either internally within the company or externally.
Data is regularly reviewed and updated if it is found to be out of date. If it is no longer required, it is deleted and/or disposed of.
5. Access | Disclosure of Data:
If necessary, legal and in your best interests, we may share your personal information with selected third parties including:
- Business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you.
- Third party services who send transactional email and SMS messages for functions on the Intasite platform.
- Advertisers and advertising networks that require the data to select and serve relevant adverts to you and others.
- Analytics and search engine providers that assist us in improving our website.
- Credit reference agencies for the purpose of assessing your credit score where this is a condition of us entering into a contract with you.
When might this be necessary?
- In the event that we sell any business or assets, in which case data may be disclosed to the seller or buyer of such business/assets.
- In the circumstance that Intasite Ltd. or all its assets are acquired by a third party. Personal information would be one of the transferred assets.
- If we have a duty to disclose information in order to comply with legal obligations.
- In order to apply agreements between us, to protect our rights, property, safety and customers. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
6. Storage | Where We Store Your Data
Data is used to make sure our customers can identify a user when they visit a site. Only the requested information is collected for each customer we work with.
The Intasite platform and database is hosted on a server in a London data centre. The server is protected by a firewall and all data is transferred to it via an encrypted connection.
Daily backups are made of the database by an automated backup system, which are stored securely offsite for disaster recovery. These backups are stored on an Amazon S3 private bucket in an EU (Ireland) region and are automatically erased after 30 days. Backups are transmitted to Amazon S3 over an encrypted connection.
We keep all data in our live database until the cancellation of a contract. We do this so that when an induction is expiring we can send reminders to visitors and to enable our customers to check an individual’s induction history.
7. Physical data
Wherever possible, Intasite Ltd endeavour to avoid keeping ‘physical’ data.
When data is stored on paper, it is kept in a secure place where unauthorised people cannot see it. This also applies to data that is stored electronically, but may have been printed out.
- When the document is not required, the paper or files are kept in a locked drawer or filing cabinet.
- Employees ensure that paper and print-outs are not left where unauthorised people could see them, i.e. displayed on a desk or left on the printer.
- Data printouts are shredded and disposed of securely once they are no longer required.
7b. Electronic Data
Intasite Ltd. ensures that electronic data is stored safely and securely.
- When data is stored electronically, it is protected from unauthorised access, accidental deletion and malicious hacking attempts.
- Data is protected by strong passwords that are changed regularly and never shared between employees.
- If data is stored on removable media (like a CD or USB stick) they are kept locked away securely when they are not used.
- Data is only stored on designated drives and servers, and is only uploaded to approved cloud computing services.
- Servers containing personal data are sited in a secure location, away from general office space in a data centre in London.
- Data is backed up daily for the purpose of disaster recovery. The backups are tested regularly in line with Intasite Ltd’s backup procedures.
- Data is never saved directly to laptops or other mobile devices like tablets or smartphones.
- All servers and computers containing data in our offices use a built-in firewall to block external connections from untrusted sources. Our router has a built-in firewall.
8. Your Rights | Subject Access Requests
All individuals who are the subject of personal data held by Intasite Ltd. are entitled to make subject access requests, which include:
- Ask what information the company holds about them and why.
- Ask how to gain access to it.
- Be informed how to keep it up to date.
- Be informed how the company is meeting its data protection obligations.
We will inform you before collecting your data if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. We will provide you with the opportunity to opt in to this. You can exercise your right to prevent such processing by checking the tick boxes on the forms we use to collect your data. If you wish to opt out of such processing after you have agreed to having such data processed, you must express your Subject Access Request in writing by contacting us directly.
Our website may contain links to and from websites we partner with such as advertisers or partners. If you do follow these links, it is important to be aware that these websites use their own privacy policies so Intasite Ltd. will be unable to accept any responsibilities for these policies.
9. Updates | Changes To Our Policies
Any changes made to our policies will be posted on this page and where possible we will update you via email. Please check back frequently to see any updates made.