PRIVACY POLICY

Effective from May 2018

Introduction & Description – This policy defines the legal basis for processing and sharing privileged personal and sensitive information held and processed by Maggie Sargent & Associates (Aviacrown Ltd Trading As Maggie Sargent & Associates) relating to information stored, processed and shared by Maggie Sargent & Associates regarding all Employees, all Associates, Suppliers, Customers and the Personal Medical records of our customers' clients.

1.     Definitions

For the purpose of this policy the following definitions apply:

  • Maggie Sargent & Associates means Aviacrown Ltd; any reference to either within this policy refers to the legally established company of Aviacrown Ltd, which is listed with Companies House under reference 2424951.
  • Company Head office means Maggie Sargent & Associates, Darlingscott Farm, Darlingscott, Warwickshire, CV36 4PN.
  • Associates means the medical experts that are legally separate trading entities (either self-employed sole traders or limited companies) that are appointed by Maggie Sargent & Associates to provide Expert Witness Medico-Legal reports for and on behalf of Maggie Sargent & Associates.
  • Staff means direct employees of Maggie Sargent & Associates.
  • GDPR means the General Data Protection Regulation (EU) 2016/679, a regulation in EU law on data protection and privacy for all individuals within the European Union.
  • DPA means the Data Protection Act 1998.
  • EU means European Union and current and future member countries including the UK pre/post departure from the union.
  • Data subject means an individual who is the subject of personal data. In other words, the data subject is the individual whom particular personal data is about.
  • The Data Controller is a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
  • Data processor in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.
  • Processing in relation to information or data means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data.
  • Client means the individual named as the data subject by the data controller and the individual that the required medical report relates to.
  • Customer means the entity that has commissioned the medical report concerning the data subject (Client) and which has full legal authority to do so.
  • PIA means Privacy Impact Assessment.
  • Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes.
  • Individual rights mean the 8 rights for individuals as set out in the GDPR.
  • Personal Data means any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier, as defined by the GDPR.
  • Sensitive Personal Data means the data as defined by Article 9 of the GDPR.

2.     Acknowledgments

Maggie Sargent & Associates recognises all rights and responsibilities provided for in the DPA and GDPR legislation.

3.     Privacy Statement

Maggie Sargent & Associates respects privacy and will only use information shared with us for the specified and lawful purposes as provided for under the GDPR. Maggie Sargent & Associates will use and process your information responsibly and will take all appropriate organisational and technical measures to safeguard your information from accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

Maggie Sargent & Associates will not share information for any purpose other than the specific purpose for which it was shared with Maggie Sargent & Associates.

At no time now or in the future will Maggie Sargent & Associates share personal information with any third party for the purpose of marketing, advertising or statistical analysis.

4.     Data processing

During the course of providing services to clients, suppliers and staff, the following personal information may be processed by Maggie Sargent & Associates:

  • Staff personal information
  • Supplier personal information
  • Associates personal information
  • Customer personal information
  • Client Personal information and medical records
  • Newsletter subscribers
  • Website Cookie Policy

5.     Privacy Impact Assessments

Maggie Sargent & Associates has deemed it not necessary to conduct a Privacy Impact Assessment with regard to the processing of client information.

6.     Staff Personal Information

6.1.  Lawful Basis For processing - where personal information is collected about staff and employees, Maggie Sargent & Associates is defined as the Data Controller and our Lawful Basis for processing personal and sensitive information is the Legal Obligation we have to process your personal information in respect of UK employment law, tax, pensions and payments to you.

6.2.  Data Collected – The following list is an example of the data that is collected and processed regarding all staff and employees of Maggie Sargent & Associates:

  • Name, address, email address and contact telephone numbers
  • Emergency contact details – name and telephone
  • Date of birth
  • National Insurance Number
  • Pension information
  • Bank account information
  • UK right to work documentation
  • Work experience, references and Supervisory information

6.3.  Data Sharing – within the confines of the lawful basis for processing Maggie Sargent & Associates is required to share the following information:

  • Salary and employment information with Her Majesty’s Revenue and Customs (HMRC)
  • Personal information and your right to work documentation will be shared with the Human Resources Support Provider - Peninsular
  • Limited details with the company pension provider Nest Pensions, or your elected pension scheme
  • Your personal details will be stored in the accounting system at the company head office.
  • Your emergency contact details will be shared only with senior managers and directors, and only when needed for making emergency contact
  • Maggie Sargent & Associates will not share your personal information collected for the purpose of employment

6.4.  Retention – Staff personal information will be retained for the duration of employment and for a period of 7 years thereafter.

7.     Supplier Personal Information

7.1.  Lawful Basis For processing - where personal information is collected about suppliers, Maggie Sargent & Associates is defined as the Data Controller and our Lawful Basis for processing personal information is the performance of a contract between Maggie Sargent & Associates and the supplier. Maggie Sargent & Associates processes personal information in respect to UK law relating to the provision of goods and services, tax and for the processing of invoices and payments.

7.2.  Data Collected – The following list is an example of the data that is collected and processed regarding all suppliers of Maggie Sargent & Associates:

  • Company name, address, email address and contact telephone numbers
  • Company contacts including job role
  • VAT number and company registration number
  • Bank account information

7.3.  Data Sharing – within the confines of the lawful basis for processing, Maggie Sargent & Associates may share the following information:

  • Accounting information may be shared with Her Majesty’s Revenue and Customs (HMRC) in accordance with normal accounting practice
  • Limited information may be shared with a representative of Maggie Sargent & Associates' accounting and auditing service only when absolutely necessary

7.4.  Retention – Supplier information will be retained for the duration of time the supplier is providing goods & services to Maggie Sargent & Associates and then for 7 years thereafter.

8.      Associates Personal Information

8.1.  Lawful Basis For processing - where personal information is collected about Associates, Maggie Sargent & Associates is defined as the Data Controller and our Lawful Basis for processing personal and sensitive information is the performance of a contract between Maggie Sargent & Associates and our customers. Associates' personal information is processed in respect of providing services to Maggie Sargent & Associates' customers, to ensure the provision of services and for the processing of invoices and payments.

8.2.  Data Collected – The following list is an example of the data that is collected and processed regarding all associates of Maggie Sargent & Associates:

  • Name, address, email address and contact telephone numbers
  • Company contacts including job role
  • VAT number and company registration number
  • Bank account Information
  • Medical qualification, registrations and membership to professional bodies
  • Insurance information
  • Work experience

8.3.  Data Sharing – within the confines of the lawful basis for processing, Maggie Sargent & Associates may share the following information:

  • Name, address and contact information may be shared with customers
  • Accounting information may be shared with Her Majesty’s Revenue and Customs (HMRC) in accordance with normal accounting practice
  • Limited information may be shared with a representative of Maggie Sargent & Associates' Accounting and Auditing service only when absolutely necessary

8.4.  Retention - Associates information will be retained for the duration of time the associate is registered with Maggie Sargent & Associates and available to provide services and then for 7 years thereafter.

9.     Customer Personal Information

9.1.  Lawful Basis For processing - where personal information is collected about Customers, Maggie Sargent & Associates is defined as the Data Controller and our Lawful Basis for processing personal information is the performance of a contract between Maggie Sargent & Associates and the customer. Customer personal information is processed in respect of providing services to the customer, to ensure the provision of services and for the processing of invoices and payments.

9.2.  Data Collected – The following list is an example of the data that is collected and processed regarding all customers of Maggie Sargent & Associates:

  • Name, address, email address and contact telephone numbers
  • Company contacts including job role
  • VAT number and company registration number
  • Bank account Information

9.3.  Data Sharing – within the confines of the lawful basis for processing, Maggie Sargent & Associates may share the following information:

  • Name, address and contact information may be shared with associates
  • Accounting information may be shared with Her Majesty’s Revenue and Customs (HMRC) in accordance with normal accounting practice
  • Limited information may be shared with a representative of Maggie Sargent & Associates' Accounting and Auditing service only when absolutely necessary

9.4.  Retention - Customer information will be retained for the duration of time that Maggie Sargent & Associates is providing services to the customer and then for 7 years thereafter.

10.  Client Personal Information

10.1.      Lawful Basis For processing - where personal information is collected about Customer Clients, Maggie Sargent & Associates is defined as the Data Processor and our Lawful Basis for processing personal and sensitive information is the performance of a contract between Maggie Sargent & Associates and the customer. Client personal information is processed in respect of providing services to the customer, to ensure the provision of services and for the processing of invoices and payments.

10.2.      Data Collected – The following list is an example of the data that is collected and processed regarding all suppliers of Maggie Sargent & Associates:

  • Name, address, email address and contact telephone numbers
  • Age, gender, race and religious background
  • Medical records, doctors' notes and treatment records
  • Criminal history
  • Personal contact information of family members and support workers
  • Legal representatives and Litigation casework
  • Any additional information relevant to the provision of services to the customer

10.3.      Data Sharing – within the confines of the lawful basis for processing, Maggie Sargent & Associates may share the following information:

  • All client data may be shared with Maggie Sargent & Associates' nominated Associate for the provision of services to the customer
  • Only personal and sensitive information absolutely necessary will be shared with the appointed associate

10.4.      Retention – Client information will be retained by Maggie Sargent & Associates for the duration of the contract between the customer and Maggie Sargent & Associates. Client information will be retained for a period of 7 years after the contract is fulfilled and the final payment is received.

11.  Newsletter Subscriber Personal Information

11.1.      Lawful Basis For processing - where personal information is collected about Newsletter subscribers, Maggie Sargent & Associates is defined as the Data Controller and our Lawful Basis for processing personal information is consent. Subscriber personal information is processed to provide information on news and events hosted by Maggie Sargent & Associates and relevant 3rd parties.

11.2.      Data Collected – The following list is an example of the data that is collected and processed regarding all customers of Maggie Sargent & Associates:

  • Name
  • Address
  • Email address
  • Contact telephone numbers
  • Job Title

11.3.      Data Sharing – at no time will Maggie Sargent & Associates share this information with any 3rd party.

11.4.      Consent – explicit “opt in” consent will be sought from the subscriber when they request to join our mailing list. Consent will be verified every 5 years. If we do not receive a response to a request to renew consent, we will deem that the subscriber has withdrawn consent and their personal information will be removed from our system.

11.5.      Retention - Customer information will be retained indefinitely while we have a record of explicit consent from the customer. At any point a subscriber can request that they are removed from our database, and we will do so within 28 days.

12.  Transfer of Personal Information Outside the EU

In accordance with the provisions of the DPA and the GDPR Maggie Sargent & Associates will not transfer any information (personal or sensitive) outside the EU for processing either directly or by a 3rd party.

Where data is processed in a 3rd party system or service, Maggie Sargent & Associates affirms that these services are fully DPA and GDPR compliant and all information is stored within EU data centres.

Where the client resides in a country outside of the EU, Maggie Sargent & Associates will take any steps necessary and as required by the laws applicable in the client’s country of residence to process personal information.

13.  Information retention

Personal and sensitive information will only be retained for as long as necessary to fulfil the lawful basis for processing and in accordance with the Maggie Sargent & Associates Retention policy and as detailed in sections 5 to 9 of this policy.

All financial information relating to any transaction will be retained for a minimum of six years to begin the year after the financial year that the transaction was completed. This is in accordance with guidelines set out by the HMRC.

It is important to note that in some circumstances it may not be possible to destroy a limited amount of personal and sensitive information when the relevant retention period expires. This includes backups of electronic documents and email communications that may be securely archived. Deletion of any such material will take place when the opportunity to do so arises.

14.  Data Access

Access to all personal and sensitive information processed by Maggie Sargent & Associates will be granted on a “least privileged” basis only. This means that only people that have a specific need to perform a function vital to the lawful basis for processing will be granted access.

All access to personal or sensitive information processed by Maggie Sargent & Associates is reviewed and audited on a regular basis.

All electronic data is backed up in a secure manner for the purpose of disaster recovery and data loss prevention. Access to information in the backup systems is denied to all users except those persons charged with the support of the IT infrastructure.

15.  Website Cookies

The Maggie Sargent & Associates website uses cookies. A cookie is a small file of letters and numbers that is sent to and stored on your computer to allow the collection of standard internet log information and visitor behaviour information in an anonymous form.

The cookies used are 'analytical' cookies. They allow visitors to be recognised and counted, and show how visitors move around the site when using it. This helps with improving the way the website works, for example by making sure users are finding what they need easily. Similar information about site usage is also gathered from the web server's log files.

Maggie Sargent & Associates does not use cookies or log files to personally identify information about individuals, nor is the information gained from the use of cookies shared with any third party. The Maggie Sargent & Associates website advertises the use of cookies on the home page, which also provides a link to this privacy policy.

16.  Data Protection Breaches

Where Maggie Sargent & Associates is the Data Controller for information and a breach has occurred, an immediate investigation will be conducted, and the breach will be reported to the Information Commissioner within 24 hours.

Where Maggie Sargent & Associates is the Data Processor for information and a breach has occurred, an immediate investigation will be conducted, and the breach will be reported to the relevant Data Controller within 12 hours. A record of any personal data breach will be retained indefinitely.

17.  Individual Rights

17.1.      The right to be informed - Maggie Sargent & Associates recognises the right to be informed and will provide each data subject a copy of this privacy policy before commencement of the processing of personal information.

17.2.      The right of access - Maggie Sargent & Associates recognises the right to access any personal and sensitive information processed by Maggie Sargent & Associates from the Data Subject, or in the case of a Client any lawfully appointed representative. Maggie Sargent & Associates will provide any information requested under the right to access free of charge and within 28 working days of the request.

17.3.      The right of rectification - Maggie Sargent & Associates recognises the right to rectify any personal and sensitive information processed by Maggie Sargent & Associates from the Data Subject, or in the case of a Client any lawfully appointed representative. Maggie Sargent & Associates will make any required rectification requested under the right to rectification free of charge and within 28 working days of the request.

17.4.      The right to erasure - Maggie Sargent & Associates recognises the right to erasure and will consider all requests on a case by case basis. Requests may only be denied where significant legal or technical reasoning prevents the destruction of records. All requests will be responded to within 28 working days. Where records are not deleted the right to restrict processing will automatically be considered as an alternative.

17.5.      The right to restrict - Maggie Sargent & Associates recognises the right to restrict the processing of personal and sensitive information and will consider all requests on a case by case basis. Requests may only be denied where significant legal or technical reasoning prevents the destruction of records. All requests will be responded to within 28 working days.

17.6.      The right to portability - Maggie Sargent & Associates recognises the right to portability and will cooperate with the relevant Data Controller as required.

17.7.      The right to object - Maggie Sargent & Associates recognises the right to object; however, this right does not apply to Maggie Sargent & Associates' lawful basis for processing personal and sensitive information.

17.8.        Rights in relation to automated decision making and profiling - Maggie Sargent & Associates does not conduct any profiling and does not rely on any automated decision-making process.

18.  Accountability and Governance

18.1.      Maggie Sargent & Associates has implemented the following Data Protection Policies:

  • Maggie Sargent & Associates Privacy Policy
  • Maggie Sargent & Associates Information Communication & Technology Security Policy
  • Maggie Sargent & Associates Backup and Disaster Recovery Policy
  • Maggie Sargent & Associates Data Retention Policy
  • Maggie Sargent & Associates Customer Data Processing & Sharing Agreement
  • Maggie Sargent & Associates Associate Information Sharing Agreement
  • Maggie Sargent & Associates Breach and GDPR Rights Policy

18.2.      All policies relating to the processing of personal and sensitive information will be reviewed on an annual basis.

18.3.      Maggie Sargent & Associates has appointed a specific individual to perform the functions of a data protection officer.

18.4.      Any concerns regarding data protection, privacy or information governance can be reported in confidence to gdpr@maggiesargent.co.uk

19.  3rd Party Services Used by Maggie Sargent & Associates

Here are links to the privacy policies of the 3rd party services used by Maggie Sargent & Associates:

  • Sage Pay Role
  • Microsoft Office 365
  • Glasscubes
  • Peninsular

 
