Ensuring the security of private data and the systems on which it is hosted is a top priority to fulfill our obligations to the providers of this data and to protect the data and systems from accidental or deliberate damage, loss or corruption.
The term data encompasses all electronically stored information and paper reproductions of that information.
Any private data stored by us or produced by persons as part of their client duties is considered to be owned by the member or client and is therefore subject to this policy.
Every person handling private data is accountable for their actions and has a duty of care to ensure due diligence is afforded to data security.
Access and use of data must be made in compliance with all appropriate legislation. This includes but is not limited to:
The Computer Misuse Act 1990
Regulation of Investigatory Powers Act 2000
Copyright Designs and Patents Act 1988
Malicious Communications Act 1988
Criminal Justice and Public Order Act 1994
We welcome the new regulations, which have little impact on our service to you. That’s because we have had similar GDPR privacy policies in place for over a decade.
We review here the GDPR and describe our policies to meet the new regulations:
3.1 We are required to manually review significant algorithmic decisions.
Response: all extracted Forecasts are human-edited, and improvements are made to our algorithms whenever appropriate. Accuracy and transparency are values we constantly strive for.
3.2 We are required to provide detailed explanations of individual algorithmic decisions.
Response: Our AI extracts verbatim forecasts and associated metadata only and makes no predictions. We provide a glossary of key terms, a guide to the service and 'learn more' notes wherever further explanation of the algorithm's decisions is required.
3.3 We are required to remember all the data used by our AI to train itself.
Response: We do not erase any data, save for when the original third-party link to the content is taken down or broken or when members unsubscribe and wish to be forgotten. This ensures that accuracy, an evidence trail, and transparency are maintained.
3.4 We are required not to repurpose data for any other purpose than that for which it was first collected.
Response: We have never repurposed personal data. Should we do so, we would obtain the permission of our members and clients first.
3.5 We are allowed to de-identify data.
Response: We de-identify data not required for the express purpose of properly sourcing materials and other shared inputs by any member or client. We do not share personal data with third parties and use the collected information only in aggregate forms to help identify trends and potential improvements to our system.
3.6 We are required to use data centers inside the EU.
Response: Our cloud provider is based in the UK.
3.7 We are allowed the right to data portability.
Response: We already have data portability schemes in place with our business partners using only anonymized personal data when absolutely necessary.
3.8 GDPR states that personal data shall be kept for no longer than is necessary for the purposes for which it is being processed.
We maintain personal data to assist you as a registered member and to enable usable and anonymized trends research. The data is kept for as long as you remain a registered member. You can withdraw your consent at any time by clicking the 'unsubscribe' link which can be found in the footer of any of our email communications.
We never have and never will sell, share or distribute any of your personal data without your express permission.
4.1. Our team all have a responsibility to give full and active support to the policy.
4.2. Our team are expected to observe the data security policy and associated procedures.
4.3. All categories of data are the responsibility of a designated officer. This person is responsible for the security of that data and determines the standards of confidentiality and requirements for access that apply. Unless specified otherwise, this is Matthew Richardson, Director, whose team operates our systems.
4.4. The security and operation of central systems are the responsibility of the IT team. It is their responsibility to ensure that all data systems meet agreed access requirements.
5. Classification of Data
For the purposes of this policy three classifications of data exist.
5.1. Non-sensitive Data
a) Any data which has been made a matter of public record.
5.2. Sensitive Data
a) Any data identified by the Data Protection Act (1988) as personal sensitive data, specifically data relating to the racial or ethnic origin, political opinions, religious beliefs, membership of trade union organizations, physical or mental health, sexual life, offenses or alleged offenses.
b) Data that if lost or stolen would be likely to cause damage or distress to one or more individuals. This includes, but is not limited to, human resources data and exam or assessment results which are not a matter of public record.
c) Any data which may reasonably be expected to be considered sensitive, personally confidential or commercially confidential. For example, data or materials which may be of interest to a competing organization.
5.3. Extremely Sensitive Data
Data which, if used inappropriately, may have a significant impact on an individual or organization. In particular, bank account details or any other data which it is believed could be used for illegal purposes.
6. Actions to Implement and Develop Policy
6.1. Data Confidentiality
All personal data is maintained for the purpose defined in the notification under the Data Protection Act. Matthew Richardson is responsible for maintaining the data protection notification, dealing with subject access requests, maintaining awareness of Data Protection legislation and offering advice on compliance with the Act.
6.2. Data Access & Disposal
Access to data is restricted to those who need such access to carry out their duties. Anyone who has been granted access is personally responsible for ensuring compliance with this policy, the relevant legislation and the confidentiality of the data to which they have been granted access.
When no longer required, data must be disposed of in a manner which is compliant with the GDPR. IT is responsible for the correct disposal of data which is stored on our servers.
6.3. Physical Security
All reasonable measures are taken to prevent physical access by unauthorized persons to data. Sensitive data are destroyed when no longer required.
7. IT Systems
7.1. Access Controls
Electronic access to data is controlled by means of a user’s email address and password. Control of network accounts is the responsibility of IT.
Backups of central servers are carried out in line with the IT Backup Policy.
The privacy of members’ files will be respected, but we reserve the right to examine systems, folders, files and their contents, to ensure compliance with the law.
We never launder activities for which a client wants to avoid public scrutiny.
7.4. Remote Access
Responsibility for ensuring that policies are complied with when accessing systems remotely lies with the individual undertaking the access.
The IT Backup Policy defines requirements for backup and restoration for all central servers.
8. Monitoring & Evaluation
We monitor the operation of the policy and report on breaches of the policy and on changes to relevant legislation.
9. Breaches of Policy
Breaches of this policy and/or security incidents are incidents which could have, or have resulted in, loss or damage to Company or client assets, including IT equipment and information, or conduct which is in breach of the Company's security procedures and policies.
The Company, its contractors and vendors all have a responsibility to report security incidents and breaches of this policy as quickly as possible through the Company's Incident Reporting Procedure. This obligation also extends to any external organization contracted to support or access the Information Systems of the Company.
We will report any serious future loss of data to the relevant supervisory authority.
To date, we have not had any breaches of our policies.
In the case of third-party vendors, consultants or contractors, non-compliance could result in the immediate removal of access to the system. If damage to or compromise of the Company's ICT systems or network results from the non-compliance, the Company will consider legal action against the third party. The Company will take appropriate measures to remedy any breach of the policy through the relevant frameworks in place.
Date Reviewed: 22 May 2018
Version Number: 1.4
Revised by: Matthew Richardson (Director)
Approved by: Michael Jackson (Chairman)
Next Review Date: 3 January 2019