This statement applies to personal information (PI) provided to Paydata (we/our) by our customers (you) in relation to the services we are contracted to provide. It sets out the PI you are likely to provide, an overview of what we do with that data, and how we will look after it.
For the purposes of this statement PI is any data that includes the identity of a living individual, or from which a living individual can be identified in conjunction with other information we hold or could readily obtain. The type of information we are likely to hold about an individual includes employer, role, salary, bonus and other variable pay, benefits, work location, age, length of service, gender, office and performance rating. We may know the name of the role holder through information you have provided verbally or in writing or because we are able to identify the role holder. We may hold a limited amount of sensitive personal data such as ethnicity for some services.
Who is the data controller and who is the data processor?
You are the data controller and we are the data processor based on the arrangements set out in the contract we have with you.
What do we do with the personal information?
We process the PI in order to provide services to you under the contract between us. The exact nature of this processing depends on the service(s) we are providing. We do not share the PI with any third party except subcontractors we may be using to deliver services to you. Any subcontractors are contractually bound to the same duty of care.
What technical and organisational measures have we put in place?
Our services are designed by us, and each service starts life as a specification that focuses on functionality, privacy, and data protection. This approach is widely known as Privacy by Design (PbD). PbD is at the heart of each service we develop, covering user credentials, the personal data fields required, database security (including data at rest), pseudonymisation, aggregation, hosting and storage arrangements, and secure data transport protocols.
Once we have established a specification, it is subject to a Privacy Impact Assessment (PIA) as part of a Data Management Plan (DMP). The DMP allows us to identify and reduce privacy risks in order to protect your data.
What is our legal basis for processing the data?
Our lawful basis for processing the data is the contract we hold with you. We rely on you having a lawful basis for processing the data and therefore for providing it to us to process on your behalf. In most cases you are likely to be processing the data because it is necessary for the performance of a contract you hold with the data subject, or to take steps in order to enter into that contract.
Where is the data stored?
All PI is stored within the EEA; most of it is stored on our own servers in the UK.
For how long is the data held?
This depends on the services we are providing. As a general rule, data is held for a minimum of twelve months so that you have data available for audit purposes. Data provided for benchmarking services may be held for up to six years to provide the basis for statistical analysis, for example to map trends in average salaries.
How will we manage subject access rights?
You are responsible for managing subject access requests. We will not respond directly to requests from data subjects and will refer them to you. Should you receive a request that affects the data we hold, we will cooperate with you and use reasonable business efforts to identify the data and take the actions you request so that you can fulfil your legal obligations.
How will we maintain the data?
You are responsible for ensuring that the data you provide to us is accurate and, where necessary, that it is maintained so that it remains accurate. We are responsible for updating our records so that we only process the most up-to-date data, except where we maintain historical records for statistical analysis purposes.
How is data security documented?
We have a fully documented data security policy which all staff are required to sign. It has been approved by the directors and is reviewed regularly for both effectiveness and compliance.
How is user data access managed?
The management of user access rights depends on the systems concerned. Access to in-house servers is managed via Windows Server authentication. Access to external systems hosting PI uses two-token authentication.
How do we protect against viruses, Trojans, malware, etc.?
We run protective software at the gateway, server, and user-device levels to guard against infections. Our employees are regularly reminded of the vital role they play in protecting our systems, for example by not clicking on malicious links in emails.
What physical access measures do you have in place?
Our in-house servers are located in a locked server room to which only authorised personnel have access, and they are physically housed in a locked rack within that room. Cloud services hosting PI are located in third-party premises meeting the equivalent of Tier 2 standards as a minimum.
What business continuity plans do you have in place?
We have a fully documented business continuity plan that would enable us to maintain services. Data and configuration settings from our in-house servers are backed up to a cloud service, which would allow us to rebuild a replica virtual server and provide remote access to all employees.
How do you protect mobile devices?
Our policy is that any data removed from company servers must be stored on encrypted devices.