Divine Water PHE Ltd - Data Protection and Privacy Policies (GDPR Compliance)

Data Protection Document Links
  • Instructions
  • Necessary Data
  • Purpose of Database
  • Legal Basis
  • Risks
    Data held by the organisation for the purposes of carrying on its day to day business may be at risk of leakage or loss through the following means:
    • Data Theft through hacking (Cyber Crime)
    • Data Theft from the Cloud
    • Data Theft through embezzlement
    • Data Theft through hardware loss
    • Fire
    • Flood
    • Physical damage to equipment
    • End of equipment life risks


    General Considerations
    In order to minimise risks, the number of copies of data held is minimised, commensurate with protection against data loss. In this case, this means that no portable device is ever used as a data repository. All data relating to customers, prospects and enquirers is held on one of the dedicated web servers in the Easyspace data centre in Glasgow. For day to day use, this is accessed via a single account that does not have root privileges. Only one person has the login credentials for this account. Only one person has login credentials for the root account on any of our servers.

    The data on the remote server is backed up to a NAS unit in our main office in Tintern. This can be accessed via a personal cloud for the purpose of remote disaster recovery. Only one person has login credentials for this unit. Other than those backup files, the only data on the NAS unit that could identify a person is the folder of invoice copies. By default, our invoice copies carry no personal names, being addressed solely to the organisation. However, in a small number of cases where the client is a sole trader without a business name, their name does appear in the business name field. As part of our contract with self-employed people trading in their own name, we will be seeking permission to retain invoice records for the length of time required by tax authorities.

    The servers that we use are all protected by firewalls, and all security patches or updates are applied as soon as they become available by the one person responsible for security.

    Root and account passwords are changed twice a year, with only one person being aware of what they are. That person commits them to memory and no physical record of the root password is kept anywhere in the organisation. The account password is recorded for the sake of business continuity, should the main keeper become ill or injured.

    When changed, passwords are generated at random, between 8 and 16 characters long, drawn from a list of upper case letters, lower case letters, numerals and punctuation marks/symbols.

    Data Theft Through Hacking
    All personally identifiable data are held on a web server based in the Easyspace data centre in Glasgow. This is protected by a firewall, which is updated regularly, as is the OS kernel. Furthermore, root access to the server is achieved via two-stage authentication, with a unique code being transmitted to the Data Protection Officer via mobile phone at each login attempt.

    Access to the database that holds such data is also restricted by a separate login with different credentials to the root user, connection being made via https web pages. See General Considerations for the policy regarding password generation, which is applied to all systems used by Divine Water PHE Ltd, both online and internally.

    For disaster recovery purposes, the contents of the web server are backed up to a NAS unit in the main office. The backup is a snapshot of only the latest data and only the most recent backup file is retained in between weekly backup sessions, so that no obsolete data can be accessed or restored once removed from the main database (allowing a week of latency added to our regular data review cycle, as laid out in our Data Retention Term document).

    Data Theft Through The Cloud
    As a matter of policy, Divine Water PHE Ltd does not entrust any data to the Cloud. This has always been viewed by us as inherently insecure, with the faceless owners and uncertain location of data being too risky to contemplate.

    All data held by Divine Water PHE Ltd is housed on dedicated servers rented from our hosting provider, or on machines that we have control over at all times.

    Data Theft Through Embezzlement
    To protect data from theft by trusted individuals, nobody outside the organisation is entrusted with any of the data held for the purposes of carrying on the business of Divine Water PHE Ltd. Neither are login credentials granted to anyone outside the organisation.

    Data access for employees is granted at a level where they can carry out the necessary procedures for their work through https web pages. These pages do not allow download of the database contents and nobody other than the responsible person has access to the database as root user.

    Access to backup files on the local NAS unit is restricted to the responsible person.

    Data Theft Through Equipment Loss
    To prevent loss of data with equipment, no device that is used outside the office carries any sensitive data relating to the business or to the people that it deals with. No mobile phone, tablet or computer belonging to Divine Water PHE Ltd holds such data; all information is secure on the web server, with access being restricted to staff alone.

    Damaged and End of Life Equipment
    In the event of damage to equipment rendering it no longer serviceable, the hard drive will be removed and physically destroyed before disposal of the remaining hardware.

    Where equipment has reached the end of its service life and is to be sold as used, the internal hard drive will either be replaced before sale, or zero-filled seven times using the military strength erasure option in Apple Disk Manager.
  • Data Protection Policy
  • Cookies Policy
  • Privacy Policy
  • Data Access Policy
  • Your Right to be Forgotten
  • Complaints Procedure
  • Data Retention Period
  • Automated Procedures



Instructions (How to use this page)
Welcome to Divine Water PHE Ltd Data Protection Policy page. Using the links on this page, you can find out what information we hold relating to you as an individual, what it is used for, how long it is kept and what steps we take to keep it private and safe.

By following the links in the policies column, you can access our:
  • Necessary Data Statement
  • Purpose for Data Processing
  • Legal Basis for Processing Data
  • Data Retention Periods
  • Data Protection Policy
  • Privacy Policy
  • Cookies Policy
  • Right to Access Policy
  • Right to be Forgotten Policy
  • Complaints Procedure
Other links on this page allow you to view all the data held relating to you, edit those details if incorrect, or completely remove yourself from our database.

To ensure that only you can see, edit or remove these details, clicking on the button will generate an email to the address held on file for you, containing a secure link back to this page, which will then display your information or enable you to confirm deletion.

Please note that if you have made more than one enquiry or transaction and used different email addresses, you will need to repeat the process for each address, as the email address is used to uniquely identify you as an individual.

Data Protection Officer Contact Details
Responsible Person: Neil Hesman

Contact Number: 07703 290243