This Privacy and Data Protection Policy is in relation to: http(s)://www.cybercology.com
Cybercology does not collect your data for any other purpose than for some or all of the following:
- Where the processing enables us to enhance, modify, personalise or otherwise improve our services/communication for the benefit of the customer.
- To identify and prevent fraud
- To enhance the security of our networks and information systems
- To better understand how people interact with our website and social media pages
- To determine the effectiveness of our promotional campaigns and our advertising
If you would like to know what personal data of yours we have on record, you can get in touch asking for the details of what personal data we have. Upon receipt of your request, we will have 30 days to respond under GDPR guidelines. Requests must be made in writing, to help with data protection and to guard against fraudulent third-party emails where requests do not originate from the data subject themselves.
Whenever we process data for these purposes we will ensure that we keep your Personal Data rights in the highest regard and take into account all of your data protection rights under any and all current UK legislation.
You have the right to object to this processing at any time. If you wish to do so, please get in touch to instruct us to either remove your details from our system or to opt you out of any further communication. Please bear in mind that if you object or opt-out, this may affect our ability to carry out the tasks above which may be of benefit to you.
What personal data we collect and why we collect it
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
How long do we retain your data?
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognise and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
What rights do you have over your data?
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Where we send your data
Visitor comments may be checked through an automated spam detection service.
Data Protection Policy
Organisation: Cybercology Ltd
Scope of Policy: This policy covers all Cybercology employees as they go about business which includes home offices, hired rooms or co-working space (as required), engaged company premises and when networking or giving talks about CyberPsychology and related topics.
Policy Operational Date: Policy has immediate effect as of 12 September 2022
Policy Review Date: 12 September 2024 or sooner if legislation or requirements dictate
Purpose of Policy:
- Comply with the law
- Follow good practice
- Protect clients, staff and other individuals
- Protect the organisation.
Data Protection Principles: To ensure the safety of all client data, company data and individual data.
Personal Data: The policy applies to all personal data such as name, email address and contact number, as well as all notes taken during sessions and any questionnaires completed. The policy will not cover anything taken away by a client.
Policy Statement: Cybercology’s commitment is to:
- Comply with both the law and good practice
- Respect individual rights
- Be open and honest with individuals whose data is held
- Notify the Information Commissioner and those affected should a breach occur
Key Risks: The main risks within Cybercology fall into four key areas:
- Information about individuals getting into the wrong hands, through poor security or inappropriate disclosure of information
- Individuals being harmed through data being inaccurate or insufficient
- Staff personal safety
- Website being hacked or website security being breached.
Responsibilities of the Data Protection Officer:
- Informing clients about Cybercology’s use and management of their data
- Informing the ICO and affected parties of any breach
- Reviewing Data Protection and related policies
- Ensuring no data is shared with third parties
- Handling subject access requests
- Dealing with unusual or controversial disclosures of personal data
- Keeping notes separate from personal data so that any breach would not yield sensitive data that could be used maliciously
- Keeping required data up to date
- Deleting data when requested through proper channels and/or any data that is out of date and/or not required to be kept by the authorities.
Scope: All Cybercology employees will ensure that any professional parties used by Cybercology, such as Accountants, will never see any sensitive data on any client that could be used for malicious purposes.
Communication with Data Subjects: All new clients are made aware of our data protection and confidentiality policies before the commencement of initial sessions.
Authorisation for disclosures not directly related to the reason why data is held: There are two main categories:
- Requests by the Data Subject
- Requests made in the course of official investigations.
For the first (such as a financial request from a bank), consent is required from the Data Subject. This consent will be recorded.
For the second, it may be appropriate for the Data Subject not even to be informed. This decision will be made by the Director(s) of Cybercology.
Scope: To ensure that all data is treated with the utmost respect and kept confidential. To follow the principles as laid out below.
- Cybercology operates a clear desk policy
- Laptops must be shut down or locked when not in use
- Passwords are changed regularly and are complex
- Other than returning to the office from an initial contact, full details are never with the notes of an individual
Business Continuity: Computer data is backed-up to a cloud provider with a secure complex password.
- Cybercology staff have a code system for client note sheets that makes them useless to any third parties who may have malicious intent. Personal details and individual notes are kept separately from the cloud server. Passwords are complex and changed in conjunction with MS security guidance
- Social media is controlled in-house. No personally sensitive information will be used which eliminates the risks of malicious intervention
- No personally sensitive details will be discussed over the phone or where third parties will overhear
- No paperwork will be left unattended or in a manner where a third party would be able to gain access to information about any individual(s) or business clients
- Away from the office, no names are on the notes sheets, and therefore if stolen or mislaid would be of no use to any third party for malicious gain or intent.
Contact Form Storage: Cybercology staff keep initial contact forms in a locked cloud safe. All subsequent notes do not have personal contact details on them making them useless to anyone with malicious intent.
Retention Periods and Archiving: Personal details are retained for as long as a client is active or until a client requests them to be removed. Once a client is no longer active, personal details are archived or removed if directly requested by the client.
- The initial contact form is kept securely and electronically locked away in a cloud safe. Cybercology’s database spreadsheet is kept on the cloud storage and secured by a complex password. No sensitive details are held on this spreadsheet. Minimal details will be held for contact purposes only and will not be locked while in use
- Notes taken during sessions will not carry identification details, only Cybercology staff will be able to link the subjects with the notes. This information will be kept separately from the client’s personal details at all times.
Clients have the right:
- To be informed
- Of access
- To rectification
- To erasure
- To restricted processing
- To data portability
- To object
- To not be the subject of automated decision making including profiling.
If you wish to clarify any of the above, please ask in the first instance in writing, stating the nature of your query and/or request. Cybercology will act on your request as a priority.
Responsibility: Cybercology staff are directly responsible for dealing with any requests and ensuring complete transparency.
Underlying Principles: Cybercology will only process data or hold data where consent has been given.
Forms of Consent:
- Entering into a working contract with Cybercology staff implies consent
- Cybercology will strive to ensure that all consent for membership is in writing, however, where verbal consent has been given, this will be recorded.
All data subjects have the right, and are given the option, to opt out from some or all of Cybercology processes and/or marketing communication.
Withdrawing Consent: Cybercology acknowledge that once given, consent can be withdrawn, but not retrospectively. There may be occasions when Cybercology has no choice but to retain data for a certain length of time, even though consent for using it has been withdrawn (e.g. Lawful compliance).
Underlying principles: Even though Cybercology only market to consenting leads/clients, all marketing carries an opt-out solution via a link on the email or automated response (e.g. Mailchimp unsubscribe option)
Opting Out: Cybercology acknowledges that Data Subjects have the right to require their data not to be used for marketing. To this end, clients are provided with an easy opt-out solution (via the unsubscribe link or easy-to-use alternative) at the earliest opportunity.
Sharing Lists: Cybercology does not share client data with any third parties unless requested to do so by law.
Electronic Contact: Cybercology will only have e-contact for marketing purposes where consent has been given.
Information Notes for Readers of the Policy:
Data Controller: The Data Controller is the legal ‘person’ responsible for complying with the Data Protection Act. It will almost always be the organisation, not an individual staff member or volunteer.
Data Processor: Data, such as spreadsheets etc., is only processed by Cybercology staff.
Fair Processing Conditions: Schedule 2 of the Data Protection Act lays down six conditions, at least one of which must be met, in order for any use of personal data to be fair. These are (in brief):
- With the consent of the Data Subject
- If it is necessary for a contract involving the Data Subject
- To meet a legal obligation
- To protect the Data Subject’s ‘vital interests’
- In connection with government or other public functions
- In the Data Controller’s ‘legitimate interests’ provided the Data Subjects’ interests are not infringed.
Notification: All Data Controllers have to consider whether they are exempt from Notification. If they are not exempt, they have to Notify. This means completing a form for the Information Commissioner and paying an annual fee. The Notification form covers:
- The purposes for which personal data is held (from a standard list) and for each purpose (again from a standard list)
- The types of Data Subject about whom data is held
- The types of information that are held
- The types of disclosure that are made
- Any transfers abroad
The Notification entry has to be reviewed each year and may have to change if the organisation changes its processing in significant ways.
Subject Access: Individuals have the right to know what information is being held about them. The basic provision is that, in response to a valid request (including a fee, if required), the Data Controller must provide a permanent, intelligible copy of all the personal data about that Data Subject held at the time the application was made. The Data Controller may negotiate with the Data Subject to provide a more limited range of data (or may choose to provide more), and certain data may be withheld. This includes some third-party material, especially if any duty of confidentiality is owed to the third party, and limited amounts of other material. (“Third Party” means either that the data is about someone else, or someone else is the source).