Privacy Policy

1.0 Introduction

This policy governs the use of personal information within MyWorkpapers (referring to the entities of MyWorkpapers Group including MyWorkpapers Ltd (of the United Kingdom) and MyWorkpapers Pty Ltd (of Australia) and MyWorkpapers Group Pty Ltd (of Australia) so that all of our team members, individual contractors and other workers (Personnel) will have a clear idea of the limits of use of personal information, and where to go for further advice.

1.1 Purpose

This policy lays down the principles for the processing of personal information, whether it relates to team members, suppliers, guests, customers or others. Personal information means any information relating to a living, natural person, who can be identified either directly or indirectly. Processing personal information includes the obtaining, handling, processing, transporting, storing, destruction and disclosure of personal information.

It is not designed to replace practical advice from the Data Manager. Nor is it intended to provide all the answers to questions concerning the use of personal information in particular areas, such as HR, IT or marketing.

1.2 Summary

MyWorkpapers will use the personal information of individuals fairly, lawfully, transparently and in a manner consistent with its valid business interests and at the same time, respecting the fair and lawful privacy requirements of those individuals concerned.

1.3 Status of this policy

This policy has been approved by the board of MyWorkpapers. Personnel who process personal information on behalf of the company must adhere to the terms of this policy and any breach will be taken seriously and may result in formal disciplinary action.

Any questions or concerns about the interpretation or operation of this policy should be taken up in the first instance with your line manager, HR team or the Data Manager.

Any Personnel who consider this policy has not been followed should raise this matter with their relevant head of his/her function within the company, or (if an employee related issue) the HR Team.

1.4 Further advice

Further advice may be obtained from the Data Manager at MyWorkpapers Pty Ltd (of Australia) and MyWorkpapers Ltd (of United Kingdom).

The Data Protection Officer

Gainsborough House, 2 Sheen Road, Richmond upon Thames

London, United Kingdom, TW9 1AE

Phone: +44 (0)20 3519 9104

E-mail: [email protected]

Website: https://myworkpapers.com/gb

Any data subject can contact our data protection officer at any time.

2.0 Governing Principles

2.1 Principles

Personal information will be used within MyWorkpapers by its Personnel according to the principles of applicable data protection legislation (the “DP Legislation”), meaning the General Data Protection Regulation (“GDPR”), the Data Protection Act (“DPA”) and the Privacy and Electronic Communications Regulations (“PECR”). The principles require that personal information will be:

 

1. Lawfulness, fairness & transparency The DP Legislation seeks to ensure that processing is carried out lawfully, fairly and transparently without adversely affecting the freedoms, interests and rights of the individual concerned.

For personal information to be processed lawfully, certain conditions have to be met.  These may include, among other things, requirements that the individual data subject has consented to the processing, or that the processing is necessary for the performance of the contract with the individual, for compliance with a legal obligation, the vital interest of the data subject, or the legitimate interest of MyWorkpapers or the party to whom the information is disclosed.

DP Legislation imposes specific requirements in relation to electronic marketing (e.g. email, Apps, social media and SMS), telephone marketing and the use of tracking or profile analysis technology (e.g. to deliver targeted online advertising).  It is very important that you seek advice from internal teams, including the Data Manager before undertaking such activities on behalf of the company.

Before personal information is passed to third parties, including law enforcement agencies, government bodies, investigators or anyone else, it is important that full consideration is made of the possible data protection implications of doing so.

2. Purpose limitation Personal information will only be processed for the specific purposes notified to the individual when the information was first collected or for any other purposes specifically permitted by the DP Legislation.  This means that personal information will not be collected for one purpose and then used for another, unless the other purpose is also specified.
3. Data minimisation Only personal information that is necessary for the purposes specified will be collected. Any data which is not necessary for that purpose will not be collected in the first place.
4. Accuracy Information which is incorrect, misleading or inaccurate will be amended immediately. Inaccurate or out-of-date information will be securely destroyed.
5. Storage limitation Personal information will not be kept longer than is necessary for the purpose for which it was collected.  This means that data will be destroyed or erased from our systems when it is no longer required.
6. Integrity and confidentiality MyWorkpapers will ensure that appropriate safeguarding measures are taken against unlawful or unauthorised processing of personal data, and against the accidental loss of, or damage to, personal data.  Individual data subjects may apply to the courts for compensation if they have suffered damage or distress from such a loss.

The DP Legislation requires us to put in place procedures and technologies to maintain the security of all personal data from the point of collection to the point of destruction, be it paper-based or in electronic format.

Thus, personal data will only be transferred to a third-party data processor (such as a supplier or service provider to the company or a group company) if they agree to comply with these procedures and policies, or if they have put adequate measures in place.  DP Legislation also requires MyWorkpapers to have a written contract in place with all suppliers or service providers who will process personal information.

Unless the relevant party has the prior written consent of the other or unless required to do so by law, each party will preserve the confidentiality of all confidential information of the other obtained in connection with this Agreement.  Neither party will, without the prior written consent of the other, disclose or make any confidential information available to any person, or use the same for its own benefit, other than as contemplated by this agreement.  Each party’s obligations under this clause will survive termination of the agreement.

The provisions of this clause shall not apply to any information which:

a)     is or becomes public knowledge other than by a breach of this clause;

b)    is received from a third party who lawfully acquired it and who is under no obligation restricting its disclosure;

c)      is in the possession of the receiving party without restriction in relation to disclosure before the date of receipt from the disclosing party; or

d)    is independently developed without access to the Confidential Information.

Please note that if at any time MyWorkpapers is required by law to release information about you or your organisation, MyWorkpapers must co-operate fully.

7. Accountability MyWorkpapers will ensure that we are able to provide evidence that we comply with DP Legislation.

For example, to demonstrate that all the above principles have been applied, documentation is up to date, training on data protection and privacy has been completed, and security measures are complied with.

2.2 Compliance with the principles

In order to meet the requirements of the principles MyWorkpapers will:

  • observe the conditions regarding the fair, lawful and transparent collection and processing of personal information;
  • meet its obligations to specify the purposes for which personal information is used;
  • collect and process personal information only to the extent it is required for the company’s valid business interests and where there is a legal basis for doing so;
  • ensure the quality of the personal information used;
  • adopt a data retention and disposal policy that includes the length of time personal information is held;
  • ensure that the rights of individuals about whom personal information is held can be fully exercised under the respective DP Legislation;
  • take appropriate technical and organisational safeguarding measures (which include strict Personnel access controls) to protect personal information including following the policy guidelines set out in Example Company IT Security Policy and IT Acceptable Use Guide;
  • ensure that any contractor, agent or other third party who processes personal information on the company’s behalf does so under a written contract requiring that third party to:
  • only process the personal information in accordance with the company’s instructions; and
  • take appropriate technical and organisational security measures to safeguard personal information; and
  • ensure that personal information is not transferred outside the European Economic Area without suitable safeguards; and
  • confirms destruction of all information. This should include paper, electronic and consideration should be given to backup media; and
  • which contains additional data processing clauses which are specified in the DP Legislation.

2.3 Responsibility for compliance

MyWorkpapers is a data controller (and, in certain circumstances, also a processor) responsible for complying with the DP Legislation. It is the responsibility of each member of Personnel to comply with this policy when using personal information relating to team members, customers or others.

The Data Manager has responsibility for this policy and its review.

3.0 LEGAL BASIS

All processing must be lawful, which means that there must be one of the following legal grounds established before processing can take place:

3.1 Consent

When using consent, MyWorkpapers must be able to demonstrate that consent has been unequivocally given, not just implied. Consent cannot apply to children under 13 vis-à-vis online unless the holders of parental responsibility have provided it. Nor can consent be coerced, for example, forced consent as part of a contract. Consent is a valid legal basis for processing of special categories of personal information. Consent must be prominent in any privacy statement:

  • freely given, specific, informed and unambiguous
  • a clear affirmative action, signifying agreement to the processing of their personal information

When consent is given in the context of a statement which also concerns other matters, the request for consent needs to be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

When consent is provided, it must be able to be withdrawn at any time with as much ease as it was originally given.

When carrying out any direct marketing using personal information MyWorkpapers will:

  • only market to those individuals under the correct legal basis, such as consent, and for the specific purposes notified to the guest or customer when the personal information was collected;
  • use safeguarding measures such as the Telephone Preference Service, Mailing Preference Service and other third party suppression lists where appropriate;
  • use standard Example Company consent wording; and
  • require our third party partners to use the an approach compatible with this document when capturing consents on our behalf.

NB The legal basis of consent must be used for any direct marketing that involves electronic communications, including Apps, SMS, phone and / or email, and for the purpose of direct marketing using these channels, you cannot use legitimate interests.

3.2 Legitimate Interests

It is always important to demonstrate the necessity for MyWorkpapers to process personal information for its legitimate interests if relying on this legal basis.

When using legitimate interests, MyWorkpapers must be able to demonstrate that there are no over-riding risks to the individuals’ interests, rights or freedoms.

Therefore, the company’s legitimate interests when weighed up against the risks to individuals must always be taken into account when conducting a data protection impact assessment (required for any new system or process – or a significant change). Similarly, the mitigating measures that are applied need to be documented.

3.3 Contract

When using contract as the legal basis, MyWorkpapers must be able to demonstrate that the necessity of the performance of a contract (or negotiation of a contract) with the individual, for example, employee, supplier or customer / guest.

NB – Consent is presumed not to be freely given if it does not allow separate consent to be given if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

3.4 Legal Obligation

When there is a statutory obligation, MyWorkpapers must be able to demonstrate for the specific purposes of processing personal information what that legal obligation is, third parties who receive the personal information under the auspices of the obligation, and any retention obligations required.

3.5 Public Interest

When using public interest, MyWorkpapers must be able to demonstrate that there is a need to store personal information in the interests of the public. For example, for public safety and security purposes, retaining staff information to pass to emergency services personnel given some event.

4.0 Requirements

4.1 Notices

Individuals have the right to be informed regarding the specific purposes that their personal information is being processed before processing takes place, for how long the information will be stored and processed, who it is being shared with (including internationally), and if there is automated decision-making, including profiling.

4.2 Transfers

The DP Legislation prohibits us from transferring personal information to countries outside the European Economic Area (EEA), unless we first put in place additional safeguards.

4.3 Data Protection by Design / Data Protection by Default – Approach

MyWorkpapers will ensure that our policies reflect processes and a culture of respecting privacy. This includes ensuring that we are each accountable for the security and other safeguarding measures are adhered to, as well as collecting, processing storing, and only sharing it with those authorised and required to use it, only the personal information that is required, and only for as long as it is required for.

4.4 Data Protection Impact Assessment (DPIA)

DPIA guidance is to undertake an assessment from a risk-based perspective.

Any new process or system that includes innovative technologies or processing personal information or monitoring individuals on a large scale, where there is a higher risk to rights and freedoms of individuals affected.

5.0 Data subject rights

5.1 Summary of Rights

The subjects of personal information held by, or on behalf of, MyWorkpapers (“Data Subjects”) have a wide range of rights granted to them under the DP Legislation. Whilst MyWorkpapers can make use of personal information for specific purposes and where we can lawfully justify such use, an individual can still exercise significant control over what we do.

A summary of each of the rights is set out below.

5.2 Right to be informed

Individuals have the right to be informed of how their personal information is being processed.

This will be provided in a privacy notice – the notice may be in the form of:

  • a privacy statement or privacy policy, separate to a cookie policy (which is also required);
  • an email signature, other correspondence, or information board in a public area;
  • a privacy clause in an Employee Handbook; or
  • a clause within the Terms and Conditions of a contract.

In general, individuals will be informed about:

  • the purpose for processing their personal information,
  • what information is processed, and
  • for how long.

The notice will also include the contact details of MyWorkpapers and our Data Manager.

5.3 Right of access (‘Subject Access Requests’)

Individuals have the right to request that MyWorkpapers:

  • confirm, amongst other things, whether we are holding their personal information;
  • provide them with a copy of that information, and
  • provide them with supporting (and detailed) explanatory materials.

MyWorkpapers will comply with Subject Access Requests without undue delay and at the latest within one month of the request (although this can be extended in limited circumstances), and we will not charge individuals for making a request (except in specific situations). Particular care will be taken to ensure a request from one individual will not result in personal information of another individual being disclosed.

5.4 Right to rectification

Individuals have the right to require us to rectify inaccuracies in personal data held about them. In some circumstances, if personal information records are incomplete or inconsistent, individuals have the right to require us to complete the data, make it consistent, or to record a supplementary statement correcting it.

5.5 Right to erase (‘the right to be forgotten’)

Individuals have the right to have their personal information erased in certain specified situations – in essence where the continued processing of it does not comply with DP Legislation.

There are several exemptions which apply to such requests, and you should not assume that your personal information is simply deleted.

5.6 Right to restriction

The right to restricts allows individuals, in certain situations, to restrict our use of their personal information. This might result in our use of it being limited to storage only, and could mean we have to move personal information to separate IT systems, or temporarily block access to it.

This issue could arise in a situation where an individual is disputing the accuracy of information we hold, or where they are objecting to our right to continue to use their information and we need to take some time to establish whether we have a right to continue to do so.

5.7 Right to data portability

Data portability is the right to access on request, information to individuals in a structured, commonly used and machine-readable format. We could also be asked by an individual to transmit personal information directly to another data controller in the same format.

This right only applies to electronic records which have been provided to us by the individual themselves, or generated from their activity or are our observations of their activity (but not subsequent analysis of such activity), and only where we hold the personal information because we have the individual’s consent or because we are fulfilling a contract with them.

5.8 Right to object

Individuals have an absolute right to object to their personal information being processed for the purpose of direct marketing. If we receive any such objection we will immediately cease such marketing activities in respect of that individual.

Individuals have a wider right to object to processing we undertake which is justified on the basis that it is in our legitimate interests (rather than because we have their consent).

5.9 Rights in relation to automated decision-making, including profiling

Individuals have rights which apply if we take decisions about them which are based solely on automated processing (i.e. without human intervention) and which produce significant or legal effects on the individuals.

MyWorkpapers can use such automated decision making in circumstances where we need to do so for us to enter into a contract with the individual, or where we have their explicit consent. However, transparency is required with individuals about what decisions are taken in this way.

5.10 Right to complain

Individuals have the right to bring a complaint to the Information Commissioner, or other supervisory authority.

5.11 Right to bring legal proceedings

Individuals have the right to seek judicial remedy through the Courts.

5.12 Requests

Team members, customers and other subjects of personal information held by, or on behalf of MyWorkpapers may exercise any of the rights specified above. These rights are subject to certain exemptions which are set out in the DP Legislation.

Any team member, customer or other subject of personal information wishing to exercise any of these rights should make the request in writing to the Data Manager.
MyWorkpapers aims to comply with any requests in relation to personal information as quickly as possible and in any event within the time specified by DP Legislation.

5.13 Personnel responsibilities

All Personnel are responsible for:

  • checking any personal information which they provide to MyWorkpapers is accurate and up to date;
  • informing MyWorkpapers of any changes to personal information which they have provided, for example change of address; and
  • checking any information that MyWorkpapers may send out from time to time, for example giving details of personal information that is held by the company.

If, as part of their responsibilities, Personnel have access to or use personal information about other people as part of their employment duties (for example, customer or guest personal information) they must comply with this policy and in MyWorkpapers other policies and procedures for processing personal information.

All Personnel are responsible for ensuring that any personal information which they hold or process is kept secure and is not disclosed either orally or in writing or otherwise to any unauthorised third party and transferred internationally without checking first that the right safeguards are in place.

Only those Personnel who strictly require access to personal information for their role will have such access, and all Personnel will make sure that personal information is not shared with Personnel who do not need to see it.

Personal information about Personnel and others may include special categories of personal information or other information that needs to be treated sensitively. This is personal information relating to an individual’s:

  • racial or ethnic origin;
  • political opinions;
  • religious beliefs or other beliefs of a similar nature;
  • membership of a trade union;
  • physical or mental health or condition;
  • sexual life;
  • biometric or genetic data (e.g. facial or iris imaging, or biological sample information.)
  • commission or alleged commission of an offence;
  • any proceedings for any offence or alleged offence, the disposal of such proceedings or any sentence imposed by a court

Particular care will be taken when dealing with any personal information falling under one or more of these headings.

5.14 Email

Due to the ease with which large quantities of personal data can be accidentally or inappropriately exposed when using email staff will be particularly careful to use email in a considered manner. In particular:

  • Email to addresses outside the “@company.com” domain will not include personal data beyond simple contact information (name, email, telephone, address, job title and place of work). If more extensive data needs to be provided an encrypted attachment can be used (MS Office encryption is adequate for low risk data) or a specialised secure transfer option may be used in high risk cases.
  • Emails sent from “@company.com” addresses to “@company.com” addresses are restricted to the secure environment and may include personal data.
  • No personal information will be in the “Subject” field of an email regardless of the recipient.

6.0 Information collected, use and retention

MyWorkpapers is the sole owner of the information collected.  We will not sell, share, or lease this information to others in ways different from what is disclosed in this statement. MyWorkpapers collects information from our clients and prospects via email, websites, forums, telephone, mail and various web services.

Information is collected when a prospect or client:

  1. enquires about our software or services
  2. purchases any of our software or services
  3. provides feedback by any media
  4. completes surveys or replies to expressions of interest
  5. registers for promotional events
  6. registers for hands on training, update seminars or webinars
  7. renews a software subscription or service subscription
  8. obtains any other service or product from us
  9. participates in special offers
  10. logs a support call
  11. accesses our website
  12. communicates in our forums
  13. provides feedback through our website

Data files containing client information (information of our clients’ clients) may also be collected:

  1. assist with the resolution of software problems
  2. convert data from another software package to MyWorkpapers
  3. combine software data sets

MyWorkpapers also has access to data stored in our web applications.

We request information from the clients to provide you with a specific service.  This may include details of special offers, updates to software, details of product training courses, update sessions and webinars, newsletters, new product information and other information of interest.  Information collected may be in the form of email, website submissions, phone, face to face or mail. A client may provide information such as contact names, business name, contact number(s), mailing address and financial information like credit card number. This information is used for billing purposes.  If we have trouble processing payment, the contact information is used to contact the client.

MyWorkpapers will send materials to clients by email and via phone calls.  If at any time you receive material that you did not request or do not want to receive you can withdraw consent at any time.

6.1 Where is the data held?

All our client data is stored on Rackspace and Google Cloud Platform (GCP) in the country of origin for the United Kingdom and Australia, respectively. Where the client is not in either of these countries, the client data will be held in either the United Kingdom and Australia depending on their geographic location. Our file servers are controlled by login user names and encrypted passwords.

7.0 What happens if you do not provide the information?

Should the relevant information not be provided, clients may be disadvantaged as they may not receive software and product updates, support calls may not be able to be resolved and information may not be provided to the correct person.

8.0 Third party compliance

MyWorkpapers will not sell, rent, trade or otherwise supply to third parties any personal data obtained from you unless you consent.

9.0 Aggregated data

MyWorkpapers may share unidentifiable aggregated demographic data with other organisations and may use the unidentifiable aggregated demographic data to provide clients with a better user experience.

10.0 Security measures in place

MyWorkpapers takes every precaution to protect our clients’ information.  When clients submit sensitive information via our websites or client centre, information is protected both online and off-line.  When our registration/purchase form asks users to enter sensitive information (such as credit card number), that information is protected.

MyWorkpapers has security measures designed to protect against the loss, misuse and/or alteration of the information under its control.

All client information is password protected.  All paper files maintained are stored securely.

All client data stored on our fileservers is controlled by login names and passwords.  Client data is deleted once the support issue has been resolved or the conversion or combination of data is complete.

11.0 The use of Cookies

We use cookies and similar technologies (‘cookies’) to collect and analyse information to give you the best experience on our website. In specific standard information from your web browser will be collected such as browser type, browser language, IP address and the pages you navigated through. This information helps us to:

  • Allowing us to identify your device, so that you are not treated as a new visitor each time you visit our website.
  • Understand how visitors use the website to optimise the most effective website layout.
  • Cookies assist in detecting and preventing security threats.
  • Noting your browser capabilities.
  • Third party cookie use by Google analytics and Pardot are used to collect marketing information which is collected anonymously and statistically. If you
would like more information about the cookies used by these third parties, please see their individual cookie policies.
  • Third party cookie use by Typekit to allow custom fonts on our website.
  • Third party cookie use by YouTube to connect directly to the MyWorkpapers YouTube account which contains training videos of our software.

Note cookies used alone cannot personally identify you.

12.0 Changes to our Privacy Policy

If we decide to change our privacy policy, we will post those changes on our website, so our clients are always aware of what information we collect, how we use it and under what circumstances. If at any point we decide to use personal identifiable information in a manner different from that stated at the time it was collected, we will notify users by way of an email and request separate consent.

Please note that if at any time MyWorkpapers is required by law to release information about you or your organisation, MyWorkpapers must cooperate fully.

This Privacy Policy does not apply to acts or practices of MyWorkpapers that are directly related to employee records of current or former employees.

[1] The right to data portability applies in the case of contract being the legal basis.

[2] The right to not being subject to automated decision-making, including profiling, does not apply where there is a necessity for the purposes and legal basis of a contract (or entering into a contract).

The right to data portability applies in the case of contract being the legal basis.