PRIVACY & DATA RETENTION POLICY

Umbrella is a B2B Promotional Marketing Agency that manages campaigns on behalf of our clients. Our goal is to protect the privacy of the personal data that we receive through the Internet from our clients’ customers. 

Umbrella does not store or process any data. All processing of data occurs at various handling houses and other suppliers that are contracted to Umbrella. However, Umbrella controls the processes and protocols, which are assigned to each campaign. All parties, including third party suppliers and contractors, are aligned in both policy and process. 

It is the goal of this policy to ensure that the highest level of data protection & privacy is given to the personal data we process and temporarily store.

Within the confines of a promotional marketing campaign there are three main ways in which data is received.

Website – Consumer enters their personal details into a website to claim a prize or to receive a chance of winning a prize. Our suppliers are given secure access to the site so that they can download the data and process the prize.

Postal – Consumers enter a campaign by filling in some sort of form which they either post in or hand in at an event. The postal entries are data captured onto an in-house server and the postal applications are then securely stored until 6 months after the end of the campaign.

Secure File Transfer Protocol – Data has been collected elsewhere but needs to be delivered to us for processing. Our handling suppliers will be given passwords to securely access and download the data. The data is only on the SFTP for a limited time.

Customer Service – From time to time we have queries direct from consumers regarding their entry or claim to a promotion. In this instance they either call or email. Only key crucial data is required to access their application (ie. Name/Postcode)

Personal Data is only used for the purposes of processing and delivering a prize or gift to that individual. Our clients own the data which is explicitly stated in the client contract. 

At the end of a campaign the data is transferred or disposed of as per contractual agreement with that client. If no contractual agreement exists, then the data will stay on the system for 6 months (in case of any queries) then is archived for a further 18 months before being destroyed.

We maintain administrative, technical and physical safeguards to protect against unauthorised disclosure, use, alteration or destruction of the personal information. We use Secure Socket Layer (SSL) technology to help keep the personal information provided on any site we maintain secure.  

Long-term data storage is either via in-house server or cloud based secure storage that is approved by our clients.

Umbrella holds a great deal of important information that is crucial to the running of a promotional marketing campaign. While many information systems can be recovered after an incident, the business critical data that resides in electronic and paper form must be suitably protected. This involves considerations into the confidentiality, integrity and availability (CIA) of business critical and potentially sensitive data.

The objective of the Data Retention Policy is to provide guidance on the retention of the various types of data Umbrella holds. This document strives to balance the need to store information with legal obligations to destroy the data safely when it is no longer required.

The Data Retention Policy applies to information in all its forms. It may be on paper, stored electronically or held on film, microfiche or other media. It includes text, pictures, audio and video. It covers information transmitted by post, by electronic means and by oral communication, including telephone and voicemail. It applies throughout the lifecycle of the information from creation through storage and utilisation to disposal. Appropriate protection is required for all forms of information to ensure business continuity and to avoid breaches of the law and statutory, regulatory or contractual obligations. 

The policy applies to all staff and suppliers of Umbrella. With regard to electronic systems, it applies to use of both Umbrella owned facilities and privately/externally owned systems whether connected to the Umbrella network directly or indirectly. 

The policy applies to all Umbrella owned/licensed data and software, be they loaded on Umbrella or privately/externally owned systems, and to all data and software provided to Umbrella by clients or external agencies. 

Umbrella is committed to protecting the security of data through the preservation of: –

• Confidentiality: protecting information from unauthorised access and disclosure. 

• Integrity: safeguarding the accuracy and completeness of information and processing methods. 

• Availability: ensuring that information and associated services are available to authorised users when required. 

Umbrella will develop, implement and maintain the Data Retention Policy to ensure data is sufficiently stored, processed, transmitted and destroyed in a way consistent with our legal, contractual and ethical obligations. 

 

All staff will collect, retain and transmit personal data under the terms of the Data Protection Act 1998 and GDPR 2018.

The Act and GDPR governs the collection, retention and transmission of information about living individuals and the rights those individuals have to see this information. The Act was updated in 2000 to cover personal data in both electronic and manual form and again with the issuance of GDPR in 2018.

The principles are that personal data shall be: 

1. Fairly and lawfully processed 

2. Processed for limited purposes 

3. Adequate, relevant and not excessive 

4. Accurate 

5. Not kept longer than is necessary 

6. Processed in accordance with the data subjects rights and access rights

7. Secure 

8. Not transferred to a country or a territory outside the European Economic Area (EEA) 

Personal data is defined by the Information Commissioner as any information about an individual from whom you are collecting, in which the compromise, loss or theft of which could cause distress or harm to that individual. 

Examples of personal data include: 

• Address 

• Date of birth 

• National Insurance Number 

• Telephone numbers 

• Benefit details 

• Bank account details 

• Information relating to the persons health or disability 

Umbrella outsource this responsibility to a third party supplier who is subject to the mandatory requirements of the Payment Card Industry Data Security Standards (PCI DSS) introduced in June 2007. PCI DSS was created by the major credit card companies to improve consumer data protection. The main implication is that any risk from malicious activity, such as fraud and hacking, has been transferred to merchants (such as Umbrella’s third parties) from the credit card companies. All members of staff must store, process and transmit payment card information in accordance with PCI DSS mandatory requirements. This standard applies to information held on paper as well as electronically and to transactions processed both online and via a third party terminal. Umbrella processes payment card information, for collection of fees and other areas.

Subsequently it is everyone’s responsibility to ensure payment card data is stored and used in the right way as any incident involving loss in confidentiality or integrity of this information could have a serious impact on the day-to-day operations of Umbrella, its income, and its reputation. 

The standard sets out 12 requirements that must be met in order to process credit or debit card information: 

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software or programs

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security for employees and contractors

Requirement 3 and 4 are of particular importance as they state we should: 

• Keep cardholder data storage to a minimum 

• Develop a data retention and disposal policy 

• Limit storage amount and retention time to that which is required for business, legal, and/or regulatory purposes 

• NEVER store the card verification code or value or PIN verification value data elements. 

• As a minimum render the Personal Account Number (PAN) unreadable anywhere it is stored 

• Encrypt transmission of cardholder data across open, public networks (such as the main campus LAN) 

Guidance on payment card information 

For online transactions (such as WorldPay): 

• Staff must only use a Finance Department approved supplier of online card payment services 

• Payment card information should not be stored or processed on approved servers 

• Payment card information should not be transmitted across the campus network unless this is done securely 

For third party terminal transactions (such as Streamline): 

• Suppliers must only use a Finance Department approved supplier of terminal card payment services 

• Payment card information must not be stored either on paper or electronically once a payment has been authorised 

• The 3 digit security code must be completely erased following authorisation or ideally not kept at all 

• Only the last four digits of the card number can be retained following authorisation 

• Paper forms with any remaining card details recorded must be kept securely in locked cupboards with access limited to authorised personnel 

• These paper forms must be destroyed as soon as they are not needed 

Where information systems (including paper and electronic data) store payment information locally they must conform to PCI DSS standards. This may require an audit from an external, Qualified Security Assessor (QSA) and/or the completion of a Self Assessment Questionnaire (SAQ) as part of the ongoing risk assessment programme. 

Staff have an obligation to dispose of personal, confidential and business critical information in a secure manner. 

For confidential paper information, staff should ideally cross shred onsite. 

For confidential, electronic information: 

• DVDs/CDs should be shredded and then put into the recycling stream 

• Computer hard drives should be wiped with a suitable software tool. No unencrypted data should be left on these types of media before re-using/recycling/disposal 

• Media that cannot be wiped initially will need to be sufficiently protected before being overwritten e.g. storage tapes in a locked safe 

Legal and Contractual Requirements 

Umbrella will abide by all UK legislation and relevant legislation of the European Community related to the holding and processing of information. 

This includes the following Acts and mandatory requirements: 

• Copyright Designs and Patents Act 1988 

• Data Protection Act 1998 and GDPR 2018

• Freedom of Information Act 2000 

• Payment Card Industry Data Security Standards 2007 

Umbrella will also comply with all contractual requirements related to the holding and processing of information. 

Responsibilities 

The Data Protection Officer is responsible for the Data Retention Policy. 

All staff are responsible for protecting business critical and potentially sensitive data. 

Everyone granted access to Umbrella information systems and that of their suppliers has a personal responsibility to ensure that they, and others who may be responsible to them, are aware of and comply with the Data Retention Policy. 

All staff, suppliers and other users should report immediately any observed or suspected breach of this policy to the Head of Department, the owner of the information, or, where the IT infrastructure is involved, IT Services Help Desk. 

Those responsible for information or information systems, for example database and IT systems administrators, must ensure that appropriate security arrangements are established and maintained. 

Policy Awareness and Disciplinary Procedures 

The Data Retention Policy will be made available to all staff and suppliers. 

Staff, suppliers, authorised third parties and contractors given access to Umbrella and that of their suppliers information systems, will be advised of the existence of the relevant policies, codes of conduct and guidelines. 

Failure to comply with the policy may lead to suspension or withdrawal of an individual’s access to information systems. 

Failure of a member of staff to comply with the policy may lead to the instigation of the relevant disciplinary procedures as specified in their terms and conditions of employment and, in certain circumstances, legal action may be taken. 

All suppliers should have Service Level Agreements to ensure liability also rests with the contractor who is storing, processing or transmitting data obtained from Umbrella. 

Failure of a supplier to comply could lead to the cancellation of a contract and, in certain circumstances, legal action may be taken. 

Umbrella recognises the need for all staff and other suppliers to be aware of information security threats and concerns, and to be equipped to support the policy in the course of their normal work. 

Appropriate training or information on security matters will be provided for users and suppliers will supplement this to meet their particular requirements. 

All Directors will undertake a proactive campaign of awareness and monitor/report upon the type and frequency of incidents.

The Data Retention Policy will be monitored by Data Protection Officer and reviewed as necessary. Revisions will be subject to appropriate consultation. The Data Protection Officer will report on a summary and exception basis, will notify issues and bring forward recommendations. 

Suppliers are required to carry out periodic risk assessments and establish and maintain effective contingency plans. They are also required to carry out regular assessment of the security arrangements for their information systems. They must take into account changes in business requirements, changes in technology and any changes in the relevant legislation and revise their security arrangements accordingly.

UMBRELLA RISK MANAGEMENT LTD, Company established under the laws of England and Wales and having its registered office at Dodwell House, Chilton Business Centre, Chilton, Buckinghamshire, HP18 9LS