Privacy Policy
Introduction
We are the National Association of Professional Sourcing Agents (NAPSA) Ltd – Company Number: 13002455 (referred to as “NAPSA”, “We”, “Us”, “Our” from here forward) understands that your privacy is important to you and that you care about how your personal data is used.
We respect and value the privacy of everyone who visits Our website www.napsa.org.uk (“Our Site”) and will only collect and use personal data in ways that are described here and in a way that is consistent with Our obligations and your rights under the regulation, the Data Privacy Act 2018.
By providing your Personal Data, you are affirming that you are over 18 years of age. For the purpose of the Data Privacy Act 2018, NAPSA are the data controller and are registered with the Information Commissioner’s Office as such with Registration Number: ZA804627
Please see: https://ico.org.uk/ESDWebPages/Entry/ZA804627 for further details.
Roles and Responsibilities
NAPSA’s Data Protection Officer is: Tina Walsh (Director)
Email: [email protected]
Telephone number 01200 437 528.
In Writing: NAPSA Ltd, Unit 3, Clitheroe Business Centre, 105 Whalley Road, Clitheroe, BB7 1HW.
Please read this Privacy Policy carefully and ensure that you understand it. Your acceptance of this Privacy Policy is deemed to occur upon your first use of Our Site and you will be required to read and accept the Privacy Policy when signing up for membership. If you do not accept and agree with this Privacy Policy, you must stop using Our Site immediately.
If you are not happy with any aspect of how We obtain, hold or use your personal data then you have a right to make a complaint to the Information Commissioners Office (ICO) – www.ico.org.uk – We would however prefer that you contact Us first and be given an opportunity to resolve any issue that you might have.
Summary
The Regulation defines “personal data” as any information relating to an identified or identifiable natural person (a data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
This Policy sets out the procedures that are to be followed when dealing with personal data. The procedures and principles set out herein must be followed at all times by NAPSA, its employees, agents, contractors, or other parties working on behalf of NAPSA.
NAPSA is committed not only to the letter of the law but also to the spirit of the law and places a high premium on the correct, lawful, and fair handling of all personal data, respecting the legal rights, privacy, and trust of all individuals with whom it deals.
Information Collected
Website Visitors
When you visit our sites we use a third party service, Google Analytics, to collect information from you. We may collect technical information with the potential to identify you such as:
Your IP Address, your browser type, time zone, browser plug-in type, operating system and platform.
We may also collect information about:
Your visit – Including which websites you click through to from our sites, which websites you leave our site to go directly to, which pages you visit within our sites, page response times, download errors, visit duration, pages you interact with, and any methods used to browse away from the page.
We use this information to review and optimise our sites, to ensure that our sites operate correctly, are safe and secure and free from errors; doing this also enhances the experience of visitors to our sites.
NAPSA Membership Applications
When you make payment for membership of NAPSA we ask you to complete an online Membership Profile Form. The Form asks for personal information, including your name, company name, company registration number, telephone number and email address.
We also ask for various declarations, such as business insurance, Ombudsman, ICO & HMRC registration details as well as copies of other documentation (Sourcing Business Set Up Guide) to prove that you meet standards for ‘Live’ membership.
During the administration of your Membership Profile development, we ask for your consent to process data obtained. This is our legal basis for processing.
We will continue to process the above information to administer your membership and monitor your obligations.
NAPSA Members
Once you are a NAPSA Member, our legal basis for processing your information is to perform services under your membership contract. You are required to enter your membership details and password to log into the Members Area of our site.
Occasionally, a member of the NAPSA Team may contact you via SMS, email or social media channels to ensure your continued compliance with membership. Failure to maintain compliance may result in your membership being terminated.
As a part of your membership, we will contact you via email with guidance, sector information, news and invitations to relevant events.
We may also email you or use Facebook and LinkedIn targeted advertising to let you know about NAPSA events and training courses (these may be free to attend or have an additional cost.) These are to help you comply with your CPD requirements, which form a part of your membership.
You can unsubscribe from our emails at any time by either, clicking on the unsubscribe link within the email, or replying to the email with ‘STOP’ in the subject line.
We may also gather data about whether you opened an email from us, if you clicked on any links in the email and how many times. We use this information to help us provide you with a more bespoke membership service.
As is required as a part of your membership of NAPSA, you are required to adhere to our Code of Practice and Membership Rules. If an alleged breach of these rules has happened your information will be processed for the purposes of investigating any allegations and any further action where it is necessary.
The outcomes of a Disciplinary Tribunal Hearing may be published on the NAPSA website. Please refer to our (Disciplinary Procedure Document) for more details.
NAPSA Investor Register Applications
When you apply to register with NAPSA to work with a NAPSA Member. The Form asks for personal information, including your full name, company name, telephone number, email address, where you operate and strategies of interest.
During the administration of your application, we ask for your consent to process data obtained and communicate with you should further information be required and to pass on your contact and investment criteria to an appropriate NAPSA Member. This is our legal basis for processing. we will continue to process the above information to administer your registration and connect you with appropriate new NAPSA Members that fit your criteria.
Complaints Submitted
When you submit a complaint to us about a NAPSA member, we will process the personal information that you provide us in our (Complaints Form.) We request personal information such as, your name, postal address, email address, contact phone number and details of your complaint and what resolution you are looking for.
We ask for your consent to use your information for the purpose it was gathered when you make a complaint to NAPSA. This is our legal basis for processing your information. We use your information to investigate and process your complaint in accordance with our (Code of Practice).
Should your complaint result in a Disciplinary Tribunal Hearing the outcome may be published on the NAPSA website.
We may also process information about your complaint for reporting or statistical purposes but, we will also ensure all personal information is removed and the data is anonymised.
Who has Access to Your Data?
If you paid for membership, your personal information will be processed by NAPSA for the purposes of assessing your suitability to become a ‘Live’ NAPSA member. Your personal information may also be shared with other bodies and authorities for example; Trading Standards, Police, HMRC, government authorised redress schemes, awarding bodies. Subject to certain legal exemptions, we will not share your information with any third parties, unless you have given your express consent.
If we have to investigate a complaint, or allegations are made against you and action is required, we may share your information with bodies and public authorities as mentioned earlier.
If you are an Investor Registering to use the services of a NAPSA Member, your personal information will be processed by NAPSA for the purposes of assessing your application. Your personal information will also be shared with appropriate ‘Live’ NAPSA members who meet your criteria, we will not share your information with any third parties, unless you have given your express consent.
How Long is Data Kept?
NAPSA Member
As a NAPSA member, we will keep your personal information for the period of time that your membership continues and for a further 6 years after your membership ceases. Your data is retained for this period of time in case we have to follow up on any complaint received relating to your time as a member.
Investor Applicants
If your Registration application is successful, we will keep your Application Form until you let us know that you want to end your Registration with NAPSA, following which it will be securely destroyed. Your data is kept for this period of time to enable us to provide you with the service for which you registered.
Complaints
If you make a complaint to us about one of our members, we will keep your personal information whilst your complaint is being processed and for a period of 6 years after your case has been closed. Your data is retained for this period of time in case we have to follow up on any aspect of the complaint.
The Data Protection Principles
NAPSA follows the Data Protection Principles set out in the Regulations. The following principles with which any party handling personal data must comply.
1. Lawfulness, Fairness, and Transparency
The Regulation seeks to ensure that personal data is processed lawfully, fairly, and transparently, without adversely affecting the rights of the data subject. The Regulation states that processing of personal data shall be lawful if at least one of the following applies:
a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes.
b) Processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract.
c) Processing is necessary for compliance with a legal obligation to which the controller is subject.
d) Processing is necessary to protect the vital interests of the data subject or of another natural person.
e) Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
2. Purpose Limitation
2.1 NAPSA collects and processes the personal data set out in Part 12 of this Policy. This may include personal data received directly from data subjects (for example, contact details used when a data subject communicates with Us)
2. 2 NAPSA only processes personal data for the specific purposes set out in Part 12 of this Policy (or for other purposes expressly permitted by the Regulation). A link to a copy of our Data Privacy, Data Retention and Cookie Policy is available at any time, at the bottom of each page of our website: www.napsa.org.uk.
3. Data Minimisation
NAPSA will only collect and process personal data for and to the extent necessary for the specific purpose(s) informed to data subjects as under Part 2, above.
4. Accuracy
NAPSA shall ensure that all personal data collected and processed is kept accurate and up to date. The accuracy of data shall be checked when it is collected and at 12-monthly intervals thereafter. Where any inaccurate or out-of-date data is found, all reasonable steps will be taken without delay to amend or erase that data, as appropriate.
5. Storage Limitation
NAPSA shall not keep personal data for any longer than is necessary in light of the purposes for which that data was originally collected and processed. When the data is no longer required, all reasonable steps will be taken to erase it without delay.
For full details of the Company’s approach to data retention, including retention periods for specific personal data types held by NAPSA, please refer to our Page 3 of this document: How Long is Your Data Kept?
6. Integrity and Confidentiality (Security)
NAPSA shall ensure that all personal data collected and processed is kept secure and protected against unauthorised or unlawful processing and against accidental loss, destruction, or damage. Further details of the data protection and organisational measures, which shall be taken, are provided in Parts 14 to 18 of this Policy.
7. Accountability
7.1 NAPSA’s Data Protection Officer is Tina Walsh (Director) Email: [email protected]
7.2 The Data Protection Officer shall be responsible for overseeing the implementation of this Policy and for monitoring compliance with this Policy and with the Data Privacy Act 2018 and other applicable data protection legislation.
7.3 NAPSA shall keep written internal records of all personal data collection, holding, and processing, which shall incorporate the following information:
a) The name and details of NAPSA, its Data Protection Officer, and any applicable third-party data processors.
b) The purposes for which NAPSA processes personal data.
c) Details of the categories of personal data collected, held, and processed by NAPSA; and the categories of data subject to which that personal data relates.
d) Details (and categories) of any third parties that will receive personal data from NAPSA. e) Details of any transfers of personal data to non-EEA countries including all mechanisms and security safeguards.
f) Details of how long personal data will be retained by NAPSA; and
g) Detailed descriptions of all technical and organisational measures taken by NAPSA to ensure the security of personal data.
1. Data Protection Impact Assessments
NAPSA shall carry out Data Protection Impact Assessments for any and all new projects and/or new uses of personal data, which involve the use of new technologies and the processing involved is likely to result in a high risk to the rights and freedoms of data subjects under the Regulations.
Privacy Impact Assessments shall be overseen by NAPSA’s data protection officer and shall address the following areas of importance:
a) The types of personal data that will be collected, held, and processed.
b) The purpose(s) for which personal data will be used.
c) The Company’s objectives.
d) How personal data is to be used.
e) Any parties (internal or external) who may be consulted.
f) The necessity and proportionality of the data processing with respect to the purpose(s) for which it is being processed.
g) Risks posed to data subjects.
h) Risks posed both within and to NAPSA; and
i) Proposed measures to minimise and handle identified risks.
2. The Rights of Data Subjects
The Data Privacy Act 2018 sets out the following rights applicable to data subjects (please refer to the parts of this policy indicated for further details):
a) The right to be informed (Part 3);
b) The right of access (Part 4);
c) The right to rectification (Part 5);
d) The right to erasure (also known as the ‘right to be forgotten’) (Part 6);
e) The right to restrict processing (Part 7);
f) The right to data portability (Part 8);
g) The right to object (Part 9);
h) Rights with respect to automated decision-making and profiling (Parts 18 and 19).
3. Keeping Data Subjects Informed
3.1 NAPSA shall ensure that the following information is provided to every data subject when personal data is collected:
a) Details of NAPSA including, but not limited to, the identity of Tina Walsh (Director), its Data Protection Officer;
b) The purpose(s) for which the personal data is being collected and will be processed (as detailed in Part 20 of this Policy) and the legal basis justifying that collection and processing;
c) Where applicable, the legitimate interests upon which NAPSA is justifying its collection and processing of the personal data;
d) Where the personal data is not obtained directly from the data subject, the categories of personal data collected and processed;
e) Where the personal data is to be transferred to one or more third parties, details of those parties;
f) Where the personal data is to be transferred to a third party that is located outside of the European Economic Area (the “EEA”), details of that transfer, including but not limited to the safeguards in place (see Part 28 of this Policy for further details concerning such third country data transfers);
g) Details of the length of time the personal data will be held by NAPSA (or, where there is no predetermined period, details of how that length of time will be determined);
h) Details of the data subject’s rights under the Regulation;
i) Details of the data subject’s right to withdraw their consent to NAPSA’s processing of their personal data at any time;
j) Details of the data subject’s right to complain to the Information Commissioner’s Office (the ‘supervisory authority’ under the Regulation);
k) Where applicable, details of any legal or contractual requirement or obligation necessitating the collection and processing of the personal data and details of any consequences of failing to provide it;
l) Details of any automated decision-making that will take place using the personal data (including but not limited to profiling), including information on how decisions will be made, the significance of those decisions and any consequences.
3.2 The information set out above in Part 10.1 shall be provided to the data subject at the following applicable time:
3.2.1 Where the personal data is obtained from the data subject directly, at the time of collection; 3.2.2 Where the personal data is not obtained from the data subject directly (i.e. from another party):
a) If the personal data is used to communicate with the data
subject, at the time of the first communication; or
b) If the personal data is to be disclosed to another party,
before the personal data is disclosed; or
c) In any event, not more than one month after the time
at which NAPSA obtains the personal data.
4. Data Subject Access
4.1 A data subject may make a subject access request (“SARs”) at any time to find out more about the personal data which NAPSA holds about them. NAPSA is normally required to respond to SARs within one month of receipt (this can be extended by up to two months in the case of complex and/ or numerous requests, and in such cases the data subject shall be informed of the need for the extension).
4.2 All subject access requests received must be forwarded to Tina Walsh (Director) NAPSA’s Data Protection Officer – Email: [email protected]
4.3 NAPSA does not charge a fee for the handling of normal SARs. NAPSA reserves the right to charge reasonable fees for additional copies of information that has already been supplied to a data subject, and for requests that are manifestly unfounded or excessive, particularly where such requests are repetitive.
- 5. Rectification of Personal Data
5.1 If a data subject informs NAPSA that personal data held by NAPSA is inaccurate or incomplete, requesting that it be rectified, the personal data in question shall be rectified, and the data subject informed of that rectification, within one month of receipt the data subject’s notice (this can be extended by up to two months in the case of complex requests, and in such cases the data subject shall be informed of the need for the extension).
5.2 In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of any rectification of that personal data.
- 6. Erasure of Personal Data
6.1 Data subjects may request that NAPSA erases the personal data it holds about them in the following circumstances:
a) It is no longer necessary for NAPSA to hold that personal data with respect
to the purpose for which it was originally collected or processed.
b) The data subject wishes to withdraw their consent to NAPSA
holding and processing their personal data.
c) The data subject objects to NAPSA holding and processing their personal data (and there is no overriding legitimate interest to allow NAPSA to continue doing so) (see
Part 17 of this Policy for further details concerning data subjects’ rights to object).
d) The personal data has been processed unlawfully.
e) The personal data needs to be erased in order for NAPSA to comply with a particular legal obligation.
6.2 Unless NAPSA has reasonable grounds to refuse to erase personal data, all requests for erasure shall be complied with, and the data subject informed of the erasure, within one month of receipt of the data subject’s request (this can be extended by up to two months in the case of complex requests, and in such cases the data subject shall be informed of the need for the extension).
6.3 In the event that any personal data that is to be erased in response to a data subject request has been disclosed to third parties, those parties shall be informed of the erasure (unless it is impossible or would require disproportionate effort to do so).
- 7. Restriction of Personal Data Processing
7.1 Data subjects may request that NAPSA ceases processing the personal data it holds about them. If a data subject makes such a request, NAPSA shall retain only the amount of personal data pertaining to that data subject that is necessary to ensure that no further processing of their personal data takes place.
7.2 In the event that any affected personal data has been disclosed to third parties, those parties shall be informed of the applicable restrictions on processing it (unless it is impossible or would require disproportionate effort to do so).
- 8. Data Portability
8.1 NAPSA processes personal data using automated means:
a) Pipedrive – Customer Relationship Management System
b) Acuity – Automated Telephone call booking system
c) Zoom – Telephone Conference facility
d) WordPress – Website(s) – Contact Us and/or request further information Forms
e) WooCommerce – Membership System
f) Stripe – Payment system
g) Xero – Accounting System
h) Google Analytics – Website Analytics System
i) Google Adverts – User Keyword Search
8.2 Where data subjects have given their consent to NAPSA to process their personal data in such a manner or the processing is otherwise required for the performance of a contract between NAPSA and the data subject, data subjects have the legal right under the Regulation to receive a copy of their personal data and to use it for other purposes (namely transmitting it to other data controllers, e.g. other organisations).
8.3 To facilitate the right of data portability, NAPSA shall make available all applicable personal data to data subjects in the following format(s):
8.3.1 Exported data in csv file format;
8.4 Where technically feasible, if requested by a data subject, personal data shall be sent directly to another data controller.
8.5 All requests for copies of personal data shall be complied with within one month of the data subject’s request (this can be extended by up to two months in the case of complex requests in the case of complex or numerous requests, and in such cases the data subject shall be informed of the need for the extension).
- 9. Objections to Personal Data Processing
9.1 Data subjects have the right to object to NAPSA processing their personal data based on legitimate interests (including profiling), direct marketing (including profiling).
9.2 Where a data subject objects to NAPSA processing their personal data based on its legitimate interests, NAPSA shall cease such processing forthwith, unless it can be demonstrated that NAPSA’s legitimate grounds for such processing override the data subject’s interests, rights and freedoms; or the processing is necessary for the conduct of legal claims.
9.3 Where a data subject objects to NAPSA processing their personal data for direct marketing purposes, NAPSA shall cease such processing forthwith.
- 10. Automated Decision-Making
10.1 In the event that NAPSA uses personal data for the purposes of automated decision and those decisions have a legal (or similarly significant effect) on data subjects, data subjects have the right to challenge to such decisions under the Regulation, requesting human intervention, expressing their own point of view, and obtaining an explanation of the decision from NAPSA.
10.2 The right described in Part 18.1 does not apply in the following circumstances:
a) The decision is necessary for the entry into, or performance of, a contract between NAPSA and the data subject;
b) The decision is authorised by law; or
c) The data subject has given their explicit consent.
- 11. Profiling
NAPSA does not use personal data for profiling purposes. If it did the following would apply:
a) Clear information explaining the profiling will be provided, including
its significance and the likely consequences;
b) Appropriate mathematical or statistical procedures will be used;
c) Technical and organisational measures necessary to minimise the risk of errors and to enable such errors to be easily corrected shall be implemented; and
d) All personal data processed for profiling purposes shall be secured in order to prevent discriminatory effects arising out of profiling (see Parts 22 to 28 of this Policy for more details on data security).
- 12. Personal / Company Data
The following personal data may be collected, held and processed by NAPSA:
Contact Type | Data Collected | Purpose of Data |
Site Visitor | a)Technical b)Site Usage | To improve Our website, product/services, customer relationships and provide a bespoke Site experience |
Association Member | a) Identity – Full Name b) Email &/or Telephone Number c) Company Name d) Company Registration No e) Documentation f) Technical g) Site Usage | • Contact • Meet Membership Minimum Standards • Collect membership fees • Marketing & Communication • Inform of other professional services • Share with Partners and/or other professional bodies as required • Provide access to Membership section • Fulfil Member Profile information |
Investor Application | a) Identity – Full Name b) Email & Telephone Number c) Company Name d) Location of Operation e) Strategy of interest f) Technical g) Site Usage | • Contact • Communication • Provide access to NAPSA Member(s) |
- 13. Marketing Communications
You may receive marketing communications from Us if you have:
• Requested information, become a member of the association, purchased goods or services from Us. Or • Completed one of Our ‘Contact Us’ forms and ‘ticked the box’ requesting information. • Not opted out of receiving marketing from Us.
You can opt–out at any time by emailing Us at [email protected] and typing STOP in the subject line.
- 14. Data Protection Measures
NAPSA shall ensure that all its employees, agents, contractors, or other parties working on its behalf comply with the following when working with personal data:
a) No personal data is to be sent via an email(s) system unless expressly requested by the data owner. b) All emails containing personal data must be marked “confidential”;
c) Where any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of.
d) Personal data may be transmitted over secure networks only; transmission
over unsecured networks is not permitted in any circumstances;
e) Personal data may not be transmitted over a wireless network if there
is a wired alternative that is reasonably practicable;
f) Personal data should not be transferred via email, however if this happens, whether sent or received, it should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted using the ‘CleanMyMacX’ (held on ALL office computers and laptops);
g) Where Personal data is to be transferred in hardcopy form it should be marked as “confidential” and passed directly to the recipient or sent using Royal Mail (receipt signature required) Postal Service;
h) No personal data may be shared informally and if an employee, agent, sub-contractor, or other party working on behalf of NAPSA requires access to any personal data that they do not already have access to, such access should be formally requested from Tina Walsh (Director).
i) All hardcopies of personal data, along with any electronic copies stored on physical, removable media should be stored securely in either the locked filing cabinet or locked, fireproof safe.
j) No personal data may be transferred to any employees, agents, contractors, or other parties, whether such parties are working on behalf of NAPSA or not, without the authorisation of Tina Walsh (Director);
k) Personal data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, sub-contractors, or other parties at any time;
l) If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it.
- 15. Data Security – Storage
NAPSA shall ensure that the following measures are taken with respect to the storage of personal data:
a) No personal data should be transferred to any device personally belonging to an employee and personal data may only be transferred to devices belonging to agents, contractors, or other parties working on behalf of NAPSA where the party in question has agreed to comply fully with the letter and spirit of this Policy and of the Regulation (which may include demonstrating to NAPSA that all suitable technical and organisational measures have been taken);
b) All passwords used to protect personal data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols.
c) Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of NAPSA,
irrespective of seniority or department. If a password is forgotten, it must be reset.
using the applicable method. IT staff do not have access to passwords;
d) Where personal data held by NAPSA is used for marketing purposes, it shall be the responsibility of Tina Walsh (Director) to ensure that no data subjects have added their details to any marketing preference databases including, but not limited to, the Telephone Preference Service, the Mail Preference Service, the Email Preference Service, and the Fax Preference Service. Such details should be checked at least annually.
- 16. Data Security – Disposal
When any personal data is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it should be securely deleted and disposed of. For further information on the deletion and disposal of personal data, please refer to NAPSA’s Data Retention Policy below.
- 17. Data Security – Use of Personal Data
NAPSA shall ensure that the following measures are taken with respect to the use of personal data:
17.1 Personal data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, sub-contractors, or other parties at any time;
17.2 If personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it; and
17.3 Where personal data held by NAPSA is used for marketing purposes, it shall be the responsibility of Tina Walsh (Director) – The Data Protection Officer – Email: [email protected] to ensure that the appropriate consent is obtained and that no data subjects have opted out, whether directly or via a third-party service.
17.4 The Member expressly consents to NAPSA processing and supplying to third parties any information, or personal data (as defined in the Data Protection Act 2018) that is supplied to NAPSA under or arising out of the NAPSA Terms and Conditions of Membership Agreement.
18. Data Security – IT Security
NAPSA shall ensure that the following measures are taken with respect to IT and information security:
18.1 All passwords used to protect personal data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols.
18.2 Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of NAPSA, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method. IT staff do not have access to passwords.
18.3 All software (including, but not limited to, applications and operating systems) shall be kept up-to date. NAPSA’s Director’s shall be responsible for installing any and all security-related updates as soon as reasonably and practically possible, unless there are valid technical reasons not to do so; and
18.4 No software may be installed on any Company-owned computer or device without the prior approval of the Tina Walsh (Director) – The Data Protection Officer – Email: [email protected]
- 19. Organisational Measures
NAPSA shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:
a) All employees, agents, contractors, or other parties working on behalf of NAPSA shall be made fully aware of both their individual responsibilities and NAPSA’s responsibilities under the Regulation and under this Policy, and shall be provided with a copy of this Policy;
b) Only employees, agents, sub-contractors, or other parties working on behalf of
NAPSA that need access to, and use of, personal data in order to carry out their
assigned duties correctly shall have access to personal data held by NAPSA;
c) All employees, agents, contractors, or other parties working on behalf of
NAPSA handling personal data will be appropriately trained to do so;
d) All employees, agents, contractors, or other parties working on behalf of
NAPSA handling personal data will be appropriately supervised;
e) Methods of collecting, holding and processing personal data
shall be regularly evaluated and reviewed;
f) The performance of those employees, agents, contractors, or other parties working on behalf of NAPSA handling personal data shall be regularly evaluated and reviewed;
g) All employees, agents, contractors, or other parties working on behalf of
NAPSA handling personal data will be bound to do so in accordance with
the principles of the Regulation and this Policy by contract;
h) All agents, contractors, or other parties working on behalf of NAPSA handling
personal data must ensure that any and all of their employees who are involved
in the processing of personal data are held to the same conditions as those
relevant employees of NAPSA arising out of this Policy and the Regulation;
i) Where any agent, contractor or other party working on behalf of NAPSA handling personal data fails in their obligations under this Policy that party shall indemnify and hold harmless NAPSA against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
- 20. Transferring Personal Data to a Country Outside the EEA
NAPSA does not transfer any personal data to any country outside the EU or EEA.
- 21. Data Breach Notification
21.1 All personal data breaches must be reported immediately to NAPSA’s Data Protection Officer (Tina Walsh).
21.2 If a personal data breach occurs and that breach is likely to result in a risk to the rights and freedoms of data subjects (e.g. financial loss, breach of confidentiality, discrimination, reputational damage, or other significant social or economic damage), the data protection officer must ensure that the Information Commissioner’s Office is informed of the breach without delay, and in any event, within 72 hours after having become aware of it.
21.3 In the event that a personal data breach is likely to result in a high risk to the rights and freedoms of data subjects, the Data Protection Officer must ensure that all affected data subjects are informed of the breach directly and without undue delay.
21.4 Data breach notifications shall include the following information:
a) The categories and approximate number of data subjects concerned;
b) The categories and approximate number of personal data records concerned;
c) The name and contact details of NAPSA’s Data Protection Officer (or
other contact point where more information can be obtained);
d) The likely consequences of the breach;
e) Details of the measures taken, or proposed to be taken, by NAPSA to address the breach including, where appropriate, measures to mitigate its possible adverse effects.
- 22. Third Party Links
Our website may include links to ‘third party websites’, applications or plugins. By clicking on any of those links you are enabling those connections and that may allow third party websites to collect data about you.
We do not control those third-party websites and cannot be held responsible for their privacy policies. We advise that if you leave Our website, that you read privacy notices for all other websites that you may visit.
- 23. Cookies
Cookies are small text files that your computer stores when You visit some websites. On Our website, these cookies help you to experience all aspects of the site and provide you with the best service. The cookies allow us to create a custom experience for you, tailored to your membership.
You are able to set your browser to refuse some or all cookies. You can also set it to alert you when a website sets or adds cookies. If you disable or refuse cookies, some parts of Our website may become inaccessible or fail to function as intended. You can gain more information about cookies at: Wikipedia – Guide – HTTP Cookies or www.allaboutcookies.org. For more information please refer to Our Cookie Policy section later in this document.
- 24. Implementation of Policy
This Policy shall be deemed effective as of 1st August 2022. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.
This policy has been approved & authorised by:
Name: Christina Walsh
Position: Director
Date: 27th January 2024
Signature: C. C. Walsh