Data protection

1.1 Limited ("IAM") is committed to complying with privacy and data protection laws including:

  • Regulation (EU) 2016/679 - the General Data Protection Regulation ("the GDPR") and any related legislation which applies in the UK, including, without limitation, the Data Protection Act 2018;
  • all other applicable laws and regulations relating to the processing of personal data and privacy, including statutory instruments, and,
  • where applicable, the guidance and codes of practice issued by the Information Commissioner's Office ("ICO") or any other supervisory authority.
(together "the Legislation")

1.2   This policy achieves two aims. First, it sends a clear signal of intent to our staff, customers and stakeholders about the importance we at IAM attach to having high standards for protecting personal data. Second, it shows what we actually do at IAM to protect individuals' personal data.

1.3   Anyone who handles personal data in any way on behalf of IAM must ensure that they comply with this policy. Section 3 of this policy describes what comes within the definition of "personal data". Any breach of this policy will be taken seriously and may result in disciplinary action or more serious sanctions.

1.4   This policy applies to the personal data held by or on behalf of IAM as a data controller. The majority of this information is data which has been voluntarily provided by you in connection with your use of our Site, including name, email address, telephone number and property address. IAM also collects a moderate amount of personal data about you through other sources, such as third party service providers. On rare occasions we may come to hold personal data of a sensitive nature, which we treat in accordance with the additional protection given under Article 9 of the GDPR.

1.5   This policy may be amended from time to time to reflect any changes in legislation, regulatory guidance or internal policy decisions.

2.  Definitions of data protection terms

2.1   The following terms will be used in this policy and are defined below:

Data Subjects include all living individuals about whom we hold personal data, for instance an employee or a contractor. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data.

Personal data is any information that relates to an individual who can be identified from that information. This includes name, age and address, bank details, IP address, attendance, and other information that IAM will come into contact with so that it can comply with its obligations both as a home-mover service provider and as an employer of our own staff.

Personal data also includes more sensitive information that IAM may hold including details of marital status, physical or mental health, medical data for the purpose of any priority registers or vulnerable customer classifications relevant to some utility service providers, and the details of any criminal or driving offences or alleged offences. This is referred to as 'special category data'.

Data Controllers are the people who, or organisations which, decide the purposes for which, and the means by which, any personal data is processed. They have a responsibility to process personal data in compliance with the Legislation. IAM is the data controller of all personal data that we hold.

Data Processors include any person who processes personal data on behalf of a data controller. Employees of data controllers are excluded from this definition but it could include other organisations such as payroll providers, benefit providers, occupational health advisors or other service providers which handle personal data on our behalf.

European Economic Area includes all countries in the European Union as well as Norway, Iceland and Liechtenstein.

ICO means the Information Commissioner's Office (the authority which oversees data protection regulation in the UK).

Processing is any operative activity which is performed on personal data, whether or not by automated means. It includes, but is not limited to, collecting, recording, organising, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying personal data.

3.  Data protection principles

3.1   Anyone processing personal data must comply with at least the six data protection principles set out in Article 5 of the GDPR. We are required to comply with these principles (summarised below), and show that we comply, in respect of any personal data that we deal with.

3.2   IAM processes personal data in accordance with the following data protection principles:

  • IAM processes personal data lawfully, fairly and in a transparent manner.
  • IAM collects personal data only for specified, explicit and legitimate purposes.
  • IAM processes personal data only where it is adequate, relevant and limited to what is necessary for the purposes of processing.
  • IAM keeps accurate personal data and takes all reasonable steps to ensure that inaccurate personal data is rectified or deleted without delay.
  • IAM keeps personal data only for the period necessary for processing.
  • IAM adopts appropriate measures to make sure that personal data is secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.

IAM tells individuals the reasons for processing their personal data, through its basic business model (a home mover and change of address service) and through its Privacy Policy. Together with this Data Protection Policy, these explain how IAM uses such data and the legal basis for processing it. IAM will not process personal data of individuals for other reasons.

IAM will update personal data promptly if an individual advises us that information has changed or is inaccurate. Please also refer to the ‘individual responsibilities’ section within this document.

Most personal data gathered during the employment, worker, contractor or volunteer relationship, or apprenticeship or internship, will be held in the individual's personnel file (in electronic format), and on HR systems. There will be other personal data in the form of IP addresses and email addresses held on IT systems in connection with the use of and interaction with a variety of software and hardware licences which IAM uses for its business. The periods for which IAM holds different kinds of personal data are part of IAM's retention and disposal protocols.

4.  Rights of individuals under the GDPR

4.1   The GDPR gives people rights in relation to how organisations process their personal data. Everyone who holds personal data on behalf of IAM needs to be aware of these rights. They include (but are not limited to) the right:

  • to request a copy of any personal data that we hold about them (as data controller), as well as a description of the type of information that we are processing, the uses that are being made of the information, details of anyone to whom their personal data has been disclosed, and how long the data will be stored (known as subject access rights);
  • to be told, where any information is not collected from the person directly, any available information as to the source of the information;
  • to be told of the existence of automated decision-making;
  • to object to the processing of data where the processing is based on either the conditions of public interest or legitimate interests;
  • to have all personal data erased (the right to be forgotten) unless certain limited conditions apply;
  • to restrict processing where the individual has objected to the processing;
  • to have inaccurate data amended or destroyed; and
  • to prevent processing that is likely to cause unwarranted substantial damage or distress to themselves or anyone else.

4.2   IAM will also provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically, unless he/she agrees otherwise.

4.3   If the individual wants additional copies, IAM will charge a fee, which will be based on the administrative cost to IAM of providing the additional copies.

4.4   To make a subject access request, the individual should send the request to IAM’s Data Protection Officer - . In some cases, IAM may need to ask for proof of identification before the request can be processed. IAM will inform the individual if he/she needs to verify his/her identity and the documents it requires.

4.5   IAM will normally respond to a request within a period of one month from the date it is received. In some cases, such as where IAM processes large amounts of the individual's data, it may respond within three months of the date the request is received. IAM will write to the individual within one month of receiving the original request to tell him/her if this is the case.

4.6   If a subject access request is manifestly unfounded or excessive, IAM is not obliged to comply with it. Alternatively, IAM can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which IAM has already responded. If an individual submits a request that is unfounded or excessive, IAM will notify him/her that this is the case and whether or not it will respond to it.

Other rights

4.7   Individuals have a number of other rights in relation to their personal data. They can require IAM to:

  • rectify inaccurate data;
  • stop processing or erase data that is no longer necessary for the purposes of processing;
  • stop processing or erase data if the individual's interests override IAM’s legitimate grounds for processing data (where IAM relies on its legitimate interests as a reason for processing data);
  • stop processing or erase data if processing is unlawful; and
  • stop processing data for a period if data is inaccurate or if there is a dispute about whether or not the individual's interests override the firm's legitimate grounds for processing data.

4.8   IAM takes the security of personal data seriously. IAM has in place suitable technical and organisational measures which comply with Article 32 of the GDPR (Security of Processing). Central to these technical and organisational measures is an information security policy framework.

4.9   These standards and policies combine to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by permitted persons in the proper performance of their duties.

4.10   Where IAM engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.

5.  Impact assessments

5.1   It is unlikely, on the basis of current information held by IAM, that any existing data processing would result in a high risk to individuals' rights and freedoms. But if this assessment were to change as a result of any particular new initiative, such as the introduction of new automated processes or the consideration of using profiling, IAM will carry out a data protection impact assessment to determine the necessity and proportionality of such new processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.

5.2   As IAM is an ethically responsible and legally aware business, its directors are keen to ensure that it maintains its vigilance and values when conducting its affairs, particularly with respect to data protection.

6.  Data breaches

6.1   If IAM discovers that there has been a data security breach which poses a risk to the rights and freedoms of individual home movers, it will report it to the Information Commissioner within 72 hours of discovery. IAM will internally record all data breaches regardless of their effect, gravity or likelihood of risks to the rights and freedoms of individuals.

6.2   If the breach is confirmed to be likely to result in a high risk to the rights and freedoms of individuals, IAM will tell affected individuals that there has been a breach and provide them.

7.  Individual responsibilities

7.1   Individuals, tenants, landlords, and letting agents are responsible for helping IAM keep their personal data up to date.

7.2   To ensure that we are able to do this, individual home movers, as well as letting agents and landlords, should regularly review the information held in relation to them by IAM and keep IAM informed and up to date with accurate personal details.

7.3   Individuals may have access to the personal data of other individuals (for example employee records). Where this is the case, IAM relies on individuals to help meet its data protection obligations to staff.

7.4   Individuals who have access to personal data are required:

  • to access only data that they have authority to access and only for authorised purposes;
  • not to disclose data except to individuals (whether inside or outside IAM) who have appropriate authorisation;
  • to keep data secure (for example by complying with rules on access to premises, computer access, including password protection, and secure file storage and destruction);
  • not to remove personal data, or devices containing or that can be used to access personal data, from IAM premises without adopting appropriate security measures (such as encryption or password protection) to secure the data and the device; and
  • not to store personal data on local drives or on personal devices that are used for work purposes.

7.5   Failing to observe these requirements may amount to a disciplinary offence. Significant or deliberate breaches of this policy, such as accessing an employee’s or a home mover’s data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.

7.6   You should report any loss of personal data (e.g. data sent accidentally by e-mail; stolen laptop) immediately to IAM’s Data Protection Officer at

8.  Training & Awareness

8.1  IAM will provide training to all individuals about their data protection responsibilities, especially those whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests.

8.2  The world of data protection is rapidly changing. IAM is pleased to be a business which is cognisant of those changes, and which sees the commercial value and the ethical value in being vigilant with its users’ data. We therefore will periodically update this policy to reflect changes in the world around us.