1.1 IAMMOVING.com Limited ("IAM") is committed to complying with privacy and data protection laws including:
1.2 This policy achieves two aims. First, it sends a clear signal of intent to our staff, customers and stakeholders about the importance we at IAM attach to having high standards for protecting personal data. Second, it shows what we actually do at IAM to protect individuals' personal data.
1.3 Anyone who handles personal data in any way on behalf of IAM must ensure that they comply with this policy. Section 3 of this policy describes what comes within the definition of "personal data". Any breach of this policy will be taken seriously and may result in disciplinary action or more serious sanctions.
1.4 This policy applies to the personal data held by or on behalf of IAM as a data controller. The majority of this information is data which has been voluntarily provided by you in connection with your use of our Site, including name, email address, telephone number and property address. There is also a moderate amount of personal data IAM collects through other sources about you such as third party service providers. On rare occasions we may come to hold personal data of a sensitive nature which we treat in accordance with the additional protection given under Article 9 of the GDPR.
1.5 This policy may be amended from time to time to reflect any changes in legislation, regulatory guidance or internal policy decisions.
2.1 The following terms will be used in this policy and are defined below:
Data Subjects include all living individuals about whom we hold personal data, for instance an employee or a contractor. A data subject need not be a UK national or resident. All data subjects have legal rights in relation to their personal data.
Personal data is any information that relates to an individual who can be identified from that information. This includes name, age and address, bank details, IP address, attendance, and other information that IAM will come into contact with so that it can comply with its obligations both as a home-mover service provider and as an employer of our own staff.
Personal data also includes more sensitive information that IAM may hold including details of marital status, physical or mental health, medical data for the purpose of any priority registers or vulnerable customer classifications relevant to some utility service providers, and the details of any criminal or driving offences or alleged offences. This is referred to as 'special category data'.
Data Controllers are the people who, or organisations which, decide the purposes and the means for which, any personal data is processed. They have a responsibility to process personal data in compliance with the Legislation. IAM is the data controller of all personal data that we hold.
Data Processors include any person who processes personal data on behalf of a data controller. Employees of data controllers are excluded from this definition but it could include other organisations such as payroll providers, benefit providers, occupational health advisors or other service providers which handle personal data on our behalf.
European Economic Area includes all countries in the European Union as well as Norway, Iceland and Liechtenstein.
ICO means the Information Commissioner's Office (the authority which oversees data protection regulation in the UK).
Processing is any operative activity which is performed on personal data, whether or not by automated means. It includes but is not limited to collecting recording organising structuring storing adapting or altering retrieving consulting using disclosing by transmission disseminating or otherwise making available aligning or combining restricting erasing or destroying personal data.
3.1 Anyone processing personal data must comply with at least the six data protection principles set out in Article 5 of the GDPR. We are required to comply with these principles (summarised below), and show that we comply, in respect of any personal data that we deal with.
3.2 IAM processes personal data in accordance with the following data protection principles:
IAM will update personal data promptly if an individual advises us that information has changed or is inaccurate. Please also refer to the ‘individual responsibilities’ section within this document.
Most personal data gathered during the employment, worker, contractor or volunteer relationship, or apprenticeship or internship, will be held in the individual's personnel file (in electronic format), and on HR systems. There will be other personal data in the form of IP addresses and email addresses held on IT systems in connection with the use of and interaction with a variety of software and hardware licences which IAM uses for its business. The periods for which IAM holds different kinds of personal data are part of IAM's retention and disposal protocols.
4.1 The GDPR gives people rights in relation to how organisations process their personal data. Everyone who holds personal data on behalf of IAM needs to be aware of these rights. They include (but are not limited to) the right:
4.2 IAM will also provide the individual with a copy of the personal data undergoing processing. This will normally be in electronic form if the individual has made a request electronically, unless he/she agrees otherwise.
4.3 If the individual wants additional copies, IAM will charge a fee, which will be based on the administrative cost to IAM of providing the additional copies.
4.4 To make a subject access request, the individual should send the request to IAM’s Data Protection Officer - email@example.com . In some cases, IAM may need to ask for proof of identification before the request can be processed. IAM will inform the individual if he/she needs to verify his/her identity and the documents it requires.
4.5 IAM will normally respond to a request within a period of one month from the date it is received. In some cases, such as where IAM processes large amounts of the individual's data, it may respond within three months of the date the request is received. IAM will write to the individual within one month of receiving the original request to tell him/her if this is the case.
4.6 If a subject access request is manifestly unfounded or excessive, IAM is not obliged to comply with it. Alternatively, IAM can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request. A subject access request is likely to be manifestly unfounded or excessive where it repeats a request to which IAM has already responded. If an individual submits a request that is unfounded or excessive, IAM will notify him/her that this is the case and whether or not it will respond to it.
4.7 Individuals have a number of other rights in relation to their personal data. They can require IAM to:
4.8 IAM takes the security of personal data seriously. IAM has in place suitable technical and organisational measures which comply with Article 32 of the GDPR (Security of Processing). Central to these technical and organisational measures is an information security policy framework.
4.9 These standards and policies combine to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed, except by permitted persons in the proper performance of their duties.
4.10 Where IAM engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality and are obliged to implement appropriate technical and organisational measures to ensure the security of data.
5.1 It is unlikely on the basis of current information held by IAM that any existing data processing would result in a high risk to individual's rights and freedoms. But if this assessment were to change, as a result of any particular new initiative such as the introduction of new automated processes or the consideration of using profiling ways IAM will carry out a data protection impact assessment to determine the necessity and proportionality of such new processing. This will include considering the purposes for which the activity is carried out, the risks for individuals and the measures that can be put in place to mitigate those risks.
5.2 As an ethically responsible and legally aware business, its directors are keen to ensure that IAM maintains its vigilance and values when conducting its affairs, particularly with respect to data protection.
6.1 If IAM discovers that there has been a data security breach which poses a risk to the rights and freedoms of individual home movers, it will report it to the Information Commissioner within 72 hours of discovery. IAM will internally record all data breaches regardless of their effect, gravity or likelihood of risks to the rights and freedoms of individuals.
6.2 If the breach is confirmed to be likely to result in a high risk to the rights and freedoms of individuals, IAM will tell affected individuals that there has been a breach and provide them.
7.1 Individuals, tenants, landlords, and letting agents are responsible for helping IAM keep their personal data up to date.
7.2 To ensure that we are able to do this, individual home movers, as well as letting agents, landlords should regularly review the information held in relation to them by IAM and keep IAM informed and up to date with accurate personal details.
7.3 Individuals may have access to the personal data of other individuals (for example employee records). Where this is the case, IAM relies on individuals to help meet its data protection obligations to staff.
7.4 Individuals who have access to personal data are required:
7.5 Failing to observe these requirements may amount to a disciplinary offence. Significant or deliberate breaches of this policy, such as accessing employee or a home mover’s data without authorisation or a legitimate reason to do so, may constitute gross misconduct and could lead to dismissal without notice.
7.6 You should report any loss of personal data (e.g. data sent accidentally by e-mail; stolen laptop) immediately to IAM’s Data Protection Officer at firstname.lastname@example.org
8.1 IAM will provide training to all individuals about their data protection responsibilities, especially those whose roles require regular access to personal data, or who are responsible for implementing this policy or responding to subject access requests.
8.2 The world of data protection is rapidly changing. IAM is pleased to be a business which is cognisant of those changes, and which sees the commercial value and the ethical value in being vigilant with its users’ data. We therefore will periodically update this policy to reflect changes in the world around us.