What is your organisation name?
This website refers to the processes put in place by the Armstrong Watson group whose registered office is 15 Victoria Place, Carlisle, CA1 1EW and comprises of:
Who is your GDPR / Data Protection contact?
The role of Head of Privacy is held by one of our senior partners, who works closely with our Management Board. The contact details are:
Contact: Head of Privacy
Address: 15 Victoria Place, Carlisle, CA1 1EW
Telephone: 01228 690100
What personal data do you collect, receive or hold?
We aim to keep only the data that is required to fulfil our contractual obligations; as a result, the exact detail held will differ from service to service. It is, however, likely to include:
We may also occasionally hold data that is defined as sensitive; we will only ask for this data where it is explicitly required. More details can be found in our Privacy Statement.
What security is in place to protect the firm’s IT infrastructure?
We use a secure offsite data centre to host all our internal servers. This data centre is accredited with PCI DSS for Physical Hosting Services and holds ISO 27001 and ISO 9001 certification. In addition, the centre has been authorised to process HM Government data protectively marked ‘Official-Sensitive’.
All laptops have encrypted hard drives using AES (Advanced Encryption Standard) encryption.
The firm uses TLS (Transport Layer Security) for all email traffic and SSL (Secure Sockets Layer) for Internet traffic where possible.
The firm is certified under the National Cyber Security Centre’s Cyber Essentials scheme, which is designed to help organisations protect the confidentiality, integrity and availability of data stored on devices that connect to the Internet.
Further details can be found at www.cyberessentials.ncsc.gov.uk
What processes are kept in place to ensure access to our servers?
The firm uses an online backup and business continuity service provided by Databarracks, which ensures access to personal data in the event of a physical or technical incident. Databarracks holds both ISO 27001 and ISO 9001 certification. Further details can be found at www.databarracks.com/company/certifications
Our offsite data centre provides a highly secure computing environment with 24 hour A/C power; UPS with emergency generator backup; ventilation, air conditioning & computer monitored climate control for heating (HVAC); and fire detection & suppression.
What are the processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures?
The firm has a Data Protection Impact Assessment (DPIA) process, based on the guidelines provided by the ICO, which is used to ensure that changes to the environment or to processes that are likely to result in a high risk to individuals’ interests are identified and minimised.
From a technical perspective, the firm regularly performs phishing and penetration testing across the business, as well as simulated disaster recovery (DR) tests.
How does the firm guard against the risks of accidental or unlawful destruction of personal data, data loss or alteration, and unauthorised disclosure of, or access to, personal data, and meet its obligations to notify the individuals involved promptly of any such events occurring?
Access to all systems within the firm is controlled through user accounts, which prevent unauthorised access. All access is revoked and all equipment is returned when an employee leaves the firm.
The firm has a Data Protection policy which explains the duties and responsibilities each member of our team must uphold with regard to both electronic and non-electronic records. All new starters are trained on this policy when they join the firm; ongoing training is performed as part of our CPD processes. Our employment contracts include clauses imposing an obligation to comply with our information security and data protection policies.
The firm has a defined process for identifying and reporting personal data breaches which follows the guidelines provided by the ICO. The firm has appointed a senior member of the management team to act as Head of Privacy and oversee this and all other data protection processes.
What controls are in place to ensure third-party systems and contractors adhere to the GDPR?
All contracts with third-party systems and contractors are reviewed to ensure that appropriate controls are in place to ensure data security and confidentiality. During the procurement process, an assessment is made by the firm to ensure that the use of the system or contractor will not reduce our data security. These controls are reviewed periodically to ensure that the situation has not changed.
What physical security measures does the firm employ?
We use numerous security measures in our offices, some of which are: