Our Data Protection Policy applies to all employees, all operatives and all subcontracted individuals, businesses and companies to Burton Regan Ltd (Also Trading as: Varsity Directory of Investigators and Process Servers and Private Investigator Training UK).

In the first instance all operatives and all subcontracted individuals, businesses and companies will assume they are a “Joint” Data Controller, Data processor or Sub-Processor until a “Lawful basis” is established or is determined and confirmed via your (and our) balancing tests (Legitimate Interest Assessments).

An LIA is a type of light-touch risk assessment based on the specific context and circumstances. It will help ensure that processing is lawful.

The Lawful Basis that is the most appropriate for our work is, usually: Legitimate Interest.

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/lawful-basis/a-guide-to-lawful-basis/legitimate-interests/

Recording the LIA helps demonstrate compliance in line with the accountability obligations under Articles 5(2) and 24. In some cases an LIA will be quite short, but in others there will be more to consider. An example of the balancing test is:

Purpose test – is there a lawful basis behind the processing? (Yes) The instructions are from a solicitor who is trying to effect service of legal documents on a debtor; it is a trace and serve assignment. The solicitors are involved in the enforcement of civil procedure orders originating from the civil court in the UK.

Necessity test – is the processing necessary for that purpose? (Yes) Our LIA determines that we are permitted to locate the debtor and effect personal service of the court documents. As professional and ethical trace experts we need to interrogate available data and “Open source” databases to find an address for the process server to attend to serve the documents or to make (doorstep) enquiries.

Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms? (No) Provided that our trace work is compliant with GDPR and DPA, we are permitted to use, for example: [email protected] by sending an appropriately formulated request to find the location of the debtor who is believed to be in a prison.

We, of course, will protect the data sent and received and will adhere to a “Clean desk policy” – when we attend the prison to effect the serve, we will not keep any documents (for example) on the seat of our vehicle that could be seen by a passer-by (Privacy by design and default). All reporting will use Anonymisation and Pseudonymisation where appropriate. Our Data Protection Impact Assessments will be “Ongoing” throughout all stages of the assignment.

We confirm that we maintain Article 30 Registers of Processing Activity: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/documentation/what-do-we-need-to-document-under-article-30-of-the-gdpr/

 

Data Subject Requests

If you require a copy of the data we hold, we adhere to the published Information Commissioner’s Office Subject Access Request (SAR) guidelines:

https://ico.org.uk/for-the-public/getting-copies-of-your-information-subject-access-request/

 

All electronic and paper records are protected by our Data Protection Policy.

We work to the best practice protocols enshrined in GDPR (And DPA) Principles:

Lawfulness, fairness, and transparency: Personal data must be processed in a lawful, fair, and transparent manner, with clear communication to data subjects about how their data is being used.

Purpose limitation: Personal data should only be collected for specific, explicit, and legitimate purposes, and not further processed in a manner incompatible with those purposes.

Data minimization: The collection of personal data should be limited to what is necessary for the intended purpose, and no more.

Accuracy: Personal data must be accurate and, where necessary, kept up to date.

Storage limitation: Personal data should not be stored for longer than necessary for the intended purpose.

Integrity and confidentiality: Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage.

Accountability: Data controllers must be able to demonstrate compliance with the GDPR principles, including having appropriate policies and procedures in place.

Sections 2(1)(a) and (b) of the Data Protection Act 2018 align with the above-mentioned core principles for the processing of personal data – ensuring lawfulness and fairness.

At all times we have a clean desk and destruction policy for all electronic and paper records, which can be provided upon request.

 

Changes to our Data Protection Policy

We may change this Data Protection Policy from time to time (for example, if the law changes). Any changes will be immediately posted on Our Site. We recommend that you check this page regularly to keep up to date.

 

Special Category Data

Typically we will rely on: GDPR Article 9(2)(f) that permits us to process special category data if:

“Processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity.”

You do not need a DPA Schedule 1 condition or an appropriate policy document to rely on this condition.

 

International Data Transfers

We will use the appropriate safeguards of the Standard Contractual Clauses (SCC) created by the European Commission to transfer personal data to controllers or processors outside the EEA whose activities are not subject to the GDPR.

 

I.T. Security Policy

Our in-house IT security Policy is available upon request.

 

Data Retention Policy

Data is not retained longer than necessary.

We are required to keep and store some of our records and data.

For example, we retain surveillance footage for a 6-year period (should it be required for inspection in future criminal proceedings) and will delete the footage thereafter in accordance with good practice directives derived from the Criminal Procedure and Investigations Act 1996 (section 23(1)) Code of Practice.

 

Automated Decision Making

We do not use Automated Decision Making when conducting our enquiries.

Our Data Breach policy including our Data Breach Register is kept by our DPO.

The Data Processing Agreement Template is available to all employees, all operatives and all subcontracted individuals, businesses and companies to Burton Regan Ltd (Also Trading as: Varsity Directory of Investigators and Process Servers and Private Investigator Training UK).

 

Right to be Forgotten policy

The UK GDPR introduces a right for individuals to have personal data erased. The right to erasure is also known as ‘the right to be forgotten’.

https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/right-to-erasure/

Please note that our Privacy Policy also covers a number of our DPA and GDPR requirements.

 

Contacting Us

If you have any questions about Our Site or this Data Protection Policy, or if you have a Subject Access Request, please contact us by email at [email protected], by telephone on +44 (0)113 270 7500, or by post at Data Protection Officer (Kevin John Regan), Burton Regan Limited, Vicarage Chambers, 9 Park Square, Leeds, LS1 2LH, United Kingdom. Please ensure that your query is clear and is not just a “Fishing exercise,” particularly if it is a request for information about the data we hold about you.

Supervisory Authority & Complaints

The Information Commissioner’s Office (ICO) is the UK’s supervisory authority for data protection and manages complaints related to data breaches or misuse of personal information. If you need to complain about how an organisation has handled your personal data, you should first attempt to resolve the issue directly with the organisation. If that is unsuccessful or if you’re not satisfied with their response, you can then lodge a complaint with the ICO.

https://ico.org.uk/make-a-complaint/

Please also see our Complaints Procedure

© Kevin John Regan, Burton Regan Limited