Information Risk Management Limited (IRM) is committed to protecting and respecting your privacy.
This Privacy Notice sets to define the basis on which any personal information we collect from you, or that you provide to us, will be handled and treated by us and to explain your rights regarding the use(s) of this information.
Our Commitments to you
- We will only collect the least amount of personal information necessary in order to fulfil our obligations to enable us to provide and improve our products and services.
- We will ensure your information is safeguarded whilst under our care and responsibility, and where appropriate ensure that third party processes are required to do likewise.
- We will limit access to and use of the information based on the principles of ‘need to know’ and ‘need to have’.
- We will not deliberately retain any personal information for any longer than is absolutely necessary to complete the legal basis for which it was captured and in order to fulfil our legal, regulatory or contractual obligations, or our legitimate business interests.
- If you believe we have fallen short of these requirements in any way you have various rights to challenge us, and if upheld we will take corrective action as appropriate. Your rights are explained in more detail below.
Who we are
Your personal information is controlled by IRM, who for the purposes of data protection legislation are the data controller. This is because we (whether acting alone, or jointly with others) determine how and why your personal information is processed in the context of our legitimate business needs.
- IRM is registered in England and Wales (under company number 03612719) at the following address: 11th Floor, Eagle Tower Montpellier Drive, Cheltenham, Gloucestershire, England GL50 1TA.
- Our Data Privacy Lead can be contacted via DP@irmsecurity.com or alternatively by writing to the Data Privacy Lead at the above address.
Why we collect personal information
We collect personal information on the grounds of:
- The fulfilment of a contract with you (for example, to provide you with products or services you have purchased from us). We may be unable to fulfil a contract with you without the provision of certain relevant information.
- Because we have a legal basis for processing the personal information, for example if you apply to become an IRM employee. Your application cannot be processed without certain information being made available to us under Employment legislation.
- Our legitimate interests (for example, to send you marketing about products and services similar to those you have previously purchased from us, have enquired about, or to help us administer the Website).
If we are unable to rely on either the fulfilment of a contract or our legitimate interests as set out within Data Protection Legislation to process your personal information, we will first seek to obtain your consent before processing it.
Where you have provided your consent, it can be withdrawn at any time without detriment to any current activities between our organisations. We will provide a link through which you can inform us of your intentions, alternatively you can notify us by emailing firstname.lastname@example.org or call our Head Office on 01242 225 200.
We may obtain personal information from third parties, particularly from seminars, sector conferences where we are presenting or have a business stand if this is permitted by law, as part of a legal business activity, or where you have provided your consent to this information being provided to us.
We do not buy lists, and where lists are provided to us we make every effort to verify that the provider can evidence that they have the legal authority to provide the information to us before we use it.
We may also use legal public sources to obtain or verify information about you where we have a business need and justification to do so.
Types of personal information collected
In the course of our normal business operations we will collect some element of personal information every time there is interaction and communication between us.
This includes personal details such as: your name, email address, business postal address, position/title and contact details such as email address, mobile and/or telephone numbers.
Where you enter into a contract for the provision of our products and/or services we will collect payment and delivery details.
You may provide us with personal information when you complete forms on our website (www.irmsecurity.com) or when corresponding with us by phone, email or otherwise. This includes information provided to us when you:
- Seek to commission our technical, consulting or software products and services;
- Register to attend a course at our Training Academy
- request downloads of documentation or software and related support functions;
- subscribe to our mailing lists, newsletters or bulletins;
- complete questionnaires and surveys;
- book into a seminar or training event run by us;
- apply to join IRM;
- interact with us on social media platforms (such as LinkedIn or Twitter); or
- report a problem with our Website
If you download publications, white papers and other documentation made available through our website we may ask for some information to identify you and in some instances your organisation and role within it. We may ask for details pertaining to the size of the company and the industry sector in which you operated. This information enables us to understand our audience and uses of the materials we produce, or who have expressed an interest in the products and services what we have to offer. We will also ask if we may send you further similar communications about our software and services.
When you visit our website we may also collect personal information, whether you have actively provided it or are merely browsing. The information collected may include:
- the type of device you have used;
- your internet protocol (IP) address;
- a location indicator;
- date and time you access the site;
- the type of browser and operating system you use;
- the pages of our website that you visit;
- any information you provide where you complete any forms as may be available; and
- the page you are on and time at which you exit the website.
How long we retain personal information
Where we provide technical and consultancy services to your business we will retain the personal information associated with this for the duration of the services and for six years thereafter, unless contractually agreed otherwise.
Where we undertake forensic investigations and analysis the evidence captured will be retained for seven years after our final report have been delivered to you.
Reports of Compliance (RoC) relating to assessments conducted against the Payment Card Industry Data Security Standards (PCI DSS), along with relevant evidence to support the assessments, will be retained for three years in accordance with our contractual obligations.
We also retain the following material that contains personal information:
- feedback on our products and services will be retained for a maximum of 24 months;
- where you have provided specific feedback and ‘quotes’ for use in our marketing, seminars and presentations, we will retain and use this information for up to 5 years (unless specified otherwise);
- questionnaires and general industry or marketing surveys will be retained for 24 months;
- data collected through event registration, event participation will be retained for 36 months;
- information relating to delegates registration and participation in courses at our Academy will be retained for three (3) months after the course has concluded and certification details relating to examinations will be retained for four (4) years;
Unless otherwise set out in this privacy notice, any other information we process about you will be retained by us until we no longer than necessary for the purpose(s) for which it was collected. We will base that decision on a number of criteria, including whether:
- we are required by law, regulation or contractual obligation to retain the information for a certain period of time;
- you have withdrawn consent or changed your ‘rights’ to the processing activities;
- a contract has been performed and the likelihood of us needing to retain the information in the event of a claim arising;
- the personal data is still up to date and we have a legitimate interest to retain it;
- there are exceptions set out in the applicable data protection legislation that allows us to retain the personal information for a longer period or indefinitely.
We will review and delete or destroy personal information on a regular basis. If we are unable, using reasonable endeavors, to delete or destroy personal information we will ensure that it is anonymised or appropriate measures are taken to put the personal information beyond use.
How we use the information
In addition to using your information to fulfil a contract to provide you with requested products or services, we may also use your information in the following ways (provided that, where we are required to obtain your consent to use your information, you have provided such consent):
- To conduct credit checks and account validity, using the details you provide, before we fulfil orders for the provision of any of our products or services
- To provide you with information about other services we offer to enhance your security maturity that we believe may be of interest to you (you may opt-out of receiving such information at any time);
- To notify you about changes and enhancements to our software solution;
- To notify you about changes to other industry and market standards which we know you align with or which may impact or influence the security integrity and compliance to other regulations;
- To notify you of new products or services in our service catalogue;
- To monitor and improve the quality of our products and services;
- To monitor the security and integrity of our website and for the protection of our communications systems
- For internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- To enable us to comply with our legal or regulatory requirements, and for the protection of our legitimate interest in the event of legal claims or disputes.
- We may provide you information relating to security trends, exploits and vulnerabilities in order that you may ascertain the risks they pose to your organisations technical infrastructure and environment in order that you can consider appropriate strategies and mitigations to defend against them.
Who your personal information is shared with
We may share your personal information linked to the products and services we provide you with Altran Group our holding company and in specific circumstance to its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
We may disclose your personal information to third parties:
- Our professional advisors such as our auditors, external legal and financial advisors;
- With security vetting agencies (where necessary);
- With government authorities and/or law enforcement officials as mandated for the protection of our legal or legitimate interests and in compliance with applicable legislation;
- If the third party contracts with us to provide certain of the services you have requested and requires your personal information in order to do so;
- Where we have a significant request, complaint or Subject Access Request (See Section on Your rights) which we have been unable to resolve with you directly we may escalate to the Altran Group Data Protection Officer for assistance and direction in order to resolve the matter amicably;
- If we sell or buy any business or assets, in which case we may disclose your personal information to the prospective seller or buyer of such business or assets;
- If IRM or substantially all of its assets are acquired by a third party, in which case personal information held about its customers will be one of the transferred assets; or
- If we are under a duty to disclose or share your personal information in order to comply with any legal obligation; or to protect the rights, property, or safety of IRM, our customers, or others.
Where we store your personal information
The personal information we collect from you will not normally be transferred to or stored outside the European Economic Area (“EEA”). If there are circumstances where your personal data does need to be processed outside the EEA we will make provision to notify you first and we will take reasonable endeavours’ to ensure that your data is transferred securely and handled in accordance with this privacy notice our information security policy and standards.
We capture personal information, (names, contact details, addresses, roles and functions) in our Synergi software platform. Our customers are responsible for all information entered into Synergi and also for administering who has access to their instance of the software. Our terms and conditions make it clear that this platform is not a suitable data store for significant quantities of business related personal information. IRM is responsible for the hardware this platform sits on, which is hosted with Rackspace in the UK. The data is encrypted at rest and in transit.
We use Salesforce (https://www.salesforce.com/uk/) /
Financial Force (https://www.financialforce.com/)
& Hubspot (https://www.hubspot.com/) to store business and personal information.
For business continuity purposes we backup our data, including the personal information therein, through Acronis (https://www.acronis.com/en-us/cloud/backup/).
We also use Societe Generale for our payroll services : https://www.sgebs.com/privacy-policy
We ensure that any destinations to which your personal information is transferred employ appropriate levels of protection as determined by the Data Protection Legislation. These are subject to periodic review.
Where we store and maintain your personal data we have put in place appropriate and proportionate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
We will also ensure adequate safeguards are in place when transferring personal information to any other party, especially to countries outside the EEA where additional measures are required by National law. If you would like to know details about this please contact DP@irmsecurity.com.
We are subject to various third party, independent security assessments to ensure our governance, processes and controls applicable to our business systems and data stored therein are at the levels expected and required. If any anomalies or discrepancies were to be identified we have processes to address and rectify them in a timely way.
Job applicants, current and former employees
IRM is the data controller for the information you provide during the job application process, and where successful during your term of employment thereafter, unless stated otherwise.
- What we will do with the information you provide us? The information you provide during the process will only be used for the purpose of progressing your application and to fulfil our legal or regulatory requirements. We will not share any of the information you provide during the recruitment process with any third parties for marketing purposes or store any of your information outside of the European Economic Area. The information you provide will be held securely by us and/or our data processors whether the information is in electronic or physical hard-copy (on paper).We will use the contact details you provide to us to contact you to progress your application. We will use the other information you provide to assess your suitability for the role you have applied for.
- Information we ask for – We do not collect more information than is required to fulfil our stated purposes and will not retain it for longer than is necessary.The information we ask for is used to assess your suitability for the position you have applied for. You do not necessarily have to provide this information however it is likely to affect our ability to process your application and our decisions regarding it if you do not.
- Agencies – We use recruitment agencies to aid us in the recruitment process. Their role is to facilitate the search for suitable candidates. Where they provide us your personal information, we will be joint controllers.
- The application stage – We ask for your personal details including name and contact details in order to communicate with you regarding the application.We will also ask you about your previous employment (where applicable), your experiences, qualifications, referees and for answers to questions relevant to the role you have applied for. Our Human Resources, and recruitment team will have access to all of this information.You may be asked to provide information regarding equal opportunities. This is not mandatory and should you choose not to provide this information it will not affect your application. Information you do provide will not be made available to anyone other than our Human Resources or recruitment team, including hiring managers, in a way which can identify you. The information will be used only to produce and monitor equal opportunities statistics as we are legally required to do.
- Shortlists – Managers who are hiring will shortlist applicants whom they wish to interview for the opportunity. At this time they will not be provided with your name, contact details or equal opportunities information if you have provided it.
- Assessments – You may be asked to participate in an initial telephone discussion with the hiring manager or their designated representative in the first instance. Thereafter you may be invited to attend an interview and may be asked to complete tests, (which may be written, verbal or technical), we may ask you to give a short presentation, or a combination of these elements. There may be two formal interview stages depending on the specific role you are applying for. During the assessment process personal information will be generated by both you and us, e.g. you might complete a written test or we may take interview notes. Information generated during the assessment process is only held by IRM. If you are unsuccessful following assessment for the position you have applied for, we may ask if we can retain your details in our talent tool for consideration should another suitable opportunity arise with us. If you provide your consent to this, your details to be retained for no more than one year, and should a suitable vacancy arise we will contact you directly about it.
Conditional offer – If we make a conditional offer of employment to you we will ask you for further personal information in order that we can complete various pre-employment checks. You must successfully complete these pre-employment checks to progress to a final offer.We are required to confirm the identity of our employees, to verify their right to work in the United Kingdom and to seek assurances as to their trustworthiness, integrity and reliability. To assist us in this process you will be required to provide:· Proof of your identity – you will be asked to attend our office with original documents, we will take copies. This may include us taking a copy of any Visa or Right to Work authorities you may have or require to permit you to work for us.· Proof of your qualifications – you will be asked to attend our office with original documents, we will take copies.· P45 from previous employer (if applicable).· You will be asked to complete a criminal records declaration to declare any unspent convictions, or pending actions in this regards. New starters are required to complete Disclosure and Barring Service (DBS) forms on their first working day as part of the onboarding process. Using the details provided in your application we may at our discretion contact the referees. If we make a final offer, we will also ask you for the following:
- Bank details – to process salary payments
- Emergency contact details – so we know who to contact in case you have an emergency at work. As a condition of employment you may be required to provide proof that your vehicle is suitably insured for business travel.
Final decisions regarding recruitment are made by hiring managers, senior management and members of our Human Resources and recruitment team appropriate to the role. All of the information gathered during the application process is taken into account. You have the right to ask about decisions made about your application by speaking to your contact within the Human Resources or recruitment team. You can submit your request in writing and emailing this to: email@example.com
Post start date
- Some of our roles require a higher level of security clearance – this will be specified in the job advert. If this is the case, you will be asked to submit information via a link to our Security Vetting Sponsor, who will be the data controller for this information. The sponsor will inform us whether your application is successful or not. If it is unsuccessful, we (IRM) will not be told the reason(s) why but we may need to review the conditional offer we have provided, as not having security clearance could impact your suitability to fulfil the specific role. Technical Consultants may become certified through the National Cyber Security Centre (NCSC) (https://www.ncsc.gov.uk) CHECK scheme. Enterprise Risk Consultants may become qualified and registered as Qualified Security Assessors (QSA) through the Payment Card Industry Security Standards Council (PCI SSC). (https://www.pcisecuritystandards.org/). Our Code of Conduct requires all staff to declare if they have any potential conflicts of interest which might impact their employment with us, or if they are active within a political party. Completed declarations will be held on your personnel file. We will capture some personal information relating to you and your out-of-pocket expenses, travel, accommodation and substance whilst performing company business. We require this information in order to verify the expense such that you can be reimbursed appropriately.It may be necessary for us to facilitate travel arrangements for you both within the UK and overseas in the fulfilment of our business activities, this may necessitate the provision of your passport details and confirmation that you are not travelling against medical advice. We will pass this information to relevant parties in order to facilitate the necessary bookings. Performance appraisals and periodic line managers meetings will be undertaken as part of your personal development plans which will be aligned to team objectives and corporate goals. We provide various benefits to employees through responsible and reputable parties; as shown below along with links to their privacy policies. We may act either as a facilitator to introduce you to the provider and confirm that you are, and that you continue to be an employee. In other instances we may pass personal information that we already have to these providers for processing on your behalf.
- Pension: Legal and General https://www.legalandgeneral.com/privacy-policy/·
- Private Medical Insurance: Aviva https://www.aviva.co.uk/legal/privacy-policy.html
- Dental Cover: Bupu https://www.bupa.co.uk/legal-notices/privacy-and-cookies
- Data processors – In the course of our business operations we use third party data processors to provide various Human Resource, payroll and other services for us; we have contracts in place with our data processor. They will not share your personal information with anyone, they will hold it securely and retain it for the relevant period as instructed by us.We maintain your records either in hard copy form or electronically in a local internal Human Resources Drive – which is only accessible to specified persons.Employees’ details are provided to our Finance Department to facilitate provide payroll services for us. We will provide them details that include your name, bank details, address, and date of birth, National Insurance Number and salary. The Finance Department will also process expenses claims and payments.
- Retention of your personal information – If your application is successful and you accept our offer of employment, the information you provide during the process will be retained by us as part of your employee file for the duration of your employment plus 6 years. This includes your criminal records declaration, fitness to work, records of any security checks and references.If you are unsuccessful at any stage of the process, the information you have provided until that point will be retained for 6 months from the closure of the application.Information generated throughout the assessment process, for example interview notes, is retained by us for 6 months following the closure of the application.Equal opportunities information is retained for 6 months following the closure of the application whether you are successful or not.Personal information relating to projects and assignments along with related timecard information will be retained indefinitely as it is not possible to remove this information.Other information created during your employment may be retained for up to 6 years after you leave IRM.
Your rights under applicable data protection law
Your personal information is protected by various Data Protection Legislation and there a number of rights (briefly explained below) which you can seek to exercise.
We will respond to legitimate and requests as quickly as possible and in any event within one month. If we require more information or need to seek clarification we will contact you directly and without undue delay.
Depending on the nature of your request we may need to verify your identity before sharing any related personal information, or taking further action on the request itself.
There are circumstances where we may still be required to retain your information in order for us to fulfil our own legal, regulatory or business obligations. If this is the case we will explain this to you when we respond to you following a question or complaint.
If your request is manifestly unfounded, excessive or repetitive we may refuse to deal with it or we may in certain circumstances charge a reasonable fee for dealing with it. We will notify you should this be the case before we proceed to resolve your request.
- Right of access – You have the right to access the personal information we hold and process relating to you and to obtain certain prescribed information about how we process and share it with others – although most of this information corresponds to the explanations set out in this Privacy Notice.The Right to Access is also commonly known as ‘Subject Access Request’ (SAR).
- Right of rectify your personal information – If you believe that the personal information we hold about you is inaccurate or incomplete you have the right to have this information rectified (corrected).We will comply with a legal and reasonable request as quickly as practically possible unless there are reasonable grounds for not doing so – in such instance we will notify you directly and without delay.
- Right of be forgotten – You may ask us to delete personal information we hold about you. This is known as either the ‘right to be forgotten’ or the ‘right to erasure’. This is not an absolute right and only applies in particular circumstances. It may not therefore be possible for us to delete the information we hold about you, for example if we have an ongoing relationship or require to retain the information to comply with our legal, regulatory or legitimate business obligations or to exercise or defend legal claims and disputes.
- Right to object to processing – You may object to our processing of your personal information where the processing is based upon our legitimate interests. You may also object to the processing of your personal information for the purposes of direct marketing and for statistical analysis.We will stop processing your personal information unless we can demonstrate that there are compelling and legitimate grounds to override your rights and freedoms; we will inform you if this is the case. Where we cease to actively processing the personal information in response to a legitimate request we do not have to delete it and the information will be retained in order to fulfil our various legal, regulatory or business requirements.
- Right to data portability – You have a right to receive, move, copy or transfer personal information you have given to us to another data controller a right known as data portability.Your rights to this extend to when we process your personal information based on having obtained your consent, in relation to a contract, or if the processing is carried out by automated means (which we do not do).We will provide such information, in response to a legitimate request, in a commonly used and machine-readable format. It should be noted that this right is different from the Right of access (given above) and the types of information you can obtain under these rights may be different.
We do not perform automated decision-making, i.e. processing that is carried out without human intervention, on your personal information.
Our website may contain links to third party websites. IRM is not liable or responsible for your use of such other websites and you are advised to check their policies and privacy statements before you submit any personal information through them.
What to do if you have concerns or wish to make a complaint
If you have questions, comments or concerns, or wish to make a complaint regarding how we collect or use your personal information please raise them directly with us in order that we can address them promptly. In the first instance notify your account manager (if you have one), contact our or alternatively via our Data Protection Lead through the contact information given above.
If we are unable to resolve your concerns or compliant to your satisfaction you are entitled to raise a complaint with the relevant supervisory authority in your jurisdiction. Within the UK you can contact the Information Commissioner’s Office on 0303 123 1113 or via other means as set out on their website – https://ico.org.uk/concerns/.
Changes to our privacy notice
We will review and where necessary update this privacy notice at least annually and we will clearly indicate the date it was last updated for your reference and convenience.
If we do make material changes to the content of this Privacy Notice we will post the details of them below. We may also notify you of any material changes by e-mail where deemed necessary.
This Privacy Notice was last revised May 2019.