3. Sensitive Data (Special Category Data)
The ICPC processes no sensitive or ‘special category data,’ and so according to the GDPR regulations, no Data Protection Impact Assessment is required. The ICPC does however consider and apply appropriate precautions to protect the confidentiality of personal data.
4. Structure of the ICPC and flow of data across organisations contracted to the ICPC
The ICPC has no employees.
The ICPC contracts Pioneer Consulting Holdings LLC (Massachusetts, USA) to oversee all secretariat services. Pioneer Consulting Holdings LLC contracts with Geoffrey N Barnes Ltd for independent accounting services. No personal data that is not required by law to be put into the public domain is sent to Geoffrey N Barnes. Pioneer Consulting Holdings Contracts on a back-to-back basis with Connecting Technologies Ltd for the sub-provision of secretariat services.
The ICPC contracts with Creative Republic for the provision of IT and Web design services.
Personnel working on ICPC activities in Pioneer Consulting and Creative Republic have all successfully passed GDPR training. The ICPC intends to undergo repeat training for the secretariat/IT personnel nominally every 3 years to refresh expertise, or on appointment of new personnel.
For the provision of mail and web hosting services, the ICPC contracts with Hostek.
Information about members is held on the web behind a password-protected website.
The Senior Secretariat representative (Connecting Technologies Ltd) assumes the role of Data Controller, and the Financial Controller (Pioneer Consulting Holdings LLC) assumes the role of Data Processor, supported by Creative Republic. Should escalations or alternates be required, this should be to the General Manager in the first instance, and to the Chair/Vice Chair if the GM should not be available.
5. Documentation of Personal Data
The ICPC has prepared the workflow as attached at Appendix 1 – ICPC Personal Data Workflow and Information to describe its key data workflow.
6. Procedure for the handling of Personal Data
Personal data should be handled by contractors of the ICPC in accordance with GDPR regulations and to at least the same standard to which the ICPC’s contractors and subcontractors hold their own personal information. This is intended to include where possible two-step authentication for mail systems in which the ICPC’s personal data is transmitted, and secure (https) servers whose access is password-protected for the storage of Personal Data.
7. Access Requests
Contacts of the ICPC can access most of their personal information themselves via the secure area of the ICPC website and make changes to it at any time. Access requests for any other data are to be by email to firstname.lastname@example.org
and the ICPC aims to respond to reasonable and lawful requests within timescales contemplated in GDPR regulations. Information is passed back to enquirers as may be appropriate in a data-portable way either by email or if not, in standard MS Word, Excel, PowerPoint or Adobe pdf format.
8. Identification of Information Assets
This is overseen by the financial controller in consultation with the senior secretariat representative.
9. Privacy Notice updatedPrivacy Notice page
11. Withdrawal of Consent
After logging in, ICPC members can update their own personal information from the member area of the website. Should they wish to withdraw consent for the ICPC to hold other information (other than that lawfully required for the ICPC to function, such as company billing information), requests can be sent to email@example.com
and the ICPC aims to act on such requests in a timely fashion in accordance with GDPR regulations.
The ICPC endeavours to ensure the accuracy of personal data held through interaction with members at the annual billing cycle. However, some identifying information may be held for long periods by the ICPC because of the nature of its work to provide a historical source for cable-related information. This remains a historical record for research purposes and is a fundamental part of the service the ICPC supplies to its members.
Though the ICPC does not have staff, GDPR training is provided to the contracted secretariat representatives and the ICPC’s IT support contractor(s).
The ICPC disposes of electronic personal records through electronic deletion. Lawful disposal of paper records can be made by shredding on request.
15. Retention Policy
The ICPC retains the information of active Members which can be for a long time. However, Active members are reviewed in each billing cycle.
The ICPC holds the same data information about ‘Friends of the ICPC, Mailing List Only, Web Access Only, Call for Papers and Plenary Event contacts’. This information is reviewed on a triennial basis.
The ICPC holds a repository of archive and research information related to its purpose. As for any library, its intention is to retain that information in perpetuity.
16. Policy Review
To ensure continued compliance, at review dates the data controller and data processors will visit and complete the questionnaires at ico.gov.uk.
17. Written Contract with Data Processors
The ICPC has written contracts with data processors and has notified the contractors that their obligations will change upon the coming into force of the GDPR, and provided training so those obligations are understood. In the meantime, alterations to the contracts to reflect these obligations will be drafted.
As the ICPC does not process sensitive, ‘special category’ data, the risk of breach is deemed to be limited, however this does not relieve the ICPC of adhering to its GDPR obligations. Should the risk profile change in the future, the ICPC will consider what changes to its policy is required.
The following potential threats have been identified by the ICPC, though threats remain under review:
- Hacking attempts on the website. These are logged and notified to GM.
- Breaches and loss of personal data from the website. These must be logged by the data processor and individuals affected notified by the senior secretariat representative.
- Loss of personal data from email. These must be logged by the data processor and individuals affected notified by the senior secretariat representative.
- Loss of personal data from the ICPC’s billing system. These must be logged by the data processor and individuals affected notified by the senior secretariat representative.
After any breach, the Data Processor, the Data Controller and the GM will consider and document how similar events may be mitigated in future. Should spend be required, this will be raised to the EC for approval.
20. Security Policies and Procedures
The ICPC has achieved the following policies and procedures:
a) Processing of all personal data behind password protection and firewall protection
b) GDPR compliant hosting of personal data it processes
c) Logging and communicating threats to the ICPC website.
21. Minimisation of Data Collected
The ICPC will henceforth seek to minimise the data it collects. It will not collect Personal Information related to requests for ICPC Recommendations.
Consideration of minimising data collected for any new Personal Data processes will be considered by the Data Processor and the Data Controller.
22. Data Protection Compliance
The senior secretariat representative will be the Data Controller. Policy has been created and implemented in consultation with the GM.
The ICPC is not deemed to require the appointment of a Data Protection Officer.
23. Security Policy
The following security policies shall wherever possible apply in relation to Personal Data, and compliance shale be checked at each annual billing round.
a) Secure backups of Personal Data
b) Physical locking away of personal data on paper
c) Password protection prior to accessing personal data online
d) GDPR-compliant hosting methodologies
e) Firewall-protected networks
f) Not accessing personal data via unprotected wifi networks (e.g. while travelling)
This security policy will be reviewed triennially, with the first review in 2021.
Appendix 1 – ICPC Personal Data Workflow and Information
ICPC is a membership-based organization in the Subsea Cable Industry. Here is the breakdown of the data the ICPC keeps.
Membership process: A potential ICPC member organization completes a Membership Application online on the ISCPC.org webpage. An email is automatically generated by the system to alert the secretariat that an application has been submitted for processing.
The data that is collected from the ICPC membership applications makes up the Organization Informational Record. The fields of data that are stored in the ICPC database in the Organization Informational Record are:
- the membership start date,
- name of member organization,
- organization address,
- VAT number,
- phone, fax,
- website link
Each Member Organization has a Primary and Alternate contact associated with the Member record that is supplied on the ICPC member application. Once the Application has been approved by the Executive Committee, the Primary or Alternate contact can request other individuals within their company be added as an ICPC Web user and/or a mailing list contact so their information will also be stored in the contact database. Contact information is provided by the Member Organization on the application and through requests to add or delete contacts made directly to the Secretariat.
The data fields the ICPC stores on a member Contacts are:
- contact type,
- working group they belong to,
- job title,
- email address,
- phone number,
- cell number,
- fax number,
- photograph and biography (if the contact chooses to add it to the record)
- access login and password to the ICPC members website.
The ICPC provides a PDF list of the Member Organization and the Primary and Alternate Contact information on the Members side of the website. This information is not provided on the public side of the site.
All member Contacts have a login and password to be able to access the member side of the ISCPC website which contains ICPC reports and educational information. Contacts cannot access or even see other Contact records. Contacts can access their own information records to change, add or delete the data contained in the record or to change their password. Contacts can request a copy of their contact information at any time.
Any Organization Informational Record changes are made by the secretariat when requested by the Primary and/or Alternate contacts. No financial data is stored.
The data for the administration portal is stored on a Hostek server behind a firewall. The ICPC contracts with Hokstek on an annual basis to host our website and store our data at this location.
A back up of the data and website is made once a week by Creative Republic who is under ICPC contract to maintain the website. The data is stored on a drive at Creative Republic and is secured in between backups. The backup does not get used for restoration unless something happens to the WebSite that is located on a server at Hostek.
Procedures for Breach of data: If a breach of the data was reported or detected we would immediately contact our General Manager and investigate the full details of the breach to determine the magnitude. Since the ICPC does not hold any “special categories” of data it would be up to the General Manager if he would like to inform the proper authorities. We would continue to work on assessing the damage and make recommendations for the General Manager on how best to handle the situation depending on the details of the breach. Again, since we do not hold any Special Category information it would be up to the General Manager if the Contacts would be notified of the breach.
Contractors that store ICPC contact data:
Hostek, Creative Republic.