JOHNSTON CAVE ASSOCIATES takes protecting your data very seriously.
Under the new General Data Protection Regulation (GDPR), which replaces the Data Protection Act 1998, we are required to obtain your specific consent to store your personal information.
Rest assured, we will only collect the minimum necessary in pursuance of our contract with you, and what is stored will be as secure as we can reasonably make it (as detailed below).
Your data will not be made available to third parties except, for example, where a contracted supplier requires your name and billing address. Similarly, if we are organising a planning meeting and the parties involved require your name and address in order to attend or to address their documentation appropriately, we will provide them with this minimal information. However, under the GDPR these parties will separately also require your specific consent to store this information.
In order to pursue our contract or proposed contract with you, we obviously require the following:
• Names, address(es), telephone number(s) and email addresses in order to correspond with you. The same applies if there is anyone else you would like us to liaise with, such as partners and family. Again, we are required to obtain their specific consent.
• Your login details such as name, username, and password, should you choose to correspond, upload or download via our forthcoming web portal
• Your bank account number and sort code will only be requested if necessary in pursuance of the contract.
Additionally, we will require your consent to take photographs as, being taken on your premises, under the GDPR they could be considered of a personal nature. Initially, photographs will be taken as necessary during the course of the contract as a record of progress, but also to facilitate the construction process, such as sending a photo to a contractor to assist with planning their task or highlighting an issue. Once the contract has finished, we will take photographs as a formal record of our work, which will be made available to you upon request.
How we will use this information:
• In pursuance of the contract, to liaise with you, contractors and suppliers as described above
• For dealing with Local Authorities on your behalf
• For post-contract contact, such as sending you a Christmas card and infrequent updates on projects that we are proud of and which might be of interest to you
• To showcase our work to potential clients, such as in presentations, printed material and our website, in the same way we presented ourselves to you.
How we protect your information:
We have both paper and digital storage systems, which are held within the office, which is alarmed outside of office hours. Your name and contact details will not be associated with any marketing material.
• We may use the name of your property in marketing literature as long as it does not locate you e.g. ‘The Vicarage’, but not ‘place-name House’
• Photography will be careful not to include information of a personal nature such as recognisable people, family photographs or vehicle number plates. Where this has inadvertently occurred or is impossible to crop out, we will blur the information
• No financial information beyond account numbers and sort code (if required) and normal billing transactions is stored.
Printed documents are retained in the office filing cabinets when not in current use. Printed documents are shredded when no longer required and deposited in the recycling bin.
Computer generated files such as job correspondence, construction plans, photography and contacts are stored on the office server within the alarmed office. Access to the digital material is via office computers - all of which require a login.
• On joining, employees are required to create a login and password for their assigned computer, and they are able to see a subset of the information stored, dependent on their access level, e.g. financial information is only available to the Directors and the Financial Manager
• On leaving, their password is deleted and so access is no longer enabled
• We access our server remotely via a Virtual Private Network (VPN), which is an encrypted communication protocol of the highest standard
• Server maintenance is managed by an outside specialist contractor via a VPN
• Digital data is backed up on a rotational basis to removable hard drives and stored in a firesafe within a separate (alarmed) building within the JCA premises
• In the future this data may be backed up to an encrypted cloud server
• Marketing material is created internally and, when professional printing is required, is formatted as a PDF and uploaded to the printing company’s server via login information. Smaller files may be emailed. No client personal information is included.
The johnstoncave.com website is a bespoke construct and is shortly to be protected by HTTPS (the encrypted form of the standard HTTP internet protocol), which is designed to prevent man-in-the-middle attacks on the two-way communication and is the standard employed for payment transactions. The site was constructed and is continually maintained by a trusted developer whose client base includes financial institutions and who is therefore required to maintain a higher standard of security than most developers.
• The site is added to either internally or by an external designer, both using the bespoke site tools, which require logins
• Photographs, when used on our website, are anonymised with our job number and image number, with the exception of churches, which retain their name (as they are public buildings)
• Embedded metadata is deleted from website images in order to remove location information
• Login information on our website will be set by you and encrypted, and we will not have access to your password. If lost, you will need to reset your password, as we cannot retrieve it.
What you can opt out of:
Following the end of the contract, you can opt out of our marketing efforts, such as sending Christmas cards or JCA updates. If you discover an image that, despite our best efforts, includes some personal information, we will retouch out the offending material or, if that is impossible, withdraw the image.
You can also request to see what information we hold on you and withdraw your consent for us to use it.
We may, however, need to retain a core set of data to make sure we do not contact you inadvertently in the future, and also for our financial records and other legal requirements.
Threats and mitigation:
We take our obligation to secure and protect our clients’ data very seriously.
• Our internal policy is that digital information is only accessed by authorised staff and contractors using a username and password
• This applies to internal and remote access, and also to information that may be removed from the office on, say, a mobile phone, JCA laptop or tablet in pursuance of the contract
• Where out-of-office information is required, our server access requires a VPN link and approved login
• The JCA premises are locked and alarmed out of hours.