JOHNSTON CAVE ASSOCIATES
takes protecting your data very seriously.
Under the General Data Protection Regulation
(GDPR) which replaces the Data Protection act of 1998, we are required to obtain your specific consent to store your personal information.
Rest assured, we will only collect the minimum necessary in pursuant of our contract with you and what is stored will be as secure as we can reasonably make it (as detailed below).
Your data will not be made available to third parties except for example, if a contracted supplier requires your name and billing address. Similarly if we are organising a planning meeting and the parties involved require your name and address in order to attend or to address their documentation appropriately, will will provide them with this minimal information. However, under the GDPR these parties will separately also require your specific consent to store this information.
In order to pursue our contract or proposed contract with you, we obviously require the following:
Names, address(s), telephone number(s) and email addresses in order to correspond with you. The same applies if there is anyone else you would like us to liaise with such as partners and family. Again we are required to obtain their specific consent.
• Your login details such as name, username, and password, should you choose to correspond, upload or download via our forthcoming web portal
• Your bank account number and sort code will only be requested if necessary in pursuant of the contract.
Additionally we will require your consent to take photographs as being taken on your premises, under the GDPR, they could be considered of a personal nature. Initially photographs will be taken as necessary during the course of the contract as a record of progress but also to facilitate the construction process such as sending a photo to a contractor to assist with planning their task or highlighting an issue. Once the contract has finished, we will take photographs as a formal record of our work which will be made available to you upon request.
How we will use this information:
• In pursuant of the contract, to liaise with you, contractors and suppliers as described above
• For dealing with Local Authorities and other such bodies on your behalf
• For post-contract contact such as sending you a Christmas Card and infrequent updates on what projects that we are proud of and might be of interest to you
• To showcase our work to potential clients such as presentations, printed material and our website in the same way we presented ourselves to you.
How we protect your information:
We have both paper and digital storage systems which are held within the office and which is alarmed outside of office hours. Your name and contact details will not be associated with any marketing material.
• We may use the name of your property in marketing literature as long as it does not locate you e.g. ‘The Vicarage’, but not ‘place-name House’
• Photography will be careful not to include information of a personal nature such as recognisable people, family photographs or vehicle number plates. Where this has inadvertently occurred or is impossible to crop out, we will blur the information
• No financial information beyond account numbers and sort code (if required) and normal billing transactions are stored.
Printed documents are retained in the office filing cabinets when not in current use. Printed documents are shredded when no longer required and deposited in the recycling bin.
Computer generated files such as job correspondence, construction plans and photography are stored on in the ‘cloud’ via Microsoft SharePoint. Additionally JCA employs a bespoke database hosted internally on a dedicated and encrypted server (AES 256-bit encryption - classified by the US Government for use to protect 'National Security' level information) and served over the internet using AES 256-bit encryption, the https protocol as well as individual username and password protection. Access to the digital material is via office computers - all of which require a login as does the SharePoint access.
• On joining, employees are required to create a login and password for their assigned computer, the JCA database and SharePoint. They are then able to see a subset of the information stored, dependant on their access level e.g. financial information is only available to the Directors and the Financial Manager
• On leaving, their password is deleted and so access is not longer enabled
• Server and database maintenance is managed by outside specialist contractors via a dedicated VPN
• We also deploy an internally hosted encrypted server and additionally encrypted proprietary database for our general business functions and contacts. Access privileges are granted via job title and are individually password protected
• Marketing material is created internally and when professional printing is required, is formatted as a pdf and uploaded to the printing company’s server via https login information. Smaller file sizes may be emailed. No client personal information is included.
The johnstoncave.com website is a bespoke construct and is protected by https
- the encrypted form of the http standard internet protocol - which is designed to stop man-in-the-middle attacks
of the two-way communication and is the standard employed by payment transactions. The site was constructed and is continually maintained by a trusted developer whose client base includes financial institutions and so is required to maintain a higher standard of security than most developers.
• The site is added to either internally or by an external designer both using the bespoke site tools which require logins
• Photographs when used on our website are anonymised with our job number and image number with the exception of churches which retain their name (as they are public buildings)
data is deleted from website images in order to remove location information
• Once implemented, login information on our website will be set by you and encrypted and we will not have access to your password. If lost, you will need to reset your password as we cannot retrieved it
• 'Cookies' are used on the site to allow us to collect statistical information on how the site is performing such as which pages are more or less popular, how long a viewer remains on the site, which contries the site is accessed from and when. No personal or individual identifier data is collected and the information is run through Google Analytics only to provide a picture of how we can serve our customers and visitors better by modifying the site and making its content more relevant. You can block our 'cookies' by setting your web browser to 'block cookies'. Unlike many websites, doing so will not prevent you from accessing the site with the exception of the 'JCA Cloud' section.
What you can opt out of:
Following the end of the contract you can opt out of our marketing effort such as sending Christmas cards or JCA updates. If you discover an image that despite our best efforts includes some personal information, we will retouch out the offending material or if impossible, withdraw the image.
You can also request to see what information we hold on you and withdraw your consent for us to use it.
We may however need to retain a core set of data to make sure we do not contact you inadvertently in the future and also for our financial records and other legal requirements.
Threats and mitigation:
We take our obligation to secure and protect our clients’ data very seriously.
• Our internal policy is that digital information is only accessed via authorised staff and contractors using a password and username
• This applies to internal and remote access and also for information that may be removed from the office on say a mobile phone, JCA laptop or tablet in pursuant of the contract
• Where out-of-office information is required, our server access requires a VPN link and approved login
• The JCA premises are locked and alarmed out of hours.