Road Safety Analysis Data Protection Code of Conduct v 1.0 – September 2019

Corporate Data Protection Policy

Road Safety Analysis (RSA) is fully committed to transparency in how it handles personal data. The company takes all the essential measures ensure that information it holds remains private and secure and is processed with total confidentiality.

The lawful basis upon which RSA handles personal data is the Data Protection Act 1988 (DPA).

RSA only holds personal information supplied to it directly by the person concerned, or in the case of organisations with which Road Safety Analysis has an existing commercial relationship by professional colleagues of the person concerned.

RSA never has and never will store any sensitive personal data in the meaning of the DPA, except about its own employees for diversity and equality monitoring purposes.

RSA never has and never will store information about persons under the age of 16.

RSA never has supplied, and never will supply, personal data to any third parties; with the sole exception of Agilysis Ltd, a company registered in England (no. 10548841). Agilysis is under common control with Road Safety Analysis and is contracted by RSA to provide it with certain services. Agilysis operates to the same strict Data Protection standards as RSA.

These principles are enshrined in a series of related procedures which document the flow of personal data and who is responsible for implementing each step.

Personnel

Road Safety Analysis has no requirement for a Data Protection Officer, as the company does not hold or process substantial volumes of personal data or conduct extensive direct marketing activities.

Some RSA staff or contractors may be designated as Data Processors. An RSA Director is designated as the company’s Data Process Auditor. The Data Process Auditor is in overall charge of implementing this code of conduct and related procedures and administers the Data Protection Archive.

Systems

Road Safety Analysis uses four systems which may be used for processing personal data:

  • Salesforce (including paper records referenced in Salesforce such as MAST User Licences);
  • Sage (including paper records referenced in Sage such as invoices and POs);
  • Personnel data (personal information about persons under contract to Road Safety Analysis only, stored electronically in a folder to which access is restricted to managers and directors, with hard copies under lock and key); and
  • Project folders (which may contain contractual or project documents which refer to individuals).

Training

Data Processor Training will be provided for all staff involved in handling personal data for:

  • Users of online assets;
  • Suppliers of services to Road Safety Analysis;
  • RSA employees;
  • Clients with whom Road Safety Analysis has a contractual relationship; and/or
  • Marketing to existing or potential clients.

This training will be included during induction for new starters. The Data Process Auditor is responsible for ensuring training is delivered.

The training will ensure familiarity with the attached procedures which are relevant to their job roles. The privacy notice procedure is required for all staff; the information request and deletion procedures are only required for designated Data Processors.

Annual audit

The Data Process Auditor will conduct an annual audit of RSA’s Data Protection structures. This audit will:

  • Audit the contents of the Data Protection Archive and destroy any information held therein which is no longer required for legal or compliance purposes
  • Consider information about projects or clients which have been dormant throughout the previous year, and destroy or archive any personal information held which is no longer required for legal, contractual, compliance or accounting purposes
  • Consider financial records in or related to Sage which have been held for more than six years, and destroy or archive any personal information held which is no longer required for legal, contractual, compliance or accounting purposes
  • Check personnel data for information held on past employees, and destroy or archive any personal information held which is no longer required for legal, contractual, compliance or accounting purposes
  • Review the contents of this code of conduct and related procedures, and make recommendations to the Board on any revisions which may be necessary