Privacy Notice

Privacy Notice: Information Governance Services Limited

Last Updated – 24 September 2024

  1. Overview
 
Name: Information Governance Services Limited
Address: Furlong House, 10A Chandos Street, London, W1G 9DQ, United Kingdom
Phone Number: 0208 8106 7936
E-mail: info@informationgovernanceservices.com

We are Information Governance Services Ltd (AKA “IGS”). We’re a data protection and data ethics consultancy firm who help our clients with their data protection and ethics need.

This Privacy Notice provides you with transparency information about how we use your personal data.

This Privacy Notice covers any personal data we process when you have:

  • engaged our services as a client or prospective client;
  • interacted with our website and have consented to the use of your cookies;
  • submitted a contact form on our website;
  • gone through our recruitment process as an applicant; or
  • purchased a training module from our website or set up an account in the process of purchasing a training module.
 
We take our responsibilities under both the UK GDPR and Data Protection Act 2018 very seriously. You can be assured that your information will always be used appropriately, lawfully and in line with data protection legislation. We will store your data securely with appropriate safeguards in place to protect it against unauthorised or unlawful processing and ensure that we do not store any of your data for longer than it is strictly necessary to do so. This Privacy Notice will set out everything you need to know about how we use your data, what data we may use, and why we use it.
 
  1. What personal data do we collect, why do we collect it, why are we allowed to collect it and how long do we keep it for?

As an organisation, we process personal data only where it is strictly necessary to do so. We process different sets of personal data in different circumstances, depending on your relationships and interactions with us.

Client Data

What personal data do we collect?

If you or your organisation has, or is intending to procure, a business relationship with us, we may collect information from you and other colleagues to provide the services that you have engaged us for. Some of this information will include personal data.

The information we collect in these circumstances may include:

  • First Name;
  • Last Name;
  • Job Title;
  • Company Name;
  • Gender;
  • Email address;
  • Postal address; and
  • Telephone number.
 

In specific circumstances, we may be required to collect additional information from individuals in order to fulfil our anti-money laundering obligations. In these circumstances, we will be required to collect the following information from you by way of a copy of your passport, which we will obtain directly from you:

  • Nationality;
  • Ethnicity;
  • Photograph;
  • Place of Birth; and
  • Signature.

Why do we collect this data?

We will require this information for the functionality of communicating with you or your organisation and to facilitate a business relationship between us. We also collect information to fulfil our anti-money laundering obligations.

What’s our lawful basis for collecting this data?

Non-special category data:
  • UK GDPR Article 6(1)(b) – performance of contract;
  • UK GDPR Article 6(1)(c) – legal obligation; and
  • UK GDPR Article 6(1)(f) – legitimate interests.
 

Special category data:

  • UK GDPR Article 9(2)(b) – employment, social security and social protection.
How long do we keep this data for?

The duration of the contract and client engagement, in line with our legal obligations to hold certain financial information.

Contact Form

What personal data do we collect?

If you fill in a contact form on our website, we require certain personal information from you to process your request. We will collect your:

  • Name;
  • Email address;
  • Telephone number; and
  • Any optional information you put in the message body of your form.

Why do we collect this data?

We process this data to reply to your query and to capture initial information in anticipation of starting a business relationship with you.

What’s our lawful basis for collecting this data?

  • UK GDPR Article 6(1)(b) – performance of contract; and
  • UK GDPR Article 6(1)(f) – legitimate interests.
 

How long do we keep this data for?

6 years.

Recruitment Data

What personal data do we collect?

If you apply for an employment position with us, we may collect the following information in order to process your application and assess you as a candidate. We will collect your:

  • First name;
  • Last name;
  • Email address;
  • Postal address;
  • Telephone number; and
  • Any other personal data included in the body of your CV, cover letter or shared with us in the course of the application process (e.g. ethnicity, health issues or disabilities which we may need to accomodate for).
 

Why do we collect this data?

We process this personal data in order to assess your suitability to the role and whether we would like to progress your application to an offer of employment.

What’s our lawful basis for collecting this data?

Non-special category data:
  • UK GDPR Article 6(1)(b) – performance of contract.
 

Special category data:

  • UK GDPR Article 9(2)(b) – employment, social security and social protection.
 

How long do we keep this data for?

For the duration of and immediately after the recruitment window. We will destroy all personal data held on unsuccessful applicants within 1 year of the recruitment period ending, save for any information we are required to hold by law.

Cookies

What personal data do we collect?

If you are browsing our website, we will collect cookies from your device. Cookies are text files with small pieces of data which are used to identify your computer and specific users.

None of the information collected from these cookies are able to identify you as a person. It is all aggregated and, therefore, anonymised. Although aggregated, we will not collect any statistical or analytical cookies from you without obtaining your consent to collect first. 

Why do we collect this data?

When accessing our website, we are required to collect cookies for basic functionality of our site, without which, the site is not able to function. These cookies are known as ‘Necessary Cookies’.

We also use additional cookies for the purposes of tracking and monitoring how users interact with our site. We collect these cookies for the purposes of effectively monitoring our site as a business. These cookies are known as ‘Statistical’ and ‘Analytical Cookies’. Analytical (also statistical cookies) collect information about how a viewer uses a website, such as which pages you visit, and which links a viewer clicked on. Analytical cookies track when a viewer visits a site for the first time, as well as when they are a return viewer to the site. These cookies also track how long a viewer spends on a site at a given time, what link a viewer clicked on to access the site, and what keywords (if any) were used to generate the search.

What’s our lawful basis for collecting this data?

  • UK GDPR Article 6(1)(a) – consent.

How long do we keep this data for?

Specific information about each cookie and the duration it is held for can be found within the cookie audit table of our Cookie Consent banner. Broadly, necessary cookies are held for 1 year to remember the consent of users in visiting our site and the consent they have provided, analytical cookies are held for 2 years.

Training Module and User Account Data

What personal data do we collect?

If you set up an account with us or purchase a training module through our website, we will collect the following information from you:

  • First name;
  • Last name;
  • Company Name (optional);
  • Email address;
  • Postal address;
  • Telephone number; and
  • Credit/debit card details.

Why do we collect this data?

  • Set up a user account for you as part of the training module access procedure;
  • Take a payment transaction for you to access the training modules you have purchased; and
  • Provide user support regarding any issues with the training modules you have purchased.
 

What’s our lawful basis for collecting this data?

  • UK GDPR Article 6(1)(b) – performance of contract; and
  • UK GDPR Article 6(1)(f) – legitimate interests
 

How long do we keep this data for?

6 years

  1. Who do we share your personal data with?    

Where information is shared, it will be done on strictly need-to-know basis and limited to what is necessary.

The only third parties with whom your personal data may be shared will be third parties with whom Information Governance Services Limited have a contractual relationship with. We will never unnecessarily share personal data with third parties, all personal data will only be shared in order to facilitate or assist with our contractual and legal obligations, or to allow us to undertake our professional services to our clients.

A list of our current processors with whom your data may be shared, and the functions they undertake can be found below:

Third Party Organisation Name Location of Third Party Data Storage Processing Third Party Functions
Easy LMS The Netherlands (EU) Learning Management System Provider for training modules
Microsoft Limited United Kingdom Cloud Storage, Email Service Provider
SumFactors Limited United Kingdom Website Hosting and Management Provider
Google Republic of Ireland (EU) Google Analytics service for analytical cookies for website analytics
Stripe, Inc United States (Adequacy decision as per UK Extension to EU-U.S Data Privacy Framework Online payment processing platform
  1. Your personal data Rights

As a data subject, you have various rights about how your personal data is used.

Individual Right Information about your rights
The right to object

In certain circumstances, as a data subject, you have the right to object to the processing of your data.

In the event that we carry out any direct marketing (which we currently do not, with any personal data), you have the absolute right to object to the processing of your personal data. The method of objection to such processing will appear in the subject of the direct marketing in question.

You also have the right to object to the processing of your data where a data controller processes personal data on for purpose of a public task or under legitimate interests. Please note that we do not carry out any data processing under either of these lawful mechanisms, as such, the right to object in these specific circumstances do not apply.

The right to be informed

As a data subject, you have the right to be informed about how your data is collected and used. This Privacy Notice serves as our transparency material for data subjects as to how your personal data is used, informing you of our uses.

This Privacy notice aims to provide you with information in a concise, transparent, intelligible way which is easily accessible and uses a clear and plain language.

The right of access

As a data subject, you have the right to access and receive a copy of the personal data we hold on you. You can make a subject access request to us for this information.

We will provide the information in an accessible, concise and intelligible format, and it will be disclosed in a secure way.

We have processes to ensure that you will receive it without undue delay and within one month of receipt, with the exception of circumstances in which we can lawfully extend the time limit to respond to your request.

We have the right to refuse such a request where there is a relevant restriction, or where the request is manifestly unfounded or excessive.

The right of rectification

As a data subject, you have the right to rectify inaccurate personal data which we hold on you. You can make a request to us verbally or in writing if you believe that information we hold on you is inaccurate.

We have the right to refuse a request and we are aware of the information we need to provide to you.

We have processes to ensure the response to a request for rectification without undue delay and within one month of receipt. In certain circumstances, we can extend the time limit to respond to a request.

The right of erasure In certain circumstances, as a data subject you have the right to request verbally or in writing that we erase the personal data we hold about you. You can only request the personal data is erased where: it is no longer necessary for the purposes we collected it, if you provided the information by consent and you withdraw your consent, we have processed the information unlawfully, the erasure is in line with a legal obligation.
The right of restricting processing In certain circumstances, as a data subject you have the right to request verbally or in writing that we restrict the processing of your data for a period of time. You can only request the processing of personal data is restricted where: you are contesting the accuracy of the personal data and it is being verified, the data has been unlawfully processed, we no longer need the personal data but you require us to keep it in order to establish, exercise or defend a claim
The right of data portability

As a data subject, you have the right of data portability, meaning you have the right to receive a copy of your personal data in a structured, commonly used and machine readable format.

The right of portability only applies where we have collected this information via consent or the performance of a contract (see lawful bases above) and we are processing the data by automated means (i.e. not paper files)

Rights related to automated decision making including profiling We do not make any automated decisions or automated profiling about any data subjects.

You can find out more about your rights by visiting the Information Commissioner’s Office’s website:

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/

  1. Making a Complaint

Should you have any queries about the how your information is used, or wish to make a complaint about how your data has been used, then please contact our team at: info@informationgovernanceservices.com

Alternatively, you can also contact the Information Commissioner’s Office (ICO), who are the UK’s independent data protection supervisory authority, for further information or to make a complaint:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

The ICO have multiple ways of which they can be contacted, including telephone and live chat. More information about how you can get in contact with the ICO can be found below:

ICO Contact Information

Report a concern on the ICO website

Send Us A Message