We are registered with the Information Commissioner’s Office for this purpose.
Data Protection Law
The Data Protection Act 2018 describes how organisations – including Minerva – must collect, handle and store personal information. These rules apply regardless of whether data is stored electronically, on paper or on other materials.To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.
Date Protection Risks
This policy helps to protect Minerva from some very real data security risks, including;
Breaches of confidentiality. For instance, information being given out inappropriately.
Failing to offer choice. For instance, all individuals should be free to choose how the company uses data relating to them.
Reputational damage. For instance, the company could suffer if hackers successfully gained access to sensitive data.
Data you send us, which is likely to be included in the content of a CV, cover letter, email or additional attachment, will be stored confidentially and securely by us. We will only use this data in connection with the management of executive search processes, and will only disclose it to third parties when you have expressed an interest in a particular role, for the following purposes: (a) assessing and evaluating your suitability for a particular appointment; and (b) verifying your identity and the accuracy of the information provided. From time to time we may also contact you about other appointments on which we are working, and may invite you to events or share with you information which we feel may be of interest to you in your career progression. We do not send round-robin emails, or untailored marketing.
Clients and service providers
Data you send us, in relation to specific assignments, tenders or other interactions, will be stored securely and confidentially to ensure that we are able to meet our contractual commitments to you, and to notify you about any changes to our website, such as improvements or service/product changes, that may affect our service. If you are an existing client, we may contact you with information about services similar to those which were the subject of a previous sale to you, or to provide you with information requested from us about our services.
Information about others
If you provide us with information about other individuals, for example details of a referee or personal contact, you must ensure that they have agreed to you providing us with their details. We would advise you to keep a record of their agreement and provide them with a copy of, or link to, this policy to avoid any concern.
If you work with us at Minerva, we will typically require data concerning bank details, address, NI number and other personal data, to facilitate your employment with us and to meet our legal obligations as an employer on areas such as tax, health and safety and equality legislation. This data will be stored securely and confidentially. From time to time individuals with whom we interact in our general business will also supply data such as bank details, for example in relation to reimbursing of expenses. We will delete this data from our database and systems as soon as it is no longer required by us. The lawful bases for the this processing will usually be conducted under Article 6 (b) of the GDPR ‘the processing is necessary for the performance of a contract with the data subject’ for the majority of employment matters (e.g. setting up a staff IT account, paying travel expenses, etc.). Some processing of personal data will be conducted under Article 6 (c) of the GDPR ‘processing is necessary for compliance with a legal obligation (e.g. providing personal data to HMRC for the purposes of taxation).
General Employee Guidelines
The only people able to access data covered by this policy should be those who need it for their work.
Data should not be shared informally. When access to confidential information is required, employees can request it from a partner.
Minerva will provide training to all employees to help them understand their responsibilities when handling data.
Employees should keep all data secure, taking sensible precautions and following the guidelines below.
In particular, strong passwords must be used and they should never be shared.
Personal data should not be disclosed to unauthorised people, either within the company or externally.
Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted and disposed of.
Employees should request help from a partner if they are unsure about any aspect of data protection.
Everyone who works for or with Minerva has some responsibility for ensuring data is collected, stored, handled appropriately and processed in line with this policy and data protection principles. The Partners are ultimately responsible for ensuring that Minerva meets its legal obligations.
The Partners are also responsible for:
Reviewing all data protection procedures and related policies, in line with an agreed schedule.
Ensuring adequate advice has been given for the people covered by this policy.
Handling data protection questions from employees and anyone else covered by this policy.
Dealing with requests from individuals to see the data Minerva holds about them (also called ‘subject access requests’).
Checking and approving any contracts or agreements with third parties that may handle our sensitive data.
Fitzrovia IT Cloud & Support Services provider are a member of the Commissioner’s Office (no: Z151879X) and comply with the current terms of the Data Protection Act and are responsible for:
Evaluating monitoring and maintaining data and network integrity and security ensuring all systems, services and equipment used for storing data meet acceptable security standards.
Performing regular checks and scans to ensure security hardware and software is functioning properly.
Actively ensure that Cloud services are up to date and operating at the latest versions and update levels as and when necessary
Evaluating any third-party services the company is considering using to store or process data. For instance, cloud computing services.
The law requires Minerva to take reasonable steps to ensure that our data is kept accurate and up to date.
The more important it is that the personal data is accurate, the greater the effort Minerva put into ensuring its accuracy.
It is the responsibility of all employees and partners who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
Data will be held in Invenias CRM system and on our drive and employees shall avoid creating any unnecessary and additional data sets.
Employees and partners will take every opportunity to ensure data is updated in Invenias and data will be updated as soon as inaccuracies are discovered.
Minerva are mindful of the environment and sustainability as such do not advocate the paper storage of documents, unless they are originals we are required to keep for archiving purposes.
Data stored on paper is housed in filing cabinets in a secure and locked office, and any data printouts are disposed of securely when no longer required.
Data stored electronically is protected by strong passwords that are changed with system notifications and are not shared between employees.
Data is stored on designated drives and is linked to an approved cloud computing service
Data is backed up frequently and the backups tested regularly and in line with standard back up procedure
All laptops and tablets containing data are protected by an approved security software and a firewall.
We will collect personal data only if it is directly provided to us by you the user, e.g. your e-mail address, name, home or work address and telephone number, and therefore has been provided by you with your consent. We also use analytical and statistical tools that monitor details of your visits to our website and the resources that you access, including, but not limited to, traffic data, location data, weblogs and other communication data (but this data will not identify you personally).
The transmission of information via the Internet or email is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of data while you are transmitting it to our site; any such transmission is at your own risk. Once we have received your personal data, we will use strict procedures and security features to try to prevent unauthorised access.
You might find links to third party websites on our website. These websites should have their own privacy policies, which you should check. We do not accept any responsibility or liability for their policies whatsoever as we have no control over them.
For legitimate business purposes, we will store data for five years. This is in accordance with legal, tax and accounting requirements. Where your information is no longer required, we will ensure it is disposed of in a secure manner and, where required by applicable law, we will notify you when such information has been disposed of.
We will continue to oversee implementation of and compliance with this policy and will adapt the policy to reflect changes in technology and the expectations of everyone they deal with.
If you have any questions or comments on Minerva and its data protection policy please contact one of the partners at firstname.lastname@example.org. If you have a complaint about the handling of data, you have the right to involve the Information Commissioner - but please inform us first, preferably by e-mail to email@example.com, so that we may have the opportunity to address any issues directly with you.
The Data Protection Act 2018 gives you the right to access information held about you by us. This right can be exercised by you in accordance with the Act as an access request. Should you wish to receive details that we hold about you, please contact us using firstname.lastname@example.org
Subject Access Requests
All individuals who are the subject of personal data held by Minerva are entitled to:
- right to be informed;
- right of subject access;
- right to rectification;
- right to erasure;
- right to restrict processing;
- right to data portability;
- right to object to data processing;
- rights in relation to automated decision making and profiling.
If an individual wishes to submit a subject access request it should be made by email, addressed to a partner at email@example.com. Minerva has an obligation to respond within one calendar month. Minerva reserves the right to verify the identity of anyone making a request before handing over any information.
Disclosing data for other reasons
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, Minerva will disclose requested data. However, the partners will ensure the request is legitimate, seeking assistance from legal advisers where necessary.
Version: March 2020