Appropriate Policy Document

Last updated 10.10.2024

  1. Purpose

    Our Appropriate Policy Document outlines how we process, retain, and erase special category (SC) and criminal offence (CO) personal data. This Document details how we will comply with the Article 5 Principles of the UK General Data Protection Regulation (UK GDPR). It covers the processing of special category personal data and criminal offence data by Defense.com US Inc. as per Schedule 1 Part 1 of the Data Protection Act 2018 (DPA 2018).

  2. Legislation

    The DPA 2018 outlines the requirement for an Appropriate Policy Document (APD) to be in place when processing special category personal data and criminal offence personal data under certain specified conditions.

    If the substantial public interest conditions in Schedule 1 Part 1 of the DPA 2018 are relied upon, or the condition for processing employment, social security and social protection data, Defense.com US Inc. is required to have an APD in place. (See Schedule 1 Part 1 paragraph 1(1)(b) and Part 2 paragraph 5 of the DPA 2018.)

  3. Processed Data Types

    Defense.com US Inc. processes personal information for the purposes of our services and to enable us to carry out our work, including being able to comply with contracts we have entered into. We also collect and process the following types of special category and criminal offence data for the purposes of SOC services, employment, social security, and social protection:

    • Data concerning gender, sex life or sexual orientation
    • Genetic data
    • Biometric data for the purposes of uniquely identifying a natural person
    • Disability status
    • Sickness & health details
    • Race or Ethnicity
    • Religion or philosophical beliefs
    • Trade Union memberships
    • Disclosure and Barring Service Checks

    Criminal Offence data is defined under Article 10 of the UK GDPR which covers processing in relation to criminal convictions and offences or related security measures. In addition, section 11(2) of the DPA 2018 specifically confirms that this includes personal data relating to the alleged commission of offences or proceedings for an offence committed or alleged to have been committed, including sentencing. This is collectively referred to as ‘criminal offence data.’

  4. Condition for Processing

    We have listed below the Schedules of the Data Protection Act 2018 on which we are relying to process sensitive data:

    Schedule 1, Part 1, para 1 of the Data Protection Act 2018 (employment and social protection), where Defense.com US Inc. needs to process Special Category/Criminal Offence data for the purposes of performing its obligations or rights as an employer, or for guaranteeing the social protection of individuals.

    Schedule 1, Part 2, para 10 (1) of the Data Protection Act 2018 (preventing or detecting unlawful acts), where Defense.com US Inc. needs to process Special Category/Criminal Offence data for the purposes of performing its obligations or rights as an employer, or for carrying out SOC services on behalf of our customers.

  5. Accountability Principle

    At Defense.com US Inc., we prioritise our compliance with data protection principles. To demonstrate our compliance and accountability we have:

    • A Data Protection Officer, who is accountable for ensuring the data protection principles are applied.
    • Documented our processing activities within our Records of Processing Activities (RoPA), highlighting categories of personal data we process, the purposes, lawful bases for processing, retention periods for the personal data, recipients of personal data and international transfers of data.
    • Outlined in our privacy notices how and why an individual’s data is processed by Defense.com US Inc.
    • Carried out Data Protection Impact Assessments (DPIAs) for processes or changes involving personal data that are likely to result in a risk to individuals’ data protection rights and freedoms.
    • Implemented data protection policies and ensured that we have written contracts in place with our data processors and suppliers.
    • Adopted a ‘data protection by design and default’ approach to our activities.
    • Evidenced that the personal data is:
      • Processed lawfully, fairly, and transparently;
      • Collected for specific and legitimate purposes and processed in accordance with those purposes;
      • Adequate, relevant, and limited to what is necessary for the stated purposes;
      • Accurate and, where necessary, kept up to date;
      • Retained for no longer than necessary; and
      • Kept secure.

  6. Lawfulness, Fairness & Transparency

    We only process data lawfully and have identified the most suitable lawful basis to do so. We carry out DPIAs for uses of personal data that are likely to result in high risk to individuals’ interests, and track these within the Records of Processing Activities Register.

    Individuals are provided with fully transparent privacy notices which inform them how and why we process personal data. These are bespoke where appropriate, or direct individuals to the UK Privacy Notice - Your Data and Rights (defense.com), accessible on our website or on our recruitment site on TeamTailor.

  7. Purpose Limitation

    Defense.com US Inc. does not process data for purposes outside of the original purposes for which it was collected. These purposes are clearly identified within our Records of Processing Activities register.

    The purposes of all data collection and processing have been outlined within our privacy notices, which are clearly communicated. Personal data is not processed for other purposes without obtaining the Data Subject’s consent unless we have a legal basis for doing so.

    If there are any changes to the purposes of data processing, we ensure that we have identified a suitable lawful basis for doing so, that any additional risks are accounted for, and we will document these and communicate these changes to the relevant people.

  8. Data Minimisation

    We will only collect data that we need and nothing beyond what is necessary for the purposes for which the data was collected. We ensure that the data we collect is sufficient and relevant for the identified purposes.

    Our Data Protection Impact Assessment procedures ensure that the collected data is sufficient for purpose, but not excessive. This is also informed by our use of national guidance and relevant legislation to determine what information can and should be collected.

    We periodically review this data, either annually or when necessary, and ensure that all data is deleted at the end of its retention period.

  9. Accuracy

    All data processed by Defense.com US Inc. is accurate and kept up to date. Where we have become aware that personal data is incorrect, we take the necessary steps to amend data that may be incorrect or outdated.

    To ensure this, we review information regularly, and note who is responsible for ensuring the data is kept up to date. Additionally, settings are enabled within our systems that allow for rectification of inaccurate information, and the history of data changes (including source, and cause of mistake) is recorded.

    We have a Complaints Procedure, which captures and manages any recorded complaints around data management. We also have an Incident Management Policy, a Data Breach & Incident Reporting Procedure, and a Data Subject Rights Policy and Procedure to ensure that individuals can exercise their rights under Articles 12 to 23 of the UK General Data Protection Regulation.

  10. Storage Limitation

    Defense.com US Inc. retains personal data in accordance with our retention schedules, which are reviewed and updated regularly. Our retention schedules take into account legal and regulatory obligations and business requirements. The schedules justify the retention periods, list how the data is deleted / destroyed / erased / anonymised, and clearly identify any data that needs to be kept for archiving, scientific or historical research, or statistical purposes. Our retention periods are outlined within our Data Retention & Disposal Policy.

    We review our data and destroy or archive it when it is no longer needed, in accordance with our Data Retention & Disposal Policy. We do so securely, using both physical and electronic destruction methods.

    In addition, Data Subjects’ rights, including the ‘right to be forgotten’, are explained in our External Privacy Notice, the UK Privacy Notice - Your Data and Rights (defense.com).

  11. Integrity & Confidentiality

    At Defense.com US Inc., we have arranged appropriate technical, electronic, and physical security measures to protect the data we collect about individuals. We ensure that it is collected, held, processed, and destroyed in line with our Policies and procedures which are designed to protect personal data, assets, and business information.

    Our staff receive regular training to inform them on how to keep information safe. We have enabled access controls in our systems and platforms to ensure that data can only be viewed or edited by authorised personnel.

    We have analysed the risks presented by our processing, assessed and documented the appropriate level of security, and put higher security measures in place to protect sensitive data.

    Defense.com US Inc. is ISO 27001 certified and PCI DSS compliant.

  12. Further Information

    Defense.com US Inc. is a Data Controller and a Data Processor. Further information can be obtained from the Data Protection Officer, who can be contacted at:
    Email: [email protected]

    Address: Unit H, Gateway 1000, Whittle Way, Stevenage, England, SG1 2FP
