Identity Agency Privacy Policy – 12 May 2021 – Version 1.0

The Identity Agency are committed to protecting your personal data. Here is our privacy policy to show you how we are doing just that.

Who we are

The Identity Agency is a creative agency based in Lincoln. We provide branding, graphic design and social media services to our clients.

Until 6 April 2022, we will continue to operate through a sole proprietorship under the name Thomas Atkins. After this date, we will be trading as the Identity Agency Limited, a registered company based in England under the registration number 13343136.

Our full contact details can be found at the end of this privacy policy.

This privacy notice covers all information held by the organisation be it captured by electronic means, on paper records, in person or via social media. This policy covers our main website identityagency.co.uk and also our eLearning website identitylearning.co.uk.

We need your personal information to allow us to offer our services to you and to comply with our legal and fiduciary duties. In order to be as transparent as possible we have split this privacy notice into the different types of data which we hold so that you can quickly identify the processing which affects you.

How we obtain your information

In most cases you will volunteer your personal details to us. Before we capture your information, we will explicitly tell you, or it will be very obvious, for example if you make an enquiry with us, why we need the information and how we will use it.

However, we could be given your details by a third party acting on your behalf, for example, your employer or personal assistant or we may identify your details from professional social networks in which we both operate, or public domain records such as the internet.

What information we capture and why

Clients or prospects:

We will obtain information directly from you, either in person, via normal business channels such as email, telephone, Skype, and social media etc and, also in person, for example at networking events.

We may identify your details from public domain sources and, also purchase legal and qualified third-party data (see section on Marketing below).

What information we capture and why:

Personal data is required to allow us to provide our branding, graphic design, social media, consultancy, and training services to our clients.

We will capture your name, company, and contact details and details of any colleagues with whom we may need to communicate. If you volunteer any other information, we may also record this where necessary to deliver the service.

We will record sensitive information, such as about a disability you may have, if you feel we need to know about this to deliver the service.

Who we will share your data with:

We will not share your personal information with any third parties save with your permission or required or allowed by law, for example, to obtain legal advice. If we feel another company can assist you when we cannot then your consent will be obtained before sharing your information with them.

On what legal basis do we process your information?

 

If you have contacted us then we shall rely on our legitimate interests to record your information, and if we wish to send you administrative or marketing emails, we rely on what is called the soft-opt-in to send those emails to you (at any time you can ask us to stop sending these to you).

If we wish to record any sensitive information about you, for example, about your dietary requirements, then we will have to have a legal reason to do so or ask for your explicit consent.

If we are in negotiation with you for goods or services then we shall rely upon contractual obligations to process the information, as we will either have a contract in place, or be in negotiations to enter one.

Learners:

If you have enrolled, or been enrolled onto one of our virtual or physical training courses then we will need to know your name, company address and contact details, and in order to support you in your learning experience we may need to ask for other specific sensitive information; for example if you have any medical conditions which may impair your ability to learn in order that we may offer particular assistance with learning materials or additional help in taking the exam.

We also ask if you have any dietary requirements to accommodate your catering requirements on the day and may on some courses ask for your next of kin details in case of an emergency on the day.

Who we share your data with:

If you work for a company, or have purchased licenses through a third party and asked them to supply the licenses, then that third party may also have access to non-sensitive personal data, i.e. your contact details and information relating to the courses you take, pass rates etc.

In order to maintain and develop the eLearning platform your personal details may be seen by our web developers. They will only access this under our guidance and instruction.

On what legal basis do we process your information?

As an individual learner you will give your information to us directly and we will process this information with your explicit consent, and then in line with our contractual obligations to offer the service to you.

As a business user, either as an administrator, or as a delegate/learner, we will process your details using your consent where you have given this, or our legitimate business interests where this does not impact on your fundamental rights or freedoms. We may also process your data to fulfil our contractual obligations with your employer or strategic partner placing the order,

Processing personal data for legitimate interests means we need to process your information for purposes such as monitoring our network for fraud and crime detection,

We may also share data with third parties if we are required to do so by law, for example to the police, or under a court order.

We may share your information with a third party if it is in the defence of a legal claim for example, seeking legal advice from a solicitor.

Employees and freelancers:

In order, to consider your application, offer employment, and comply with our legal obligations, for example, the right to work within the UK, we ask for your personal details including contact details. Other information such as qualifications and work experience will be requested to ensure you are qualified to fulfil your role. Your date of birth, nationality, ethnicity, and sexuality as well as any medical records that we may need to be aware of will be requested, although you can decline.

Details of marital status and next of kin will be collected as well as any other information you chose to give us.

We may anonymously ask for details of your ethnicity and sexuality to comply with anti-discrimination laws.

Who we share this with:

We may share your information with other parties if this is, in connection with your employment, such as obtaining confidential references, third party organisations who would verify your employment history, and also in connection with identity and right to work checks.

Your data will also be shared internally where this is necessary to facilitate your employment or support you in your role.

On what legal basis do we process your information?

We will process your data under contractual obligations, employment legislation and, also where applicable, with your consent and our legitimate interests.

Students or graduates:

We act as mentors for various educational establishments and need student contact details and profiles to facilitate that relationship.

How we obtain your information:

We will obtain personal data directly from the student or graduate or the University, school or college engaged in the programme.

Who we will share this with:

We will only share this with the University or College, and even then, only if the student is aware and has not objected.

What information we capture and why?

We hold contact details of the student, contact details, their goals, outcomes, and details of any challenges which they may face. Sensitive data may be recorded, for example, about any medical conditions, but only with their permission.

On what legal basis do we process your information?

We are processing the data with consent from the individual and to meet our contractual obligations.

If you visit our website:

We may collect information from you when you interact with us, for example, when you use our websites, perhaps by signing up for an eLearning Course, a newsletter, or making a general enquiry.

By visiting our website, we will be able to see your IP address and the pages you visit. Your information is anonymous until you log in as a user, at which point we shall know your details as you will be pre-registered.

What information we capture and why:

As a website visitor all we capture is your IP address, system type (PC, iPhone, Windows 10 etc), what pages you visit and dates/time. This is managed via Google Analytics, which is detailed below and in our Cookie Policy. You will be asked to consent before semi-anonymous data is collected by Google.

If you, or your company register to use our service, we shall capture your name, contact details, and if you are the Administrator or paying for the service, details of your purchase history. No credit or Debit card payments are managed by the Identity Agency, these are managed and held by PayPal or Stripe.

Google Analytics:

We use Google Analytics to analyse the use of our websites; Google Analytics generates statistical and other information about website use by means of cookies, which are stored on users’ devices.

Be sure to view our cookie policy for further details.

The information generated relating to our website is used to create reports about the use of our website. Details captured during your visit will include, but not limited to, traffic data, location data, weblogs and other communication data and the resources you access, however, all data collected is anonymous and will not identify you as an individual.

Google, not the Identity Agency, store this activity information, and you can view Google’s privacy policy here.

To opt out of being tracked by Google Analytics across all websites visit their online opt-out page.

How long will we keep your information?

We will keep your information for no longer than is necessary. We shall follow any statutory time limits and regulator best practice guidelines, but the following will give you an idea of how long we shall retain your information.

Data type Reason Retention period
Employee data Employee files – for legal purposes 7 years after employee leaves
Employee data Pension data and certificates for medical tests, for example, eye or hearing tests for legal purposes indefinitely
Recruitment information CV’s and applications for unsuccessful candidates will be deleted – legal obligations 6 months after campaign unless the candidate has consented to a longer retention period.
Learner records Learner records and certificates – contractual and legal obligations 25 years
Learner records Details of special circumstances relating to certified exams – contractual and legal obligations 7 years
Client information All client information – to prove consents and in case of legal disputes 7 years after relationship ends or last activity
Enquiries We retain for this period as often enquiries can take this period of time to come to fruition. 2 years
Financial Information Tax records, payroll etc – for legal purposes 7 years
Analytics Semi-anonymous analytical data 25 years
Email broadcasting Semi-anonymous analytical data from email interaction 25 years

Your rights are detailed below, and you have a right to ask us to stop processing or remove certain types of personal data, especially sensitive data. Where there is no overriding lawful reason why we need to do this, we shall always honour your request.

Business contacts, marketing, and administration:

If you are a learner or business contact, we will ask you if you would like to receive regular communications from us, and we shall do this in accordance with any guidelines concerning the data protection or ePrivacy (electronic marketing) regulations. You can change your preferences at any time, and if you ask us to stop communicating with you, we shall action this request immediately.

We need to manage our business for example, processing invoices, entering into contracts and to do that we rely on our legitimate interests, legal obligations and fulfilment of our contractual obligations.

We may use your personal information to obtain legal advice or if it is necessary to defend a legal claim or pursue a bad debt, and we may have to pass your information to public authorities and organisations where the law requires us to do so.

To ensure that emails and ICT networks have not been compromised and we will monitor network traffic and may process personal data as a result of this monitoring.

Email marketing:

We do stay in touch with clients and prospects using email and to do this we use an email broadcast company. Emails will either be fully opted-in by the subscriber, or we shall be relying on the soft-opt-in rule within the ePrivacy legislation. Within our emails we utilise web beacon technology, sometimes called pixels, which allows us to see whether the email was delivered, which links were clicked and so on. This is to help us assess the success of campaigns and offer a better, more relevant service. The only information collected will be IP address, date/time, general location and device details. You can read more in our cookie policy.

We never share this information or any of your details with third parties.

How we store your information:

All client information and files are retained on cloud servers hosted within the EU and Canada, and any files containing commercially, or personally sensitive information are encrypted before saving to the server. We store our marketing information in a robust CRM system, and ensure that only basic contact information, as stated above, is stored. Only authorised members of the team have access to your personal information, and we back it up regularly to prevent against loss or damage.

Who do we share with?

Let me assure you that we will never sell your information, or share it with any third party, save those detailed below, or with any government agency or other party entitled to this information by law, statute, or court order.

However, if in the event that the Identity Agency is ever sold as a going concern, or enters into administration, the database of clients and prospects shall be deemed an asset of the company, and the consents and permissions provided by the individual shall be transferred to the new owners.

For learners, we will share your personal details with any awarding body as necessary to facilitate the awarding of your certificate or qualification. We may from time-to-time sub-contract elements of our operation to data processors, such as a mailing house, or market research company, but they will be working as a data processor on behalf of the Identity Agency, who shall at all times remain responsible for the confidentiality of the data. Any data processor will be vetted, and sufficient contracts will be in place to protect the integrity and privacy of your data.

Where possible data will remain on servers within the EEA, in a third country listed on the EU’s approved country list, or on servers within the United States if the company is part of the approved Privacy Shield scheme.

Your data protection rights:

The Data Protection Act 2018 and UK GDPR affords Data Subjects (that is people whose information we capture) certain rights and these are listed below for your convenience: –

  • You have the right to access a copy of the personal information we hold about you by making a Data Subject Access Request (DSAR), you can do this by phone, in writing or by email to the Identity Agency, for attention of Thomas Atkins (Full contact details are provided at the end of this Privacy Policy). We will just have to verify your identity before we can proceed.
  • You have the right of rectification to amend or update your personal information and ensure we maintain accurate and up to date records and or data about you.
  • You have the right to erasure, also known as ‘the right to be forgotten’.
    The broad principle underpinning this right is to enable an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing by the Identity Agency.
  • You have the right to ‘block’ or suppress the processing of your personal data.
    Processing of your personal information may be restricted in the event it is no longer essential to support the use of services provided to you and is no longer needed for any contractual, legal or financial reasons. In those cases, the Identity Agency is permitted to store the personal data, but not further process it. The Identity Agency may retain just enough information about you to ensure that any restriction is respected in the future.
  • You have the right to data portability which allows individuals to obtain and or reuse their personal data for their own purposes across different services. It allows you to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without hindrance to usability.
  • You have the right to object to the processing of your personal information based on consent, our legitimate interests or the performance of a task in the public interest or exercise of official authority including profiling activity, direct marketing including profiling activity, and processing for purposes of scientific and or historical research and statistics.
  • You have right to be made aware of any automated decision-making, that made without any human involvement, and/or profiling of your personal information by the Identity Agency. We use an automated process to mark papers, but this is simply a scoring system, decisions are not made on you which will affect you in a legal way.
  • You have an absolute right to ask us to stop sending you direct mail or marketing emails.

For some processing you will have given us permission to process your information, and in these cases, you can withdraw your consent at any time however, we may still need to keep the information for other legal reasons.

In certain situations, the above rights may not apply, for example if you entered into a membership minimum term contract, we may have to write to you about your membership even if you asked us previously not to, but in this case, we would not send you any further direct marketing communications.

Contact details:

If you have any questions about this privacy policy or wish to enforce one of your data protection rights, do not hesitate to get in touch.

Identity Agency, Unit S21

Sparkhouse, Enterprise Building

Rope Walk

Lincoln

LN67DQ (United Kingdom)

Telephone: 01522 837213

Email: Hello@Identityagency.co.uk

Information Commissioners Office:

We do not yet have to register on the Information Commissioners Office’s Register of Fee Payers. However, when we do, our registration number will appear in this section of the updated privacy policy.

If you wish to get in touch with the Information Commissioners Office, there contact details are as follows.

Information Commissioners Office

Wycliffe House

Water Lane

Wilmslow

Cheshire

SK9 5AF

Helpline: 03031231113 or +441625545745