Data Security and Personal Data Protection Policy Statement


Epiphany, as a business, generates, stores and exchanges large quantities of data, either in paper format or, more frequently, digitally. We are mindful of the profound challenges concerning security and privacy of information this digital storage brings.

As a UK-based business, Epiphany has a professional and legal duty (GDPR) to ensure the information it holds conforms to the principles of confidentiality. We must ensure the information we hold or are responsible for is safeguarded where necessary against inappropriate disclosure; is accurate, timely and attributable; and is available only to those with permission to access it.

This data security policy provides a framework by which we record and act out these principles. Its primary purpose is to enable all employees, whether permanent or contracted, to understand both their legal and ethical responsibilities concerning information, and to empower them to collect, use, store and distribute it appropriately.

This policy is Epiphany’s promise and commitment to maintain, and improve where possible, our data security measures.

Security

We keep your information protected by taking appropriate technical and organisational measures to guard against unauthorised or unlawful processing, accidental loss, destruction or damage. For example:

  • Where appropriate, data is encrypted when transiting on our system or stored on our databases;
  • We have implemented safeguards in relation to access and confidentiality in order to protect the information held within our systems; and
  • We frequently carry out risk assessments and audits to monitor and review threats and vulnerabilities to our systems to prevent fraud.

However, whilst we will do our best to protect your personal information, we cannot guarantee the security of your information which is transmitted via an internet or similar connection. It is important that all details of any username, password and/or other identification information created to access our servers are kept confidential by you and should not be disclosed to or shared with anyone.

Your rights in respect of your personal data

You have certain rights under existing data protection laws, including the right to (upon written request) access a copy of your personal data that we are processing. From 25 May 2018, if you are based within the UK or the EEA or within another jurisdiction having similar data protection laws:

  • Right to access: the right to request certain information about, access to and copies of the personal information about you that we are holding (please note that you are entitled to request one copy of the personal information that we hold about you at no cost, but for any further copies, we reserve the right to charge a reasonable fee based on administration costs); and in certain circumstances, you will also have the following rights:
  • Right to erasure/“right to be forgotten”: the right to withdraw your consent to our processing of the data (if the legal basis for processing is based on your consent) and the right to request that we delete or erase your personal information from our systems (however, this will not apply if we are required to hold on to the information for compliance with any legal obligation or if we require the information to establish or defend any legal claim);
  • Right to restriction of use of your information: the right to stop us from using your personal information or limit the way in which we can use it;
  • Right to data portability: the right to request that we return any information you have provided in a structured, commonly used and machine-readable format, or that we send it directly to another company, where technically feasible; and
  • Right to object: the right to object to our use of your personal information including where we use it for our legitimate interests or for marketing purposes.

If you consider our use of your personal information to be unlawful, you have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office.

David Andrews

Director