Privacy Policy
1. Introduction
This document outlines how data collected from the Public and the NAZ Parties is handled. For the purpose of this policy NAZ means the North America Zone Agreement.
2. NAZ Data Protection Policy
The following data protection policy has been put in place:
(i) Your data is used only for the intended use.
(ii) Your data is never bartered or sold.
(iii) Data is given to law enforcement only when legal process is followed.
(iv) Your data is never given to advertisers or marketing companies.
(v) Your data may be kept indefinitely.
3. Sensitive Data (Special Category Data)
NAZ processes no sensitive data, so it is considered that no Data Protection Impact Assessment is required. It does, however, consider and apply appropriate precautions to protect the confidentiality of personal data.
4. Structure of the NAZ Agreement and flow of data across organisations contracted to NAZ
NAZ has no employees.
NAZ has procured CJS Subsea Services to oversee all Website services. Creative Republic acts as a sub-contractor to the NAZ website coordinator for the purpose of Website services.
Information about NAZ Parties is held on the NAZ website via a password-protected access process.
The NAZ website coordinator representative assumes the role of Data Controller and Data Processor. Should escalations or alternates be required, this should be to the NAZ Chairman in the first instance.
5. Documentation of Personal Data
NAZ has prepared the workflow as attached at Appendix 1 – ‘NAZ Personal Data Workflow and Information’ to describe its key data workflow.
6. Procedure for the handling of Personal Data
Personal Data should be handled by contractors of NAZ to at least the same standard in which they hold their own personal information. This is intended to include, where possible, two-step authentication for e-mail systems in which NAZ’s personal data is transmitted, and secure (https) servers whose access is password-protected for the storage of Personal Data.
7. Access Requests
Parties and their associated employees registered on the NAZ website can only access their name, e-mail and password via the secure area of the NAZ website and make changes to it at any time. Access requests for any other data are to be sent via e-mail to the NAZ website coordinator and the NAZ website coordinator aims to respond to reasonable and lawful requests in a timely manner or within mutually agreed timescales. Information is passed back to enquirers as may be appropriate in a data-portable way either by direct e-mail or by documents produced in standard MS Office applications such as MS Word, Excel, PowerPoint or in Adobe pdf format and attached to such e-mails, as appropriate.
8. Identification of Information Assets
This is managed by the NAZ website coordinator.
9. Privacy Notice
Privacy Notice page.
10. Consent
Consent is required from the user on all data collection pages of the website. Signing in to the website is considered as granting consent before moving to the data collection page.
11. Withdrawal of Consent
After logging in, NAZ Parties can update their own personal information from the member area of the website. Should they wish to withdraw consent for NAZ to hold other information (other than that lawfully required for the NAZ to function), requests can be sent to the NAZ website coordinator and the NAZ website coordinator shall act on such requests in a timely manner or within mutually agreed timescales.
12. Accuracy
NAZ endeavours to ensure the accuracy of Personal Data held through interaction with Parties bi-annually. However, some identifying information may be held for long periods by NAZ because of the nature of its work to provide a historical source for cable-related information. This remains a historical record for cable maintenance analytical purposes and is a fundamental part of the service NAZ supplies to its Parties.
13. Disposal
NAZ disposes of electronic personal records through electronic deletion. Lawful disposal of paper records can be made by shredding on request.
14. Retention Policy
NAZ retains the information of active Parties which can be for a long time, as considered appropriate.
The NAZ website holds e-mail and mailing list information pertaining to NAZ Party main reps. and alternates. Other individuals from Party companies may have requested to be included on lists pertaining to website access only and such lists are also kept. This information is reviewed in the January of each year.
NAZ holds a repository of archive and cable maintenance analytical information related to its purpose. As for any library, its intention is to retain that information in perpetuity.
15. Policy Review
To ensure continued compliance, relevant government websites will be visited on a regular basis and any required regulatory action taken accordingly.
16. Risk
As NAZ does not process sensitive data, the risk of breach is deemed to be very limited; however, this does not relieve NAZ of adhering to its own obligations. Should the risk profile change in the future, NAZ shall consider what changes to its policy are required in consultation with the NAZ Chairman.
17. Threats
The following potential threats have been identified by NAZ, though such threats remain under review:
- Hacking attempts on the website - any such attempts shall be logged and notified to the NAZ website coordinator by Creative Republic, the website sub-contractor, as and when they occur and any required action taken accordingly.
- Breaches and loss of personal data from the website - any such instances shall be logged by the Data Controller and individuals affected notified by the NAZ website coordinator representative.
- Loss of personal data from email - any such instances shall be logged by the Data Controller and individuals affected notified by the NAZ website coordinator.
- Loss of personal data from the NAZ billing system - any such instances shall be logged by the Data Controller and individuals affected notified by the NAZ website coordinator.
18. Security Policies and Procedures
NAZ shall ensure the following policies and procedures are adhered to:
a) Processing of all personal data behind password protection and firewall protection.
b) Logging and communicating threats to the NAZ website.
19. Minimisation of Data Collected
NAZ shall henceforth seek to minimise the data it collects.
Minimising the data collected for any new Personal Data processes shall be considered by the Data Controller.
20. Data Protection Compliance
The NAZ website coordinator shall oversee data protection compliance and shall address any issues or respond to any that may be notified, as appropriate.
21. Security Policy
The following security policies shall wherever possible apply in relation to Personal Data, and compliance shall be checked in the January of each year.
a) Secure backups of Personal Data
b) Physical locking away of personal data on paper, in the rare event that such paper data is required
c) Password protection prior to accessing personal data online
d) Firewall-protected networks
e) Not accessing personal data via unprotected wifi networks (e.g. while travelling)
This security policy shall be reviewed annually.
Appendix 1 – NAZ Personal Data Workflow and Information
NAZ is a Party-based organization in the Subsea Cable Maintenance Industry. An outline of the data NAZ keeps is detailed below:
- Name of company/party organization.
- Name of prime and alternate contact, tel. number, e-mail address and company/organization postal address.
Such contacts can also request other individuals within their company to be added as an NAZ website user and/or be included on the NAZ mailing list, hence such contact information will also be stored in the contact database.
The Party user page on the NAZ website contains name and email only.
All Party contacts have a login and password to be able to access the website Member side of the NAZ website, which, amongst other things, contains documents pertaining to the NAZ Agreement, NAZ Service Contract and other relevant documentation pertaining to NAZ services. Contacts cannot access or view other contact user records.
Contacts can access their own information records to change, add or delete the data contained in the record or to change their password.
Contacts can request a copy of their contact information at any time.
Data kept on the NAZ website is backed up regularly by Creative Republic, with such back-up stored securely.
Procedures for Breach of data: If a breach of the data is reported or detected Creative Republic shall immediately contact the NAZ website coordinator and investigate the full details of the breach to determine the magnitude. Since NAZ does not hold any Sensitive data it would be up to the NAZ website coordinator, in consultation with the NAZ Chairman, as to whether the relevant authorities should be informed. The NAZ website coordinator would continue to work with Creative Republic in assessing the present or potential future damage of such breach and make recommendations to the NAZ Chairman on how best to handle the situation depending on the details of the breach.