Internal Privacy Policy

Mission 

Kerv understands that everyone has a right to data privacy and protection, and aims to set the highest ethical benchmark when processing individual’s data. We demonstrate our commitment to data privacy and protection by meeting multiple industry standards, enabling us to implement the highest levels of personal data protection.  

Transparency is also something we care deeply about, so in addition to our Privacy Notice we think it’s important that we clearly state the controls we have in place to ensure that we treat all personal data with the respect that it deserves, enabling our customers to challenge our approach in the interest of collective continual improvement.  

Purpose 

Kerv incorporates best-practice systems and all required privacy protection as part of its standard business processes, managed via our Governance Team. The following data privacy and protection controls are integration throughout our Business Management System:

• GDPR  
• ISO 9001:2015 framework for quality  
• ISO 27001:2017 framework for information security  
• ISO 27701:2019 framework for privacy management system  

Scope 

This policy applies to all employees, contractors, customers, visitors, and to all data held or processed by us, including programs, systems, facilities and technical infrastructure.  

Privacy Outcomes  

• A robust set of policies, procedures, and processes that ensure privacy is inherent in all Kerv business practices  
• A comprehensive list of PII assets that ensures compliant and secure data processing  
• A process of continuous improvement that reviews and enhances privacy controls  
• Third party review of Kerv policies, procedures, and processes to drive continuous improvement and create learning opportunities  
• Delivery of continuous improvement using employee engagement in data privacy and protection, including training and industry best practice  

Policy 

Privacy  Controls  

To ensure we continue to achieve our privacy outcomes, comply with applicable data protection laws and regulations and deliver our Privacy Objectives we have following controls in place:  

Organisational Controls  

• We maintain a detailed data inventory to track data sets, data owners, applications, locations, implemented controls and to maintain a record of processing activities.  
• We have appointed a Chief Data Protection and Privacy Officer (CDPPO) and Data Protection and Privacy Officers (DPPO), details of whom can be found in our Privacy Policy.  
• We publish a privacy notice, providing clear information for Kerv staff, current customers and prospective customers regarding what data we gather, what we will use it for, how data subjects can exercise their rights and include contact details for Kerv’s DPPO and the ICO.  

• We conduct information audits to ensure that all personal data we hold is tracked to maintain the adequacy, security, accuracy and integrity of data.  
• We have a clearly defined Data Retention & Disposal Policy which (in combination with our Data Inventory) defines the retention period, review schedule and method of disposal, to ensure that data we hold is only kept only as long as necessary and destroyed appropriately.  
• We have a clearly defined Data Breach & Reporting Policy which documents data breach escalation and reporting processes.  
• We maintain a Subject Request Policy which explains how data subjects can exercise their rights under privacy laws and use internal systems to expedite data subject requests.  
• We maintain clear version control for all internal documentation and audit trails of all communication sent or received to or from individuals, demonstrating accountability.  

• We have an extensive Business Continuity Plan in place which is tested at scheduled intervals to ensure that in the event of extended service outages caused by factors beyond our control (e.g. natural disasters), we can restore services to the widest extent possible in a minimum time frame.  
• We conduct supplier assessments in line with our Purchasing Policy before a supplier is approved. This assessment helps to ensure that the supplier has robust controls in place to ensure the security of data shared with them. Where required, we implement Data Sharing Agreements with our suppliers.  
• Data will be transferred or processed with other Group Practices outside of the EU only with explicit customer consent and subject to appropriate data privacy and protection controls in compliance with all applicable legislation.  
• Prior to processing any data, be it internal or on behalf of our customers, we ensure that all data is privacy screened.  
• Where appropriate, we conduct Data Protection Impact Assessments (DPIAs) for data processing operations that involve a high risk to the rights and freedoms of data subjects to determine the appropriate measures to be taken to minimise, or eliminate, the risks.  

• If we identify any high-risk processing for which effective controls cannot be designed, we escalate this to the ICO before proceeding.  
• For customers which we are engaged, we operate using Service Level Agreements (SLAs), clearly defining our and our customer’s responsibility to manage and process data in-line with privacy regulations.  
• We have a dedicated teams who are trained in privacy and security management best practices, providing on-going guidance internally and to our customers.  
• We are committed to continuous improvement and subject every part of our business to an internal audit, at least annually.  
• Kerv have no services specifically for children or minors. If we receive an inquiry from child or minor we do not process data in a way that should put them at risk.  

• We use advanced technical tools and services to enforce privacy controls that detect and respond to complex attacks with deep threat monitoring and analysis, designed to block sophisticated threats and malware.  

Human Resource Controls  

• We perform Pre-Employment Vetting and Screening checks to verify that are employees are suitable to work for us and that the data they provide about themselves is accurate, ensuring that the safety and security of existing staff, services and end-users is maintained.  
• Our employment contracts include data protection clauses for all staff ensuring compliance with applicable laws, regulations, and procedures. 
• We deliver regular training sessions for our employees including for relevant data protection and privacy regulations. Regular communications are sent to our employees to raise awareness and ensure implementation of data security controls and processes in daily operations. Training sessions are recorded for playback and attendance is tracked in our training log.  
• We conduct regular tests and assessments for all employees to ensure a high level of competency, knowledge, and understanding of relevant data protection and privacy regulations, and their responsibilities and the controls we have in place to protect personal information.  
• All employees sign an adherence register, annually confirming their understanding of all our management systems and underwriting their responsibility to ensure the organisation and their personal compliance.  
• Kerv staff data is reviewed annually to ensure the information we hold about them is accurate and up to date. All employees have access to self-service tools where the relevant information can be updated/corrected. All employees are responsible for ensuring that information we hold about them is accurate and up to date.  

Technical Controls  

• We operate as an organisation using a set of Architectural Principles, which mandate an array of good practices such as Privacy by Design, Secure by Design and Defence in Depth.  
• We design and build software and services in-line with a detailed Secure System Engineering Policy, which is regularly updated, to ensure strict security controls are in place including (but not limited to) continuous monitoring of environments, regular vulnerability scanning, penetration testing, weekly reviews of infrastructure and key storage abstraction, to identify threats and malicious unauthorised activity.  
• We enforce that all devices (physical or virtual) and methods of communication that store and/or transfer data are encrypted, in-line with good industry practice.  
• We follow a robust set of policies directed by our Information Security Management System, including (but not limited to):  

• Access Control Policy to mandate a Role Based Access Control and Principle of Least privilege for user/system access  
• Remote Access Policy designed to minimise the potential exposure to unauthorised use of our systems and data from remote locations  
• Password Policy to ensure a strict standard for the creation of strong passwords, the protection of those passwords, and the frequency of change  
• Removable Media Policy forbidding use in nearly all situations and to minimise the risk of loss or exposure of sensitive information in relation to portable storage  
• Information Transfer Policy mandating minimum requirements to ensure that the transfer of data is performed in a way that adequately protects it  
• Data Security Policy to ensure we protect restricted, confidential or sensitive data from loss or corruption  
• Mobile Device & Teleworking Policy to ensure that data used on our mobile device estate is robustly protected, even when devices are lost or stolen.  
• Bring Your Own Device policy mandating controls around any device which is used to access our employee tools that isn’t issued by us  
• Key Management System Policy which mandates controls and processes for key strength, rotation management and defining how credentials are stored and processed  
• Clear Desk and Clear Screen Policy to establish the minimum requirements for ensuring data is not inadvertently shared within the office 
• We utilise best-of-breed device management tooling to provide near-real-time security insight across our estate.  
• We conduct regular backups to enable data recovery in case of accidental loss or malicious attacks on internal or customer data, in-line with agreed Service Level Agreements.  

Responsibilities of Data Protection and Privacy Officer  

We have appointed a Chief Data Privacy and Protection Officer in place of a Data Protection Officer because:   

• we are not a public authority or body;  
• our core activities do not require large scale, regular and systematic monitoring of individuals;   
• our core activities do not consist of large-scale processing of special categories of data or data relating to criminal convictions and offences;  
• our Governance team is responsible for making all key compliance decisions.  

The Data Privacy and Protection Officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, considering the nature, scope, context, and purposes of processing.  

The DPPO is responsible for:  

1. informing and advising Kerv, and its employees who carry out processing, of their obligations pursuant to applicable laws and regulations and to other data protection provisions;  

2. monitoring compliance with the GDPR and with other data protection provisions and with our policies to ensure the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;  

3. providing advice, where requested, about the data protection impact assessment and monitor its performance;  

4. reviewing internal/external audit reports along with the Governance Team to evaluate and report on all aspects of Kerv’s compliance with these Rules and ensure that any corrective/preventative action takes place as soon as reasonably practicable;  

5. where a DPPO has reason to believe local or national legislation prevents Kerv from fulfilling its obligations under these Rules, or has a substantial effect on Kerv’s ability to comply with these Rules, the DPPO will promptly inform the Chief Data Protection and Privacy Officer;  

6. handling local complaints from data subjects;  

7. reporting major privacy issues to the Chief Data Protection and Privacy Officer; and  

8. ensuring data protection compliance at a local level.  

In addition to the above responsibilities the Chief Data Protection and Privacy Officer is also responsible for:  

1. cooperating with the Information Commissioners Office -  the UK supervisory authority;  

2. acting as the contact point for the supervisory authority on issues relating to processing, including the prior consultation and to consult, where appropriate, regarding any other matter;  

3. managing the Data Breach Assessment Board which is chaired by the Chief Data Protection and Privacy Officer and is composed of senior executives of Kerv. The Chief Data Protection and Privacy Officer is responsible for overseeing all privacy and data protection issues, including ensuring compliance with all aspects of these Rules. The Chief Data Protection and Privacy Officer reports to the board of directors of Kerv Group. The Chief Data Protection and Privacy Officer is supported by a team of local Privacy Officers responsible for overseeing and ensuring compliance with these Rules on a day-to-day basis at a local level;  

4. making a responsible decision where there is a conflict between national law and these Rules and will consult with the relevant Data Protection authority in case of doubt;  

5. keeping an up-to-date list of Kerv affiliates bound by the Rules, recording any updates to the Rules and providing the necessary information regarding updates on requests to any data controller and data subject or the relevant Data Protection Authorities and no transfer of data is made to a new Kerv affiliate until the Kerv affiliate is bound to these Rules; and notifying the relevant Data Protection Authorities of any changes in operation at least annually.  

Responsibility 

The Data Protection and Privacy Officer, supported by the Governance Team, are responsible for this policy and its implementation. We commit to providing the relevant resource and to reviewing this policy annually and communicating it within the organisation and to external interested parties.  

Legal Responsibilities  

The UK government mandates several statuary obligations regarding information security. This policy therefore actively complies and supports these obligations. We identify relevant and applicable data privacy and protection laws and regulation using our Requirements Gathering and Discovery Process, these legal responsibilities are then detailed in our Business Management System in Legislation and Regulation.  

• External Assurance  

We appoint independent external auditors to assess and confirm our compliance with ISO and NCSC data privacy and protection standards annually.