Privacy Notice – Portal

Identity and contact details of the controller

Risk-X LLP, Risk-X Holdings Ltd, Risk-X (UK) Ltd and Risk X Data Assurance (Pty) Ltd collectively ‘Risk-X’

Atrium Court

100 The Ring

Bracknell

Berkshire

RG12 1BW

UK


Paula Pocock

Privacy@risk-x.co.uk

+44 203 040 2990


Service that this Data Privacy Notice relates to

This data privacy notice only relates to personal data exchanged via https://portal.risk-x.co.uk


Data that we process

We process the following data for the provision of https://portal.risk-x.co.uk


The data | Privacy Data | Other data

The data you share as part of our contract

· Representatives' names
· Representatives' business addresses
· Representatives' telephone numbers (mobile or landline)
· Representatives' email addresses
· You may also share bank details if we are setting up direct debits or standing orders
· Company name
· Company IP addresses
· Company-specific data that may contain information on individuals as part of the business data transferred for us to perform the services contracted between us

Your logon information

· Representatives' names
· Representatives' email addresses
· Password hash, stored by the system to validate logon

Your data collected as part of access to our site and the platform it resides upon

· Your IP address (we cannot tell if this will identify you or your company, so we will treat it as personal information)
· Information on logon (i.e. date, time, etc.)
· What documents you have downloaded or uploaded
· Connection string and commands used by your browser, and whether these were successful

Purpose of processing

The processing of data and this privacy notice only relates to https://portal.risk-x.net:

The data | Purpose | Legal basis

The data you share as part of our contract

Purpose: To allow access to data exchanged between the disclosing and receiving parties to fulfil contractual obligations between the parties / regulators, and to ensure that data is exchanged securely in line with contractual requirements.

Legal basis: 6.1.b – processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract

Your logon information

Purpose: To allow access to the platform so that we can exchange data under the contract that you hold with us.

Your data collected as part of access to our site and the platform it resides upon

Purpose: Detection and prevention of crime, audit record to prove contractual obligations are fulfilled, availability and capacity planning of the portal website.

Legal basis: 6.1.f – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Legitimate interests of the controller

The controller is a security company that provides Audit, Advisory, Assurance, Digital Forensics and Incident Response services.  To ensure that our processing of data is fair to you we have used a Legitimate Interests Assessment (LIA) to evaluate our requirements against the impact to you as a data subject.  We maintain this assessment as part of this privacy notice to show fair, reasonable, proportionate, open, honest and transparent processing of your data.  The assessment is as follows:

Area | Test | Response

The legitimate interest(s)

Who benefits from the processing? In what way?

We both benefit, as analysis of how and where you connect to our site means that we can improve it for you and optimise this to most customers browsers, platforms, languages and locations.  We also use it to safeguard both you and us by recording your connection data should anything go wrong.

Are there any wider public benefits to the processing?

Yes.  In the detection and prevention of crime, we can provide law enforcement with enhanced information to help protect other websites and users on the wider internet.

How important are those benefits?

We have an obligation to report crime and help the community at large prevent further crime or damage.

What would the impact be if you couldn’t go ahead?

We would remove our portal from the public facing internet as we could not meet the requirement of confidentiality, integrity and availability of this service to our customers.  This is of critical importance to us being a security consultancy company.

Would your use of the data be unethical or unlawful in any way?

No.  We will use the data in the following way:

1. IP address and connection information for the detection and prevention of crime, which would be shared with law enforcement if a data breach or security incident with the website occurred.

Necessity test

Does this processing help to further that interest?

Yes.  We use it to safeguard both you and us by recording the connection data and browser request information should anything go wrong.  This way we can investigate and provide any relevant information to law enforcement.

Is it a reasonable way to go about it?

Yes.  These methods used by us are the same as for most global websites.  As security consultants we recommend that our customers collect this data to be able to provide evidence should unauthorised access to their systems happen so that investigation can occur, and law enforcement can be provided with appropriate information.

Is there another less intrusive way to achieve the same result?

No.  We collect only the minimum level of information necessary to protect the website.

Balancing test

What is the nature of your relationship with the individual?

There may or may not be a relationship with the individual.  This will be unknown at the time of interaction and data collection.

Is any of the data particularly sensitive or private?

No.  The data that is collected is not overly sensitive from a data privacy standpoint, as every computer and device connected to the Internet is assigned an Internet Protocol (IP) address, which is recorded in most places you visit on the internet.  From a security point of view the data could be quite sensitive and therefore will be protected in line with Article 32 – technical and organisational security measures.

Would people expect you to use their data in this way?

Yes.  Recording of logging and connection information is recommended by most global security best practice standards.

Are you happy to explain it to them?

Yes.  This Legitimate Interest Assessment documents our interests and is published as part of our data privacy notice.

Are some people likely to object or find it intrusive?

People may object to this, and have the right to do so.  Individuals always have the right not to use our portal, or to only connect from their office's registered IP address, which is usually not associated with a single individual.

What is the possible impact on the individual?

We will know their IP address, which could reveal their approximate location to us.  Risk-X will also know specifics about the web browser and system that they have used to connect to us.  This data will be appropriately safeguarded to ensure it cannot be misused, and will not be used for any other purposes than stated.

How big an impact might it have on them?

The impact will be low to the individual, unless they have committed a crime, at which point their data would be reported to law enforcement and other authorities like the ICO as appropriate.

Are you processing children’s data?

Not knowingly.  This is a corporate website that is only designed for use by people with an interest in Risk-X for us to transfer data securely under contract.  No service we offer is aimed at Children.

Are any of the individuals vulnerable in any other way?

Not knowingly.  This is a corporate website that is only designed for use by people with an interest in Risk-X for us to transfer data securely under contract.  No service we offer is aimed at vulnerable groups.

Can you adopt any safeguards to minimise the impact?

All safeguards in line with the requirements of the GDPR will be in place, and all data will be protected in line with Article 32 – technical and organisational security measures.

Can you offer an opt-out?

For other data collected directly by the web server, such as the IP address and connection string, there is no opt-out offered for this information.

Recipients of personal data

In the normal course of operation your data will not be shared with anyone outside of Risk-X as per the Non-Disclosure Agreements between the disclosing and receiving parties.  The servers that this data resides on have been encrypted to ensure that the provider of our hosting services does not have access to this data on their hard disks.  However, there may be occasions where data is shared with other organisations for the following purposes:

Type of company | Purpose

Penetration testing / security validation

Penetration testing companies during testing the security of this website.  This will be covered by NDA and your data will not be exposed to risk during this process.

Forensic investigation

Should this be necessary then during investigation the company engaged may require access to data.  This will be covered by NDA and your data will not be exposed to risk during this process.

Insurers / solicitors

For the purposes of defending any claim that is brought against us by you we may need to share information with our insurers or legal representatives.

Licensing agencies / auditors

During audit for the commercial licenses we hold our auditors may require onsite review of the data.  Any data that is to be taken offsite and out of our control will be anonymised so that your personal data is not exposed to risk during this process.

Law enforcement or other legal body (ICO etc.)

For the detection and prevention of crime, or to comply with statutory obligations we may be required to share information with law enforcement, government or other legal bodies as required by law.


These recipients are covered within the Non-Disclosure Agreement between the parties.


Details of transfers to third countries

To deliver the services to you there may be a requirement to use specialist companies that are based outside of the UK.  In this regard, Risk-X is relying on the legal derogation that any transfer would be necessary for the performance of a contract between the individual and the organisation, or for pre-contractual steps taken at the individual's request.  Risk-X will assess these companies and ensure that they meet the same requirements and safeguards as you would expect from Risk-X in the UK.

For internal companies in the group, our platforms are shared between our UK and South African companies.  While there should be no transfers outside of the EEA, where the platform is hosted, this could occur.  However, all IT solutions in use by the company are administered and controlled in the UK.  All safeguards that are in place for UK staff are the same as those for our South African staff.  As such, all technical and organisational controls are the same and will be fully enforced in all locations.

Retention period of your data

Your data will be retained for the following time periods:

Purpose | Retention period, or how we calculate the retention period

Your access account

You can ask us to delete this at any time during your contract with us and we will do so.  By default, your account will remain active for the lifetime of the contract between us.  At the end of contract your access will be suspended and your account deleted within 90 days.

Audit records relating to your activity

These will be retained for the lifetime of the contract between us plus six years to be able to defend any insurance claims against us so we can prove what data has been exchanged.

The data you share

This will be retained for the lifetime of the contract between us plus six years to be able to defend any insurance claims against us so we can prove what advice has been given.


Your rights

Under the General Data Protection Regulation, you have rights, and our objective is to enable these appropriately.  Your rights in relation to this service are as follows:

Right | How we enable this right

The right to be informed

We will publish this notice on our website and will also include this as part of our contract with you.  This notice will serve as our information to you on your rights and how we use your data.

The right of access

You have the right to know what information we hold on you for this service and this can be accessed via the portal directly.  If you seek further information then please contact us and we can provide this once we have established your identity.

The right to rectification

If any of the information that we hold upon you is inaccurate then please let us know and we will rectify this.

The right to erasure

You have the right to delete any data contained on the portal using your account or ask for your logon to be deleted.  However, the audit information is not subject to erasure as this is retained in line with contractual requirements, Risk-X’s ISO27001 ISMS and commercial licensing obligations.

The right to restrict processing

You have the right to ask us to stop processing your data for a given time and we have the right to restrict your access and processing using the portal.  This will either be because you ask us to, or there is a dispute between us in relation to the contract.  We will inform you if we restrict processing your data for any time, the reason behind this and any effects that this will have upon you.

The right to data portability

The Risk-X portal is what enables your data portability as this allows the upload and download of data that is shared between us.  Formats of data are limited to those commonly used and agreed between us by contract.  Note: You will have no rights to data portability where 6.1.f legitimate interests are used as our legal basis for processing of your data.

The right to object

You have the right to object to the processing that we undertake.  Please see the section ‘Your right to complain’ below for instructions on how to do this.

Rights in relation to automated decision making and profiling

Automated decision making is not used so will not affect your rights and freedoms.  The only automated processes used are for the generation and validation of passwords to access the portal.


Right to withdraw consent

The information that is exchanged between the parties is completed under contract and within our legitimate interests as a controller.  As such there is no ability to withdraw consent for this service, as consent is not our legal basis for processing for this service.


Your right to complain

You have the right to complain – although we should be complying with our obligations so that you don’t have to!  However, if you feel that you need to then we would ask you to complain to us in the first instance:


Paula Pocock

Privacy@risk-x.co.uk

+44 203 040 2990


However, you always have the right to complain to our supervisory authority.  We are based in the UK and our Supervisory Authority is the UK Information Commissioner's Office, and more information can be found here:

• https://ico.org.uk/concerns/

Statutory or contractual data processing

Data is processed by Risk-X for the https://portal.risk-x.net service as part of a contractual requirement.


Automated decision making

Automated decision making is not used so will not affect your rights and freedoms.  The only automated processes used are for the generation and validation of passwords to access the portal.


Version

2nd May 2018