Data Protection Policy
Zinc Network gathers and uses a range of information about individuals. This includes current, past and prospective staff, suppliers, clients, contributors, individuals and other people Zinc Network has a relationship with, or contacts and communicates with.
This policy describes how personal data is collected, handled, stored and shared to meet data protection legislation and comply with the agency’s data protection standards.
This policy sets out the basis on which Zinc Network will process any personal data it collects from data subjects, or that is provided to Zinc Network by data subjects or other sources.
This data protection policy ensures that Zinc Network:
- Complies with data protection law and follows good practice
- Protects the rights of the data subjects whose data it collects, handles, stores and shares
- Is open about how it stores and processes data
- Protects itself from the risk of a data breach
1. Definition of data protection terms
Act: the Data Protection Act 2018 and the General Data Protection Regulation (EU 2016/679) (GDPR). Other regulations referred to include the Australian Privacy Principles (APPs) from the Australian Privacy Act 1988.
Data: information which is stored electronically, on computers, or in paper-based filing systems.
Data subject(s): all living, identified or identifiable individuals about whom Zinc Network holds personal data. A data subject need not be a UK national or resident.
Personal data: any information identifying a Data Subject or information relating to a Data Subject that can be identified (directly or indirectly) from that data alone or in combination with other identifiers Zinc Network possesses or can reasonably access. Personal data includes sensitive personal data and pseudonymised personal data but excludes anonymous data or data that has had the identity of an individual permanently removed. Personal data can be factual (for example, a name, address or date of birth), electronic (for example, a unique device identifier) or it can be an opinion about that individual, their actions or behaviour.
Processing: any activity that involves use of personal data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring personal data to third parties.
2. Data protection law
The types of personal data that Zinc Network may be required to handle include information about current, past and prospective staff, suppliers, clients and others that Zinc Network communicates with. The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards specified in the Act and other regulations. The Act describes how organisations, including Zinc Network, must collect, handle, store and share personal information, and applies regardless of whether data is stored electronically, on paper or on other materials.
Zinc Network adheres to the requirements for processing personal data set out in the Act and the GDPR, which require personal data to be:
1. Processed fairly and lawfully and in a transparent manner
2. Collected only for specified, explicit and legitimate purposes
3. Adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed
4. Accurate and, where necessary, kept up to date
5. Not kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data is processed
6. Processed in a manner that ensures its security using appropriate technical and organisational measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage
7. Not transferred to another country without appropriate safeguards being in place
8. Made available to data subjects, who are allowed to exercise certain rights in relation to their personal data.
Zinc Network is responsible for ensuring data is collected, stored and handled appropriately and that it handles personal data in line with this policy and the Act.
- The only people that access data covered by this policy are those with a genuine business need for that data
- Data is not shared informally
- Zinc Network provides training to help employees understand their responsibilities when handling, storing, processing and sharing data
- Data is kept secure, by means of taking sensible precautions and following the guidance in this policy
- Personal data is not disclosed to unauthorised people (see the Disclosure and Sharing of Personal Information section of this policy)
- Data is reviewed and updated if found to be out of date. If the data is no longer required it is reviewed in line with Zinc Network’s data retention periods (see the Data Protection Principles section of this policy)
If at all uncertain about any aspect of data protection, Zinc Network employees should seek advice from their line manager, Operations or HR.
4. Data storage
When data is stored on paper, it should be stored in a secure place, such as locked drawers, cupboards or lockers, where unauthorised individuals cannot access it. Zinc Network employees should make sure that paper copies are not left anywhere that unauthorised people can see them, such as the printer, and that printouts that are no longer required are disposed of in the shred box.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
- Data should be protected in accounts secured by strong passwords that are never shared between employees
- Data should only be stored on the designated Egnyte system or Zinc Network’s on-site servers
- Servers containing personal data are sited in a secure location, away from general office space
- Access permissions for folders or servers containing personal data are regularly reviewed to ensure no
- Data is backed up frequently and those backups are tested
- Data should not be saved directly to laptops or other mobile devices
- All servers and computers containing data are protected by approved security software and infrastructure
Disclosure and Sharing of Personal Information
Zinc Network may share personal data it holds with any of its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
Zinc Network may also disclose personal data it holds to third parties:
- In the event that Zinc Network sells or buys any business or assets, in which case Zinc Network may disclose personal data it holds to the prospective seller or buyer of such business or assets
- If Zinc Network or a substantial amount of its assets are acquired by a third party, in which case personal data Zinc Network holds will be one of the transferred assets
5. Data use
Data is at the greatest risk of loss, corruption or theft when it is being accessed and used. As such, Zinc Network employees should remember the following points:
- When working with personal data, reasonable steps should be taken to ensure that data cannot be easily viewed, and screens should always be locked when left unattended
- Personal data should not be shared informally. Personal data should not be shared by email, as this form of communication is not secure
- Data must be encrypted before being transferred electronically. Zinc Network’s IT department can explain how to send data to authorised external contacts
- Zinc Network employees should not save copies of personal data to their own laptops. Such data should always be accessed and updated via the Egnyte system
6. Data protection principles
1. Lawfulness and fairness
Personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject. Zinc Network will only process data where there is a lawful basis for doing so and where the processing is consistent with data subject rights, for example:
- To comply with legal and regulatory obligations
- For the performance of a contract or in advance of entering into a contract
- For the legitimate interests of Zinc Network or a client
- Where the data subject has given consent
- Where Zinc Network is acting in the public interest under contract to a public body
2. Processing for limited purposes
Zinc Network will only collect and process personal data for specified, explicit and legitimate purposes. Zinc Network will notify those purposes to the data subject when it first collects the data. Some examples of purposes include:
- Participation in a research project
- Involvement in a project to produce films, images or other media types
- The review of open source public, online and social media data during the process of due diligence for collaboration or employment
3. Adequate, relevant and non-excessive processing
Zinc Network will only collect personal data to the extent that it is required for the specific purpose notified to the data subject.
4. Accurate data
The Act requires Zinc Network to take reasonable steps to ensure data is kept accurate, complete, up to date and relevant to the purpose for which it is collected, in particular:
- Data should be held in as few places as necessary and creating unnecessary additional data sets should be avoided
- Zinc Network employees should take every available opportunity to ensure data is updated
- Data should be updated as soon as any inaccuracies are discovered
5. Timely processing
Zinc Network will maintain retention policies and procedures to ensure personal data is deleted after a reasonable time for the purposes for which it was being held, unless a law requires such data to be kept for a minimum time.
6. Processing in line with data subject’s rights
Zinc Network will process all personal data in line with data subjects’ rights, in particular their right to:
- Request access to any data held about them by Zinc Network
- Prevent the processing of their data for direct marketing purposes
- Ask to have inaccurate data amended
- Prevent processing that is likely to cause damage or distress to themselves or anyone else
7. Data security
Zinc Network will take appropriate technical and organisational measures against unlawful or unauthorised processing of personal data, and against accidental loss of, or damage to or destruction of, personal data. Zinc Network only allows third-party service providers to handle personal data
8. Transferring personal data to a country outside the European Economic Area (EEA)
Zinc Network may transfer any personal data it holds to a country outside the EEA provided that one of the following conditions applies:
- The data subject has given his/her explicit consent to the proposed transfer after being informed of any potential risks
- The transfer is necessary for one of the reasons set out in the GDPR, including for the performance of a contract between Zinc Network and the data subject, or to protect the vital interests of the data subject
- The transfer is legally required on important public interest grounds or for the establishment, exercise or defence of legal claims
- The European Commission has issued a decision confirming that the country to which Zinc Network transfers the personal data ensures an adequate level of protection for the data subjects’ rights and freedoms
- Appropriate safeguards are in place such as binding corporate rules, standard contractual clauses approved by the European Commission, an approved code of conduct or a certification mechanism
Subject to the above requirements, personal data Zinc Network holds may also be processed by staff operating outside the EEA who work for Zinc Network or for one of Zinc Network’s suppliers. Those staff may be engaged in, among other things, the fulfilment of contracts with the data subject, the processing of payment details and the provision of support services.
7. Data retention
Zinc Network has a data retention policy that keeps different types of documents for the periods required under contract or by law:
- 3 months for laptop backups
- 1 year for standard user private folders and mailboxes
- 6 years for senior management private folders and mailboxes
- 6 years for financial data
- 6 years for project data
Data no longer in active use is moved to an archive where it is only accessible to IT Administrators.
8. Subject Access Requests
All individuals who are the subject of personal data held by Zinc Network are entitled to:
- Ask what information Zinc Network holds about them and why
- Ask how to gain access to that information
- Be informed how to keep that data up to date
- Be informed how Zinc Network is meeting its data protection obligations
If an individual contacts Zinc Network requesting this information, that is called a subject access request. Subject access requests should be made by email, addressed to the HR department at firstname.lastname@example.org. The HR team will aim to provide the relevant data within 40 days and HR will always verify the identity of anyone making a subject access request before providing any information.
9. Disclosing data for other reasons
Zinc Network may be under a duty to disclose or share a data subject’s personal data in order to comply with any legal obligation; in order to enforce or apply any contract with the data subject or other agreements; or to protect the rights, property or safety of Zinc Network, its clients or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction. In certain circumstances, the Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, Zinc Network will disclose the requested data. However, Zinc Network will ensure the request is legitimate, seeking assistance from the Senior Management Team and Zinc Network’s legal advisors where necessary.
Changes to this policy
Zinc Network reserves the right to change this policy at any time.