Data Privacy Policy

Policy Version: 1.0 published 21st May 2018

1. Introduction

Lucid Networks Ltd, registered in England number 07420251, whose registered office is at Greenheys Business Centre, Pencroft Way, Manchester Science Park, Manchester, M15 6JJ (referred to hereafter as “We” or “Us”) needs to collect and use certain types of personal data about people we come into contact with (hereafter referred to as a “data subject”) in order to carry on our work.

This personal data must be collected, stored and dealt with correctly, in accordance with relevant data protection laws and this policy sets out our commitment to dealing with that personal data correctly.

We collect, store and process information in line with the General Data Protection Regulation.

We are registered with the Information Commissioners office, registration number ZA295606

2. Definitions

Data Subject – You, or any other living person who we store or process information about

Personal Data or Personally Identifying Information – Any information about a living individual that can be used on its own, or with other data, to identify them.

Processing – Doing any of the following with information: obtaining, recording, storing, updating, combining, analysing, sharing with or transferring to third parties.

Special Categories of Data or Sensitive Personal Data – Personal Data about racial or ethnic origin, political or religious beliefs, trade-union membership, biometric data, health, sex life or sexual orientation.

Filing Systems – Any structured set of data which allows access or retrievel of information by a set of criteria. They can include computer databases, paper based records or paper filing systems, and may be in one place, or spread over many places.

Data Controller – Person or organisation who determines what purposes personal information will be held or processed for.

Data Processor – Person or organisation who carries out processing of data on behalf of a data controller. The processor can be the same person or organisation as the controller or different.

Consent – Any freely given, specific, informed and unambiguous indication of the data subject’s wishes that they agree to the processing of personal data relating to him or her. Consent must be in the form of a clear statement or a clear affirmative action.

Data Breach – A failure of data security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to personal data while it is stored, trasferred or processed

Subject Access Request – When a data subject contacts a data controller or data processor to ask what personal data is held about them, and how to access it

3. Management and Staff Responsibility

Overall – Managing Director

Data in our internal systems – Technical Director

Data in our financial and internal record keeping – Commercial Manager

Data in our marketing, events and website activities – Sales & Marketing Manager

In addition, we will:

  • Ensure everyone processing personal information understands that they are contractually responsible for following good data protection practice
  • Ensure everyone processing personal information is appropriately trained to do so
  • Ensure everyone processing personal information is appropriately supervised
  • Clearly publish our procedure to make enquiries about handling personal information.
  • Deal promptly and courteously with any enquiries about handling personal information
  • regularly review and audit the ways we hold, manage and use personal information
  • Make all staff aware that a breach of the rules and procedures identified in this policy may lead to disciplinary action being taken against them

4. Legal Principles

When we process personal data we will process it in line with the six data protection principles. Personal data will be:

  1. processed lawfully, fairly and in a way that is clear or transparent to the data subject.
  2. collected for a specified, explicit and legitimate purpose, and we will not process it in a different way which is incompatible with that initial purpose without the data subject’s prior consent.
  3. adequate, relevant and limited to what’s required for the processing we’re undertaking.
  4. accurate, and where necessary, kept up to date. Inaccurate data can and will be erased or corrected as soon as possible.
  5. kept for only as long as is necessary.
  6. processed and stored securely, including protection against unlawful or unauthorised access, processing or transfer.

5. How We Process Data

We are the Data Controller and Data Processor for the following types of data which we collect or hold on our systems.

Contact Data
Information which allows us to contact data subjects by various means and address them correctly, including name, gender, email addresses and other messaging handles, phone numbers, postal addresses at their place of business or other location they nominate, about our ongoing business dealings or potential business dealings. This data does not include special categories of personal information.

Employment data
Contact data for the data subject, contact data of next of kin, plus any other information we may need to properly manage our relationships with employment candidates, our past and present employees and subcontractors. This data may include special categories of personal information.

Marketing data
Contact data required to contact the data subject for the purposes of marketing our products and services to them. This data does not include special categories of personal information.

Customer Data
Contact data and other information we need in order to provide our IT services to and keep records about those services and their performance. This data does not include special categories of personal information.

Monitoring Data
Information collected from computer or communication systems we manage, which allows us to verify the systems are working as expected, to investigate problems with those systems, and to protect ourselves and our customers against criminal or other unauthorised activity. This data does not include special categories of personal information.

We are not a Data Controller or a Data Processor for any data held on our customers’ on-premise or cloud hosted systems, unless there is a written agreement in place which states otherwise.

6. Data collection and Consent

Informed consent is when:

  • the data subject clearly understands why their information is needed, who it will be shared with, the possible consequences of them agreeing or refusing the proposed use of the data.
  • And then gives their consent.
  • By signing, writing or saying a clear statement, or making an affirmative action (eg: double opt-in, or checking a box which is NOT checked by default)

We will ensure that data is collected within the boundaries defined in this policy. This applies to data that is collected in person, or by completing a form.

When collecting data for the purpose of direct (email or telephone) marketing, we will explain to the data subject:

  • why the information is needed.
  • what it will be used for and what the consequences are of not giving consent to processing.
  • request and record explicit consent to the processing.

We will not seek or record consent for the collection of other types of data set out in this policy, because our lawful basis for processing this data is either:

  • Legal obligation
  • Contractual obligation
  • Legitimate Interest of the data subject

7. Disclosure and Transfer

Legal disclosure

We may share data with local and national government, law enforcement, and other public agencies or bodies where we are required to do so by law.

The data subject will be made aware in most circumstances how and with whom their information will be shared. There are circumstances where the law requires or allows us to disclose data (including sensitive data) without the data subject’s consent. In these situations we will not seek or obtain consent.

These are:

  • Carrying out a legal duty or as authorised by the Secretary of State
  • Protecting vital interests of a Individual/Service User or other person
  • The Individual/Service User has already made the information public
  • Conducting any legal proceedings, obtaining legal advice or defending any legal rights
  • Monitoring for equal opportunities purposes – i.e. race, disability or religion

Transfer to Suppliers

We may share data with our suppliers where it is necessary in order to carry out our lawful business and contractual obligations to them.

Specific examples include (but are not limited to):

  • Sharing data about subscribers to services such as Microsoft Office 365 to Microsoft and other upstream suppliers in the Microsoft supply chain.
  • Sharing registrant, billing contact, administrative contact and technical contact information about domain names with the relevant registries.
  • Sharing data about technical or billing contacts with our upstream suppliers of onsite maintenance services to enable our suppliers to identify the end-user business.
  • Providing IP address or ownership information to global and regional internet registries.

8. Data Storage

Information and records stored in our systems relating to data subjects will be stored securely and will only be accessible to authorised personnel.

Information will be stored for only as long as it is needed or required by law and will be disposed of appropriately.

We will ensure all personal and company data is non-recoverable from any computer system previously used within the organisation, which has been passed on/sold to a third party or disposed of.

Wherever possible, personal data will be encrypted while it is stored at rest on our systems.

9. Data access

Subject Access Requests

Data subjects where we are the Data Controller for their data have the right to make a Subject Access Request to:

  • Ask what personal data we hold about them and why.
  • Ask how to gain access to their personal data.
  • To keep their personal data up to date.
  • To erase their personal data from our systems.
  • Be informed how we are meeting our obligations to protect their personal data.

In order to get the quickest possible service, data subjects (or a third party acting on their behalf) should make a Subject Access Request in the following ways:

  • by emailing [email protected] – our system will respond with a unique reference number for your request.
  • by writing to us at our address shown in section 1 of this policy, by recorded delivery.

Subject access requests should include:

  • Full name of the data subject
  • Company name, office address and email address or telephone number which will help us identify the data subject in our systems
  • The name of the third party acting on their behalf, if applicable, and a copy of any documentation authorising them to act for the data subject.
  • An explanation of what information they are asking for.

We will always verify the identity of the person making the Subject Access Request, or request for update or erasure of data before handing over any data. If the person making the request is not the data subject, they must show written evidence that they have the permission of the data subject to make the request.

There is no charge for Subject Access Requests, unless the requests are unfounded or excessive or repetitive in character – in which case we may charge a reasonable cost to satisfy the request.

Data subjects may make a Subject Access Request at any time by contacting us using the methods at the top of this section.

We will not be able to satisfy a Subject Access Request if:

  • we are not the data controller for the data in question.
  • the data is commercially sensitive or forms part of a trade secret.
  • disclosing the data will unavoidably identify another person.
  • we are required by law or other official process not to disclose the data.

We will provide any relevant data (or confirmation that we do not hold any data for which we are the data controller) within 30 days of receiving a Subject Access Request (the time limit will start from the time on the delivery docket or automated email response).

Updating or Erasing Data

We will take reasonable steps to ensure that personal data is kept up to date by asking data subjects whether there have been any changes whenever it is reasonably practical to do so.

Data subjects may at any time contact us using the methods at the top of this section to request that their personal data which we are the Data Controller for is erased.

We will not be able to update or erase personal data if:

  • we are not the data controller for the data in question.
  • erasing or changing the data will prevent us from providing our service to our customers.
  • erasing or changing the data will prevent us from carrying out our legal obligations (eg: employment, tax, preventing or reporting a crime).

Providing Personal Data

Wherever possible, we will provide data electronically, in standards-based formats (eg: Comma Separated Value, HTML, XML).

If we are unable to provide data in standards based formats, we will use another reasonable alternative, but we will always try to provide data in electronic form rather than paper.

We may be forced to provide some data on paper, for example, if our only method of storing the data is on paper.

All data will be encrypted using strong encryption while it is in transit.

10. Complaints

Any complaints about this policy should be submitted in writing using one of the following methods:

by emailing [email protected] – our system will respond with a unique reference number for your request.

by writing to us at our address shown in section 1 of this policy, by recorded delivery.

We will aim to respond to any complaint within 30 days.

11. Persons under the age of 18

We do not employ, or undertake any business directly with or on behalf of persons aged under 18 years.

We will only store personal information about persons under the age of 18 if:

  • The information has been collected via our email signup forms when the data subject signed up for a newsletter or event on ours
  • The data subject is employed by a company who is a customer or supplier of ours, and we are required to interact with the data subject in order to carry out our contractual or service obligations to their employer.

Under these circumstances, we will store and process only Contact information.

12. Review

This policy will be updated and reviewed at least once per calendar year to reflect best practice in data management, security and control and to ensure compliance with any changes or amendments made to relevant legislation 

It's easy to work with us

Just complete this form and a member of our team will contact you to arrange: