top of page

Cookie Policy

Information Technology, Communications Systems and Data Security Policy  

This policy, as amended from time to time, applies to all Members on the Nexus AML application and should be read in conjunction with other Policies for Members and the Terms.  


Please ensure you read and understand the policies.  We may terminate your access and stop you working on a Work

Package if you are not in compliance with this Policy.  


The purpose of the Policy is to set appropriate and secure IT communication and working practices and the standards that you must observe to protect EFI’s physical and organisational security by way of computer systems, devices, infrastructure, computing environment and all other relevant equipment or data when using these systems.  

It is your responsibility to adhere with this policy. We will monitor use and take action if we believe that you have breached this policy. 


All breaches of security relating to the systems, physical security or any data whether it be stored on EFI’s internal IT systems, client system or not must be reported immediately to  

Any breach which is either known or suspected to involve personal data shall be reported to the  


For the purposes of this Policy, “personal data” means the same as in Article 4 of the 2016 EU General Data Protection Regulation (“GDPR”): any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.  

Equipment security and passwords  

Passwords are a critical component of information security, poorly constructed passwords may result in compromising company information systems, networks and lead to data breaches.  


Members must apply the following practices when creating and using passwords and everyone must refer and abide to the Password Policy on the EFI intranet. You must report any problems or concerns to  

You are responsible for the security of the equipment allocated to or used by you, and you must not allow it to be used by anyone other than in accordance with this policy. This would include family members where you are working from home. You should use passwords on all IT equipment, particularly items that you take out of the office or that you have at home with you.  

You should keep your passwords confidential and change them regularly.  

You must only log on to our systems using your own username and password. You must not use another person’s username and password or allow anyone else to log on using your username and password.  

Passwords must not be written down.  


If you are away from your desk, you must log out or lock your computer. You must log out and shut down your computer at the end of each working day. This applies both to office based and remote locations.  

Systems access and data security  

You should not delete, destroy or modify existing systems, programs, information or data (except as authorised in the proper performance of your duties).  


You must not download or install software from external sources without authorisation from EFI to any EFI or client provided device. Downloading unauthorised software may interfere with our systems and may introduce viruses or other malware.  


You must not attach any device or equipment including mobile phones, tablet computers or USB storage devices to our systems without authorization in writing from EFI.  

We monitor all e-mails passing through our system for viruses. You must exercise particular caution when opening unsolicited e-mails from unknown sources. If an e-mail looks suspicious do not reply to it, open any attachments or click any links in it.  


Inform  immediately if you suspect any of your EFI devices or any device through which you access client or EFI tools or systems may have a virus.  


If you have been issued with a desktop for home use, a laptop, tablet computer, smartphone or other mobile device, you

must ensure that it is kept secure at all times, especially portable devices when travelling. Passwords must be used to secure access to data kept on such equipment to ensure that confidential data is protected in the event of loss or theft. You should also be aware that when using equipment away from the workplace, documents may be read by third parties, for example, passengers on public transport or family members when working from home.  

Any missing equipment issued by EFI or by an EFI client must be reported to your  immediately. Failure to do so will be considered a serious breach.  


All data must be handled with care at all times and should not be left unattended or on view to unauthorized users or other parties at any time whether you are at an EFI site, client site, working remotely or travelling / off site.  

Physical security  

EFI has a clean desk policy in place to protect the information security of EFI and our clients. This policy applies wherever you are working.  

All Members are required not to have on their desk for any longer than is required any sensitive or confidential information about our people, clients, vendors or intellectual property.  

All Members are required to secure all sensitive/confidential information in their workspace at the conclusion of the workday and when they are expected to be away from their workspace for an extended period of time. This includes both electronic and physical hardcopy information. 

Printed materials must be immediately removed from printers or scanners. Printing physical copies should be reserved for moments of absolute necessity. Documents should be viewed, shared and managed electronically whenever possible.  

File cabinets and drawers containing sensitive information must be kept closed and locked when unattended and not in use.  

All sensitive documents and restricted information must be shredded beyond recognition immediately as it is no longer required. When you are working from an EFI or client site this should be done through the designated confidential disposal bins. If you are working from home the same requirement applies to all documents. This means that you should either shred or otherwise destroy written documents, or alternatively store them securely until you are next able to return them to an office for secure destruction.  

Keys and physical access cards for our offices or client offices must not be left unattended.  

The use of mobile phones at work creates a security issue for EFI and our clients so generally all Members should refrain from keeping their mobile phones on their desks, unless required for work purposes and it should be stored in a safe and private location i.e. any locker provided in the workplace, or in a drawer away from your workspace if you are working from home.  

If a particular client specifies that no mobile phones are permitted on desks you will be required to keep your mobile phone in a safe and private location away from your workspace. 


Organisational data security  

Members must exercise care, caution, and discretion when discussing work-related matters that relate to such any data, whether in the workplace or otherwise.  

No data, personal or otherwise, should be shared informally (e.g. for the sending of birthday cards to home addresses).  

No data, personal or otherwise, can be transferred to anyone inside or outside of our organisation who is not already authorised to handle that data, without the express written authorisation of EFI. 


Services. E-mail and messaging systems  

It is important to understand that when you’re communicating in EFI’s systems (emails or IM systems such as Teams) that communication remains the property of EFI. Your communications inside client systems will remain the property of that client. 

Whenever communicating inside or outside of our organisation you should be considerate of your tone and email / messaging etiquette. Especially when communicating with clients through their systems (including instant messaging) it is of the utmost importance that you communicate in a way that is professional and courteous.  

Remember that e-mails and instant messages (within EFI or within client systems) can and will be used in legal proceedings. Deleting messages or emails do not remove them from systems and they are able to be retrieved.  

You must never send abusive, obscene, discriminatory, racist, harassing, derogatory, defamatory, pornographic or otherwise inappropriate e-mails or messages within EFI, Nexus AML or client systems.  

You must not: a) send or forward private e-mails while working on a Work Package which you would not want a third party to read; b) send or forward chain mail, junk mail, cartoons, jokes or gossip; c) contribute to system congestion by sending trivial messages or unnecessarily copying or forwarding e-mails to others who do not have a real need to receive them; or d) send messages from another person’s e-mail address (unless authorised) or under an assumed name. 


Use of video tools  

Video tools provided by EFI or our client are for work purposes on a Work Package only. Please note the following requirements:  

Confidential Space - ensuring that you are free from being heard and any interruptions. 

Camera On - if you are not using your camera, you should briefly explain why.  

Eating and drinking -  drinking (e.g. tea, coffee or water) during a video call is fine. It is not, however, appropriate to eat whilst on a video call, unless this is part of the nature of the call (e.g. a lunch meeting).  

No smoking or vaping whilst on a video call.  

Dress Code - You should treat video calls in the same way you would any work in person where clients or external parties are attending, you should be considerate to match the formality of their approach. If in doubt it is better to be overdressed in front of clients than underdressed.  

Background - be considerate of the impression that your background makes. Visible space should be clean and tidy. Use background blurring tools if you are concerned by the impression that your workspace might make.  

Keeping to time - if you are leading a video call you should be mindful of timing and not over run without the agreement of all parties.  

Background noise - whenever you are not speaking you should mute your microphone to limit any background noise. Be considerate of any causes of background noise such as fans or mobile phones which might disrupt the meeting. 

Sharing documents on screen - if you intend to share documents on screen you should have these prepared ahead of the meeting. Similarly, if you are screen sharing, close any other documents and shut down or mute emails and instant messaging on your computer to avoid interruptions or a risk of accidentally breaching data security protocols.  


Using the internet  

When working on a Work Package, you must not access any web page or download any image or other files from the internet which could be regarded as illegal, offensive, in bad taste or immoral. Even web content that is legal in the UK may be in sufficient bad taste to fall within this prohibition. As a general rule, if any person (whether intended to view the page or not) might be offended by the contents of a page, or if the fact that our software has accessed the page or file might be a source of embarrassment if made public, then viewing it will be a breach of this policy.  


Personal use of systems  

Personal use of client technology (including laptops, desktops, email accounts and instant messaging) is strictly prohibited.  

If you have been issued EFI technology tools which you have access to at home (including desktop, mobile or laptop devices) you should treat these as you would any tool which you have access to only at our or a client site: you should not be using it for personal reasons outside of working hours (e.g. to surf the web at weekends).  



Our systems enable us to monitor activity on the Nexus AML application.  While working on a Work Package and while our software is installed on your personal computer, our systems enable us to monitor e-mail, instant messaging, internet use and other communications. For security reasons, your use of our systems (including any personal use) may be continually monitored by automated software or otherwise. 

We reserve the right to retrieve the contents of e-mail messages or check internet usage (including pages visited and searches made) as reasonably necessary in the interests of our business, including for the following purposes (this list is not exhaustive):  

to monitor whether the use of the e-mail system or the internet is legitimate and in accordance with this policy;  

to find lost messages or to retrieve messages lost due to computer failure;  

to assist in the investigation of alleged wrongdoing; or  

to comply with any legal obligation.  


Prohibited use of our systems  


Misuse or excessive personal use of our or our client’s instant messaging or e-mail system or inappropriate internet use will be dealt with seriously. Misuse of the internet can in some cases be a criminal offence.  

Creating, viewing, accessing, transmitting or downloading any of the following material will usually amount to gross misconduct (this list is not exhaustive):  

pornographic material (that is, writing, pictures, films and video clips of a sexually explicit or arousing nature);  

offensive, obscene, or criminal material or material which is liable to cause embarrassment to us or to our clients;  

making a false and defamatory statement about any person or organisation; 

material which is discriminatory, offensive, derogatory or may cause embarrassment to others (including material which breaches our Equal Opportunities Policy or our Anti-harassment and Bullying Policy);  

sharing confidential information about us or any of our staff or clients (except as authorised in the proper performance of your duties);  

downloading or use of unauthorised software;  

making any statement which is likely to create any criminal or civil liability (for you or us); 

downloading or uploading music or video files or other material in breach of copyright.  




Remote Working Policy  


This policy, as amended from time to time, applies to all Members on the Nexus AML application and should be read in conjunction with other Policies for Members and the Terms.  

Please ensure you read and understand the policies.  We may terminate your access and stop you working on a Work Package if you are not in compliance with this Policy.  

The purpose of the Policy is to set appropriate and secure IT communication and working practices and the standards that you must observe to protect EFI’s physical and organisational security by way of computer systems, devices, infrastructure, computing environment and all other relevant equipment or data when using these systems.  

It is your responsibility to adhere with this policy. We will monitor use and take action if we believe that you have breached this policy. 

All breaches of security relating to the systems, physical security or any data whether it be stored on EFI’s internal IT systems, client system or not must be reported immediately to  

Any breach which is either known or suspected to involve personal data shall be reported to the  

Working Remotely  


Working remotely means working from a non office location home on an occasional, a temporary or a permanent basis. Your agreed location arrangement will be as set out in the Work Package Description for your Work Package, and it  may be remote any location, remote specified location, EFI location, Partner location or a combination.  


Requirements for temporary or permanent remote working  

You will need to have access to an appropriate space to work from. You should take note of the security, technology and health and safety sections within this policy to identify if your workspace is appropriate.  



Where we have agreed with you that you can regularly work from home, we will provide the relevant technology tools to enable you to do your job properly and safely from home. These may include a laptop/desktop computer and desk and chair. You will need to cover the cost of any necessary installations such as broadband connections.  

You must take good care of anything we provide to you and return it to us when requested.  If you do not take care or return the equipment, then we may charge you for the equipment and deduct the amount from anything we owe you.  

It is your responsibility to provide secure broadband access for home working. Your network should be password protected and your router’s firewalls up to date and enabled. You must not access either EFI or client systems through an insecure network (e.g. in a hotel).   

Your broadband should be of an appropriate speed for you to access files and systems and attend video calls without interruptions.  


Security for home working  

We will carry out periodic data protection risk assessments.  

Each of our clients will have clear contractual expectations of the data security provisions required by Members.  

You must be working in a private space where your work is neither overheard nor overlooked. This means that you are not in the same room whilst working as any family member, guest in your home, or other individual.  

Any glass doors or windows in your workspace should either face you (ie not be able to view your computer screen) or have blackout blinds / curtains covering them whilst you are logged into EFI or client systems. For clarity, this applies whatever floor your workspace is on or whether there are nearby properties or not.  

Whenever you are prompted to install a legitimate update to your computer or other equipment, you must do so straightaway.   

You must report any actual or potential breach of security, confidentiality or data protection to  immediately.  


Health and safety for home working  

Whilst you are working remotely your health and safety is just as important as when working on a client or EFI site. You are responsible for taking all  actions to ensure that your working environment is appropriate for your physical needs and you comply with Health and Safety requirements in your jurisdiction which you should familiarise yourself with.  


Accessing your home  

We may need to access your home or remote location to carry out risk assessments, checks, and repairs to our equipment.  


We may also need access to retrieve our property, whether during remote working, at the end of the arrangement, or when the Work Package ends.  


You must cooperate with our reasonable requests to visit in working hours. 


Household bills  

You will be expected to cover the cost of utilities including heating and electricity necessary for your remote working.  


Mortgage, lease and insurance  

You are responsible for making sure that your mortgage or lease and home insurance do not restrict or prevent your home being used for work.  

You should discuss with your landlord, mortgage provider and home insurer any changes that may need to be made to your policy / agreements to ensure that you are fully protected while working from home. You are responsible for any additional costs which ensue for these changes. 



As a remote worker you may be entitled to claim a tax rebate for household costs. EFI will not arrange this on your behalf. Please see the relevant section of the HMRC website for up-to-date details of any entitlement and relevant claims processes.  


There may be tax implications for you as a result of home working. You should get specific advice on this. At the time of writing this policy the HMRC website holds information on the tax implications for individuals to review.  





 General Data Protection Regulation (GDPR) Policy and Privacy Notice  



Efficient Frontiers International Limited understands that your privacy is important to you and that you care about  

how your personal data is used. We respect and value the privacy and will only collect and use personal data in ways that are described here, and in a way that is consistent with our obligations and your rights under the law. 


We need to gather and use information or ‘data’ about you as part of our business and to manage our relationship with you. This policy sets out the things we must tell you about data protection.  

We take the security and privacy of your data seriously and intend to comply with our legal obligations under the Data Protection Act 2018 (the ‘2018 Act’) and the EU General Data Protection Regulation (‘GDPR’) in respect of data privacy and security.  

This policy applies to Members on the Nexus AML application operated by Efficient Frontiers International Limited and you are a ‘data subject’ for the purposes of this policy. You should read this policy alongside your Nexus AML terms any other notice we issue to you from time to time in relation to your data. We may update this Policy at any time. 

We are a ‘data controller’ for the purposes of your personal data. This means that we decide how and why we process your personal data.  

This policy sets out how the Company will handle, process, store, transport and destroy personal information. It explains your rights as a data subject. It also explains your obligations when obtaining, handling, processing or storing personal data in the course of working for, or on behalf of, the Company.  


Information About Us  

Efficient Frontiers International Limited.  

Limited Company registered in England under company number 07022588  


Registered address:     Royal Exchange, No. 1 Royal Exchange London, EC3V 3DG  

VAT number:         989 8259 28  

Data Protection Officer:     Mina Thakore  

Email address:   

Telephone number:     020 7129 1046  

Main Contact:        Mina Thakore  



Data Protection Principles  


Personal data must be processed in accordance with the following ‘Data Protection Principles.’ It must:  

As an organisation, we only collect and use personal data on Members to enable us to run the business and effectively, lawfully and appropriately manage our relationship with our Members – whether during the account opening process, bidding process, while working on a Work Package, or when their engagement ends or the Account has been closed. This includes using information to facilitate the proper performance of the contract, to comply with any legal requirements, to pursue the legitimate interests of the Company and to protect our legal position in the event of legal proceedings.  

We will process personal data in line with the GDPR and Data Protection principles, namely:  

Lawful, fair and transparent:  

Personal data shall be collected only for legitimate purposes, will not be used for purposes other than     those for which they were collected and the Data Subject (person to whom the data relates) will be i    nformed of what information is held and the reasons for holding it.   


Limited purpose:  

Personal data will be used only for the purpose for which they have been collected.  



The personal data collected and used shall not exceed the purpose for which they are collected i.e. if only a name and address is adequate in order to provide a service, then no more than this data shall be collected.   



Every reasonable step must be taken to ensure that personal data are up-to-date and, where they are found to be inaccurate, updated without delay.  


Storage limitation  

Personal data must be kept in a form which permits identification of Data Subjects for no longer than is necessary for the purposes for which the personal data are processed. Any data kept beyond the point of no longer being used, must be either anonymised (i.e. any identifiers from the data must be irreversibly removed such that it would be impossible to know to whom the data relate) or pseudonymised (i.e. identifiers from the data must be separated so that there are two copies of the data which only when matched could be used to identify the Data Subject).    


Integrity and confidentiality  

Personal data shall be handled securely and protected against unauthorised or unlawful processing, accidental loss, destruction or damage.  



The Data Controller (person or business that determines the purposes for which, and the manner in which, any personal data are processed) shall be responsible for, and be able to demonstrate, compliance.   


What Does This Notice Cover?  

This Privacy Information explains how we use your personal data: how it is collected, how it is held, and how it is processed. It also explains your rights under the law relating to your personal data.  

Under the GDPR and the 2018 Act there are two categories of data:  

-Personal Data  

-Special Categories of Data   

What is Personal Data?  

Personal data is defined by the General Data Protection Regulation (EU Regulation 2016/679) (the “GDPR”) and the 2018 Act as ‘any information relating to an identifiable person who can be directly or indirectly identified in particular by reference to an identifier’.  


Personal data is, in simpler terms, any information about you that enables you to be identified. Personal data covers obvious information such as your name and contact details, but it also covers less obvious information such as identification numbers, electronic location data, and other online identifiers.   

The personal data that we use is set out in Part 5, below.  


What Are My Rights?  

Under the GDPR and the 2018 Act, you have the following rights, which we will always work to uphold:  

The right to be informed about our collection and use of your personal data. This Privacy Notice should tell you everything you need to know, but you can always contact us to find out more or to ask any questions using the details in Part 11.  

The right to access the personal data we hold about you. Part 10 will tell you how to do this.  

The right to have your personal data rectified if any of your personal data held by us is inaccurate or incomplete. Please contact us using the details in Part 11 to find out more.  

The right to be forgotten, i.e. the right to ask us to delete or otherwise dispose of any of your personal data that we have as long as personal data is no longer necessary. Please contact us using the details in Part 11 to find out more.  

The right to restrict (i.e. prevent) the processing of your personal data.  

The right to object to us using your personal data for a particular purpose or purposes.  

The right to data portability. This means that, if you have provided personal data to us directly, we are using it with your consent or for the performance of a contract, and that data is processed using automated means, you can ask us for a copy of that personal data to re-use with another service or business in many cases.  

Rights relating to automated decision-making and profiling. we do not use your personal data in this way.  

For more information about our use of your personal data or exercising your rights as outlined above, please contact us using the details provided in Part 11.   

Further information about your rights can also be obtained from the Information Commissioner’s Office or your local Citizens Advice Bureau.   

If you have any cause for complaint about our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office.  


What Data Do We Collect?  

We collect personal data from Members, clients and website users.  We may collect some or all of the following personal data (this may vary according to your relationship with us):   

Personal data:   


-Date of birth;  



-Email address;  

-IP address  

-Telephone number;  

-Emergency Contact and Telephone Number  

-Business name and other relevant business information;  

-Job title;  


-Skill Level; 


-NI (employees);  

-Unique Taxpayer Reference   

-Bank details;  


-Computer data, electronic information in relation to your use of IT systems/swipe cards/telephone systems; 

Training records; 

-Information about your preferences and interests;  

-Invoices and billing; 

-Timesheet and Time Off information (holiday, sick etc);  

Information about your Account with Nexus AML application including use of the platform, working hours, bidding, bid acceptance, assessment attempts, assessment score, time off, working patterns 

Screening check (including Criminal, ID, Adverse Financial, Education, Employment References, Director, Social Media);  

Experience and education information  such as your CV, references, qualifications and membership of any professional bodies 

-Passport/ visa/ other documentation relating to your right to work in the UK  

-Your images (whether captured on CCTV, by photograph or video).  


-CSCS/ other professional organisation details   

-Information relating to disputes, investigations and proceedings involving you (whether or not you were the main subject of those proceedings).  

-Information relating to your performance and behaviour on Work Packages.  

-Any other category of personal data which we may notify you of from time to time.   


Your personal data is obtained from the following third parties:  

Experian;  Access Screening 


Special categories of data   

Special categories of data are personal data that would be considered ‘sensitive’.  These include data relating to:  


-Racial or ethnic origin (as may be collected for diversity monitoring)  

-Political beliefs/ affiliation  

-Religious or philosophical beliefs (including no belief)  

-Data relating to health (GP/ medical reports/ fit notes/ occupational health) 

-Trade Union membership  

-Genetic/ biometric data (such as when used for ID purposes)  

-Sexual orientation  

We may hold and use any of these special categories of your personal data for diversity and inclusion purposes and in accordance with the law.  


How Do You Use My Personal Data?  

We will process your personal data (including special categories of personal data) in line with our obligations under the 2018 Act and we must always have a lawful basis for using personal data. This is because the data is necessary for our performance of a contract with you, because you have consented to our use of your personal data, to comply with our legal obligations and because it is in our legitimate business interests to use it for delivering a service to our customer and or for direct marketing.    

Your personal data will be used for the following purposes:  


-providing consultancy and advisory, technological, operational solutions and other professional services. Our services may include reviewing customer files for quality assurance purposes, which may involve processing personal data for the relevant customer.  

-for administration purposes to maintain records and billing 

-your personal details are required in order for us to enter into a contract with you;  

in respect of performance, training,  

-relating to sickness (medical certificates and Fit Notes etc);   

-to comply with statutory and other requests from public authorities (HMRC, HSE, law enforcement authorities etc);  

-to check you have the legal right to work for us;  

-in relation to  disputes or contract breaches;   

-in connection with the Company’s intranet/ website; 

-in the provision of references following a request from you or a prospective future employer;  

-provide the customer with screening compliance information, the basic personal details and emergency contact to set -you up on the system, in case of an emergency and for invoicing purposes;  

-for direct communications and related business operations to promote our consultancy services. This may include -----responding to emails or calls from you;  

-complying with legal and regulatory obligations relating to AML, terrorist financing, fraud and other forms of financial crime;  

-data analytics, responding to online requests and business proposals quotes;  

-to monitor diversity and equal opportunities*;   

-to monitor and protect the security (including network security) of the Company, you, our other staff, customers and others;  

-to answer questions from insurers in respect of any insurance policies which relate to you;  

-to run our business and plan for the future;  

-for the prevention and detection of fraud or other criminal offences;  

-to defend the Company in respect of any investigation or litigation and to comply with any court or tribunal orders for disclosure*;  

-for any other reason which we may notify you of from time to time.  


We can process your personal data for these purposes without your knowledge or consent.  We will not use your personal data for an unrelated purpose without telling you about it and the legal basis that we intend to rely on for processing it.  

With your permission and/or where permitted by law, we may also use your personal data for marketing purposes, which may include contacting you by email with information on business operation, current job openings and or our newsletter on our company. You will not be sent any unlawful marketing or spam. We will always work to fully protect your rights and comply with our obligations under the 2018 Act, GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003, and you will always have the opportunity to opt-out.  However, if you wish to withdraw your consent to us holding certain personal information, we may not be able to carry out some parts of the contract between us. For example, if we do not have your bank account details, we may not be able to pay you. It might also prevent us from complying with certain legal obligations and duties, such as to pay the right amount of tax to HMRC or to make reasonable adjustments in relation to any disability you may have.  

We might process special categories of your personal data for the purposes in paragraph above which.    

In particular, we will use information in relation to:  


your race, ethnic origin, religion, sexual orientation or gender to monitor equal opportunities;  


How Long Will You Keep My Personal Data?  

We will not keep your personal data for any longer than is necessary in light of the reason(s) for which it was first collected. Your personal data will therefore be kept for the following periods (or, where there is no fixed period, the following factors will be used to determine how long it is kept):  



Screening Data and Personnel Data  


Your Account details will be kept for the duration of the contract, until the Account is closed.  

Post closure of the Account, all personal data will be kept for two years and deleted thereafter.    

Immigration Checks will be kept for 2 years from closure of the Account. 



Members billing  

Working time records will be kept for 2 years from the date on which they were made.  

H&S records will be kept for 3 years  

Recruitment and other records  

Unsuccessful applicants will be retained for at least a year after the individual has been notified that they are unsuccessful.  

Other records will be kept for 6 years however we may be required to keep the records longer to comply or demonstrate compliance with our legal and regulatory obligations.  Where we can and where it is appropriate to do so, we will minimise personal data or de-personalise the data for analytical purposes.   

Any personal information collected with no specified retention period mentioned above, shall be processed and stored for as long as required by the purpose they have been collected for.  

Once the retention period expires, Personal Data shall be deleted. Therefore, the right to access, the right to erasure, the right to rectification and the right to data portability cannot be enforced after expiration of the retention period.  



How and Where Do You Store or Transfer My Personal Data?  

We will only store or transfer your personal data in the UK. This means that it will be fully protected under the GDPR and the 2018 Act.   


The security of your personal data is essential to us, and to protect your data, we take a number of important measures, including the following:  



Data Storage  


-Electronic data Storage allows us to set permissions, reports and remote-wipe to keep critical business documents safe.  

-All files handled by an appropriate service such as SharePoint which is secured, both in transit and in storage, using 256-bit AES-encryption.  

-Role-Based Access Control.  

-Multi-Factor Authentication, also known as MFA, as an extra layer of security.  

-Accountancy software 

-Marketing and sales platforms  



Paper based   

-Any documents stored in a safe and locked environment.  

-Documents are scanned and thereafter shredded.  

-Restrict access with company login.  

-Discourage users from printing emails.  





-Emails are password protected and encrypted whilst in transit.  Any files with personal data sent are password protected.  



Do You Share My Personal Data?  


We will not share any of your personal data with any third parties for any purposes, except in the following instances:  

In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.   


If you subcontract with the following third parties to supply consultancy services on our behalf.  In some cases, those

third parties may require access to some or all of your personal data that we hold.  


Third Parties includes:  



-Provide the customer with the basic personal details and emergency contact to set you up on their systems, in case of an emergency and for invoicing purposes.  

-To process invoices. [         ].  

Tech provider  


For the provision of technology services  


Cloud based storage  







-CPD testing tool  

-The People’s Pension  



-LinkedIn and other appropriate social media platforms  

-Internal intranet and external website  


If any of your personal data is required by a third party, as described above, we will take steps to ensure that your personal data is handled safely, securely, and in accordance with your rights, our obligations, and the third party’s obligations under the law, as described above in Part 8.  

If any personal data is transferred outside of the EEA, we will take suitable steps in order to ensure that your personal data is treated just as safely and securely as it would be within the UK and under the Data Protection laws and GDPR, as explained above in Part 8.   

In some limited circumstances, we may be legally required to share certain personal data, which might include yours, if we are involved in legal proceedings or complying with legal obligations, a court order, or the instructions of a government authority.  

The Company will never sell on your personal data to a third party or use it for direct marketing purposes.  Your personal data will be treated as strictly confidential, and will be shared only with:   

internal teams for legal reasons and/ or the performance of the contract; and/ or   

Company-nominated outsourced service providers for the same reasons.  



How should you process personal data for the Company?  


The Company’s Data Protection Officer is responsible for reviewing this policy and updating the Board of Directors on the Company’s data protection responsibilities and any risks in relation to the processing of data. You should direct any questions in relation to this policy or data protection to this person.  


How Can I Access My Personal Data?  

If you want to know what personal data we have about you, you can ask us for details of that personal data and for a copy of it (where any such personal data is held). This is known as a “subject access request”.  

All subject access requests should be made in writing and sent to the email or postal addresses shown in Part 11. To make this as easy as possible for you, a Subject Access Request Form is available for you to use. You do not have to use this form, but it is the easiest way to tell us everything we need to know to respond to your request as quickly as possible.   

If your request is ‘manifestly unfounded or excessive’ (for example, if you make repetitive requests) a fee may be charged to cover our administrative costs in responding.  

We will respond to your subject access request within 28 days and, in any case, not more than one month of receiving it. Normally, we aim to provide a complete response, including a copy of your personal data within that time. In some cases, however, particularly if your request is more complex, more time may be required up to a maximum of three months from the date we receive your request. You will be kept fully informed of our progress.  


Raising a concern or reporting a breach relating to data protection   

A personal data breach can be broadly defined as ‘a security incident that has affected the confidentiality, integrity or availability of personal data’. In short, there will be a personal data breach whenever any personal data is lost, destroyed, corrupted or disclosed; if someone accesses the data or passes it on without proper authorisation; or if the data is made unavailable and this unavailability has a significant negative effect on the individual(s) concerned.   

Should a breach arise, the immediate priority shall be to contain the breach, assess the potential adverse consequences for the individual(s) affected and limit the scope. Consideration will be given as to how serious or substantial the consequences are, and how likely they are to happen.  

Should a personal data breach occur, the Company will evaluate the likelihood and severity of the resulting risk to the Data Subject’s rights and freedoms. If it is likely that there will be a risk then the Company will notify the Information Commissioner’s Office (ICO). Where the breach is unlikely to infringe on the individual’s rights and freedoms, there will be no requirement to report the matter and the Company will keep a written record setting out the justification for its decision.    

The Director be responsible for notifying the ICO and individuals (where applicable) of any relevant personal data breaches.  

Should you become aware of any suspected or actual breach of the requirements of the General Data Protection Regulation (GDPR) or the 2018 Act or have any other serious concerns relating to data protection matters, you must inform the Director without delay so the matter can be investigated promptly. Depending on the nature of the alleged breach, the matter may result in disciplinary action being taken.   

If you wish to raise a complaint you should, in the first instance, raise it with the Director who will arrange to meet with you to discuss your concern(s). The format of the meeting will mirror that of the Grievance Process and will include one right of appeal. Should your complaint not be satisfactorily resolved, you may lodge a complaint with the Information Commissioner’s Office on 03031231113. For further details please see:  



What to do if personal data is sent to someone unauthorised to see it  


If personal data is accidentally sent to someone not authorised to see it, you should inform the Director who is the Company’s Data Controller. Additionally, and depending on the circumstances of the case, you should:  


-inform the recipient not to pass on the data or discuss it with anyone else;   

-inform the recipient to destroy or delete the personal data they have received and get them to confirm in writing that they have done so;   

The Data Controller or an appropriately senior person nominated by them, will also:    

-explain to the recipient the implications if they further disclose the data; and   

-where relevant, inform the Data Subjects whose personal data is involved what has happened so that they can take any necessary action to protect themselves.   

The matter must always be reported to a Director.  


Changes to this policy  


We may change this policy from time to time. This may be necessary, for example, if the law changes, or if we change our business in a way that affects personal data protection.  

Any changes will be made available to you by email.  

bottom of page