This document outlines how ACMA handles data collected from the Public and the ACMA Parties.
2. ACMA Data Protection Policy
The ACMA has put in place the following data protection policy:
(i) Your data is used only for the intended use.
(ii) Your data is never bartered or sold.
(iii) Data is given to law enforcement only when legal process is followed.
(iv) Your data is never given to advertisers or marketing companies.
(v) Your data may be kept indefinitely.
3. Sensitive Data (Special Category Data)
ACMA processes no sensitive or ‘special category data,’ and so according to the GDPR regulations, no Data Protection Impact Assessment is required. ACMA does however consider and apply appropriate precautions to protect the confidentiality of personal data.
4. Structure of ACMA and flow of data across organisations contracted to ACMA
ACMA has no employees.
ACMA has procured CJS Subsea Services to oversee all Secretary and Website services. Creative Republic acts as a sub-contractor to the ACMA Secretary for the purpose of Website services.
Personnel working on ACMA activities in CJS Subsea Services and Creative Republic have successfully passed GDPR training, with refresher training provided as and when required, but at least every 3 years.
Information about ACMA Parties is held on the ACMA website via a password-protected access process.
The ACMA Secretary representative assumes the role of Data Controller and Data Processor. Should escalations or alternates be required, this should be to the ACMA Chairman in the first instance.
5. Documentation of Personal Data
ACMA has prepared the workflow as attached at Appendix 1 – ‘ACMA Personal Data Workflow and Information’ to describe its key data workflow.
6. Procedure for the handling of Personal Data
Personal Data should be handled by contractors of ACMA in accordance with GDPR regulations and to at least the same standard to which they hold their own personal information. This is intended to include, where possible, two-step authentication for e-mail systems in which ACMA’s personal data is transmitted, and secure (https) servers whose access is password-protected for the storage of Personal Data.
7. Access Requests
Parties and their associated employees registered on the ACMA website can only access their name, e-mail and password via the secure area of the ACMA website and make changes to it at any time. Access requests for any other data are to be sent via e-mail to the ACMA Secretary and the ACMA Secretary aims to respond to reasonable and lawful requests within timescales stipulated in GDPR regulations. Information is passed back to enquirers as may be appropriate in a data-portable way either by direct e-mail or by documents produced in standard MS Office applications such as MS Word, Excel, PowerPoint or in Adobe PDF format and attached to such e-mails, as appropriate.
8. Identification of Information Assets
This is managed by the ACMA Secretary.
9. Privacy Notice
Privacy Notice page
11. Withdrawal of Consent
After logging in, ACMA Parties can update their own personal information from the member area of the website. Should they wish to withdraw consent for ACMA to hold other information (other than that lawfully required for the ACMA to function, such as company billing information), requests can be sent to the ACMA Secretary and the ACMA Secretary shall act on such requests in a timely fashion in accordance with GDPR regulations.
ACMA endeavours to ensure the accuracy of Personal Data held through interaction with Parties bi-annually. However, some identifying information may be held for long periods by ACMA because of the nature of its work to provide a historical source for cable-related information. This remains a historical record for cable maintenance analytical purposes and is a fundamental part of the service ACMA supplies to its Parties.
Although ACMA does not have staff, GDPR training is provided to the ACMA Secretary and Creative Republic representatives, as considered appropriate.
ACMA disposes of electronic personal records through electronic deletion. Lawful disposal of paper records can be made by shredding on request.
15. Retention Policy
ACMA retains the information of active Parties, which can be for a long time, as considered appropriate.
The ACMA website holds e-mail and mailing list information pertaining to ACMA Party main reps. and alternates. Other individuals from Party companies may have requested to be included on lists pertaining to website access only and such lists are also kept. This information is reviewed in the January of each year.
ACMA holds a repository of archive and cable maintenance analytical information related to its purpose. As for any library, its intention is to retain that information in perpetuity.
16. Policy Review
To ensure continued compliance, the ico.gov.uk website will be visited on a regular basis and any required regulatory action taken accordingly.
As ACMA does not process sensitive, ‘special category’ data, the risk of breach is deemed to be very limited; however, this does not relieve ACMA of adhering to its GDPR obligations. Should the risk profile change in the future, ACMA shall consider what changes to its policy are required.
The following potential threats have been identified by ACMA, though such threats remain under review:
- Hacking attempts on the website. Any such attempts shall be logged and notified to the ACMA Secretary by Creative Republic, the website sub-contractor, as and when they occur and any required action taken accordingly.
- Breaches and loss of personal data from the website. Any such instances shall be logged by the Data Controller and individuals affected notified by the ACMA Secretary representative.
- Loss of personal data from email. Any such instances shall be logged by the Data Controller and individuals affected notified by the ACMA Secretary representative.
- Loss of personal data from the ACMA billing system. Any such instances shall be logged by the Data Controller and individuals affected notified by the ACMA Secretary representative.
After any breach, the ACMA Secretary, in consultation with the ACMA Chairman, shall consider and document how similar events may be mitigated in future. Should spend be required, this will be raised to the ACMA Chairman for approval.
19. Security Policies and Procedures
ACMA shall ensure the following policies and procedures are adhered to:
a) Processing of all personal data behind password protection and firewall protection.
b) GDPR compliant hosting of personal data it processes.
c) Logging and communicating threats to the ACMA website.
20. Minimisation of Data Collected
ACMA shall henceforth seek to minimise the data it collects.
Minimising the data collected for any new Personal Data processes shall be considered by the Data Controller.
21. Data Protection Compliance
The ACMA Secretary representative shall be the Data Controller and Data Processor.
ACMA is not deemed to require the appointment of a Data Protection Officer, noting the ACMA Secretary shall address any such issues or respond to any that may be notified, as appropriate.
22. Security Policy
The following security policies shall wherever possible apply in relation to Personal Data, and compliance shall be checked in the January of each year.
a) Secure backups of Personal Data
b) Physical locking away of personal data on paper, in the rare event that such paper data is required
c) Password protection prior to accessing personal data online
d) GDPR-compliant hosting methodologies
e) Firewall-protected networks
f) Not accessing personal data via unprotected wifi networks (e.g. while travelling)
This security policy shall be reviewed triennially, with the first review in 2021.
Appendix 1 – ACMA Personal Data Workflow and Information
ACMA is a Party-based organization in the Subsea Cable Maintenance Industry. An outline of the data ACMA keeps is detailed below:
- Name of company/party organization.
- Name of prime and alternate contact, tel. number, e-mail address and company/organization postal address.
Such information is kept on the website within a document labelled ‘ACMA 2017 List of Representatives’. Such document is updated twice-yearly.
Such contacts can also request other individuals within their company to be added as an ACMA website user and/or be included on the ACMA mailing list, hence such contact information will also be stored in the contact database.
The Party contact/user page on the ACMA website contains:
- Working Group they belong to, MC Member, CMG, MG, as applicable
- Any user access restriction
- E-mail address
- Member Company website
- Access login and password details to the members area of the website.
All Member contacts have a login and password to be able to access the Member side of the ACMA website, which, amongst other things, contains documents pertaining to the ACMA 2017 Agreement, ACMA 2017 Services Contract and associated financial data such as billing for ACMA services. Contacts cannot access or view other contact user records.
Contacts can access their own information records to change, add or delete the data contained in the record or to change their password.
Contacts can request a copy of their contact information at any time.
Photos/bios of the ‘Support Function’ personnel may also be kept on the Public area of the ACMA website.
Financial data that is stored on the website pertains to individual Party/Company quarterly invoices for ACMA services, ACMA Supplier invoices and any other financial data related to ACMA Services.
Data kept on the ACMA website is backed up regularly by Creative Republic, with such back-up stored securely.
Procedures for Breach of data: If a breach of the data is reported or detected, Creative Republic shall immediately contact the ACMA Secretary and investigate the full details of the breach to determine the magnitude. Since ACMA does not hold any Sensitive “special categories” of data, it would be up to the ACMA Secretary, in consultation with the ACMA Chairman, to decide whether the relevant authorities should be informed. The ACMA Secretary would continue to work with Creative Republic on assessing the present or potential future damage of such breach and make recommendations to the ACMA Chairman on how best to handle the situation depending on the details of the breach.