Privacy Policy

Privacy Policy & Notices

Macnamara ICT Ltd

Effective Date: May 01, 2021

To be reviewed: August 2024

Responsible Person: Ciaran Kenny, ciaran@macnamara.co.uk, 020 8132 5803

Macnamara ICT Limited gathers, stores and processes the minimum Personally Identifiable Information required to maintain and develop our business and to deliver our service to our clients. In this policy and set of privacy notices we set out the personally identifiable information we gather, store and process, the legal basis on which we do this, what the information is used for, how it is protected, for how long it is retained, how it is disposed of and how you can exercise your rights in respect of any personally identifiable information we may hold about you.

We maintain a comprehensive set of policies and procedures related to security and data protection. Some or all of these may be made available on request subject to identity verification, reason for request and a signed non-disclosure agreement.

Data Subjects

Macnamara ICT Limited gathers, stores, transmits and processes information about the following categories of individuals (Data Subjects): 

  1. Employees, ex-employees and job applicants.
  2. Individuals employed by, contracted to or otherwise associated with our clients.
  3. Individuals employed by, contracted to or otherwise associated with companies who supply Macnamara ICT Limited and/or our clients with goods or services or with whom we have a business partnership or other business relationship.
  4. Individuals to whom we sell and market our services with a view to establishing a contractual relationship.

For all four categories of data subject Macnamara ICT Limited acts, in respect of the UK GDPR (2018), as the Data Controller, with several service providers, as specified in the relevant Privacy Notices, acting as Data Processors.

Lawful Basis of Processing

We store and process only the minimum information required to fulfil the purpose under the lawful basis for which the information is collected, which includes our: legitimate interest in marketing our services and developing our business, requirement to fulfil our contracts and maintain business relationships with clients, suppliers, partners and suppliers to our clients as well as our contractual obligations to employees and our statutory and/or legal obligations.

Data Protection Impact Assessment(s)

When deciding on which information to gather, implementing new systems, or implementing business changes we determine if a Data Protection Impact Assessment (DPIA) is necessary and, if so, conduct the necessary assessment according to a documented procedure.

Assessments indicate that, apart from employee-related information, the risk posed to the rights of, and privacy and security of data subjects through the loss, corruption or unauthorised exposure of the personally identifiable information (PII) for which Macnamara ICT Limited is a Data Controller is minimal. Notwithstanding the minimal level of risk, we have taken extensive precautions, as outlined in the relevant privacy notices (below), to ensure the confidentiality, integrity and availability of all PII we store and process or which is stored and processed on our behalf.

Macnamara ICT Limited is Data Controller and Data Processor

Macnamara ICT Limited is classed as a Data Controller/Data Processor based on the context of the processes under the current UK Data Protection Act 2018 and UK GDPR 2018 and is registered as such with the Information Commissioner’s Office (Registration Reference: ZA434404).

This policy confirms our commitment to protect the privacy of the personal information of our employees, client staff and other interested parties. We have engaged in a programme of information security management which is aligned to the international standard ISO27001 to ensure that the processing of personal information is conducted using best practice processes.

Macnamara ICT Limited is a Data Controller in respect of the PII we gather, store, transmit and / or process for its own purposes.

While providing IT support services, advice and consultancy to our clients, Macnamara ICT Limited acts as a Data Processor in respect of any PII for which the client is a Data Controller and to which we may be given access by virtue of our contractual relationship. The respective roles of Macnamara ICT Limited and our clients are defined in our contract of service. 

We act in respect of the information that clients store and process only under their instructions and in compliance with the UK GDPR (2018) and this Privacy Policy.

Data Subject Rights

All individuals (data subjects) about whom we store or process information or where this information is stored or processed on our behalf or where we process such information on behalf of another Data Controller, such as one of our clients, have the following rights:

The Right to be Informed

Individuals have the right to be informed about the collection and use of their personal information. We fulfil our obligation in this respect through a privacy notice (see below) made available when the information is collected and/or on request.

The Right of Access

Individuals have the right to access the information we hold or process about them. This information will be supplied on request allowing for the time taken to complete any necessary searches.

The Right to Rectification

Individuals have the right to require that we correct any inaccuracies in the information about them which we process, or which is processed on our behalf by any Data Processor which we use to process information on our behalf. Corrections, subject to any necessary verification, will be made on request.

The Right to Erasure

Individuals have the right to require that we delete their information, and we will do so on request unless doing so conflicts with our contractual, statutory or legal obligations, conflicts with the rights of another individual or is technically impossible or cost prohibitive. In any case we will explain the precise action taken and reasoning in response to a request for erasure.

The Right to Restrict Processing

Individuals have the right to require us and any data processors operating on our behalf not to process their information, allowing us to store but not use their information. Requests to restrict processing will be actioned on receipt unless doing so conflicts with our contractual, statutory or legal obligations, conflicts with the rights of another individual or is technically impossible or cost prohibitive. In any case we will explain the precise action taken and reasoning in response to a request to restrict.

The Right to Data Portability

Individuals have the right to request a copy of their information in a format that allows for the information to be transferred to, or imported into, another system. We will supply information in standard portable formats as appropriate to the content including csv files, MS Word, MS Excel and PST files. Where a particular format is requested, we will supply in that format if technically possible and not cost or time prohibitive.

The Right to Object

Individuals have the right to object to our processing their information in specific ways or by specific processors. Where such requests do not conflict with our contractual, statutory or legal obligations, the rights of another individual and are not technically impossible or time or cost prohibitive we will comply with any objections received. In any case we will explain the precise action taken and reasoning in response to a request for erasure.

Rights in Relation to Automated Decision Making and Profiling

Macnamara ICT Limited does not use any of the personally identifiable information it collects, stores or processes for automated decision making or profiling. 

Exercising Your Rights

Each of these rights can be exercised by contacting our Managing Director, Geoff Courts by phone on 020 8132 5804, by email at geoff@macnamara.co.uk or by post at Macnamara ICT Limited, The Clarence Centre, 6 St George’s Circus, Office DCG03 London SE1 6FE.

Requests will be fulfilled as quickly as possible. We will aim to fulfil all requests within one month of receiving all the information necessary to fulfil the request, including ID and verification if required.

If for technical or other reasons we anticipate the process taking longer than one month, the person making the request will be advised accordingly and kept informed of progress every two weeks until the process has been completed.  

If additional information, clarification of the request and / or verification or ID information is required to fulfil a request, the person making the request will be advised accordingly and the process of fulfilling the request will not begin until any such additional information is supplied. 

We may receive requests that we cannot fulfil in part or in full because the request conflicts with our contractual, statutory or legal obligations, the rights of another individual or is not technically possible or is time or cost prohibitive. 

In such cases the person making the request will be informed accordingly and given the opportunity to challenge and / or discuss the reasoning on which the decision is based.  

Any requests to exercise the above rights should specify which right is being exercised and, if more than one is involved, they will be handled as separate requests.      

We will not normally charge a fee to fulfil a request to exercise any of these rights. The only circumstances in which we reserve the right to charge a fee are where we judge the request to be manifestly unfounded or excessive or where the same information is repeatedly requested by the same individual.

Special Note on Backups

Like all responsible businesses, to ensure that we meet our obligations in terms of the integrity and availability of the information we store and process, we ensure that this information is regularly backed up. 

Where we use another company as a data processor for information that is subject to a request based on any of the above rights, we will endeavour to ensure that any of the information that has been included in a backup of their systems or information stores is also included in the response to the request. This, however, is not always possible, as outlined below in relation to information where we control the backup. We will, in any case, ensure that any and all information held in a third-party backup remains beyond use and cannot be accessed without being subject to fulfilment of the relevant request.

For information where Macnamara ICT Limited is fully in control of the backup system and methodology, a snapshot is made several times a day and stored online in encrypted form where it is kept indefinitely. This allows for information to be restored at multiple points in time over seven years. 

Data Subject Access Requests (DSAR) are fulfilled by running an audited eDiscovery process across all information stores as it is not always possible to know where information about an individual may be found.

In respect of DSARs involving exercise of rights in respect of access to information, rectification of information, erasure of information, restriction of or objection to processing, a problem can arise if data is restored from backup after an eDiscovery search has been run and information relating to the DSAR is restored and added to live information. 

It is not technically possible to extend the eDiscovery process to include encrypted backups in that the searchable backup indexes do not contain sufficient information, e.g., file content, to identify all information that may be required to fulfil a DSAR. 

To resolve this technical obstacle to complete fulfilment of DSARs Macnamara ICT Limited has adopted the following procedure: 

  1. Information in encrypted backups cannot be accessed; the only way backed up content can be accessed is via a procedure to restore it to live data stores.
  2. Only a director can restore information from a backup.
  3. When there is a requirement to restore information from a backup this is logged.
  4. All DSARs are logged, and a copy is maintained of the eDiscovery search used to fulfil the request.
  5. Whenever information is restored from backup, any relevant eDiscovery searches are re-run, targeting the restored information before this information is returned to the live environment and made generally available.
  6. If any information subject to a DSAR is detected by rerunning the eDiscovery search, the original DSAR is then fulfilled in respect of that information.

Based on the above procedure, encrypted backups managed by Macnamara ICT Limited are defined as out of scope for DSARs.  

How Do We Keep Information Safe?

Macnamara ICT Limited is dedicated to the confidentiality, integrity and availability of all information it stores and processes and, in respect of Personally Identifiable Information (PII), is determined, at a minimum, to always meet in full its UK GDPR (2018) obligations and to strive to go beyond this high standard in the protection of PII. 

Certifications

Macnamara ICT Limited is certified Cyber Essentials Plus, IASME Governance Gold and IASME Quality Principles. Copies of our certificates are available on request from ciaran@macnamara.co.uk 

Encryption

Both in terms of the information we control and process and where we use third-party online services, personal information is encrypted at rest with AES-256 and in transit with TLS.

Two Factor Authentication

Access to our own systems and, wherever possible, to third-party services we use is protected by two-factor authentication.

Data Location

Information is stored and processed within the EEA. Where third-party processors are used and the possibility is identified that information may be transferred outside the EEA, we ensure that this is only done in a way that is compliant with UK GDPR (2018) either to a country with a data protection adequacy finding, binding corporate commitments or EU Commission approved standard contractual clauses.

Backups

All information is backed up at least daily.

Access Controls

Macnamara ICT Limited staff are restricted in access to information until they have completed the necessary training and their access has been approved by the Managing Director.

Deletion

When no longer required, information is deleted such that it cannot be recovered.

Equipment

All equipment used to access your information is encrypted, fully managed and is securely and environmentally responsibly disposed of at end of life.

More Information

If you have questions about this policy or would like to know more about how we store, process and protect the information for which we are responsible, please contact our Security Director, Ciaran Kenny by phone on 020 8132 5803, by email at ciaran@macnamara.co.uk or by post at Macnamara ICT Limited, The Clarence Centre, 6 St George’s Circus, Office DCG03 London SE1 6FE.

How to Complain

You can complain or raise a concern about anything related to how we store, process or protect personally identifiable information. To do so, please contact our Security Director, Ciaran Kenny by phone on 020 8132 5803, by email at ciaran@macnamara.co.uk or by post at Macnamara ICT Limited, The Clarence Centre, 6 St George’s Circus, Office DCG03 London SE1 6FE.  

If you remain dissatisfied or believe that we have not complied with our obligations, you can contact the Information Commissioner’s Office (ICO) and ask for assistance. You should do this within three months of your last contact with us. 

You can raise your case with the ICO by following this link:

https://ico.org.uk/makeacomplaint/yourpersonalinformationconcerns/

Privacy Notices

To minimise the risks to data subjects this set of privacy notices, made available online, does not show the full set of PII that is stored and / or processed for each category of data subject or all the Data Processors we use. Data subjects are entitled to this information which is contained in the customised Privacy Notices made available to each category of data subject at the time their PII is gathered.

Privacy Notice 1: Employees, Ex-Employees and Job Applicants

As your employer, ex-employer or company where you have applied to work, Macnamara ICT Limited is a Data Controller in respect of the personally identifiable information we hold about you. 

What Information About You do we Store and Process? 

We gather, store and process only the information required: to verify your eligibility for employment, perform relevant background checks, fulfil our contractual obligations to you, fulfil our legal, statutory or regulatory obligations and maintain your employment records. To minimise risk to your information we have not detailed the precise information we store and process in this online policy. This information is available in the Privacy Notice for Employees and Job Applicants.

On What Lawful Basis do we Store and Process this Information?  

Job Applicants

In the case of job applicants, we store and process your information based on our legitimate interest in hiring employees. We have determined that our interest in this respect is legitimate in that hiring employees is necessary to the maintenance of the company, storing and processing your information is necessary for this purpose in that there is no other way in which we can assess your suitability for employment and our doing so is not in conflict with your interests in that by virtue of your application you have an interest in being employed by Macnamara ICT Limited.

Current and Past Employees

For current and past employees, we store and process your information to fulfil our mutual contractual obligations and to meet statutory, regulatory and/or legal requirements.   

What Risks do you Face?  

We have assessed the PII we hold about you and have determined that unauthorised disclosure of your information would be a significant breach of your privacy and may expose you to risk of identity fraud, embarrassment or other dangers. Corruption, or loss of access to, the information we hold about you presents you with a close to zero risk.

Considering the potentially serious risks involved, we will advise you within 24 hours of our becoming aware of any unauthorised disclosure of your information. We will also report any such breach to the Information Commissioner’s Office.

Can Anyone Else Access Your Information?  

Except for HMRC, the DWP and other government agencies with the right to access employee information, we do not share your information with any third parties unless we are required to do so by law. We contract with several third-party service providers to store and process your information. In all cases we ensure that such service providers do not have direct access to your information and are contractually bound by the provisions of the UK GDPR (2018) in respect of their role as Data Processors of your information.

Amongst the data processors we use to process your information are: 

  • Microsoft SharePoint Online
  • Microsoft Exchange Online
  • Microsoft Teams
  • Microsoft Azure

As with your Personally Identifiable Information, to minimise risk to your information we have not included all data processors we use in this online policy. This information is available in the Privacy Notice for Employees and Job Applicants.

For How Long Do We Keep Your Information?  

We retain employee information for as long as it is necessary to fulfil our legal obligations as your employer. Unless otherwise required for statutory, regulatory or legal reasons we maintain your information for the duration of your employment with the company and for seven years afterwards. 

All information relating to unsuccessful job applicants is deleted at the end of the relevant recruitment process. 

All emails sent from, or received by, Macnamara ICT Limited are retained for five years and then deleted. 

 

Privacy Notice 2: Client Members of Staff 

Macnamara ICT Limited has been contracted by your company or organisation to provide IT support, technical consultancy, planning and implementation, telephony and/or Internet connectivity services. Macnamara ICT Limited is a Data Controller in respect of the personally identifiable information we hold about you.  

What Information About You do we Store and Process? 

We store and process the minimum Personally Identifiable Information about you to provide our service.  

To minimise risk to your information we have not detailed the precise information we store and process in this online policy. This information is available in the Privacy Notice for Client Members of Staff.

On What Lawful Basis do we Store and Process this Information?  

We store and process this information based on the contractual agreement we have with your company or organisation to supply our services and communicate with you and other members of your staff, management and finance departments. 

What Risks Do You Face?  

We have assessed the PII we hold about you and have determined that unauthorised disclosure, corruption or unavailability of your information presents you with a close to zero risk to your rights or interests while loss of access to, or corruption of, your information presents you with no identifiable risk. 

If we determine that your information has been subject to unauthorised access, we will inform you and your employer within 24 hours of our becoming aware of the breach. 

Can Anyone Else Access Your Information?

Your employer is contractually entitled to access the information we hold about you. We do not share your information with any other companies unless it is necessary to provide service to you, for example, to arrange a delivery to you. We contract with several third-party service providers to provide our service to you. Where this involves sharing your information with them, we ensure that such service providers do not have more than the minimum necessary direct access to your information and that they are contractually bound by the provisions of the UK GDPR (2018) in respect of their role as Data Processors of your information.

Amongst the data processors we use to process your information are: 

  • Microsoft SharePoint Online
  • Microsoft Exchange Online
  • Microsoft Teams
  • Microsoft Azure

As with your personally identifiable information, to minimise risk to your information we have not included all data processors we use in this online policy. This information is available in the Privacy Notice for Client Members of Staff.

For How Long Do We Keep Your Information? 

We keep your information only for as long as necessary to provide the service we are contracted to provide to your employer. If you end your employment with your company or organisation or our contract with your employer comes to an end, we will delete all personally identifiable information we hold about you.

All emails sent from or received by Macnamara ICT Limited are retained for five years and then deleted.

 

Privacy Notice 3: Supplier Members of Staff

Individuals employed by, contracted to or otherwise associated with companies who supply Macnamara ICT Limited and/or our clients with goods or services or with whom we have a business partnership.  

Macnamara ICT Limited is an IT support and consultancy company that has a business relationship with the company or organisation for which you work. This relationship may relate to goods or services your company or organisation supplies to Macnamara ICT Limited or to one or more of our clients. We may also have a business relationship with your employer based on other mutual business interests such as a joint venture or Macnamara ICT Limited may be considering buying your goods or services or recommending them to our clients. Macnamara ICT Limited is a Data Controller in respect of the Personally Identifiable Information we hold about you.

What Information About You do we Store and Process?  

We store and process the minimum Personally Identifiable Information about you to maintain our business relationship with your company or organisation.  

To minimise risk to your information we have not detailed the precise information we store and process in this online policy. This information is available in the Privacy Notice for Supplier Members of Staff.

On What Lawful Basis do we Store and Process this Information? 

Where either Macnamara ICT Limited or one or more of its clients has a contractual relationship with your business or organisation we store and process your information on the basis that doing so is necessary either to fulfil our contract with your company or organisation or with our client. 

Where no contractual relationship is involved, we store and process your information based on our legitimate interest in maintaining our business relationship with your company or organisation or our legitimate interest in providing our service to our client. 

We have determined that our interests in these respects are legitimate in that building and maintaining relationships with other companies and organisations is necessary to maintaining and growing our company and providing our service to our clients, without storing and processing your information we cannot pursue this purpose and our doing so is not in conflict with your rights or interests in that you also have an interest in building a relationship with Macnamara ICT Limited and/or providing your service to our mutual clients.

What Risks do you Face?  

We have assessed the PII we hold about you and have determined that unauthorised disclosure, corruption or unavailability of your information presents you with a close to zero risk to your rights or interests while loss of access to, or corruption of, your information presents you with no identifiable risk.

Can Anyone Else Access Your Information?  

We do not share your information with any other companies or organisations unless required to do so by law. We may store your information in third-party provided services. When we do this, we ensure that such service providers do not have more than the minimum necessary direct access to your information and are contractually bound by the provisions of the UK GDPR (2018) in respect of their role as Data Processors of your information. 

Amongst the data processors we use to process your information are: 

  • Microsoft SharePoint Online
  • Microsoft Exchange Online
  • Microsoft Teams
  • Microsoft Azure

As with your Personally Identifiable Information, to minimise risk to your information we have not included all data processors we use in this online policy. This information is available in the Privacy Notice for Client Members of Staff. 

For How Long Do We Keep Your Information? 

We keep your information only for as long as necessary to maintain our business relationship with your company or organisation. If you end your employment with your company or organisation or our relationship with your employer comes to an end, we will delete all Personally Identifiable Information we hold about you. 

Where your Personally Identifiable Information is included in records that we are required to retain for legal, statutory or regulatory reasons, e.g., invoices or other financial records, your information will be retained as part of these records for seven years or as specified by the legal, statutory or regulatory requirement.  

All emails sent from or received by Macnamara ICT Limited are retained for five years and then deleted. 

 

Privacy Notice 4: Marketing Contacts

Individuals to whom we market our services with a view to establishing a contractual relationship. 

Macnamara ICT Limited is an IT support and consultancy company that wishes to market its services to maintain and grow its business. Macnamara ICT Limited is a Data Controller in respect of the Personally Identifiable Information we hold about you. 

What Information About You do we Store and Process?  

We store and process the minimum Personally Identifiable Information about you to keep you informed about our company and to develop a relationship with you with a view to building a business relationship with your company or organisation.  

To minimise risk to your information we have not detailed the precise information we store and process in this online policy. This information is available in the Privacy Notice for Marketing Contacts.

On What Lawful Basis do we Store and Process this Information?  

We only store and process your information based on your explicit, informed consent which may be withdrawn at any time. 

What Risks do you Face?  

We have assessed the PII we hold about you and have determined that unauthorised disclosure, corruption or unavailability of your information presents you with a close to zero risk to your rights and interests while loss of access to, or corruption of, your information presents you with no identifiable risk. 

Can Anyone Else Access Your Information?  

We do not share your information with any other companies or organisations unless required to do so by law. We may store and process your information in third-party provided services. When we do this, we ensure that such service providers do not have more than the minimum necessary direct access to your information and are contractually bound by the provisions of the UK GDPR (2018) in respect of their role as Data Processors of your information. 

Amongst the data processors we use to process your information are: 

  • Microsoft SharePoint Online
  • Microsoft Exchange Online
  • Microsoft Teams
  • Microsoft Azure

As with your Personally Identifiable Information, to minimise risk to your information we have not included all data processors we use in this online policy. This information is available in the Privacy Notice for Marketing Contacts.

For How Long do we Keep Your Information?  

We will keep your information until you ask us to delete it, enter a business relationship with us or we consider you are unlikely to be interested in our services. 

All emails sent from or received by Macnamara ICT Limited are retained for five years and then deleted. 
