This policy is very much a statement of principle which explains why and how data protection is vitally important to Yoke consultancy.
This policy achieves two aims.
First it sets out our commitment to the new standards for protecting personal data set by Regulation (EU) 2016/679 (otherwise known as the General Data Protection Regulation (GDPR)). Second, it shows how we implement that commitment in everything we do at Yoke from the collection, use, and processing of personal data through to its hosting, cloud-storage, and end-uses.
Our 12 Data Commitments:
Yoke is committed to:
The types of personal data that Yoke may be required to handle depends on the services carried out. This can include information about current, past and prospective employees, suppliers, strategic partners, corporate clients, and end-users of Yoke services (who may be individuals). The personal data, which may be held on paper or on a computer or other media, is subject to certain legal safeguards.
Yoke collects this data from information:
Examples of information we may collect includes “identifiers” such as:
Yoke collects and uses personal information to enable it first and foremost to function as an employer and company, responsible for its people, protecting shareholder-value, and delivering its corporate objectives. We also collect and use information for the effective delivery of our portfolio of services. Examples of how we use the information we collect:
Examples of information we may collect (subject to project scope and third party provider) includes:
Yoke does not sell or share personal information to third parties for third party direct marketing purposes.
Yoke will ensure that any personal data we process is optimised and where possible minimised. By this we mean our data sets are accurate, adequate, relevant and not excessive, given the purpose for which they were obtained (rather than used for a whole series of unconnected and different purposes). We will not process personal data obtained for one purpose (recruitment and employment with us) for any unconnected purpose (marketing/sales exercises) unless the person concerned has agreed to this or would otherwise reasonably expect this kind of broader use of their data as part of a wider assessment of our legitimate interests as a business.
In all instances (unless otherwise agreed by the client) individual permission to collect personal data is obtained via either online consent at the start of an assessment or via a consent form at Programme Induction. This consenting process outlines the purpose and scope of the data collected and where relevant the sharing of personal data with Yoke’s third party providers (e.g. Firstbeat and the HSI Lab newsletter platform). The consent form outlines an individual’s ability to retract consent (via email to Yoke) at any stage throughout the process. Yoke will respond to the retraction request within 30 days of receipt.
Where relevant, if a programme is part of a sponsored initiative with a partner (e.g. an insurance provider) the consent form will also state what anonymised output will be shared with this additional party.
Upon receipt of a subject access request, the individual making the request is entitled to receive a copy of the personal data in a structured, commonly used and machine-readable format (this will most likely be sent by email, or provided via USB to disc direct to you). We will endeavour to process without undue delay and within one month, provided the request is not particularly complex and it does not compromise the privacy of other individuals. In line with GDPR expectations, we will not charge for this service except in the most complex of cases.
Yoke retains information collected on its staff, clients, and employees at client organisations for the purpose of contract law, limitation periods, for follow up requests from people, or if necessary for its legitimate business interests, such as fraud prevention, trend-analysis, contract performance reviews, and enhancing the end-user experience at the end of a particular assignment or project.
Individuals may also request that any information we hold is deleted or removed (and we will upon receipt try our best to accommodate such request). There are certain circumstances in which we may have to refuse an erasure request, for example, in order to comply with a legal obligation under contract or legal proceedings, or in connection with a regulatory matter.
Please discuss with us if there are certain personal data sets or personal identifiers that are to be erased as per your preference – we will investigate if this is possible. You can also make choices about Yoke’s collection and use of personal data by informing and engaging with the our Data Champion Rachel (who will endeavour to respond in 30 days from the date of receipt of the request).
Data integrity and cyber security is important to us. To protect personal data we have put in place suitable measures to safeguard our network, our data storage, and through the communication systems we use (voice, email, computing) as part of a responsible approach to the general conduct of our business.
Notwithstanding the security measures that we take, it is important to remember that the transmission of data over any IP connection or for example through a less secure email account will not be completely secure. Anyone doing business with or contacting Yoke is advised to take suitable precautions when transmitting information to us.
The world of risk management, information law, and corporate compliance is rapidly changing. We are pleased to be a business which is cognisant of those changes, and which sees the commercial value and the ethical value in being vigilant where data protection is concerned. Data protection is vitally important to us and to our clients. We therefore will periodically update this policy to reflect changes in the world around us.
For more information on the data collected or further detail on the items below, please get in touch via firstname.lastname@example.org