Data Security and Privacy Policy

SAFETY CLOUD DATA 

We are a Citation Group Business and are committed to Data Protection and compliance under the Data Protection Act 2018 (implementation of General Data Protection Regulation (GDPR) 2018). 

For more information please see our Data Protection Statement here.

Under the Data Protection Act and GDPR we are acting as a data processor. Clients inputting data onto Safety Cloud will be acting as the data controller and will need to ensure that they are fulfilling their obligations under current legislation.

YOUR DATA STORAGE + SECURITY

Safety Cloud data is hosted on the Microsoft Azure cloud platform at their UK West data centre.
Azure is a world-leading platform as a service (PaaS) provider and has extremely rigorous security policies using cutting-edge technologies to protect your service and data. They are ISO 27018 / 27001 compliant.
Backup of Safety Cloud data is undertaken on a nightly basis using Azure's built in capabilities.
Azure carry out OS patching, firewall, malware / antivirus provision and DDoS prevention on our servers under their service.
Azure uses the industry-standard Transport Layer Security (TLS) 1.2 or later protocol with 2,048-bit RSA/SHA256 encryption keys.
For more information on Azure's security stance see here:
Safety Cloud 2 is constantly monitored for vulnerabilities by Outpost24. They are a leading cyber assessment company who provide this penetration testing service through both automated and manual processes. For more information please see https://outpost24.com/services/penetration-testing

OUR OTHER RESPONSIBILITIES

SUBJECT ACCESS REQUESTS

Citation will comply with any requests that we receive from clients regarding subject access requests.

INCIDENT NOTIFICATIONS

In line with our regulatory requirements, we have a set of processes for incident management, including data breaches. These processes include the required notifications to be sent to the Information Commissioner's Office and to clients.

DATA DELETION

Client data is deleted in accordance with your contract or on written request.

TRANSFERRAL OF DATA

All Safety Cloud data is held within the UK.

INTERNAL SECURITY

All our staff undergo yearly government-approved Information Security training. We have appropriate security prevention methods in place across our internal IT estate including but not limited to: antivirus software, device patch management and physical access control.

COOKIES

We use cookies to allow the best user experience possible. Here is a list of the cookies in use and their purpose.

MARKETING

We maintain a marketing database that contains the basic details of individuals who have consented to us sending information about new products or services to them, usually via email. Each marketing email that is sent provides you with the ability to unsubscribe from receiving marketing emails at any time. Alternatively, you can opt out by sending a request to hello@citation.co.uk.

We are registered with the Information Commissioner's Office (ICO); our certificate number is Z1466486.

If you have any further questions regarding data security and legal compliance or wish to be sent copies of our security certification then please contact us on hello@citation.co.uk.

PRIVACY STATEMENT

The statement below sets out how we handle your data. You should read it in conjunction with our contract, of which this Privacy Policy forms part.

WHAT DATA DO WE PROCESS / COLLECT?

  • Personal data - name, date of birth, address, telephone number, payroll number, email address, next of kin
  • Employee training records
  • Asset / audit inspection records
  • Accident data - for staff and third parties
  • Health surveillance / occupational health data - medical issues, medical reports
  • Enforcement notices from external agencies
  • Internal meeting records / internal safety alerts

WHY DO WE COLLECT THIS DATA?

This data is collected for the purposes of delivering Health and Safety services to you. This is required for business and operational use, audit and analysis.

WHO OWNS OUR DATA?

The data on Safety Cloud is owned by yourselves.

WHO CAN ACCESS OUR DATA?

The data on Safety Cloud can be accessed by yourselves (permissions dependent) and Citation employees for the purposes of support.

LAW ENFORCEMENT REQUESTS

We will attempt to redirect the third party to obtain the requested data from yourselves. We will promptly notify you of any third-party request, and give you a copy unless we are legally prohibited from doing so. For valid requests that we are not able to redirect to you, we will disclose information only when we are legally compelled to do so, and we always make sure that we provide only the data specified in the legal order.

DATA SHARING

We do not share your Safety Cloud data with any third parties.

HOW LONG IS DATA HELD FOR?

This data is held indefinitely on your behalf until a formal request is made to remove the data. On termination of contract, client data will be deleted after 10 days unless otherwise formally instructed by yourselves.

WHO LOOKS AFTER DATA PROTECTION?

Group Data Protection Office dpo@citation.co.uk

Or 

Data Protection Officer, Melissa Ashdown-Hoff dpo@citation.co.uk

HOW TO MAKE A COMPLAINT

The ICO is the UK’s independent authority set up to uphold information rights. You can contact them here: https://ico.org.uk/Global/contact-us