FAIR PROCESSING Notice April 2024

---

Below we set out our approach to managing personal information.  We don’t have that much of note, but its worth writing down, so we can be held true to our words!

REINBO Consulting Ltd was created by Ralph T O’Brien to assist companies in managing their information, by helping them to better serve the individuals who they hold information on. 

We believe Data Protection is a fundamental human right, and is not simply about keeping secrets, but about allowing individuals the opportunity to self-determine how their data will be used (where possible) and to be transparent and ethical in all cases with its collection, use, storage, retention and transfer. We aim to do no harm when processing nay personal data.

REINBO Consulting believes that making best use of business data and protecting people when using their personal data are complimentary, not mutually exclusive. 

REINBO Consulting itself is a Limited Company registered in England and Wales as company number 10713147, with its registered address at Lytchett House, 13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, England, BH16 6FA.

It also maintains registration with the Information Commissioners Office (www.ICO.org.uk) Registration number ZA418664. 

If you want any further information about REINBO Consulting, its services, the way it manages information, or just want a good old fashioned chat, please use the Email and phone number on this site.  Happy to help you!

REINBO Consulting actively avoids holding personal data.  (Nasty stuff, always talking behind your back!)  Also, It’s just not our business model.  

We serve businesses not private individuals, and therefore we try not to deal with any personal information unless we absolutely have to.  

We don’t advertise, carry out direct marketing or buy and sell data.  Its all word of mouth, recommendations and face to face contacts.

Actually REINBO Consulting delivers most of its work for other businesses where we are “white labelled” as that brand, and it is that business that sets all the rules in that case.

As an example, where REINBO Consulting works for TrustArc (www.trustarc.com) or BSi (www.bsigroup.com), we use their systems and services and follow their privacy notices and policies.  They use things like google mail and drive, and REINBO Consulting will access their systems and services to deliver and ensure that the data and systems remain separated.  This can mean on dedicated devices, or via software based separation.  

From time to time a direct customer might also ask REINBO Consulting to use its own systems and technology rather than ours for security reasons, but again we will only do that upon client instruction after agreement.

REINBO Consulting’s staff may also use its technology and systems (normally limited dot email) when acting in other professional roles and capacities such as;

• Vice chair/Management Committee of the UK Data Protection Forum,
• Serving on BSi and ISO standards Committee,

When it does so, any personal data processing will be covered by those respective organisation’s privacy notices.

Where we act as a processor, it's the controller that establishes legal basis.  This is most likely.  

In law you are required to state what legal basis you process data upon (boring, but massively important to determine what rights an individual has).  Where we deal with individuals directly; we process under the following legal basis;

• Necessary for Contract or pre-contract when delivering our awesome training services directly to individuals
• Legitimate Interests when someone gives us a business card or makes and enquiry and asks us to get in touch
• Legal Obligation or Contract, when processing staff data, such as reporting to the tax office or registering at ICO or Companies house.

Pre Contract

We do hold business to business contact details.  Sorry.  We can’t help that, we need it to do the job.  In order to contract with us, we encourage you to approach REINBO Consulting via this website, one of its staff, on social media, send us an email or even via a good old fashioned telephone.  People have even been known to slip us a cheeky business card.  

We’ll obviously use this data to;

• send you emails or calls (but never for direct marketing mailings or targeted advertising - Yuck!), 
• help you with your enquiry, 
• use it to negotiate/enter into a contract with you, 

We may also, as part of the service provided,

• add contacts lists of that organisation’s staff who we have talked to, such as attendees at a training session or as interviewees in a report appendix.

As you’ve approached us in each of these cases, we feel that we have a legitimate interest to use those contact details to, um… contact you.  But only in order to facilitate the service you have requested.  If you no longer want us to do that, just let us know and we’ll get rid.

Delivery

We do however, come into contact with some other personal data when delivering services on client site.  We try, wherever possible to look at data onsite and not to take it away or process it ourselves.  Where the customer asks us to, (and after a robust debate as to why they want to), we can agree with them the best way to handle this, such as appropriate security measures during the process, and deleting it as soon as we are done!

Post Contract

However, once you have signed up to a contract, it is our policy to retain all that information in case there are problems later and you want us to explain why and how we did something or made a decision.  We think it is then reasonable to hold this information on the basis of contact, and to retain it for up to 7 years after the contract has concluded, in case of a legal challenge.  We’ll then get rid.

Good question, but NO! REINBO Consulting is really against that icky tracking stuff. Passively collecting your Information without your knowledge is just not ethical or anything we want to be doing.

We do use GoDaddy as our website provider, and they have told us that they won’t put cookies on your machine unless we ask them to (www.allaboutcookies.org).  If they do, it wouldn’t be to chase you around the internet or serve you adverts for little blue pills, but simply to understand how many people are visiting which pages on the website.  

REINBO Consulting would never look at this data that GoDaddy holds anyway - we’re too busy delivering!  

If you want any further information about REINBO Consulting, its services, the way it manages information, or just want a good old fashioned chat, please use the Email and phone number on this site.  Happy to help you!

As little time as we can get away with!  If REINBO Consulting can store as little as possible, for the smallest time possible, it lowers our (and your) risks.

Generally speaking we keep;

• Contracts, Financial records and Contract deliverables for up to 7 years after contract completion
• Project notes up to 7 years after project completion in case of challenge
• Business contacts on email, where we have set up for our emails to be deleted after 4 years
• Where we have ongoing relationships that may outlast these retention periods we may hold on to data to manage that relationship as necessary for the relationship
• Data held on other parties systems according to their own retention rules when conducting work for others

In law you have several rights in regards to your personal data.  However as we only keep business to business contact details and the odd list of interviewees or attendees, we think you’d be a pretty odd to be claiming them.

Never the less, if you really want to just send us an email and we will provide you with your rights to;

• Opt out of further contact- If you’ve fallen out of love with us thats fine.  We’ll cry a bit, eat a tub of ice cream, and hit the delete button.
• Access to a copy of the data - we don’t hold much, but you are welcome to a copy.
• Complaint - We do our best to not ever have this occur, but if you are unhappy let us know and we’ll do our best to help. If we’ve failed you, you can of course go to the UK regulator the Information Commissioner’s Office (www.ico.org.uk) and lodge a complaint there, breaking our hearts in the process.
• Accuracy-if we’ve gotten it wrong (normally mis-spelling a name or job title), let us know and we’ll fix it.  However we won’t do it for historical data that was correct at the time, such as updating point in time reports.
• Restriction- If we do end up in an argument about your data, you can ask us not to use it temporarily whilst we finish our debate…

We believe you probably don’t have the right to;

• Automated decision making rights, as we don’t make decisions about people via computer algorithms (long word!)
• Portability, as we are Business to business so you are unlikely to want us to send your data to another provider
• Erasure, as this only applies when processing data relying on consent (which we don’t use), or if we’ve messed up in collecting data outside of what we’ve stated here.
• Objection - we don’t think we process data for any other reasons where the right of objection applies (such as direct marketing)

None that REINBO Consulting is aware of!  If our provider starts to use Cookies, we’ll change this to let you know.

To be cost effective, work efficiently and to be able to recover in the event of a disaster, we use some other Companies to hold data.  Yes, we could set up our own email server or website, but these companies are better at it than we would be, having much more resources to dedicate to things like security.  In fact, we believe it is better to store information at these companies rather than try and do it ourselves.  We try and use these providers in preference to local storage options.  We do have to rely on them, and have to trust them to do their best.  But we will hold them to account if there is a problem.

These companies are;

• Microsoft -That’s our “cloud based” email provider.  They provide and app and a web portal whereby we can access electronic mail from our devices.  We also use some of their software, such as word, excel and powerpoint.  www.microsoft.com
• Apple - That’s for the hardware (laptops and phones), software (operating systems etc), and cloud storage for documents, such as reports, notes and research. www.apple.com
• Go Daddy - These good people host the website for us, but there is no personal data here.  We don’t do a lot on it, except squat on the domain name, and provide some basic information about services and biographies. www.godaddy.com
• UK Postbox- These people scan in mail, so if you send us a letter, there is a good chance they will be the ones scanning it into a system.  They provide an app and portal which enables us to read it wherever we are, and respond faster to you as a result. www.ukpostbox.com
• LinkedIn and Twitter- Not strictly a REINBO Consulting relationship, but often people in our Principal’s professional network choose social networks to make a business enquiry to us.  It’s likely we will transfer contact details in order to deliver a service into our systems as stated above. www.linkedin.com and www.twitter.com

We don’t hold any fancy customer relationship management platforms, direct marketing tools or anything more advanced that that.  We try and keep it simple, that way there is less to go wrong.

We’d love to say that all the data stays in the Europe where privacy laws are strong.  REINBO Consulting has tried to choose providers that offer options for EU personal data storage only.

However, REINBO Consulting’s customer base is often global, and sometimes travel is required to Asia or North America.  

Where REINBO Consulting believes that country to be a high risk, it will take “clean” devices with no personal data on them to these locations, this minimises the chance of anything horrible happening, and if anyone sinister does get hold of the device it won’t place anything else at risk.  Where the country is considered to be of lower risk, the devices may be taken and data may be accessed through the internet and processed locally, though they remain stored with the EU based cloud technology providers above.  Of course the data we store is minimal B2B contacts only, but even though we consider this makes us an unlikely target for rogue security services, we still want to play it safe.

We can’t.  

Wait, no, please don’t leave yet!  We just know that there’s no such thing as 100% secure.  

There’s always a risk, and we would be pretty silly to guarantee that accidents can’t or won’t happen.  However we can promise to do our best to protect the information entrusted to us.  As stated we tend to rely on our external providers for security, but will ensure when we have off the shelf options they provide, such as encryption, 2 factor authentication etc, we will use what we can to provide reasonable guarantees of safety.

Some common sense security arrangements include;

• Mobile phones - locked with a code, Individual App access set to require log in every time, or 2 factor authentication, Remote wipe solutions, device encryption where available
• Laptop- Full Hard disk encryption, Access controls, customer data separation, minimised local storage
• Communications - E mail is not used to send or store personal data outside of business to business contacts details, and we will provide industry standard encryption for documents where this is unavoidable.
• Cloud Storage- Utilise the chosen providers where possible to ensure data is recoverable in the event of a lost device.  Ensure access controls are the highest the provider allows (such as multi factor authentication for example).
• Staff - Only to have on staff long standing experienced data privacy and security personnel, who are quite frankly paranoid about this kind of thing, and will be under strict duties of confidentiality.
• Physical- As a rule we try not to print out data or to have hard copies filed, as it stops us from being able to work in a mobile manner.  Where we do have hard copy data (such as unstructured meeting notes in day books), these are destroyed and shredded when no longer required.  In most cases this is limited to business cards given to us!

Laws change, technology changes, and the way we operate may occasionally change to. 

We like to think of this document as “live” and may make small changes from time to time, but will keep the older versions so we know what was in place when.

Where we make large or significant changes, we’ll do our best to be proactive in letting you know.

This version is dated April 2024.