Privacy Policy

Overview and purpose

Issured offers a range of products and services that specialise in independent programme assurance, business design and information system development, spanning the full development lifecycle. We provide Programme Design and Management, Business Architecture and Analysis, Information System Design, Business Change, Training Development, Information Assurance, Security Risk Management and the provision of SaaS based products.

This Privacy Policy Notice sets out the basis by which any personal data collected from or provided to Issured Limited (hereinafter referred to as “Issured”, “Issured Ltd”, “we”, “us”, “our”) by you, the data subject, will be processed. We are committed to protecting and respecting the privacy of our associates, employees, clients and any users of our services. Please read this Privacy Policy carefully so that you understand our views and practices regarding your personal data and how we will treat it.

The Privacy Policy Notice explains our principles associated with collection, processing, and storage of your information. This policy specifically explains how we hold your information and for what purposes we hold this information.

This notice applies to the interactions Issured has with you and the Issured products and services described below that display this statement.

Please read the “Products provided by an organisation – notice to end user” section and “Your rights as a data subject” section which provide additional relevant information.

Who we are

This Privacy Notice applies to all products, applications and services offered by Issured Limited a company registered in England and Wales (Registration number 08860437) whose registered address is First Floor Unit 18 Bradbourne Drive, Tilbrook, Milton Keynes, England, MK7 8BE.

This privacy notice excludes any products, applications or services that have separate privacy notices which do not incorporate this Privacy Policy Notice.

We are registered with the Information Commissioners Office (ICO) as a data controller in the United Kingdom for the purposes of any UK Data Protection legislation resulting from EU General Data Protection Regulations (GDPR) (ICO registration number ZA220733). The Issured Data Protection Officers (DPO) contact details can be found at the end of this document. For clarity and where mentioned in this document, the Data Protection Act (DPA) 2018, is the UK’s implementation of the General Data Protection Regulations (GDPR).

What personal information do we collect and why do we do it

Unless otherwise stated, the information we process is in relation to our employees, associates, clients and our clients’ customers only (for client customer data please see – Products provided by your organisation – notice to end users section). See ‘Retention Period’ section for our Review, Retention and Disposal (RRD) details. The information shown in table 1 is captured when it is provided directly to us by the data subject.

Table 1 – Information captured from the data subject

Data Subject	Type of Information
Issured Employee	Full name, address, home and/or mobile numbers, e-mail address, date of birth, nationality, passport, driving Licence, emergency contact details or next of kin details. Information captured from your CV includes – experience, qualifications, employment history (including job titles), membership of professional bodies, security clearance levels. Special category data – see Special Category Data section.
Associate	Full name, address, contact number, email address, date of birth. Information captured from your CV includes – experience, qualifications, employment history (including job titles), membership of professional bodies, security clearance levels. Special category data – Financial information.
Client / Customer	Full name, email address, job title, date of birth, telephone contact details (note: details provided vary if relevant for training courses or for providing logon credentials for access to Issured applications). See “Products provided by your organisation – notice to end user section” for further details in regard to our products and data capture. Special category data – See Special Category Data section. Location information whilst using an Issured application (for example Mea: Fuse).
“Leave us a message” “Get in touch” Customer	Full name, email address, phone number, message.
“Enquiry – Let us know how we can help” Customer	Full name, email address, subject, message, work phone number, organisation name.
Members of the public	See “Products provided by your organisation – notice to end user section”.
“Join Us”	First name, surname, email address, area of interest, available date, and LinkedIn profile. If an individual is successful in their application, then the information provided as an ‘Issured Employee’ will apply going forward.
Issured Marketing Brochure Request	Full name, organisation and email address.

Special Category Data

We process a small amount of special category information with regards to our employees and associates that are contracted to Issured Limited. This is limited to the following:

Financial information – This is used to set up the payment for employees and associates. Third party payment processors, who fully comply with PCI requirements, are used for online payments and therefore online payment data is not captured, stored or used by us.
Contract and commercial data – This is held to set up and manage the contracts.

Application usage and data

Although we do not capture or hold any additional special category information, due to the nature of our applications (see “Products provided by your organisation – notice to end user” section), there may be instances where such data is requested as part of a ‘client’ process or requirement, for example, interview process.
In this case the information will be captured as part of the contract between us and the client using the application and between the client and the end user. Issured is committed to protect all information processed through the use of our applications, with all personal data compartmented and secured accordingly.

Cookies and Analytical data

Issured uses cookies. Further information regarding the nature and purpose of cookies employed by us is contained in our Cookies Policy. This is available as a separate document or can be found under Cookies Policy on our website.

The purpose for holding information

We hold, process, use and disclose your information as follows:

To assess the suitability for associate vacancies that maybe suitable for our associates’ job specification.
To maintain our accounts and records to support and manage our employees, associates and shareholders.
To maintain account and access control for client or customer application access.
To carry out obligations arising from any contracts entered into between you as the associate and us.
To carry out obligations arising from any contracts entered into between you as the customer or client and us.
In order to comply with any applicable law and regulatory requirements.
Where data is contractually required for processing, Issured Limited may process data without consent in order to fulfil contractual obligations, for example, bank details to process salary.
In order to register with our accredited professional institutions, for example, Chartered Management Institute.
To improve and customise our application service, conduct data analysis and identify usage trends.
As required by third party service providers for the hosting and maintenance of our websites, application development, backup, storage, payment processing, analytics and other services to support us.
To send transactional messages, including responses to comments, questions and requests, provide customer service and support, send promotional communications and other news or information about us and our partners.

Our legal basis for processing for the personal data

We shall ensure that processing remains lawful to the extent that it is limited to the following:

The data subject has given consent to process their data for specific purposes detailed above.
The processing is necessary for the performance of a contract or training course to which the data subject is party, or, in order to take steps at the request of the data subject prior to entering into a contract.
Processing is necessary for compliance with legal obligations to which the controller is subject. This could include for the purpose of detecting crime, fraud and in order to comply with any other applicable law.

Products provided by an organisation – notice to end users

As part of any contract between you and an approved Issured organisation and its client, the organisation providing the access to an Issured product, the end user is subject to that organisation’s policies and will be part of any contract you may have in place between you and that organisation.

At your point of login to the application you will operating under the provided organisation’s privacy policy. This will be displayed to each user prior to using the application or service. Any privacy inquiries, including any requests to exercise your data protection rights, will need to be made to the organisation’s administrator and/or Data Protection Officer.

Issured is not responsible for the privacy or security practices of our customers, which may differ from those set forth in this privacy statement.
When you use an Issured product provided through an approved organisation, Issured’s processing of your personal data in connection with that product is governed by a contract between Issured and the approved organisation. Issured takes the protection of such data very seriously and the security of any data stored or processed is detailed in the “Data Security” section.

Issured processes your personal data to provide the product to the approved organisation and you, and for Issured’s legitimate business operations related to providing the product and service.

If you have questions about Issured’s processing of your personal data in connection with the provided product to an approved organisation, please contact the organisation. If you have questions about Issured’s legitimate business operations in connection with the provided product to an organisation, then please contact Issured as described in the “Complaints or Concerns” section.

Consent

Where our processing is based on consent, our data controller shall be able to demonstrate that the data subject has consented to the processing of their personal and special category data.

Consent is required for us to process both personal and special category data, but it must be explicitly given. Where, and if, we are asking you for special category data, we will always tell you why and how the information will be used and stored.

By consenting to this Privacy Policy, you are giving us permission to process your personal data specifically for the purposes identified in the “What personal information do we collect and why” section.

You may withdraw consent at any time by contacting our Data Protection Officer (Email: Compliance@issured.com) and stating:

“I, [data subject name], withdraw my consent for you to process my personal data from Issured Limited. Issured Limited no longer has my consent to process my personal data for the purpose of [specify legitimate reason of processing personal data], which was previously granted”.
Once received we shall adhere to the data protection requirements and cease processing your information in line with Article 6, 1 a-f of the lawfulness of processing principle.

Where there is a contractual obligation to process personal information all data processing is carried out in accordance with the handling requirements detailed within each specific contract, with deletion and return of personal data captured as part of the contract.

Where you have provided your details to allow us to contact you regarding services we believe will be of interest to you, this marketing communication will contain instructions to “opt-out” or “unsubscribe” from receiving future marketing communications. If at any time you, do not wish to receive any future marketing communications or you wish to have your name deleted from our mailing lists, contact us as indicated above.

Where there is a contractual obligation to process personal information, consent for use of this information will be in line with the contract specification. All personal information will be deleted or returned as per the requirements captured within each contract at the end of the contract period.

Disclosure

Issured Limited WILL NOT pass on your personal data to any third parties without first obtaining your consent.

With respect to the registration to an approved training course we will request on the application form that your data can be passed on for use in registering you on the approved training course.

COVID and Homeworking – where there is a requirement to send items directly to an employee’s address from a third-party supplier, we will request on the application that this information only be used for a single delivery and removed from their system on completion of the order. Any further or ongoing correspondence will take place between the supplier and Issured.

Retention Period

We implement a Retention, Review and Disposal (RRD) process for all of our information, not just personal data. Our Information Asset Owners (IAO) are consulted with regards to setting suitable retention periods for information assets.
For the purpose of processing personal data, the following applies:

Our staff/employees and associates’ data will be retained during the term of their employment and for 7 years thereafter.
Our associates’, not contracted through us, CVs shall be removed after a 12-month period, with each associate given the option to update their CV or remove their personal information altogether.
For training courses, our customer data shall be retained for the period of account being present on the platform. If a customer requests that their account be suspended, their account and their information will be held for a further 90 days giving the customer the option to retrieve any related course information or certificates. However, if a customer removed/deletes the account themselves all information will be removed immediately and will not be recoverable.
For information provided as part of the “leave us a message/enquiry – let us know how we can help you” contact/customer information, the request of name, email, phone and message are only retained to allow a response to the data subject. This information is only retained for a maximum of 30 days and then removed from the Issured system.
For information provided as part of the “Join Us / Come Work With Us” information, the requested first name, surname, email address and LinkedIn profile are retained to allow a response to the data subject. The outcome of the request will determine the length of time the information is held. If an individual is taken on as an employee, their information will be retained for 7 years. If interviewed, but not successful, information will be retained for 12 months then removed and if information is simply for information purposes, details will be held for 30 days and then removed from the Issured system”.
For information provided as part of the “Issured Brochure” information, the requested name, organisation and email address will be held on our Issured database until instructed to be removed via the ‘opt-out’ or ‘unsubscribe’ process detailed in our “Consent” section.

If there is a business requirement to retain the “leave a message/enquiry – let us know how we can help you” information, such as, for services that are requested and/or a contract has been agreed, the information will be retained as part of that contract/customer account retention period.

At the end of the agreed retention period your information will be securely and confidentially destroyed.

Where there is a contractual obligation to process personal information, the retention period of this information will be in line with the contract specification. All personal information will be deleted or returned as agreed within each contract.

Data Security

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used, accessed in an unauthorised way, altered or disclosed.

We limit access to your personal information to those employees who have a business need to know. They will only process your information on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal information breaches and will notify you and any applicable regulator where we are legally required to do so.

Use of Artificial Intelligence tools

Our services may utilise artificial intelligence (AI) tools to enhance user experience and improve service efficiency. We ensure that all AI-driven processes comply with applicable data protection laws and regulations. User data processed by AI is handled with the utmost care and confidentiality, and we implement robust security measures to protect this data from unauthorised access or misuse. Where these tools are used, data will not be used for AI training purposes.

Issured uses specific AI translation tools to support its applications, which are used for the following purposes:

Intelligence Speech Services – This includes the use of a speech to text function to convert audio to text and a translation service which provides accurate and efficient translation of content in various languages.

Data handling and privacy for AI tools

Issured is committed to protecting your privacy and ensuring the security of your personal data. Therefore, the use of AI in our services adheres to the following principles:

Transparent – We will be transparent about how AI is used in our services and the data it processes.
Security – Issured implements robust security measures to protect your data from unauthorised access and misuse.
Compliance – Our use of AI complies with applicable data protection laws and regulations.

Your rights as a data subject

Under DPA2018, at any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:

Right of access – you have the right to request a copy of the information that we hold about you.
Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
Right to restriction of processing – where certain conditions apply you have a right to restrict the processing.
Right of portability – you have the right to have the data we hold about you transferred to another organisation.
Right to object – you have the right to object to certain types of processing such as direct marketing.
Right to object to automated processing, including profiling – you also have the right to be subject to the legal effects of automated processing or profiling.
Right to judicial review – in the event that Issured Limited refuses your request under rights of access, we will provide you with a reason as to why. You have the right to complain as outlined in the “Complaints or Concerns” section.

Data Subject Rights (United States Customers)

Where there is a contractual obligation to process personal information outside of the UK, in particular the United States (U.S), the information will be controlled in line with the contract specification.

There is no single principal data protection legislation in the United States (U.S.), rather, a mixture of hundreds of laws enacted on both federal and state levels serving to protect the personal data of U.S. residents. At the federal level, the Federal Trade Commission Act (FTC Act) (15 U.S. Code § 41 et seq.) broadly empowers the U.S. Federal Trade Commission (FTC) to bring enforcement actions to protect consumers against unfair or deceptive practices and to enforce federal privacy and data protection regulations. The FTC has taken the position that “deceptive practices” include a company’s failure to comply with its published privacy promises and its failure to provide adequate security of personal information, in addition to its use of deceptive advertising or marketing methods.

However, although there is no single legislation the key principles applied broadly align to DPA2018 which all equally apply to the processing of personal information in the United States. Table 2 summarises the key principles for information purposes.

It should be noted that contracts pertaining to US deployment of Issured applications will be via an approved US organisation and the data protection policy will be part of the direct contract between the approved organisation and the client.

Table 2 – Summary of the key principles

Principle	Description
Lawfulness, fairness & transparent (US – Lawful, Transparent and Proportionate)	Any processing of personal data should be lawful and fair. It should be transparent to individuals that personal data concerning them is collected, used, consulted, or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of personal data be easily accessible and easy to understand, and that clear and plain language be used. Note: While there is no “lawful basis for processing” requirement under U.S. law, the FTC recommends that businesses provide notice to consumers of their data collection.
Purpose Limitation (UK & US)	Personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. However, further processing for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes (in accordance with Article 89(1) GDPR) is not considered to be incompatible with the initial purposes. Note: The FTC recommends privacy-by-design practices that include limiting “data collection to that which is consistent with the context of a particular transaction or the consumer’s relationship with the business, or as required or specifically authorized by law”.
Data Minimisation (UK & US)	Processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum (see also the principle of ‘Storage Limitation’ below).
Retention (US) Storage Limitations (UK)	Personal data should only be kept in a form which permits identification of data subjects for as long as is necessary for the purposes for which the personal data are processed. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Note: The FTC recommends privacy-by-design practices that implement “reasonable restrictions on the retention of data”, including disposal “once the data has outlived the legitimate purpose for which it was collected”. Additionally, state laws may specify specific retention parameters.
Accuracy (UK)	Controllers must ensure that personal data are accurate and, where necessary, kept up to date; taking every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. In particular, controllers should accurately record information they collect or receive and the source of that information.
Accountability (UK)	Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including protection against unauthorised or unlawful access to or use of personal data and the equipment used for the processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Confidentiality & Integrity (Security) (UK)	Finally, the controller is responsible for, and must be able to demonstrate, their compliance with all of the above-named Principles of Data Protection. Controllers must take responsibility for their processing of personal data and how they comply with the GDPR, and be able to demonstrate (through appropriate records and measures) their compliance, in particular to the DPC.

Principle

Description

Lawfulness, fairness & transparent

(US – Lawful, Transparent and Proportionate)

Any processing of personal data should be lawful and fair. It should be transparent to individuals that personal data concerning them is collected, used, consulted, or otherwise processed and to what extent the personal data are or will be processed.

The principle of transparency requires that any information and communication relating to the processing of personal data be easily accessible and easy to understand, and that clear and plain language be used.

Note: While there is no “lawful basis for processing” requirement under U.S. law, the FTC recommends that businesses provide notice to consumers of their data collection.

Purpose Limitation

(UK & US)

Personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. However, further processing for archiving purposes in the public interest, scientific, or historical research purposes or statistical purposes (in accordance with Article 89(1) GDPR) is not considered to be incompatible with the initial purposes.

Note: The FTC recommends privacy-by-design practices that include limiting “data collection to that which is consistent with the context of a particular transaction or the consumer’s relationship with the business, or as required or specifically authorized by law”.

Data Minimisation

(UK & US)

Processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum (see also the principle of ‘Storage Limitation’ below).

Retention (US)

Storage Limitations (UK)

Personal data should only be kept in a form which permits identification of data subjects for as long as is necessary for the purposes for which the personal data are processed. In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review.

Note: The FTC recommends privacy-by-design practices that implement “reasonable restrictions on the retention of data”, including disposal “once the data has outlived the legitimate purpose for which it was collected”. Additionally, state laws may specify specific retention parameters.

Accuracy

(UK)

Controllers must ensure that personal data are accurate and, where necessary, kept up to date; taking every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. In particular, controllers should accurately record information they collect or receive and the source of that information.

Accountability

(UK)

Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including protection against unauthorised or unlawful access to or use of personal data and the equipment used for the processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Confidentiality & Integrity (Security)

(UK)

Finally, the controller is responsible for, and must be able to demonstrate, their compliance with all of the above-named Principles of Data Protection. Controllers must take responsibility for their processing of personal data and how they comply with the GDPR, and be able to demonstrate (through appropriate records and measures) their compliance, in particular to the DPC.

As individuals’ rights may differ from state to state, the following Table 3 content should be reviewed to support your subject rights, in addition to the information provided in this Privacy Policy under DPA2018. Where applicable the individual should refer to their state’s privacy rights.

Table 3 – State Reference Information

State Privacy Right	Notice Link
California	California Privacy Rights Act
Colorado	Colorado Privacy Act
Connecticut	Connecticut Personal Data Privacy and Online Monitoring Act
Delaware	Delaware Personal Data Privacy Act
Indiana	Indiana Consumer Data Protection Act
Iowa	Iowa Consumer Data Protection Act
Montana	Montana Consumer Data Privacy Act
New Jersey	Session Bill (SB) 332
Oregon	Oregon Consumer Privacy Act
Tennessee	Tennessee Information Protection Act
Texas	Texas Data Privacy and Security Act
Utah	Utah Consumer Privacy Act
Virginia	Virginia Consumer Data Protection Act

Responsibilities

The Data Protection Officer (DPO) is responsible for ensuring that this Privacy Policy is made available to all data subjects prior to us processing their personal data.

All of our employees and associates who interact with data subjects are responsible for ensuring that this notice is drawn to the data subject’s attention and that their consent to the processing of their data is secured.

Complaints or concerns

If you wish to exercise your rights or raise a complaint or have any concerns with the way that we have handled your personal data, you can contact us using the following contact details:

Issured Data Protection Officer

First Floor Office Suite, Unit 18, Bradbourne Drive, Milton Keynes, MK7 8BE

Email: Compliance@issured.com

If you are not satisfied with our response or any of our data protection activities, you can make a complaint to the Information Commissioners Office at the following address:

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF