This document outlines how ESCA handles data collected from the Public and the ESCA Members.
ESCA has put in place the following data protection policy:
ESCA processes no sensitive or ‘special category data,’ and so according to the GDPR regulations, no Data Protection Impact Assessment is required. ESCA does however consider and apply appropriate precautions to protect the confidentiality of personal data.
ESCA has no employees.
ESCA contracts CJS Subsea Services to oversee all Director and Secretariat services, Peter Barham Environment Ltd for Liaison Advisor Activities and Port Hill Marine Ltd for Fishing Advisor activities. Yates & Co. Accountants provides ESCA with independent accounting services. No personal data that is not related or required by law to be put into the public domain is sent to Yates & Co.
Creative Republic provides ESCA with IT and Web design services.
Personnel working on ESCA activities in CJS Subsea Services and Creative Republic have all successfully passed GDPR training, with refresher training provided as and when required, but at least every 3 years.
Information about ESCA members is held on the ESCA website via a password-protected access process.
The ESCA Secretariat representative assumes the role of Data Controller and Data Processor, supported by Creative Republic. Should escalations or alternates be required, this should be to the ESCA Chairman in the first instance, and to the Vice-Chairman if the Chairman should not be available.
ESCA has prepared the workflow as attached at Appendix 1 – ‘ESCA Personal Data Workflow and Information’ to describe its key data workflow.
Personal Data should be handled by contractors of ESCA in accordance with GDPR regulations and to at least the same standard in which they hold their own personal information. This is intended to include, where possible, two-step authentication for e-mail systems in which ESCA’s personal data is transmitted, and secure (https) servers whose access is password-protected for the storage of Personal Data.
Members and their associated employees registered on the ESCA website can access most of their personal information themselves via the secure area of the ESCA website and make changes to it at any time. Access requests for any other data are to be sent by e-mail to secretary@escaeu.org and the ESCA Secretariat aims to respond to reasonable and lawful requests within timescales stipulated in GDPR regulations. Information is passed back to enquirers as may be appropriate in a data-portable way either by direct e-mail or by documents produced in standard MS Office applications such as MS Word, Excel, PowerPoint or in Adobe pdf format and attached to such e-mails, as appropriate.
This is managed by the ESCA Secretariat.
Consent is required from the user on all data collection pages of the website. A ‘check box’ must be clicked granting consent before moving to the data collection page. The Privacy Notice and Privacy Policy and Procedure pages are linked at the bottom of each page on the website and on each of the ‘check box’ consent areas.
After logging in, ESCA members can update their own personal information from the member area of the website. Should they wish to withdraw consent for ESCA to hold other information (other than that lawfully required for the ESCA to function, such as company billing information), requests can be sent to secretary@escaeu.org and the ESCA Secretariat shall act on such requests in a timely fashion in accordance with GDPR regulations.
ESCA endeavours to ensure the accuracy of Personal Data held through interaction with Members in the January of each year. However, some identifying information may be held for long periods by ESCA because of the nature of its work to provide a historical source for cable-related information. This remains a historical record for research purposes and is a fundamental part of the service ESCA supplies to its Members.
Although ESCA does not have staff, GDPR training is provided to the contracted ESCA Secretariat representative and ESCA’s IT support contractor, as considered appropriate.
ESCA disposes of electronic personal records through electronic deletion. Lawful disposal of paper records can be made by shredding on request.
ESCA retains the information of active Members, which can be for a long time, as considered appropriate.
ESCA holds mailing list information pertaining to ESCA Member main reps. and alternates and other individuals that may have requested to be included on the list from the same Member company. Mailing lists for website access only, Call for Papers and Plenary Event contacts are also kept. This information is reviewed on a triennial basis.
ESCA holds a repository of archive and research information related to its purpose. As for any library, its intention is to retain that information in perpetuity.
To ensure continued compliance, the ico.gov.uk website will be visited on a regular basis and any required regulatory action taken accordingly.
As ESCA does not process sensitive, ‘special category’ data, the risk of breach is deemed to be very limited; however, this does not relieve ESCA of adhering to its GDPR obligations. Should the risk profile change in the future, ESCA shall consider what changes to its policy are required.
The following potential threats have been identified by ESCA, though such threats remain under review:
After any breach, the ESCA Secretariat, in consultation with the ESCA Chairman, shall consider and document how similar events may be mitigated in future. Should spend be required, this will be raised to the ESCA Executive Committee (EC) for approval.
ESCA shall ensure the following policies and procedures are adhered to:
ESCA shall henceforth seek to minimise the data it collects. It shall not collect Personal Information related to requests for ESCA Guidelines or Documents, as appropriate.
Minimising the data collected for any new Personal Data processes shall be considered by the Data Controller.
The ESCA Secretariat representative shall be the Data Controller and Data Processor.
ESCA is not deemed to require the appointment of a Data Protection Officer, noting the ESCA Secretariat shall address any such issues or respond to any that may be notified, as appropriate.
The following security policies shall wherever possible apply in relation to Personal Data, and compliance shall be checked in the January of each year.
This security policy shall be reviewed triennially, with the first review in 2021.
ESCA is a membership-based organization in the Subsea Cable Industry. An outline of the data ESCA keeps is detailed below:
Membership process: A potential ESCA member organization downloads and completes a Membership Application form from the escaeu.org website and submits it to the ESCA Secretariat via e-mail for EC approval of such application.
The data that is collected from the ESCA membership application form is as follows:
Once the application has been approved by the EC, and fees paid accordingly, the Primary or Alternate contact will be issued with access details for the ESCA website and included on the ESCA Member e-mail distribution list/database. Such contacts can also request other individuals within their company to be added as an ESCA website user and/or be included on the ESCA mailing list, hence such contact information will also be stored in the contact database.
The Member contact/user page on the ESCA website contains:
All Member contacts have a login and password to be able to access the Member side of the ESCA website, which, amongst other things, contains ESCA Guidelines, Policies, Reports and other documents/educational information. Contacts cannot access or view other Contact records. Contacts can access their own information records to change, add or delete the data contained in the record or to change their password. Contacts can request a copy of their contact information at any time.
No financial data is stored on the website.
Data kept on the ESCA website is backed up regularly by Creative Republic, with such back-up stored securely.
Procedures for Breach of data: If a breach of the data is reported or detected, Creative Republic shall immediately contact the ESCA Secretariat and investigate the full details of the breach to determine the magnitude. Since ESCA does not hold any Sensitive “special categories” of data, it would be up to the Secretariat, in consultation with the Chairman, as to whether the relevant authorities should be informed. The ESCA Secretariat would continue to work with Creative Republic on assessing the present or potential future damage of such breach and make recommendations to the Chairman on how best to handle the situation depending on the details of the breach.