EFFECTIVE DATE: 25 May 2018
We are all increasingly aware of companies who stress that the safety of your data is of paramount importance. Well for us, as a provider of lone worker services, protecting people can quite literally be a case of life and death. At SoloProtect, protecting people is in everything we do and the trust our customers (your Employers) place in us extends to our privacy practices.
This policy describes the information we collect or is shared with us by your Employer, how it is used, stored and safeguarded, and your choices regarding this information.
If you are an Account Administrator, Information Governance professional, or a member of your Employer’s Legal or Privacy team we encourage you to integrate the contents of this policy into your own policies, procedures and notices as they apply to your use of our services.
• Privacy Statement
• Privacy Notice (applicable to the use of the website, www.soloprotect.com)
• Retention Policy (applicable to the use of our services and SoloProtect Insights)
This policy outlines how we at SoloProtect collect and use personal information to provide our services. This policy applies to all individuals who, through their Employer, interact with us or our services as they are delivered by SoloProtect Limited and SoloProtect B.V, throughout the European Union.
Specifically, this policy applies to:
• Account Representatives and Billing Contacts: these are individuals responsible for the establishment of the contract with SoloProtect and its day-to-day operation, including ensuring that we meet our commitments, facilitating the purchase of SoloProtect Devices, resolving any issues should they arise or our principal contact for the purposes of receiving and paying our invoices.
• Account Administrators and Escalation Contacts: these individuals are responsible for the management of the services at the Employer as well as the key contacts we call should an incident occur with a Device User.
• Device Users: these are the individuals our services are designed to protect and include any individual the Employer (our customer) has issued a SoloProtect Device to. SoloProtect Devices include any of the following: SoloProtect ID, SoloProtect Go, SoloProtect Mobile App or any Identicom-series device.
We refer to all individuals covered by this policy collectively, however, our use of your data and our reasons for doing so will depend on how you interact with us and the services we provide, and it is important for you to read this policy in full to understand exactly how it applies to you.
This policy also applies to those who provide information to SoloProtect in connection with a request to use our services (where we have provided access to the services or SoloProtect Insights) or for those trialling our services.
DATA CONTROLLER AND DATA PROCESSOR
It is important to understand that SoloProtect is not, for the most part, the company contracting with you for your data (known as the Data Controller); this is your Employer. We provide our lone worker services to your Employer and as part of this relationship we act as the Data Processor.
In certain circumstances, we may act as a Data Controller jointly with your Employer – known as a “Data Controller-in-Common” – in particular, in relation to the information we generate about you through our services (such as your location data, incident records or communications data). We take this approach because as a lone worker and private security industry provider we are subject to some very strict rules on what we can, and more importantly cannot, do with your data. This requires us to exercise judgment, particularly over our incident records and communications data, to ensure that any information not linked to genuine incidents are deleted within short time limits. Finally, for some data, we act as the sole Data Controller, where we collect data directly from you but never share this data with your Employer (such as any medical information you choose to provide us with).
As the principal Data Controller, it is your Employer who is primarily responsible for upholding the various rights you have to your data (as set out below) and we would always advise that you raise any concerns you have about your data with your Employer first.
Depending on where in the EU your services are provided, it may be a different member of the SoloProtect group acting as Data Processor of your data:
If you live in the United Kingdom or Republic of Ireland:
Suzy Lamplugh House
1 Vantage Drive
If you live in any other European Member State:
HOW TO CONTACT US ABOUT YOUR RIGHTS AND DATA
SoloProtect’s General Counsel is the company’s Data Protection Officer and oversees data protection compliance for both SoloProtect Limited and SoloProtect B.V.
For any questions or comments about this policy or, more generally, about SoloProtect’s data protection practices you can contact our Data Protection Officer as follows:
By email at: email@example.com
By post at:
FAO DPO, SoloProtect Limited, Suzy Lamplugh House, 1
Vantage Drive, Sheffield, UK, S9 1RG.
We are regulated by the Information Commissioner’s Office under Registration Number Z1252560 and you can also contact them for advice and support.
INFORMATION COLLECTED OR SHARED WITH US
The following information is either collected by us or shared with us by your Employer:
1. Information provided directly to us (Submitted Information)
This is information you or your Employer provide us directly, either to our Customer Services team or through SoloProtect Insights and includes:
• Personal Master (or Key Personal Data): if you are a Device User, Administrator, Escalation Contact or any other person issued with a SoloProtect Insights account you will be required to make a profile. This profile may include your name, job title, company name, email address, contact telephone number, date of birth and gender.
• Medical Data (optional): if you are a Device User we give you the option of providing any information about your health or medical history that you feel might be required should we need to send the emergency services out to assist you. SoloProtect Insights allows you to enter whatever medical information you feel is appropriate, but typically Device Users include their blood type, any known allergies, any known medical conditions and any medication they may be taking.
• Work Pattern Details: this predominantly includes your hours and place of work, as well as any other similar information such as whether you work shift patterns. For the majority of our services, the supply of this information is optional. However, for our MWM - mobile workforce management - services or where you are supplied with the SoloProtect Mobile App, your Employer may require this information from you in order to ensure passive information (such as location data) is only collected during your hours of work.
• Vehicle Details: if you are a Device User who is very mobile as part of your job (such as a housing inspector, an out-patient nurse or a logistics driver) your Employer may require that you enter your Vehicle Details (be it a company or personal vehicle), including your vehicle make, model, colour and registration number. This information is used to better allow any emergency services we dispatch to locate you.
• Other identity details (optional): while our ARC Operators are all highly trained in both monitoring alarms and dispatching the emergency services (when necessary), we like to ensure that those first responders have as much information as possible to be able to identify you. To that end, Device Users are given the option to enter typical identification information about themselves, such as height, weight, physical description and ethnicity.
2. Information created when you interact with our services (Passive Information)
This is information about you that is created as you use a SoloProtect Device, SoloProtect Insights or interact with us in any way and includes:
• Location Data: our Devices utilise GPS technology to determine your current location; if we do not know where you are we cannot let your Employer or the emergency services know in the event you activate your Device. In addition, if you are using SoloProtect Mobile (the “App”) we do this by collecting the location data of your mobile device and when you install the App you will be asked to consent to your mobile device’s geolocation data being used for this purpose. If you permit the App to access location services through the permission system used by your mobile device, we will also be able to collect your precise location when the App is running in the background.
• Audio and Communications Data: communication is how our Devices work, be it in the case of our ARC Operators monitoring an incident, or communication two-way when an incapacitation alarm is triggered. When we communicate with you we keep a record of that conversation. In addition, our ARC Operators also make a written record of every incident that happens over a SoloProtect Device; we call this an ARC or Incident Record. Both these pieces of information can be very useful evidence should your Employer wish to take further action against a person who may have verbally or physically abused you; we are also required to produce these in line with our own regulatory requirements. We differentiate the types of Audio and Communications Data we produce by incident type (i.e., whether the incident was “false”, “genuine” or “genuine with the dispatch of emergency services”).
• Customer History: in order to allow us and your Employer to monitor our performance in delivering our services we keep a record of how we deliver those services. We call this a Customer History and it will often contain a log of all incidents received per Device User per Device (along with the location of the Device User at the time of that incident), usage figures of our Devices (including statistical information on the number of incidents per Device User per Device and severity of those incidents), changes made by your Employer to your account, and a conversation history of all communications made between you and our customer services team relating to your use of our services.
3. Other information
This includes the various other information we need to deliver our services to you and your Employer and includes:
• For SoloProtect Mobile App: Each time you visit the App or use the services we will automatically collect various technical information about your mobile device, including the type of mobile device you use, a unique device identifier (for example, your Device’s IMEI number, MAC address, and the mobile phone number), mobile network information, your mobile operating system, the type of mobile browser you use, and time zone setting.
• Key Contract Data: this includes any information we collect directly from an Account Representative in order to allow us to manage the contractual relationship with your Employer, including your name, job title, email address and contact telephone number.
• Financial Data: this includes any information we collect directly from an Account Administrator or Billing Contact in order to allow us to send invoices, receive payments and facilitate refunds and includes your name, job title, email address and contact telephone number.
• Contact Data: this includes any information we collect directly from an Account Administrator or Escalation Contact in order to provide the services to you, Devices Users and your Employer and includes, your name, job title, email address, contact telephone number. Both Account Administrators and Escalation Contacts may also be provided with a SoloProtect Insight’s account and we, therefore, will also collect Key Personal Data should you choose to provide this.
• Contract Billing, Payments Data and Cardholder Data (corporate cardholder data only): while any data collected here will, for the most part, be corporate data (i.e. data about your Employer and not about you), it may still include your personal information (such as your name, job title, place of work, contact details). We collect this information to send invoices, receive payment and to facilitate refunds. With regards to Cardholder Data, this only extends to cardholder information for a business card issued to you by your Employer; we do not accept nor collect personal cardholder information.
HOW WE USE YOUR INFORMATION
We collect, process, store and disclose personal data for a variety of different reasons all of which are related to our services. We do not sell, share, disclose or use your data for anything else not covered by the below; we use your data to provide our services and only our services.
To understand exactly how we use your data, please refer to the table in the Appendix for the use of each data type by service.
Those services are as follows:
1. Audio-enabled lone worker services: you are receiving these services if your Employer has supplied you with any of the following SoloProtect Devices: SoloProtect ID, SoloProtect Go, SoloProtect Mobile or any Identicom-series device.
2. Mobile workforce management services: you are receiving this if you have been issued with a MWM plugin for your SoloProtect Device or have the MWM App installed on your mobile device.
3. SoloProtect Insights: our customer-engagement portal.
Use Cases for those Services
1. Audio-enabled lone worker services
(i) To discreetly and remotely monitor you in the event you activate your SoloProtect Device and, if necessary, inform either your Employer and the emergency services about that incident.
(ii) To monitor your location whilst you are using a SoloProtect Device and, in the event you activate your Device, pass your location to your Employer and the emergency services so they can locate you.
2. MWM – Mobile Workforce Management
(i) To monitor your location whilst you are using a SoloProtect Device in order to allow us and your Employer to provide useful safety-related information to you about your surroundings (such as risk-based messaging).
(ii) To allow your Employer to monitor your location, including where you’ve been (known as “breadcrumbing”). Your Employer’s policies and processes on how and why they use this information should be communicated to you by them. However, this is typically used to allow your Employer to manage its mobile workforce (such as if you are a logistics or delivery driver).
3. SoloProtect Insights: SoloProtect Insights is our customer-engagement portal and is a very useful resource both for you and your Employer. It provides you with the ability to manage your profile and add/update/delete information as you require. It also allows your Employer to manage the services, such as by adding new Device Users (which could extend to them inputting information about you on your behalf), access reporting information relating to safety-related incidents, and engaging with our customer services team.
4. Other and Special Category Data: certain information we collect or process is particularly sensitive and we use that information as follows:
(i) Medical Data: adding medical data to your profile is entirely optional, but if you do, we ask that you consent to our using of this data to keep you safe and in line with this policy. We ask for that consent through SoloProtect Insights or through our profile onboarding forms (which your Employer may supply to you). We only use your medical data to keep you safe; should you activate your Device and, based on the incident, our ARC Operators decide to send the emergency services to assist you, we would share any necessary medical data with the emergency services.
(ii) Audio (Communications) Data: audio relating to any Device activations is recorded. Audio data is differentiated by incident type - i.e., depending on whether the incident was “false”, “genuine” or “genuine with the dispatch of emergency services”. Should you activate your Device and, based on the incident, our ARC Operators may decide to involve the emergency services (particularly the police), we may choose to share live audio data with the emergency services to assist them in assessing the urgency of any required response. We may also share audio data for genuine incidents with your Employer to allow them to decide if they wish to take further action against a person who may have verbally or physically abused you.
(iii) Cardholder Data (corporate data only): some of our customers choose to pay for our services through card transactions, specifically by providing their cardholder details to our finance team (known as “card not present transactions”). We use this data solely to facilitate those payments and use a secure payment processor (SagePay) to do so and we are compliant with the applicable standards for handling cardholder information (PCI DSS).
LAWFUL BASIS FOR PROCESSING
The General Data Protection Regulation (“GDPR”) requires that companies processing personal data of EU citizens set out the specific lawful basis on which they process that data. For the personal data identified in this policy we rely on the following lawful basis to processing your data:
1. Consent: we obtain this either on behalf of your Employer or directly ourselves for all Medical Data, Location Data as part of our MWM Service and any other data we consider to be sensitive. You can withdraw your consent to the collecting or sharing of this data at any time, but please be aware we will be unable to provide the services to you if you do.
2. Contractual Obligations: we process information in order to be able to provide the services to you and your Employer.
3. Regulatory Obligations: we process and store certain information in accordance with our own industry requirements, this particularly extends to the manner in which we collect and store audio (communications) data and ARC Records and how long we are required to retain this information.
4. Legitimate Interests: we process and store certain information for various other legitimate reasons such as to improve our services, to provide you with customer support, and for security reasons.
5. Vital Interests Exemption: for all instances where we are required to collect, process or disclose (to your Employer or the Emergency services) sensitive information or information pertaining to an incident, we rely on your vital interests to do so.
6. Employer/Employee Relationship: as we are providing services to your Employer, they may also be replying on their employment (or service) contract with you to justify a number of the above processing activities.
COOKIES AND OTHER TECHNOLOGIES
Cookies come in a variety of forms but are essentially small data files used to collect and store information about you. We use them on SoloProtect Insights for a variety of different functions:
• for the smooth and safe operation of SoloProtect Insights;
• to manage your preferences and remember you for future visits;
• to analyse how you use SoloProtect Insights in order to continually make improvements.
The majority of these cookies are linked to your browser session (session cookies) and disappear once you close your browser. Others remain on your device for a longer period (persistent cookies).
INFORMATION SHARING AND DISCLOSE
We share the information we collect or that is provided to us as follows:
1. With your Employer:
• Personal Master Data, Work Pattern, Vehicle Data & Other Identity Data
• Customer History
• ARC Records
• Audio Communications Data – related to genuine incidents only.
• Location Data – relating to any Device activation only.
• Location Data (for MWM users) – all location data during your specified hours of work.
Note: we never share your Medical Data with your Employer without your explicit consent.
2. With the Emergency Services
• Personal Master Data, Vehicle Data & Other Identity Data
• ARC Records
• Audio Communications Data – relating to genuine incidents only.
• Location Data
• Medical Data
Sharing with our Partners
Delivering lone worker solutions is a complicated task and we, in some cases, rely on our trusted Partners to help deliver certain aspects of those services. We share certain data about you with those Partners (who act as Data Processors on our behalf); however, in all instances we ensure that any data we share is entirely necessary for those Partners to provide those services.
HOW WE SAFEGUARD YOUR DATA
Selecting a lone worker provider is a long and complex process for your Employer. The data we collect and process, and the services we provide are sensitive and can be life critical.
To that end, and because we pride ourselves in the services we provide and the manner in which we provide those services, we take the security of your data, and the technical measures available to us to safeguard that data, incredibly seriously.
A summary of just a number of the technical and organisational controls we have in place follows:
1. Measures to protect the Confidentiality of your Data:
• Physical Access Control: our Data Centre is housed in a 24/7 secure site.
• Electronic Access Controls: we use secure passwords, encryption and various other technologies to stop unauthorised people accessing our systems.
• Pseudonymisation: we process a lot of your data in such a method, that the data cannot be associated with you without access to other additional information.
2. Measures to protect the Integrity of your Data:
• Data Transfer Control: we do not let your sensitive data leave our network. If we do, we encrypt it.
• Data Entry Control: we check, double-check and then check once more for good measure that any data you enter into your SoloProtect Insights profile is entered by you or your Employer.
3. Measures to protect the Availability and Resilience of our Systems:
• Availability: it would take an awful lot to shut our systems down.
• Rapid Recovery: we have a secure secondary data centre within our network, where we can get your data back from in the unlikely event it gets lost.
4. Testing and Certification
• Testing: we essentially pay people to hack-us and try break into our building to ensure it can never happen for real.
• Certification: we have lots of certifications covering how secure of systems are, check our website if you don’t believe us.
RETENTION AND DELETION
Once collected and stored, we retain your data for a set period of time, depending on what data it is. This is because, in addition to our contractual obligations to your Employer, we have a range of both legal and industry requirements we must adhere to.
As summary of our various retention periods is as follows:
Please note that as it is your Employer who acts as the Data Controller for the majority of this data, they may ask that we increase the above retention periods in certain finite circumstances. Where this is the case, we require them to inform you of this.
At any time, you may request, through your Employer, the deletion of certain information we retain about you. Following such a request, we will delete any information that we are not required to retain and will endeavour to explain the reasons why we cannot always comply with such a request.
At the end of the retention periods, we use secure processes to ensure your data is deleted.
For further information about our retention periods and practices, please see our Retention Policy.
YOUR DATA, YOUR RIGHTS
The title of this section says it all and as a citizen of an EU country you have a wide range of rights with regards to your data, which have, as of the 25 May 2018, been enhanced by the General Data Protection Regulation (“GDPR”).
You can enforce your rights directly via your Employer who, in conjunction with the services we provide them, will solicit the answers from us.
1. Right to Correction: if you believe any of the information on your profile to be inaccurate you have a right to request that we correct this. This right also extends to various other information we collect about you which you can request a copy of (see Right to Copies below).
2. Right to Copies of your data: you have a right to request a copy of the information that we hold about you along with an explanation from us as to why we process that information. We will provide this information to you free of charge for a first request, but will charge for reasonable administrative costs for further requests.
3. Right to erasure: you have a right to request the deletion of your data at any time. If you submit such a request to us we will consider carefully and reply with an explanation as to why we are required to retain certain information either by law or for our own legitimate reasons. Where, after review, we identify any data we do not need to retain for these purposes, we will delete that data as per your request.
4. Right to object or complain: you have a right to complain about how we are processing your data to our principal Data Protection Authority, the Information Commissioner’s Office here or in writing at the following address:
Information Commissioner's Office
Should you have any concerns about how we are processing your data, we invite that you submit those questions to our Data Protection Officer first at firstname.lastname@example.org.
UPDATES TO OUR POLICY
As we further enhance our product range and improve our services, we will be making changes to this policy and the other policies of our Privacy series. If we make any major changes, or any changes which directly affect the services provided to you or the data collected or processed by us, we will notify you of those changes. However, we encourage you to periodically review this policy for the most up to date version.
Appendix - Overview of Processing
*For all Device User Data where the Employer acts as the Data Controller, that Employer may also rely on the employee-employer relationship exemption.