GENERAL DATA PROTECTION REGULATION, PRIVACY AND CONSENT STATEMENT
We provide this information so that you are informed about the data held within iRota and how we treat it.
Within the statement:
'iRota' means the cloud based service and data storage.
'Data' means the Organisation’s data stored within iRota.
'Organisation' means the Organisation using the Service, or any representative acting on behalf of the organisation. The Organisation is the Data Controller.
'We' and 'us' means the iRota Service Provider - Gillett Limited. We are the Data Processor processing data on behalf of the Organisation.
'Employee/s' and 'End User' means the data subject and/or people authorised by the Organisation to use iRota. The terms are used interchangeably.
End users should read this statement in conjunction with the Organisation’s own policies, to understand our practices regarding the information stored in iRota.
INTRODUCTION
This statement refers specifically to the iRota service and is in addition to our Company Privacy Statement.
We respect data privacy and are committed to protecting the data through our compliance with this statement.
All parties within our team are fully aware of the importance of data protection, privacy and consent, and the changes within the new GDPR (General Data Protection Regulation).
The latest revision of this statement is available to all at any time. This statement may change from time to time. Please check the statement periodically for updates.
PRIVACY INFORMATION
Personal information is collected and stored within iRota.
We do not share this information with any other organisations.
We do not use any data for tracking, profiling, or marketing.
We only process and report, within iRota on the data, to provide the service required by the Organisation.
We never sell data held within iRota.
We are the developers and service provider of iRota - Gillett Limited, Aizlewood’s Mill, Nursery Street, Sheffield S3 8GG, UK.
Our service is cloud based and hosted by Central Technology Ltd, The Bridge Business Park, Beresford Way, Chesterfield, S41 9FG. The data is held securely. Physical and network security at all data-centre locations are fully ISO 27001 certified by BSI. Central Technology Ltd does not directly process the data and solely provide the platform to support the service.
Neither we, nor Central Technology Ltd, have any commercial interest in the data, nor will it be shared with any third parties.
DATA PROTECTION BY DESIGN
The service has several levels of data protection by design.
Neither the user nor the Organisation has direct access to the data. Access is only through the functionality provided by iRota.
Access to iRota is only via accounts configured by the Organisation or by us on behalf of the Organisation.
Access to the service requires a password, initially configured by an internal (or authorised) email account. The password is hashed (not stored as plain text) for further protection.
Browser verification can be implemented on iRota, by the Organisation, to restrict access on new devices until further security is checked.
Two Factor Authentication can be enabled, by the end user, to further protect access.
INFORMATION HELD WITHIN IROTA
We provide iRota for Staff Scheduling and Management within the Organisation.
In the usual course of communicating and conducting our business with the Organisation we will receive and send information including email, text and other electronic messages.
Information the Organisation may choose to store in the service includes:
Name, email address and log in details, Login time and IP address, Role within the organisation, Typical contracted hours, Rota information, shifts worked on a day to day basis, annual leave taken, other leave taken, and any other type of work related to employment, Annual leave / bank holiday allowance, Sickness episodes and reason, Contractual or preferential agreements, Working patterns, Telephone numbers, Address, Training information, Performance review dates, Free text notes, Payroll number, Date of birth, Emergency contact / next of kin details, Passports / Visas / Permits, Licences and Memberships, Education and Qualifications, Personal Skills, Previous employment history and work experience, Spoken languages, Audit Trail.
Additional information may be stored in the future through improvements in functionality.
HOW THE DATA IS COLLECTED
The Organisation may supply the initial data which enables iRota to be configured.
After initial configuration of iRota, all further data collection is by entry and amendments by the Organisation and its’ employees.
We do not access or interact with the data on the service under normal circumstances.
There may be instances where we access the data for any of the following reasons a) the organisation requests it, for example, for implementation and support services or b) to provide improvements/extra functionality to the service, or c) to maintain, bug fix and update the service, or d) where we are required by law.
We have no control over the quality or accuracy of the data we hold, or the information it contains.
The Organisation is solely responsible for the data, its’ accuracy and for correcting inaccuracies.
CONSENT
The legal basis which allows us to hold the data in iRota is that the Organisation has chosen to use iRota.
When data is supplied/entered by the Organisation, it is on the understanding that the organisation a) has authority to provide the data, and b) is consenting to it being stored within iRota.
By using iRota, the organisation provides ongoing consent, and accepts it has a legal basis to the data being stored within iRota.
We do not have control of the data neither do we take any responsibility for the data stored or its accuracy.
The information stored in iRota is viewable by the organisation, dependent on the security settings of the person accessing iRota. The Organisation has total control over who can view this information.
Any queries over consent or privacy should be raised with the Organisation.
In the event of any unresolved issues, we will, if legally required, liaise with the Organisation and the employee.
CHILDREN
iRota is not intended for children under the age of 16 years of age. iRota is designed for employees of working age and is only provided as a service to Organisations, and as such will not be used by children.
As part of the functionality within iRota, there is an option for Emergency contacts / next of kin, that the Organisation could enter data including naming a child as next of kin. This is the responsibility of the Organisation.
DATA BREACH
On notification, or discovery of a data breach, we will investigate and liaise with the Organisation to minimise risk.
Depending upon the level of risk the Organisation may inform individuals directly, and/or notify the Information Commissioner’s Office.
RETENTION OF DATA
Data will be accessible until the Organisation ceases to use iRota.
The data held within iRota will be destroyed as soon as practically possible unless an alternative is agreed between the Organisation and iRota.
Data may be retained for a period in an inaccessible form as part of the backup of the service.
USE OF COOKIES
iRota uses Cookies and similar technologies to deliver the service, identify users and provide security. Please see the iRota Policy for the use of Cookies for more details.
IROTA DATA PROCESSING ADDENDUM (DPA)
This document should be read in conjunction with the iRota Data Processing Addendum (DPA).
