Data Protection Statement
9 Group Limited and all its associated companies are compliant with the data protection regulations and Data Protection Act, continually monitor and update policies and processes to ensure continued compliance with Data Protection Legislation and Regulations including the General Data Protection Regulations (GDPR) and Data Protection Act 1998/2018. As part of the various services and products we offer our customers, and this includes system maintenance, we may hold or have access to data that can identify individuals in order to be able to provide our customers with the services, products and support that is agreed through our contracts. In all instances, access to such data is controlled and limited to specific individuals.
Scope and purpose or processing
Personal data is held for the purposes of the provision of telecommunication services and related products. The personal data held is obtained in support of contractual arrangements and is necessary under the ‘legitimate interests’ pursued by the controller (9 Group Limited) as defined in article 6.1 of the GDPR. The facility to opt out of marketing communications remains, but excludes operational or pricing communications.
Nature of processing
9 Group limited does not undertake any automated decision making as defined by article 22 of the GDPR. Data will be processed internally by the marketing department for the purposes of objective and permission based marketing.
Duration of processing and retention
9 Group limited will maintain personal data for the duration of contracts during the provision of telecommunication services and products. Thereafter, the data will be held for a ‘reasonable’ period, depending on the nature of the relationship with the customer. The data will be deleted when the retention of that data can no longer be justified under the provisions of the Data Protection Act and is not overruled by competing legislation or regulations. The terms against which data are held vary and are dependent on the business cycle, regulations and legislation.
Requests for information
Persons whose data are held by 9 Group Limited and its associated companies may request their own data. These are called subject access requests. These should be submitted in writing to our postal address or via email to email@example.com . We will need to verify the identity of the requestor and in the unlikely event there is substantial cost to 9 Group in terms of retrieving the data, we may charge a maximum of £10. The regulations require us to respond within 28 days of the request.
Deletion of information
Persons whose data are held by 9 Group Limited and its associated companies may request that their data be permanently deleted as stated in Data Protection Regulations and Data Protection Legislation, and such requests will be complied with as soon as practicable where a customer no longer has a relationship with 9 Group Limited or its associated companies. Where a requestor continues to have a business relationship with 9 Group Limited or its associated companies, we may need to ensure that the requestor’s details are replaced with those of an alternative contact to enable the continued effective management of our relationship with our customers and partners. Any such requests should be submitted in writing to our postal address or via email to firstname.lastname@example.org. We will need to verify the identity of the requestor in all circumstances.
Types of Personal Data
The personal data held will include: Name, Position, Telephone Number(s), email address.
No ‘sensitive data’ (as defined by the Data Protection Act) or ‘special categories of personal data’ (as defined by the GDPR) are held against any current, former or prospective (wholesale only) customers.
Categories of Data Subject
The data subjects whose data may be held by 9 Group Limited is restricted to that of existing, former or prospective (wholesale only) customers and associated contacts. These data fall under the category of ‘personal data’ and do not include any ‘sensitive data’ (as defined by the Data Protection Act) or ‘special categories of personal data’ (as defined by the GDPR).
There is no routine data sharing of person identifiable data. Where exceptions exist, these concern the management of systems where providers require sample data for the purposes of de-bugging systems or processes. In these circumstances we would implement a formal data sharing agreement to ensure the transaction is handled for the purposes of the ‘system fix’ and to obtain a legal platform to ensure that access, security and disposal of the data adheres to our requirements in terms of current and future ISO accreditation and Data Protection legislation.
In terms of transactional data (non person identifiable data), for example direct debit data, there is a robust data sharing agreement and corresponding process for exchanging data with all suppliers. No person identifiable data is exchanged or transferred routinely.
The majority of our data is hosted in secure cloud/data centre environments accessible only through VPN, and or in the case of our CRM, a two factor authentication process, to which we intend to add a fixed IP as an additional protocol. Our data is held within the EU, and where practicable these data will be held in a UK based environment. Some data is held in secure local servers with the relevant backup and security protocols. Access to all systems is managed through robust permission structures based on the requirement of the individual’s role, and these are regularly reviewed.
Out of hours access
There are a number of specific roles within our organisation that require that ‘specified individuals’ have access to data outside of operational hours. For example to manage and react to incidents of exceptional call reporting (fraudulent calls) and to access systems remotely or on site for the purposes of maintenance or in managing system failures or errors. In these circumstances access is either on our premises or is governed by the same security measures outlined in data hosting.
On-site call recording is under the control of each customer; call recording data is not accessible to 9 Group Ltd. Customers should ensure that they are compliant with all relevant regulations and legislation applicable to the customer in terms of consent, security, access, resilience, backups, archiving and deletion.
MiCall hosted call recording is only accessible by the customer, and the platform provides individual customers with full control over the management of call recording data in terms of consent, access, archiving and deletion. Customers are responsible for ensuring that the MiCall platform provides the necessary security, resilience and backup processes to ensure customers remain compliant with all relevant regulations and legislation.
eve hosted call recording is only accessible by the customer, who in turn has the ability to access and download individual call recordings. The customer determines the accessibility of the call recording data and is responsible for ensuring that access is restricted to and managed in accordance with the customer’s own security policies. The customer is able to determine the duration for which the call recording is retained on the server in line with the terms of the customer’s licence. Eve call recordings are stored in a tier 3 data centre on resilient RAID6 servers. Physical access to the data is secure and monitored single person point of entry, physically guarded 24/7 and monitored by integrated digital video surveillance. The data centre conforms to the following certifications: ISO9001:2008; ISO27001:2005; PCI-DSS; BS25999-2:2007; ISO14001. Virtual access to recordings is restricted to company admins and sub access can only be granted by the company call recording administrator. The security of recordings have been, and will continue to be tested by industry leading penetration testers who found no security hole to the call recordings. Unless otherwise agreed in writing with 9 Group Ltd, all call recording data is deleted after 30 days on a rolling basis, or by written request by an authorised and verifiable agent of the customer. Requests for deletion of call recording data sooner than 30 days must be made in writing to 9 Group Ltd (or other retail supplier to the customer), contain sufficient information for the request to be verified and implemented without impacting on the customer’s resilience and operational ability. Where a customer defines longer periods of data retention, these data will be retained and remain accessible to the customer in accordance with the terms of the customer’s licence.
Access to customer’s data for the provision of maintenance and support services
Where 9 Group limited has installed a phone system, we will retain a copy of the installation records and this will include the Programme Requirement Document that contains the user’s information for the system being installed. The data we hold as part of the installation records will not be updated where the data in the customer’s phone system is changed and updated.
As part of an ongoing maintenance contract, 9 Group Limited will provide designated 9 Group staff with remote access to the customer’s telephone system by agreement with the customer. In these instances and for the provision of the maintenance and support functions, 9 Group Limited will access the root system, and this will provide access to information that may identify an individual, including:
- User Name
- User email
- User Direct Dial Number
As a ‘Data Processor’ in the context of the Data Protection Act, these data will only be accessed where necessary and for the purposes of maintenance and service provision. 9 Group Limited is, at the request of the customer able to access, alter and or remove these data, and where required, reset user’s passwords. 9 Group limited is not able to view or access user’s passwords. It remains the responsibility of users to change and update their passwords in line with the customer’s security policies.
ISO and risk management
- 9 Group Limited retains 9001 accreditation and is currently running an implementation programme with BSI to attain 27001 accreditation.
- There have been no significant security incidents in the last 12 months.
- The organisational risk register contains all risks identified to date and these are managed as determined by our internal processes, reporting to the organisational risk management group.