GDPR Policy

What personal data does RHE collect?

We collect personal data only for the purpose of delivering the services we offer. We do not collect personal data for other unrelated purposes, for example selling access on to third parties for marketing. Our website Terms of Service and Privacy Policy detail what data we collect and why.

What about data submitted by RHE’s users?

Our clients are licensed by us to use our services. Users of our apps may upload data such as GPS location, audio, video, images or text. Some of this data may include details concerning other people. All such data is to be used only to support reporting, analysis, investigation and enforcement action pursuant to the permissions or legal powers that our clients possess. Data submitted by users is securely stored and is controlled by our clients, who can manage the data in accordance with their data protection and retention policies. The roles of data controller and data processor in relation to user data are made clear in the website Terms of Service and Privacy Policy.

What products does RHE supply to its clients?

The products that we supply to clients in this way are:

— Cargo Clear

— The Housing App

— The Noise App

— RIAMS

What services are offered directly by RHE?

Where data is collected directly by us, our data protection and retention policies apply. The services we supply directly to users are:

— Consulting services

— e-Learning

— Training services

What checks are made regarding the relevance and necessity for the collection of personal data?

Our Information Security Policy and practices are reviewed annually, to ensure we maintain good practice and that we collect only the necessary information from our users needed to deliver the services. Annual Cyber Essentials Plus certifications also assist with checking and validating our processes.

Is RHE registered with the Information Commissioner?

Yes.

What is the RHE Data Protection Act Notification Number?

Z1128229

Do RHE contracts contain all the necessary clauses regarding data protection, freedom of information, etc.?

Yes. Before a client can access any of our services, they must sign a licence which includes all relevant provisions concerning GDPR, Freedom of Information (FOI) and privacy. Our contracts are included in the annual IASME certification process.

How is consent for the processing of personal data obtained by RHE?

We collect personal data for the legitimate purpose of delivering the service a user is accessing. Specific consent is captured only if we collect data for a purpose outside the scope of the service we offer. The Terms of Service for each service provider give details of what data we collect, and this information is provided to the user when they register or sign up. The Terms of Service are also accessible from our websites and apps.

How will personal data be kept up to date and accurate?

Each user (public or corporate) can access and maintain their data within an app or by visiting one of our websites. They can also request that their data be amended by contacting the support email provided within each website or app.

Who has access to the personal data?

With our apps, public users can access their personal data and manage it from their in-app account settings. Their service provider (our client) has access to the user’s personal data, although the degree of access depends on their access permissions. The administrator(s) for each client can access and view all of the information submitted to their corporate account; standard users will only have access to data applicable to their normal work. The RHE technical support team can access this data but is only permitted to do so in accordance with our Information Security Policy. The software development and support teams complete annual data protection training.

Is the data used as part of any third-party marketing campaigns?

No. We do not use or sell on personal data submitted by the public user for any marketing. The data submitted by corporate users (e.g. standard users or administrators) is used for marketing our services that are relevant to the sectors we operate within (e.g. software updates, service status, case studies, training events, user groups, newsletters, annual surveys about our products) or similar activities that are relevant to our clients or to help us improve our services. Corporate users can unsubscribe from our marketing emails by clicking ‘unsubscribe’ on a marketing email from RHE Global or by contacting our support team.

Will the processing of personal data cause any unwarranted damage or distress to the individuals concerned?

No. Personal data is supplied by the user and is applied only for the purpose they are aware of, for example, to submit information, a report or evidence. Personal data is not used for any other purpose. The RHE Global Data Protection Officer is responsible for reviewing the extent of the data collected, its relevance and safeguarding. Data protection impact assessments (DPIA) undertaken with our clients have confirmed that no special measures are required.

What is the retention period for the data and how is it controlled?

Where we supply software to our clients, each client is in control of the personal data including the retention period. Our software permits the client to set platform-wide data retention rules to ensure personal data is managed in accordance with their data retention policies. For example, personal data falling outside the retention period will be eligible for deletion. Where we, RHE Global, are the data controller, a user’s data will be deleted when a request is made for the data to be removed. Once deleted, data is immediately removed from the service and securely stored on RHE servers for 30 days before permanent deletion.

Will the data be shared with any third parties?

No. Please note, however, that the platforms listed below are collaboration platforms that facilitate information-sharing within those platforms. These purposes are self-evident and explained in the Terms of Service and Privacy Policy.

— Cargo Clear

— The Housing App

— The Noise App

— RIAMS

In each of these services provided by us, the user is made aware that the information they submit may be shared with third parties, for example, for the purposes of investigating their report or for fulfilling a service request. Only our client can share this information. The user is made aware of this and that our client’s Data Protection Policy will apply.

What measures are in place to mitigate risks and ensure adequate security levels are in place?

Information security is overseen by our Chief Technology Officer and Data Protection Officer, who report directly to the RHE Global company board. Our Information Security Policy is maintained with reference to our IASME certifications for security, compliance and governance. Our Information Security Policy is informed by a risk assessment, which is reviewed annually; in the event we become aware of new or heightened risks, the risk assessment process informs the security measures we have in place to mitigate those risks. Measures implemented include routine data backups, continuous server monitoring, vulnerability scanning, penetration testing, encryption of sensitive data, data and application segregation, user access roles, authentication and server security audits.

How is the information stored and where?

Information is stored across Amazon AWS accounts in London, UK.

What technical and physical security controls are in place?

Application and user data are stored in AWS. Full details on security compliance are available here: https://aws.amazon.com/compliance/.

In addition, industry-standard technical features are in place: logical and physical partitioning, service isolation, roles, permissions, tiered account control, firewalls and encryption.

Does RHE have a security policy and data protection policy in place?

Yes. RHE Global is certified under the IASME Cyber Essentials, Governance and GDPR scheme. Our certification number is: IASME-A-06435

What security auditing is in place to track transactions and any problems that may occur?

Security is audited by our Data Protection Officer and support team to coincide with our annual IASME and Cyber Essentials Plus certification renewal process. Auditing includes an assessment of penetration test requirements across each of our services. Vulnerability scans are conducted continuously across all services. Traffic across our services is continuously monitored with automatic alerts set up for key senior personnel in the event of technical