“Audiem”, “Company”, “we” “us”, or “our” means Workplace Advantage Ltd. (trading as Audiem), with its registered office at White House Farm, West Rounton, Northallerton, DL6 2LW, with company number 10976073 and VAT number 412702635.
“Audiem Users” refers to employees, contractors and sub-contractors of Audiem.
“Author” means a person that provides textual (Viewpoint) and numerical or categorical (metadata) content data from, or relating to, a Client organisation.
“Client” means the managing organisation commissioning Audiem to either gather data on their behalf and/or generate insights from Author content.
“Client Data” means any data generated by the Client and/or their Authors that is provided to us for processing using our tools, or that we collect using our tools on their behalf.
“Client User” means anyone authorised by the Client (or their nominated parties) to access and administer the Audiem software platform, or otherwise use our Services.
“Controller” and “Processor” have the meaning set forth in the UK Data Protection Act 2018 and the UK General Data Protection Regulation (“UK GDPR”) within, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“IT Systems” refers to computer systems, devices, infrastructure, computing environments and any other relevant equipment managed by Audiem.
“UK GDPR” refers to the retained EU Law version of General Data Protection Regulation ((EU) 2016/679) as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 as amended.
This document sets out the measures to be taken by all employees of Workplace Advantage Ltd. (trading as Audiem) and by Audiem as a whole in order to protect Audiem’s computer systems, devices, infrastructure, computing environment and any and all other relevant equipment (collectively, “IT Systems”) from damage and threats whether internal, external, deliberate, or accidental.
This document is a public facing version of our wider Information Security Policy which contains some confidential security information. The wider policy is only accessible by Audiem employees.
This policy, and any policy mentioned within this document, applies to all members of staff, who complete relevant training as part of their induction, on both the relevant policies and best practice information security.
“Data Protection Officer” – Ian Ellison, Director, Co-Founder
“IT Systems Manager” – James Pinder, Director, Co-Founder
All data stored on IT Systems are to be classified appropriately (including, but not limited to, personal data, sensitive personal data, and confidential information) with reference to:
All data so classified is handled appropriately in accordance with its classification and shall be available only to those Users with a legitimate need for access.
Where possible Audiem aims to create an environment of open knowledge exchange, so endeavours to avoid creating barriers around access to data, but with regards to the above-mentioned classifications the appropriate level of access is created in the context of serving the Client.
As an example, an account manager will have access to all data classifications in order to help deliver workplace insights, but members of the finance team would only have access to Client Data unless specifically required; this is assessed on a case-by-case basis.
Audiem’s policy is to have no corporate information held outside of Audiem’s password protected IT Systems. The following tools are used to protect Audiem’s IT Systems:
All employees of Audiem must, where software/computer/device allows, create access passwords that are:
When a Subject Access Request (SAR) is made there are different actions Audiem must take depending on who receives the request. If a SAR is made to a member of staff, their only action is to let the Data Protection Officer know. It will then be the responsibility of the DPO to ensure that Audiem meets requirements under any legislation, along with Client agreements.
Upon receiving a question or notification of a breach, the IT Systems Manager shall, within 24 hours, assess the issue including, but not limited to, the level of risk associated therewith, and shall take any and all such steps as the IT Systems Manager deems necessary to respond to the issue.
Under UK GDPR, where a data breach is likely to result in a ‘risk for the rights and freedoms of individuals’, the Data Protection Officer will notify Clients and Data Controllers ‘without undue delay’ and ensure that this happens within 72 hours.
When deleting or throwing away data/removable media devices (e.g. laptops, printers) Audiem will follow government guidelines:
Audiem shall review this Policy every 12 months and otherwise as required in order to ensure that it remains up-to-date and fit for purpose.