1. Purpose and Scope
FORS recognises and supports the need for reasonable protections regarding the privacy and data protection of Personally Identifiable Information (PII), as defined below. For this reason, FORS is adopting a consistent ‘Data Protection’ process for storing and handling individuals’ data based on globally accepted privacy principles and data protection legislation.
This procedure governs all aspects of how FORS provides privacy disclosures and choices to individuals and the treatment of PII once FORS is in possession of it; including the collection, use, sharing, and storing of the information.
PII will be:
a. Processed lawfully, fairly and in a transparent manner in relation to the individual (‘lawfulness, fairness and transparency’);
b. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes, without prior written consent;
c. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
d. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that PII that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay (‘accuracy’);
e. Kept in a form which permits identification of individuals for no longer than is necessary for the purposes for which the data are processed; and
f. Processed in a manner to ensure appropriate security of the PII, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).
It is FORS policy to establish procedures, controls and oversight necessary to safeguard PII in accordance with applicable laws and regulations, as well as the FORS Privacy Statement.
This procedure formalises FORS commitment to safeguarding privacy, including but not limited to, displaying comprehensive disclosures relating to how FORS collects, uses, stores and shares PII, and incorporating “privacy by design” principles into its processes that involve PII.
All FORS functional leaders and support staff whose responsibilities include accessing, collecting, processing or storing PII are expected to assist in the protection of that data by adherence to this procedure.
2.1 Access to PII
FORS documents procedures to comply with the FORS Privacy Statement together with the FORS Terms and Conditions for requesting, modifying or terminating access to PII.
2.2 Data Use Guidelines
The following are general Do’s and Don’ts for safe use of FORS data, classified as Personally Identifiable Information (PII):
- NEVER: Transmit PII data in the body of an email or an unprotected attachment.
- NEVER: Log in to public computers (i.e., library or internet café) and use AECOM credentials to access resources or data.
- ALWAYS: Use VPN when you are connected to public Wi-Fi.
- ALWAYS: Get your laptop encrypted if you regularly handle PII.
- ALWAYS: Ask if you have questions about data handling. Send questions to email@example.com.
2.3 Data Storage and Sharing
We understand our obligation to keep information collected for, and received from FORS secure and remain able to disclose all relevant information to a subject about whom we hold data at any time, as required. AECOM holds UK Cyber Essentials PLUS accreditation. Where appropriate our policies and procedures are aligned and based upon the ISO 27001 Standard.
All data is transmitted securely over HTTPs or via password protected messages. We limit the transmission of licence number and date of birth to only those FORS partners that require it for legitimate FORS processes. Our courses are valid for five years so we maintain data for at least that length of time.
Details of who we share data with can be found in the FORS Privacy Statement.
The FORS EU-GDPR – Procedure for Responding to Personal Data Requests sets out the mechanism by which individuals can notify FORS to update or amend their information on a timely basis.
In the event the individual requests his or her PII to be updated or amended, FORS will respond in writing within 30 days of receipt of request, as per the FORS Procedure for Responding to Data Requests.
2.6 FORS Privacy Statement and Consent
2.6.1 Privacy Statement Requirements
FORS will maintain a privacy statement on its website. The FORS Privacy Statement will cover the following areas:
- Collection of Personal Data
- Purposes of Processing Personal Data
- Legal Basis for Processing of Personal Data
- Disclosure of Personal Data
- Duration of Retention of Personal Data
- Data Access
- Data Security
- Web Browser Cookies
- Changes to this Privacy Statement
- Complaints, Questions and Comments
- Useful links
The FORS Privacy Statement shall be in clear, plain language and contain the following:
a. FORS contact details;
b. The purposes for which PII will be processed;
c. How long the PII will be stored, or the criteria under which it is stored;
d. A description of how (if at all) PII will be disclosed to third parties;
e. Information about the individual’s rights relating to their PII, including the right of access to their PII, right to withdraw consent, right to amend their PII, right to have PII erased, right to restrict processing of their PII, and the right to lodge a complaint with the supervisory authority;
f. Details of any automated processing being performed on the PII supplied;
g. Whether the PII must be supplied to fulfil or enter into a contract, as well as whether there are any possible consequences of failing to provide personal data;
h. Any other information required to demonstrate that processing is fair and transparent.
2.6.2 Consent Requirements
Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. Generally, once the PII is collected for a specific purpose, the PII cannot be used for any other purposes without getting additional consent.
FORS gains consent of the data subject when they register to:
- Become a FORS accredited company or a FORS associate or champion
- Complete a FORS eLearning module
- Book a place on a FORS training course via EventBrite or Gotowebinar
- Use FORS Collision Manager
- Receive the FORS eNews bulletins and other FORS Communications
2.9 Privacy Inquiries, Complaints and Incidents
Our FORS Privacy Statement provides details on how to refer all privacy inquiries and complaints to firstname.lastname@example.org. Should the individual feel that the complaint cannot be resolved by contacting us, he or she has the right to complain to the Information Commissioners Office.
2.10 Sharing with Third Parties
Data will only be shared with third parties in accordance with the FORS Privacy Statement.
3. Terms and Definitions
Personally Identifiable Information (PII)
Means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data will be removed from dormant company records twelve (12) months after the company is made dormant.
FORS Professional or FORS Approved training records will be retained for the validity of the course and for 24 months after the validity of the training expires or as long as the training account is active.
Audit reports will be kept for a minimum of six (6) years from the date of creation, in compliance with the FORS Requirements for Audit Providers.