ILS Privacy Policy

Updated February 2021

International Location Safety Ltd takes privacy and data protection very seriously. This privacy statement explains how ILS collects, stores and uses personal data when clients engage with our services. This policy will be kept under review and will be revised when required; notification of updates will be made on our website and all other marketing channels.

This privacy statement replaces the current Data Protection policy (August 2017) and is fully compliant with the UK General Data Protection Regulation (UK GDPR). The policy about personal data collection is written within the framework of the 6 data protection principles set out in the GDPR: 1. Lawfulness, fairness and transparency; 2. Purpose Limitation; 3. Data Minimisation; 4. Accuracy; 5. Storage Limitation; 6. Integrity and confidentiality.

Definitions

When reading this statement, please note that the terms ‘ILS’, ‘We’, ‘Us’ and ‘Our’ refer to International Location Safety Ltd. The terms ‘You’, ‘Your’, ‘Participant’, ‘Customer’ and ‘Client’ refer to anyone who pays for and engages in the use of our services.

‘Personal data’ refers to any information that directly or indirectly identifies a person (a ‘natural person’ as defined by the UK GDPR) including name, address, email, phone number, job title and employer information.

Special category data’ refers to the UK GDPR definition which is any information concerning race, ethnic origin, religion, politics, trade union membership, genetics, biometrics, health and sexual orientation.

The use of the term ‘Data Controller’ in this policy refers to International Location Safety. The term ‘Data Processor’ refers only to the services we use for payment processing, email campaign software, IT service providers, online survey software services and accommodation providers.

‘SAFA’ refers to our Security Awareness & First Aid training; this is a 3-day residential course which involves some mild physical activity. ‘TSS’ refers to our Travel Safety & Security courses; this is a 1-day classroom-based course. ‘Risk Advisory Services’ refers to all bespoke project work, consultancy and support services to our clients; these are delivered independent of our training courses. ‘Intelli-TRIP’ refers to the online risk management platform and app available through ILS. ‘TTA’ and ‘Travel threat Assessments, refers to the COVID-19 travel threat assessment from our Risk Advisory Team available through our online store.

Your Personal Data

When engaging in any of our services you will be asked to voluntarily provide only the personal data that is necessary to ensure accurate project outputs, successful learning outcomes and safe training experiences.

What data do we collect?

On our SAFA course, the data collected on our booking and registration forms include name, email address, job title, employer, invoicing contact details, next of kin or emergency contact details and medical insurance details.

For our TSS course, the only personal data collected is a name, job title and employer. Participants are invited to opt-in to our email mailing list. All course feedback that we collect is anonymised after the statistics and comments have been collated.

The personal data collected for our Risk Advisory Services include names, email addresses, skype names, telephone numbers, job titles and invoicing contact details of the key contact people within the client’s organisation.

Risk Advisory projects may involve requests for key contact people to voluntarily provide contact details for interviewees who will be requested to provide insights into the client's security culture. These details may include name, email address, skype name, telephone number and job title. The feedback from the interview will be anonymised and the contact details deleted after the project is complete.

Users of our Intelli-TRIP app will provide the following personal data: name, email address and phone number. No personal data that is inputted by the user via the questionnaire during the automated risk assessment process is retained, the only data retained is a record that the user has completed the questionnaire.

Special category data

The special category that we ask you to provide is within the health category and this is generally only collected for our SAFA course participants. Some examples of the information that we need are pre-existing conditions, heart problems, mobility issues, dietary requirements, allergies, pregnancy or any emergency medication etc. We do not collect or require any other special category data as defined by the UK GDPR.

Where Risk Advisory projects are specifically health-related (e.g. involving medical evacuation or incidents), only the medical details required to fulfil the project will be collected.

During the Intelli-TRIP risk assessment process, users will be asked to refer to special category data (race, ethnic origin, religion, politics, health and sexual orientation) in a yes/no format e.g.:

  • · Q. Does your nationality, ethnicity or religion have a negative impact on your risk during travel?
  • · A. Yes/No.

These answers are only used to generate risk assessment and no extra details are requested.

Why do we collect it?

  • Name: We collect your name for identification purposes during trainings, training certification, Risk Advisory workshops and interviews, user setup on Intelli-TRIP, COVID-19 Travel threat assessments and for booking accommodation at our training venues.
  • Email address: We ask all learners and trainees for their email address in order to provide course agendas, joining instructions, follow-up information, an invitation to join the Hpass digital badge scheme, and any information about changes to course dates, venues or cancellations. Participants are invited to opt-in to our mailing list should they wish to. You will not be automatically enrolled on the list. This mailing list is used for keeping clients updated with company news, details of new services, upcoming courses and special offers.
  • Intelli-TRIP users, supervisors and designated admins submit their email address to be used as their account username and for receiving risk assessments and notifications.
  • COVID-19 TTA clients submit email address in order to receive their Travel Threat Assessment.
  • Job title and Employer: The information provided about job title and employer is used to provide our trainers with a general impression of the professional background, experience and knowledge of participants, thus being able to tailor the course and make the training relevant.
  • Invoicing contact details: In order to process fees for our services, we require the contact details of any person responsible for the payment of invoices on behalf of our participants. The details required are a contact name, email and billing address.
  • Emergency contact and medical insurance details: Due to the practical outdoor component of the SAFA training, we require a next of kin contact in case of emergency as well as any medical insurance details that may be relevant. This is part of our duty of care and health & safety obligations.
  • Health details (Special Category Data): The SAFA course involves mild physical exertion, exposure to outdoor elements and practical exercises that may place you in mildly stressful conditions. The information provided allows ILS to account for any personal circumstances that need to be considered to ensure participants health and wellbeing.
  • TTA Clients submit their NHS risk category in order to calculate their potential risk with regard to COVID-19 exposure.
  • Information security handling procedures
  • Data destruction policy
  • Password policy
  • Business continuity plan
  • Data classification and information handling policy
  • Physical and Environmental security policy
  • Asset Management policy
  • Cryptography policy
  • Access control policy

Who do we share it with?

ILS uses a small number of carefully selected third parties to help provide our services to you. These act as ‘Data Processors’ as defined by the UK GDPR. Examples of the services we use are payment processing, email campaign software, IT service providers, online survey software services, Hpass digital badge scheme, app developers and accommodation providers. In choosing to work with any such Data Processors, we will always ensure that the security policies and confidentiality arrangements and UK GDPR compliance of those third parties adhere to the same requirements. No ownership rights to the data will be transferred to any third party.

The data that we collect from you will not generally be transferred outside the European Economic Area ("EEA"). The only circumstance where this may occur is for training courses outside the EEA when we give accommodation providers your name, for booking purposes only. By submitting your data, you agree to this transfer, storing or processing. We will take all reasonable steps to ensure that your data is treated securely and in accordance with this privacy policy.

Intelli-TRIP data is processed by our App developer partner, who use Amazon Web Services which allows your data to be hosted in any region in the world. For UK GDPR compliance, our 3rd party App developer partner ensures servers are hosted in London with an assurance that, in case if disaster, the hosted platform will NEVER move outside of the EEA.

Development of the solution was delivered under the Open Web Application Security Project (OWASP) security framework which provides a continually updated set of best practices that ensure the Intelli-TRIP is secure.

We also ensure our App developer partners operate a full set of InfoSec security policies including:

Data Retention

ILS endeavours to minimise the retention of data as much as reasonably possible. In line with this principle the different circumstances under which we retain some personal data are as follows:

  • SAFA course participants: we retain the name and employer of the graduates alongside the course date to determine who has attended our courses. The SAFA certificate is valid for a period of 3 years and we reserve the right to check the validity of our SAFA certificates. Paper registration forms are only retained for this 3-year period where a serious pre-existing medical condition has been registered; this is for legal and insurance purposes. All other paper registration forms are shredded after feedback has been collated. All feedback is then anonymised. Email addresses are only retained where participants have explicitly opted into the mailing list on their registration form.
  • TSS Course participants: we only retain the name and employer of the participant to keep a record of participation. These records are deleted after 3 years when the training certificate expires.
  • Risk Advisory interviewees: personal data is deleted after survey data has been collated.
  • Intelli-TRIP users’ contact details are retained by ILS for invoicing for the period that they are active users.
  • TTA clients’ contact data is only kept for 30 days after the TTA is complete.

Security

All reasonable steps have been taken to ensure the security of your personal data through the minimalization of collection, IT security measures and best practice in handling data both digitally, and on paper. Our IT system meets UK GDPR requirements, including Hard drive encryption, remote wipe functions and the most up to date security software. This is all done in conjunction with our IT partners.

Access

If you would like to get in touch with us regarding any of your personal data access rights, please email us: data@locationsafety.com.

Or alternatively, use the address and phone number provided below:

FAO: Data Protection Enquiries

International Location Safety

Top Floor

46 High Street

Hurstpierpoint

Hassocks

West Sussex

BN6 9RG

Office Telephone: +44(0) 1273 833070

Office hours: 9am-5pm Monday-Friday