1 Introduction
This statement of compliance sets out how the Chartered Institute of Public Finance and Accountancy (CIPFA) complies with the UK General Data Protection Regulation (UK GDPR).
2 Scope
The scope of CIPFA's UK GDPR compliance acknowledges our role as both a data controller and a data processor. We are a Data Controller where we process the data for our own purposes. We are a Data Processor where we process the data under the instruction of our clients according to their purposes.
The scope applies to all CIPFA operations and services involving the handling of personal data concerning an identified or identifiable natural person, this includes the following activities:
As Data Controller
- processing of student and delegate information to enable administration processes associated with course delivery and examinations
- processing of Memorandum of Understanding member data to enable administration and regulatory requirements of memberships and the delivery of member services
- processing of subscriber data to enable administration process associated with subscription services and the delivery of subscription services
- processing personal data when acting as an employer or when providing other business services
As Data Processor
- provision of software as a service to purchasers of CIPFA Asset Manager and CIPFA FM Model
3 Statement of compliance
CIPFA has implemented the following measures to ensure full compliance with GDPR and to protect all personal data that we process from accidental or unlawful destruction, loss, alteration, access or disclosure.3.1 General technical and organisational information security measures
3.1.1 All CIPFA's policies, procedures and processes have been reviewed and updated for UK GDPR compliance, including our roles as data processor and data controller and incident/breach management.
3.1.2 We will process personal data only in accordance with the data controller’s written instructions which shall be in line with their specified purpose(s), their legal basis of processing and all other principles stated in Article 5(1) of the UK GDPR.
3.1.3 We will assist the data controller in meeting the requirements of UK GDPR with regard to the notification of personal data breaches and data protection impact assessments.
3.1.4 Information security is embedded in all CIPFA policies, processes and procedures.
3.1.5 We have an Information Security Management System (ISMS) in place based on the standards found in ISO 27001. We have, considering the state of the art and costs of implementation, implemented GDPR appropriate Technical and Organisational Measures that ensure our buildings, infrastructure, systems, policies, processes, procedures and controls are adequately robust to protect all personal data that we process.
3.1.6 We have carried out a data audit and produced a full record of our processing activities which is compliant with Article 30 of the UK GDPR.
3.1.7 We operate an integrated risk management framework. We regularly assess and manage the risks associated with protecting the confidentiality, integrity and availability of the personal data that we process and their related assets. We perform a DPIA assessment on all new changed systems.
3.1.8 We have in place a Data Retention Policy to ensure that we destroy any data that is no longer required or has passed its retention period.
3.1.9 We are regularly review our practices to ensure our compliance with the current Data Protection legislation. We will contribute to reasonable audits and inspections required by our data controller. The scope and timelines of such audits will be agreed with the data controller in writing and in advance.
3.1.10 We have robust business continuity and disaster recovery plans in place to minimise the impact of any disruptive incidents or disasters, and our systems and processes are resilient enough to protect the confidentiality, integrity and availability of personal data.
3.1.11 We have a designated Data Protection Officer (DPO) who monitors our compliance to the UK GDPR and is out point of contact with the Information Commissioner.
3.2 CIPFA systems and hardware
3.2.1 We have developed our end-user systems to ensure that they are compliant with the UK GDPR. This includes the development of additional functionality to assist our customers and users with managing the data that we hold on them and its use, retrieval, editing, amendment and deletion.
3.2.2 CIPFA's systems enable us to fulfil our obligations when a data subject exercises their rights, including their right of access, rectification or restriction of personal data. All personal data is backed up, and stored securely. If acting as a data processor we will inform the data controller of any data breaches, requests or complaints that we receive from a data subject regarding the exercising of their rights under the UK GDPR.
3.2.3 Disaster recovery is in place for our critical systems.
3.2.4 We are Cyber Essentials PLUS certified.
3.2.5 We have implemented physical layers of security to protect our systems and our data assets.
3.2.6 All laptops and desktops run the latest security patches and antivirus software. Our laptops are also encrypted at rest and contain personal firewalls.
3.3 Supply chain
3.3.1 We operate a preferred supplier policy – suppliers are only approved and used after they have passed our vetting and due diligence process.
3.3.2 We audit our suppliers for adherence to the UK GDPR or equivalent.
3.3.3 Acting as a Data Controller, we have contracts with all our data processors that conforms to Article 28(3) of the UK GDPR including the requirements to impose those data protection obligations on any sub-processor they may engage with and our right to object to the appointment of a sub-processor.
3.3.4 We ensure that all our suppliers who may have exposure to confidential information have signed confidentiality/non-disclosure agreements.
3.4 Staff education, awareness and integrity
3.4.1 GDPR and information security training and awareness is included in our company induction for all new employees.
3.4.2 All existing members of staff receive training on their responsibilities for UK GDPR, and this is ongoing. They also receive annual training on their roles and responsibilities for information security.
3.4.3 All staff who are authorised to process personal data do so on a strictly 'need-to-know' basis as necessary to perform their role in the provision of required services.
3.4.4 All staff have signed a confidentiality/non-disclosure agreement which forms part of their contract of employment.
4 Declaration
We confirm that the above measures are in place. These measures are monitored for their continued suitability and adequacy for compliance with the UK GDPR.
– CIPFA Data Protection Officer, 01/06/2021