Who are we? 

We are Doherty IT Solutions Ltd, T/A Doherty Associates.  We secure and manage IT systems on behalf of our clients. Our Registered address is Darpen House, 3 Water Lane, Richmond, Surrey, TW9 1TJ. Our company number is: 02678057. 

Privacy Policy 

At Doherty Associates we are committed to protecting and respecting your privacy. 

This policy explains what personal information we collect from you and how we use it. This personal data, whether it is held electronically or on paper, is subject to certain safeguards that are specified under the EU General Data Protection Regulation (GDPR). The GDPR aims primarily to give control to citizens and residents over their personal data and puts a responsibility on us to keep it safe. This policy says how we will do that.

As well as your right to your data being safe, you can at any time unsubscribe from communications from Doherty Associates or request that your data be deleted by visiting www.doherty.co.uk/hs/manage-preferences/unsubscribe. Further details on data erasure are included in this policy.

To obtain a copy of this policy please use our website at www.doherty.co.uk/privacy-policy , or contact our Data Protection Manager.  The contact details for the Data Protection Manager are below. 

Data Protection Manager 

Doherty Associates is the controller of information that we collect; you can find our contact details below. Our Data Protection Manager is Kate Gibbons, who can be contacted by phone on 0208 987 1199, email at Kate.Gibbons@doherty.co.uk, or by writing to our registered address. They are authorised by us to be the contact point for any questions regarding data protection. If you have any questions about this policy please contact the Data Protection Manager.

If you need to have this information in another format please contact the Data Protection Manager. 

Who is affected by this policy 

This policy applies to: 

  • Visitors to our website 
  • People who download information from our website 
  • People who attend our events 
  • Our clients 
  • Job applicants 
  • Current and former employees 
  • People who make enquiries or requests under the GDPR 

The data protection principles 

The GDPR requires that data is: 

  • Processed lawfully, fairly and in a transparent manner in relation to individuals 
  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes 
  • Adequate, relevant and limited to what is necessary for processing 
  • Accurate and, where necessary, kept up to date 
  • Not kept longer than is necessary  
  • Processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures 

Our responsibilities 

To meet these requirements, we will: 

  • Tell you what data we collect and how it will be used 
  • Process personal data only as needed to fulfil operational or legal requirements 
  • Keep your data up to date 
  • Retain data for only as long as needed to fulfil the requirements 
  • Ensure that the rights of data subjects can be fully exercised 
  • Implement appropriate technological and organisational measures to safeguard personal data and ensure that personal data is not transferred abroad without suitable safeguards 

If you believe that we are not meeting these requirements, please tell us.  You also have the right to report any concerns to the Information Commissioner’s Office. 

Lawful Basis for Processing 

We collect your data based on a specific legal basis.  The data we collect is set out in the table below: 

| Data Subject | Basis of Processing | Is the data shared and with whom? | How long is it kept? |
| Visitors to our Website | N/A - no personal information held | N/A | N/A |
| People who download information from our website | Consent | No | Two years of inactivity or until they unsubscribe |
| People who attend our events | Consent | Event locations | Two years of inactivity or until they unsubscribe |
| Our clients | Contract | In order to provide services to our clients we may subcontract services on your behalf. See Sub-Processors | Depends on the service |
| Job applicants | Legitimate Interest | No | Minimum to process and review application |
| Current staff | Legal Requirement | Payroll processing, DBS checks and HR outsourcing | Information available internally |
| Former staff | Legal Requirement | No | As per legal requirements |
| People making requests | Consent | No | Minimum to record Subject Access Request |

 

Where we ask for your consent it can be withdrawn at any time. 

Exercising your rights under the GDPR 

In order to exercise your rights under the GDPR please contact the data protection manager either by writing, email or phone at the contact details above.  We will respond to requests as set out below.  For some requests, in order to ensure that we only provide information about you we will require you to identify yourself by supplying proof of identity. 

Your right to be informed 

You have a right to be informed as a data subject of the data we hold and process about you.  This policy is intended to describe how and why we do so.  If this policy does not deal with your concerns or questions please contact our Data Protection Manager on the contact details held above. 

Your right to access 

If we hold information about you we will: 

  • Describe the information we are holding; 
  • Tell you why we are holding it; 
  • Tell you who it is shared with; 
  • And, if possible, provide you a copy of the information.  Where this is not possible, for example, if it would infringe the rights of other data subjects, we may provide redacted information or access to the information at our premises or via screen sharing. 

Your right to rectification 

This is a right to ask us to correct any wrong data we hold about you.  You can ask us to correct any mistakes by contacting the Data Protection Manager. 

Your right to erasure 

This is a right to ask us to delete any data we hold about you.  You can ask us to do this by contacting the Data Protection Manager.  We may be unable to delete data for legal or regulatory reasons and we will explain if this happens.   

Your right to restrict processing 

This is a right to ask us to stop processing any data we hold about you.  You can ask us to do this by contacting the Data Protection Manager or by other technological means such as clicking unsubscribe links in emails.  Where we are unable to do this for legal or regulatory reasons we will explain why.  If this will affect the services we provide then we will explain this to you. 

Your right to data portability 

You have a right to ask for your information to be transferred to another organisation.  You can ask us to do this by contacting the Data Protection Manager.  Where we are unable to do this for legal or contractual reasons we will explain why. 

Your right to object 

If we process your data based on our legitimate interests, you have a right to object to that processing.  You can ask us to do this by contacting the Data Protection Manager. 

Your rights in relation to automated decision-making and profiling 

The GDPR grants rights in relation to automated decision-making and profiling.  We do not perform automated decision making or profiling on your data. 

 

For Visitors to Our Website 

What data do we collect? 

If you are visiting our website we are not able to record this in isolation and as such do not hold any personal information on website visitors. We may use cookies (please refer to our Cookies Policy at https://www.doherty.co.uk/cookie-policy) to analyse repeat visitors to our website, and this information is provided by our website provider, HubSpot. We also use Google Analytics to inform us of the quantity of visitors to our website and the browser they use to access our website, but we do not have access to any personal information on those visits. 

How we use your data 

This is not applicable to visitors of our website as we do not collect personal information for anonymous users through the website. 

Our Legal basis 

This is not applicable to visitors of our website as we do not collect personal information for anonymous users through the website. 

Third Parties 

Data is processed on our behalf by HubSpot as described above, but none of this data is personal information. 

Data Location 

Data within HubSpot is held in the US and is covered by Privacy Shield.  For further information about the data protection policies of our sub-processors, please consult www.doherty.co.uk/sub-processors. 

Is the data transferred abroad? 

The data is held within US data centres by our website provider.  A privacy shield policy is in place with the provider. 

How long we keep the data for? 

This is not applicable to visitors of our website as we do not collect personal information for anonymous users through the website. 

How we safeguard your data 

This is not applicable to visitors of our website as we do not collect personal information for anonymous users through the website. 

 

For people who download information from our website 

What data do we collect? 

If you visit our website and download information, you may be asked for: 

  • Your name 
  • Your company name 
  • Your role within the company 
  • Your contact number 
  • Your email address 

How we use your data 

We will use your data to contact you periodically with further information we think you may value based on your initial request. You can choose not to be contacted when you download the information and can also withdraw your consent to be contacted at any time. 

Our Legal basis 

We use your consent to contact you with further information. You can withdraw your consent to be contacted or for your data to be held by Doherty Associates at any time, either by emailing the Data Protection Manager, or calling 0208 987 1150. You can also withdraw your consent by unsubscribing on any Doherty Associates email you have received.

Third Parties 

We will not transfer your data to any third party for any reason. We use HubSpot to process your data as described in the Visitors to Our Website section (as above). HubSpot's processing of data is covered by Privacy Shield. For further information about the data protection policies of our sub-processors, please consult www.doherty.co.uk/sub-processors. 

Data Location 

Data within HubSpot is held in the US and is covered by Privacy Shield.  For further information about the data protection policies of our sub-processors, please consult www.doherty.co.uk/sub-processors. 

Is the data transferred abroad? 

The data is held within US data centres by our website provider.  A privacy shield policy is in place with the provider. 

How long we keep the data for? 

We will retain the data for a maximum period of two years of inactivity or at any point before that time has elapsed where you withdraw your consent for it to be processed. 

How we Safeguard your data 

If we share information about your data internally it will be protected by email encryption. We will not share your data externally without explicit permission. See Data Location for more details on how your data is safeguarded. 

 

For people who attend our events 

What data do we collect? 

If you register and attend one of our events, you may be asked for: 

  • Your name 
  • Your company name 
  • Your role within the company 
  • Your contact number 
  • Your email address 

How we use your data 

We will use your data to contact you periodically with further information we think you may value based on your initial request, and may also use it to seek feedback on your experience at the event. You can choose not to be contacted after the event and can also withdraw your consent to be contacted at any time. 

Our Legal basis 

We request your consent to contact you with further information. You can withdraw your consent to be contacted or for your data to be held by Doherty Associates at any time, either by emailing the Data Protection Manager, or calling 0208 987 1150. You can also withdraw your consent by unsubscribing using the link on any Doherty Associates email you have received.

Third Parties 

We will transfer your data to any external locations who host our events by encrypted email. We will only transfer your name to the external locations for guest list purposes and you may contact the individual external locations under the GDPR to request a removal of this information at any time after you have attended the event.  

Data Location 

We will store your data within our website provider, HubSpot, which is held in the US and is covered by Privacy Shield.  For further information about the data protection policies of our sub-processors, please consult www.doherty.co.uk/sub-processors. For information on where your data will be stored by external locations for guest list purposes, you may contact the individual external locations. 

Is the data transferred abroad? 

The data is held within US data centres by our website provider. A privacy shield policy is in place with the provider. For information on whether your data will be transferred by external locations for guest list purposes, you may contact the individual external locations. 

How long we keep the data for? 

We will retain the data for a maximum period of two years of inactivity or at any point before that time has elapsed where you withdraw your consent for it to be held. 

How we Safeguard your data 

If we share information about your data internally it will be protected by email encryption. When we share your data externally it will be protected by email encryption and access to the data can be revoked at any time. See Data Location for more details on how your data is safeguarded. 

 

Our Clients 

What data do we collect? 

In order to contact you to provide our services we will record names, email addresses and phone numbers for people working with or associated with our clients. In addition we record technical information required to provide IT services, which may include IP addresses and credential information.

We will have access to personal data hosted in your systems as part of our agreement. 

We record phone calls for training and quality purposes. 

How we use your data 

We use personal details and technical information stored on our systems to supply consultancy or support services to our clients.  This data is not shared outside our organisation. 

We may also process your personal data in order to provide services via third parties such as email hygiene, antivirus, backups, data storage, software as a service or platform as a service (such as Office 365 or Microsoft Azure) at your request. 

Our Legal basis 

Our contract with you as a client provides the legal basis for processing. 

Third Parties 

We may process your data via transferring it to third parties in order to provide additional services to you as described in the ‘How we use your data’ section above.  A list of the third parties that we use can be found at www.doherty.co.uk/sub-processors. 

Data Location 

Personal data about you is held at our offices in London, in Microsoft Office 365 or in Microsoft Azure. EU locations are used for Microsoft services. Data locations for our sub-processors can be found in the link above.

Is the data transferred abroad? 

In addition to staff located at our office in Richmond we provide our 24/7 support service from a solely owned office in Malaysia.  Our fully vetted staff in the office access our systems in London remotely and do not process any data locally except for data held in cloud services that may be synced to local desktops. 

How long we keep the data for? 

Technical and personal information for staff that are not the main contacts will be removed if you cease to be an active client (that is, if you have not purchased anything from us in 2 years).

How we safeguard your data 

We use appropriate technical and organisational measures to safeguard your data including: 

  • Multi-factor authentication on all systems that allow access to personal data 
  • Staff have access to only data appropriate to perform their roles 
  • Access audit logging for systems containing personal data 
  • DBS checks 
  • Strong data encryption at rest 
  • Where appropriate, encryption of data in use 
  • Closed-circuit television 
  • 24/7 Security guards 
  • Strong physical access controls to systems containing personal data. 

 

Job Applicants 

What data do we collect? 

We collect the following information from job applicants as part of the application process:

  • Name 
  • Employment history 
  • Salary details 
  • Contact details of referees 

We may also collect information as part of taking up references: 

  • Dates of employment 
  • Job title 
  • Details of sickness 
  • Personal statements about you from referees 

In addition we collect any other information that is included as part of cover letters, curriculum vitae, any information disclosed during interview and information passed to us by employment agencies.  

How we use your data 

We use this to select candidates for employment. 

Our Legal basis 

This data is collected as part of our legitimate interest as part of operating the business. 

Third Parties 

If we offer you employment we will seek employment referees from you.  You will need to obtain consent from your referees to provide references. 

Data Location 

Personal data about you is held at our offices in London, in Microsoft Office 365 or in Microsoft Azure. EU locations are used for Microsoft services. Data locations for our sub-processors can be found at www.doherty.co.uk/sub-processors.

Is the data transferred abroad? 

No. 

How long we keep the data for? 

Data on candidates that are not successful at interview is held for 1 year after interview in case we wish to contact you for other opportunities and in case of legal claims. 

How we safeguard your data 

We use appropriate technical and organisational measures to safeguard your data including: 

  • Multi-factor authentication on all systems that allow access to personal data 
  • Staff have access to only data appropriate to perform their roles 
  • Access audit logging for systems containing personal data 
  • DBS checks 
  • Strong data encryption at rest 
  • Where appropriate, encryption of data in use 
  • Closed-circuit television 
  • 24/7 Security guards 
  • Strong physical access controls to systems containing personal data 

 

Current Employees 

What data do we collect? 

We store the following information about you as part of your employment with us: 

  • Name 
  • Job title 
  • Salary 
  • Home address 
  • Personal phone number 
  • Personal email address 
  • Next of kin details 
  • Medical details 
  • National Insurance number 
  • Bank details 
  • Sickness details 

For DBS checks we may also collect: 

  • Passport information 
  • Driving Licence  
  • Residence history 
  • Bank and utility statements 

In addition we may collect health data in order to comply with discrimination legislation. 

How we use your data 

We use this information to pay our staff, to operate our staff appraisal process and to comply with appropriate legislation for employment of staff.  As we work with schools we also perform DBS checks on all staff in the UK that may need to visit a school. 

Our Legal basis 

Some data collection is part of our contract with our staff.  We are also obliged to collect and retain information to comply with employment law. 

Third Parties 

We may pass data to our HR advisers, our payroll provider and our provider of DBS checking. 

Data Location 

Personal data about you is held at our offices in London, in Microsoft Office 365 or in Microsoft Azure. EU locations are used for Microsoft services. Data locations for our sub-processors can be found at www.doherty.co.uk/sub-processors.

Is the data transferred abroad? 

No. 

How long we keep the data for? 

Data on current staff is retained for as long as your employment with us continues. 

How we safeguard your data 

We use appropriate technical and organisational measures to safeguard your data including: 

  • Multi-factor authentication on all systems that allow access to personal data 
  • Staff have access to only data appropriate to perform their roles 
  • Access audit logging for systems containing personal data 
  • Strong data encryption at rest 
  • Where appropriate, encryption of data in use 
  • Closed-circuit television 
  • 24/7 Security guards 
  • Strong physical access controls to systems containing personal data 

 

Former Staff 

What data do we collect? 

We store the following information about you as part of documenting your employment with us: 

  • Name 
  • Job title 
  • Salary 
  • Home address 
  • Personal phone number 
  • Personal email address 
  • Next of kin details 
  • Medical details 
  • National Insurance number 
  • Bank details 
  • Sickness details 

How we use your data 

We use this information to pay our staff until any obligations are settled, to comply with appropriate legislation for employment of staff and as required for legal claims.   

Our Legal basis 

We are obliged to collect and retain information to comply with employment law.  Some information is held under our legitimate interest in case of legal claims related to employment. 

Third Parties 

We may pass data to our HR advisers, insurers for benefits purposes or our payroll provider. 

Data Location 

Personal data about you is held at our offices in London, in Microsoft Office 365 or in Microsoft Azure. EU locations are used for Microsoft services. Data locations for our sub-processors can be found at www.doherty.co.uk/sub-processors.

Is the data transferred abroad? 

No. 

How long we keep the data for? 

We retain all data for 6 years in order to comply with employment law and as part of our legitimate interest for operating the business in case of legal claims related to employment. Payroll and expenses data is retained for 7 years for legal reasons.

How we safeguard your data 

We use appropriate technical and organisational measures to safeguard your data including: 

  • Multi-factor authentication on all systems that allow access to personal data 
  • Staff have access to only data appropriate to perform their roles 
  • Access audit logging for systems containing personal data 
  • Strong data encryption at rest 
  • Where appropriate, encryption of data in use 
  • Closed-circuit television 
  • 24/7 Security guards 
  • Strong physical access controls to systems containing personal data 

 

People making requests 

What data do we collect? 

We will collect the following information in order to process subject access requests: 

  • Name 
  • Proof of identity  

How we use your data 

We will use this to verify your identity, process your data subject access request and retain records of subject access requests. 

Our Legal basis 

This is done as a legal requirement. 

Third Parties 

Data is not passed to third parties unless required to fulfil a data subject access request.  We may refer you to the third party if this has been directly contracted by you. 

Data Location 

The data is held within the EU. 

Is the data transferred abroad? 

The data is not transferred abroad. 

How long we keep the data for? 

Information about data subject access requests is retained indefinitely in order to comply with the regulation.  Proof of identity is not retained. 

How we safeguard your data 

We use appropriate technical and organisational measures to safeguard your data including: 

  • Multi-factor authentication on all systems that allow access to personal data 
  • Staff have access to only data appropriate to perform their roles 
  • Access audit logging for systems containing personal data 
  • Strong data encryption at rest 
  • Where appropriate, encryption of data in use 
  • Closed-circuit television 
  • 24/7 Security guards 
  • Strong physical access controls to systems containing personal data.