Technical Information GDPR. May 2018

Transcription

1 Technical Information GDPR May 2018

2 1 DATA PRIVACY - TECHNICAL INFORMATION This document details the technical components of our BluePoint GDPR compliant privacy information. If you haven t read our Privacy Information main document describing Legal Basis and your rights please do so now. Please consult the References section of this document for a link. It s important to understand what we store, what we do with it, who can see it, how we secure it, how long we hold it and where we store it. 1.1 WHAT WE STORE BluePoint is at its heart a Visitor Management Service (aka Software), so we need to store information about people. What we store depends on your role within the system Web User (Visitors and Contractors who can sign in) You can sign into BluePoint but are not a member of a site. You may have been invited to a site with your specified. We store the following information; About You Your name Your Company (if specified. We might guess this from your domain) Your Job Title (if you specified it. If you sign in using LinkedIn, we obtain this from your LinkedIn profile) Your photo (if you specify it, or if you have checked-in to a BluePoint site that requires photos). Your mobile number (optionally) Your support contact number Any secondary notification addresses. Your unique BluePoint Pass code Your password / OAuthv2 tokens About Site Activity The Appointments / Deliveries / Contractor Access Requests you ve been a part of. Metrics of your activity on BluePoint sites o Check-In times o Time on site (entry and exits) o Any assets signed out while on site o Any inductions (Health and Safety induction, NDAs etc) General Activity Changes to your profile and security Site User (Hosts or Operators) You can sign into BluePoint and are a member of a site. We store the following information, in addition to the above Web User fields; Your site contact number Security metadata your permissions on site

3 All activity on site based on your role (e.g. Receptionists; all data check-ins performed, etc) Ad-hoc Visitor You have been invited to a site as a Visitor without an address and cannot sign into BluePoint. We store the following information; Your name Your company name Your photo (at check-in, on sites that require it). Metrics for your Visit o Check-In time o Time on site (entry and exits) o Any assets signed out while on site Note: this cannot be used to uniquely identify you in real terms. 1.2 WHAT WE DO WITH IT This section describes what we (BluePoint system and support staff) do with your personal data we hold Web User (Visitors and Contractors who can sign in) Allows us to identify you and log into BluePoint. Allow us to send you invitations as a new Host or Operator. Record your Appointment / Delivery / Contractor activity in BluePoint sites Call you for support purposes (never marketing) on your Support Contact number Site Users (Hosts or Operators) In addition to the Web User data processing above; Allow you to perform authorised tasks on Site. Determine who can see you on site (see Who can see it ). Show you in Chat to other site users in scope Ad-hoc Visitor We don t do anything with your data, only store it for use at check-in. 1.3 WHAT OTHERS DO WITH IT Who else can view and process your personal data within BluePoint Web User (Visitors and Contractors who can sign in) Unless specified otherwise, your , mobile number and support contact are not visible. You can be invited by anyone with your full address You can be viewed by Operators in the Site(s) you are visiting or have visited o Only the Operators of the Tenancy you visited, or the Operators above them (for example, the Front of Desk team who welcomed you initially) You can be viewed by Hosts for your Appointments, and their delegates You can be viewed by whomever created your Appointment (note it might not be your Host)

4 o They can see your address in their Contacts and can request access to your mobile number, if you ve set one. Your Company administrators can view your BluePoint Activity and full contact details. No one can access (without your permission); Your address, unless they invite you using it Your mobile number Site Users (Hosts or Operators) Unless specified otherwise, your , mobile number and support contact are not visible. These are in addition to Web Users above. Other Site Users in your Tenancy can view you Operators in your Site(s) can view your name and Site Contact details o Limited to Operators above your tenancy, for example Site main reception teams. You can explicitly set to expose your and mobile to your tenant colleagues, your company colleagues and others in your site. By default, this is hidden Ad-hoc Visitor Site Receptionists use this data to identify and welcome you on site. 1.4 RETENTION PERIOD Appointments, Deliveries, Contractor Access Requests and related data are retained for 1 year by default, unless specified otherwise by the Data Controller. Your account / identity will be stored indefinitely until you choose to delete it, if applicable. You can invoke your Right to Restrict at any time. 1.5 HOW WE SECURE IT All data is stored securely in European Microsoft Azure data centres across a mixture of Azure SQL and CosmosDb. We use active breach detection, at rest encryption and complex authentication credentials with limited IP endpoint access, rotating monthly. All data is transmitted using SSL TLS bit encryption over HTTPS. We perform PEN tests on an annual basis using our excellent partners at RedScan the latest test results are available on request. For more information please download our BluePoint Security Design. 1.6 WHERE WE STORE IT We store all our data from go.bluepoint.uk.com in Microsoft s West Region data centre based in Northern Ireland. Some system telemetry does go to the East Coast region data centre in the United States, but this contains no personal data.

5 1.7 DATA BREACHES We actively monitor our infrastructure and storage for signs of data breach. If we suspect a breach, we will immediately investigate and raise details of the breach to the Intellectual Commissioners Office (ICO) within 72 hours. If you are affected by the breach you will be contacted automatically. If you suspect a breach of your personal data, please contact any of our personnel via our usual channels, such as support@bluepoint.uk.com. 1.8 TERMS AND ABBREVIATIONS BluePoint Activities Visit Visitor Appointment Contractor Access Request Delivery Check-In Any workflow that can be started in BluePoint; such as a new Appointment, a new Delivery or a new Contractor Access Request. When a visitor turns up on a BluePoint site. An individual invited to a BluePoint site. The container for one or more Visitors. A system used to permit Contractors to a Site. The BluePoint Delivery system The action of being identified on a BluePoint site for an Appointment / CAR. 1.9 REFERENCES Digital Forge Ltd. (2018, May). BluePoint Security Design. Digital Forge Ltd. (2018, May). Privacy Information. Retrieved from BluePoint: Information Commissioners Office. (2018, May). Guide to the General Data Protection Regulation. Retrieved from ICO.: Microsoft. (2017, January). Windows Azure Trust Centre. Retrieved from Microsoft Azure: