Introduction
Welcome to Pocket App’s privacy notice.
Pocket App respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data when you visit our website (regardless of where you visit it from) and tell you about your privacy rights and how the law protects you.
This privacy notice is provided in a layered format so you can click through to the specific areas set out below. Please also use the Glossary to understand the meaning of some of the terms used in this privacy notice.
Important information and who we are
Purpose of this privacy notice
This privacy notice aims to give you information on how Pocket App collects and processes your personal data through your use of this website, including any data you may provide through this website when you fill in any forms on our website and through you providing us with your personal data in other ways such as sending us emails. If you are a job applicant or if the business that you work for becomes a customer, potential customer, a supplier or a potential supplier of ours please refer to our other notice: Privacy Notice for the Staff of Customers, Potential Customers, Suppliers, Potential Suppliers and Job Applicants.
This website is not intended for children and we do not knowingly collect data relating to children.
It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them.
Controller
Pocket App Limited is the controller and responsible for your personal data (collectively referred to as “Pocket App”, “we”, “us” or “our” in this privacy notice).
We have appointed a data privacy manager who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, please contact the data privacy manager using the details set out below.
Contact details
Full name of legal entity: Pocket App Limited
Name or title of data privacy manager: Paul Swaddle
Email address: paul@pocketapp.co.uk
Postal address: 22 Portman Close, London, W1H 6BS
Telephone number: +44 20 7183 4388.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Changes to the privacy notice and your duty to inform us of changes
This version was last updated on 31 Jan 2023.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
Third-party links
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
The data we collect about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer the following different kinds of personal data about you, which we have grouped together as follows:
Identity Data includes first name and last name.
Contact Data includes email address and telephone numbers.
We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. We do not combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you (please also refer to section 3 below).
Google Analytics
This website uses Google Analytics, a web analytics service provided by Google, Inc. (“Google”). Google Analytics uses cookies (see above) to help us analyse how users use our site. The information generated by the cookie about your use of the website will be transmitted to and stored by Google on servers in the United States. We have activated IP-anonymisation, which will anonymise your IP address by cutting it short. In most cases this procedure will be carried out within the area of the European Union and other parties to the European Economic Area Agreement. In exceptional cases the whole IP address will be first transferred to a Google server in the USA and then shortened there. Google will use the information on behalf of DRD for the purpose of evaluating your use of the website, compiling reports on website activity for us and providing us with other services relating to website activity and internet usage. The IP address that your browser conveys within the scope of Google Analytics will not be associated with any other data held by Google. You may refuse the use of these cookies via the settings in your browser as explained above. You can also opt out of being tracked by Google Analytics in the future by downloading and installing the Google Analytics Opt-out Browser Add-on for your current web browser: http://tools.google.com/dlpage/gaoptout?hl=en
How is your personal data collected?
Direct interactions. You may give us your Identity and Contact Data by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you enquire about our products or services.
How we use your personal data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data simply to reply to an enquiry you have sent us. We will also use your personal data to send you information about our products and services.
Click here to find out more about the types of lawful basis that we will rely on to process your personal data.
Marketing
We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We have established the following personal data control mechanisms:
Promotional offers from us
We may use your personal data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).
You will receive marketing communications from us if you have requested information from us or if you provided us with your details when you have registered with us for updates and, in each case, you have not opted out of receiving that marketing.
Third-party marketing
We will get your express opt-in consent before we share your personal data with any company outside our group of companies for marketing purposes.
Opting out
You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Disclosure of your personal data
We may have to share your personal data with the parties set out below for the purposes set out in the table in paragraph 4 above.
Internal Third Parties as set out in the Glossary.
External Third Parties as set out in the Glossary.
Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
All third parties are required to respect the security of your personal data and to treat it in accordance with the law.
Cookies
Cookies are small text files that are placed on your computer by websites you visit. Cookies help make this website work and provide information to us about how users interact with our site. We use this information to improve our website.
The cookies we use help to provide us with anonymised, aggregated technical information. This is principally so that we can make sure that the website is easy to navigate, identify the areas that are of particular interest to visitors and generally improve the site and our services. The information that we collect in this process will not identify you as an individual. We do not seek to identify individual visitors unless they volunteer their contact details through one of the forms on the site. In some circumstances our records will identify organisations visiting our site and we may use that information in managing our relationship with those organisations, for example, in considering how to develop the services that we offer them.
By using our website you agree that we can place these types of cookies on your device.
When you accessed this website our cookies were sent to your web browser and stored on your computer. If you wish to remove them, you can manage this via the settings on your browser, but note that this may impact your ability to utilise this and other web sites. The way to clear cookies varies from one browser to another. You should look in the “help” menu of your web browser for full instructions. For your reference, please click the following links for details on how to manage cookies in each of the major web browsers:
For general information about cookies please visit www.allaboutcookies.org.
International transfers
We do not transfer your personal data outside the European Economic Area (EEA) other than as set out below.
Like most businesses we use software to support our operations. For example, we use Microsoft as our email provider. Your personal data may therefore be transferred out of the EEA as Microsoft and other major players in the software industry store some of their data in the U.S.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Data retention
How long will you use my personal data for?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting us.
In some circumstances you can ask us to delete your data: see Request erasure below for further information.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
Your legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data. Please click on the links below to find out more about these rights:
Request access to your personal data.
Request correction of your personal data.
Request erasure of your personal data.
Object to processing of your personal data.
Request restriction of processing your personal data.
Request transfer of your personal data.
If you wish to exercise any of the rights set out above, please contact us.
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Glossary
LAWFUL BASIS
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
THIRD PARTIES
Internal Third Parties
Our subsidiary that is based in India and which provides IT and system administration services.
External Third Parties
Service providers based in the U.S. and the UK who provide IT and system administration services.
Professional advisers who provide, for example, consultancy and legal services who are based in the UK.
Regulators and other authorities based in the UK who may require reporting of processing activities in certain circumstances.
YOUR LEGAL RIGHTS
You have the right to:
Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
Privacy Policy Staff of suppliers, customers and job applicants
Introduction
Welcome to Pocket App’s privacy notice.
Pocket App respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we look after your personal data when you contact us or when you have agreed that we can stay in touch with you and tell you about your privacy rights and how the law protects you.
This privacy notice is provided in a layered format so you can click through to the specific areas set out below. Please also use the Glossary to understand the meaning of some of the terms used in this privacy notice.
Important information and who we are
Purpose of this privacy notice
This privacy notice aims to give you information on how Pocket App collects and processes your personal data.
It is important that you read this privacy notice together with any other privacy notice or fair processing notice we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy notice supplements the other notices and is not intended to override them.
Controller
Pocket App Limited is the controller and responsible for your personal data (collectively referred to as “Pocket App”, “we”, “us” or “our” in this privacy notice).
We have appointed a data privacy manager who is responsible for overseeing questions in relation to this privacy notice. If you have any questions about this privacy notice, please contact the data privacy manager using the details set out below.
Contact details
Full name of legal entity: Pocket App Limited
Name or title of data privacy manager: Paul Swaddle
Email address: paul@pocketapp.co.uk
Postal address: 22 Portman Close, London, W1H 6BS
Telephone number: +44 20 7183 4388.
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Changes to the privacy notice and your duty to inform us of changes
This version was last updated on 22 May 2018.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
The data we collect about you
Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer the following different kinds of personal data about you, which we have grouped together as follows:
Identity Data includes first name and last name.
Contact Data includes email address and telephone numbers.
How is your personal data collected?
Direct interactions. By corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you enquire about our products or services, our needs or if there are any staff vacancies.
How we use your personal data
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data simply to reply to an enquiry you have sent us. If the business that you represent becomes our customer or supplier, we will use your personal data to work with you. We will also use your personal data to send you information about our products and services.
Click here to find out more about the types of lawful basis that we will rely on to process your personal data.
Marketing
We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. We have established the following personal data control mechanisms:
Promotional offers from us
We may use your personal data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).
You will receive marketing communications from us if you have requested information from us or if the business that you are involved in has purchased goods or services from us or if you provided us with your details when you have registered with us for updates and, in each case, you have not opted out of receiving that marketing.
Third-party marketing
We will get your express opt-in consent before we share your personal data with any company outside our group of companies for marketing purposes.
Opting out
You can ask us or third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time.
Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
Disclosure of your personal data
We may have to share your personal data with the parties set out below for the purposes set out in paragraph 4 above.
Internal Third Parties as set out in the Glossary.
External Third Parties as set out in the Glossary.
Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.
All third parties are required to respect the security of your personal data and to treat it in accordance with the law.
International transfers
We do not transfer your personal data outside the European Economic Area (EEA) other than as set out below.
Like most businesses we use software to support our operations. For example, we use Microsoft as our email provider. Your personal data may therefore be transferred out of the EEA as Microsoft and other major players in the software industry store some of their data in the U.S.
Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.
Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Data retention
How long will you use my personal data for?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by contacting us.
In some circumstances you can ask us to delete your data: see Request erasure below for further information.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
Your legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data. Please click on the links below to find out more about these rights:
Request access to your personal data.
Request correction of your personal data.
Request erasure of your personal data.
Object to processing of your personal data.
Request restriction of processing your personal data.
Request transfer of your personal data.
If you wish to exercise any of the rights set out above, please contact us.
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
Glossary
LAWFUL BASIS
Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.
THIRD PARTIES
Internal Third Parties
Our subsidiary that is based in India and which provides IT and system administration services.
External Third Parties
Service providers based in the U.S. and the UK who provide IT and system administration services.
Professional advisers who provide, for example, consultancy and legal services who are based in the UK.
Regulators and other authorities based in the UK who may require reporting of processing activities in certain circumstances.
YOUR LEGAL RIGHTS
You have the right to:
Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data’s accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
Information Security Policy
POLICY
It is the policy of Pocket App Ltd that information, as defined hereinafter, in all its forms – written, spoken, recorded electronically or printed – will be protected from accidental or intentional unauthorised modification, destruction or disclosure throughout its life cycle. This protection includes an appropriate level of security over the equipment and software used to process, store, and transmit that information.
All policies and procedures must be documented and made available to individuals responsible for their implementation and compliance. All activities identified by the policies and procedures must also be documented. All the documentation, which may be in electronic form, must be retained for at least 6 (six) years after initial creation, or, pertaining to policies and procedures, after changes are made. All documentation must be periodically reviewed for appropriateness and currency, at intervals to be determined by each entity within Pocket App Ltd.
At each entity and/or department level, additional policies, standards and procedures will be developed detailing the implementation of this policy and set of standards, and addressing any additional information systems functionality in such entity and/or department. All departmental policies must be consistent with this policy. All systems implemented after the effective date of these policies are expected to comply with the provisions of this policy where possible. Existing systems are expected to be brought into compliance where possible and as soon as practical.
SCOPE
The scope of information security includes the protection of the confidentiality, integrity and availability of information.
The framework for managing information security in this policy applies to all Pocket App Ltd entities and workers, and other Involved Persons and all Involved Systems throughout Pocket App Ltd as defined below in INFORMATION SECURITY DEFINITIONS.
This policy and all standards apply to all protected health information and other classes of protected information in any form as defined below in INFORMATION CLASSIFICATION.
RISK MANAGEMENT
A thorough analysis of all Pocket App Ltd information networks and systems will be conducted on a periodic basis to document the threats and vulnerabilities to stored and transmitted information. The analysis will examine the types of threats – internal or external, natural or manmade, electronic and non-electronic – that affect the ability to manage the information resource. The analysis will also document the existing vulnerabilities within each entity which potentially expose the information resource to the threats. Finally, the analysis will also include an evaluation of the information assets and the technology associated with its collection, storage, dissemination and protection.
From the combination of threats, vulnerabilities, and asset values, an estimate of the risks to the confidentiality, integrity and availability of the information will be determined. The frequency of the risk analysis will be determined at the entity level.
Based on the periodic assessment, measures will be implemented that reduce the impact of the threats by reducing the amount and scope of the vulnerabilities.
INFORMATION SECURITY DEFINITIONS
Affiliated Covered Entities: Legally separate, but affiliated, covered entities which choose to designate themselves as a single covered entity for purposes of HIPAA.
Availability: Data or information is accessible and usable upon demand by an authorized person.
Confidentiality: Data or information is not made available or disclosed to unauthorized persons or processes.
HIPAA: The Health Insurance Portability and Accountability Act, a federal law passed in 1996 that affects the healthcare and insurance industries. A key goal of the HIPAA regulations is to protect the privacy and confidentiality of protected health information by setting and enforcing standards.
Integrity: Data or information has not been altered or destroyed in an unauthorized manner.
Involved Persons: Every worker at Pocket App Ltd — no matter what their status.
Involved Systems: All computer equipment and network systems that are operated within the Pocket App Ltd environment. This includes all platforms (operating systems), all computer sizes (personal digital assistants, desktops, mainframes, etc.), and all applications and data (whether developed in-house or licensed from third parties) contained on those systems.
Protected Health Information (PHI): PHI is health information, including demographic information, created or received by the Pocket App Ltd entities which relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual and that identifies or can be used to identify the individual.
Risk: The probability of a loss of confidentiality, integrity, or availability of information resources.
INFORMATION SECURITY RESPONSIBILITIES
Information Security Officer: The Information Security Officer (ISO) for each entity is responsible for working with user management, owners, custodians, and users to develop and implement prudent security policies, procedures, and controls, subject to the approval of Pocket App Ltd. Specific responsibilities include:
Ensuring security policies, procedures, and standards are in place and adhered to by the entity.
Providing basic security support for all systems and users.
Advising owners in the identification and classification of computer resources. See Section VI Information Classification.
Advising systems development and application owners in the implementation of security controls for information on systems, from the point of system design, through testing and production implementation.
Educating custodian and user management with comprehensive information about security controls affecting system users and application systems.
Providing on-going employee security education.
Performing security audits.
Reporting regularly to the Pocket App Ltd Oversight Committee on the entity’s status with regard to information security.
Information Owner: The owner of a collection of information is usually the manager responsible for the creation of that information or the primary user of that information. This role often corresponds with the management of an organizational unit. In this context, ownership does not signify proprietary interest, and ownership may be shared. The owner may delegate ownership responsibilities to another individual by completing the Pocket App Ltd Information Owner Delegation Form. The owner of information has the responsibility for:
Knowing the information for which she/he is responsible.
Determining a data retention period for the information, relying on advice from the Legal Department.
Ensuring appropriate procedures are in effect to protect the integrity, confidentiality, and availability of the information used or created within the unit.
Authorizing access and assigning custodianship.
Specifying controls and communicating the control requirements to the custodian and users of the information.
Reporting promptly to the ISO the loss or misuse of Pocket App Ltd information.
Initiating corrective actions when problems are identified.
Promoting employee education and awareness by utilizing programs approved by the ISO, where appropriate.
Following existing approval processes within the respective organizational unit for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.
Custodian: The custodian of information is generally responsible for the processing and storage of the information. The custodian is responsible for the administration of controls as specified by the owner. Responsibilities may include:
Providing and/or recommending physical safeguards.
Providing and/or recommending procedural safeguards.
Administering access to information.
Releasing information as authorized by the Information Owner and/or the Information Privacy/Security Officer for use and disclosure using procedures that protect the privacy of the information.
Evaluating the cost effectiveness of controls.
Maintaining information security policies, procedures and standards as appropriate and in consultation with the ISO.
Promoting employee education and awareness by utilizing programs approved by the ISO, where appropriate.
Reporting promptly to the ISO the loss or misuse of Pocket App Ltd information.
Identifying and responding to security incidents and initiating appropriate actions when problems are identified.
User Management: Pocket App Ltd management who supervise users as defined below. User management is responsible for overseeing their employees’ use of information, including:
Reviewing and approving all requests for their employees’ access authorizations.
Initiating security change requests to keep employees’ security record current with their positions and job functions.
Promptly informing appropriate parties of employee terminations and transfers, in accordance with local entity termination procedures.
Revoking physical access for terminated employees, i.e., confiscating keys, changing combination locks, etc.
Providing employees with the opportunity for training needed to properly use the computer systems.
Reporting promptly to the ISO the loss or misuse of Pocket App Ltd information.
Initiating corrective actions when problems are identified.
Following existing approval processes within their respective organization for the selection, budgeting, purchase, and implementation of any computer system/software to manage information.
User: The user is any person who has been authorized to read, enter, or update information. A user of information is expected to:
Access information only in support of their authorized job responsibilities.
Comply with Information Security Policies and Standards and with all controls established by the owner and custodian.
Refer all disclosures of PHI (1) outside of Pocket App Ltd and (2) within Pocket App Ltd, other than for treatment, payment, or health care operations, to the applicable entity’s Medical/Health Information Management Department. In certain circumstances, the Medical/Health Information Management Department policies may specifically delegate the disclosure process to other departments. (For additional information, see Pocket App Ltd Privacy/Confidentiality of Protected Health Information (PHI) Policy.)
Keep personal authentication devices (e.g. passwords, SecureCards, PINs, etc.) confidential.
Report promptly to the ISO the loss or misuse of Pocket App Ltd information.
Initiate corrective actions when problems are identified.
INFORMATION CLASSIFICATION
Classification is used to promote proper controls for safeguarding the confidentiality of information. Regardless of classification the integrity and accuracy of all classifications of information must be protected. The classification assigned and the related controls applied are dependent on the sensitivity of the information. Information must be classified according to the most sensitive detail it includes. Information recorded in several formats (e.g., source document, electronic record, report) must have the same classification regardless of format. The following levels are to be used when classifying information:
Protected Health Information (PHI)
PHI is information, whether oral or recorded in any form or medium, that:
is created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school or university or health clearinghouse; and
relates to past, present or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present or future payment for the provision of health care to an individual; and
includes demographic data, that permits identification of the individual or could reasonably be used to identify the individual.
Unauthorized or improper disclosure, modification, or destruction of this information could violate state and federal laws, result in civil and criminal penalties, and cause serious damage to Pocket App Ltd and its patients or research interests.
Confidential Information
Confidential Information is very important and highly sensitive material that is not classified as PHI. This information is private or otherwise sensitive in nature and must be restricted to those with a legitimate business need for access.
Examples of Confidential Information may include: personnel information, key financial information, proprietary information of commercial research sponsors, system access passwords and information file encryption keys.
Unauthorized disclosure of this information to people without a business need for access may violate laws and regulations, or may cause significant problems for Pocket App Ltd, its customers, or its business partners. Decisions about the provision of access to this information must always be cleared through the information owner.
Internal Information
Internal Information is intended for unrestricted use within Pocket App Ltd, and in some cases within affiliated organisations such as Pocket App Ltd business partners. This type of information is already widely-distributed within Pocket App Ltd, or it could be so distributed within the organisation without advance permission from the information owner.
Examples of Internal Information may include: personnel directories, internal policies and procedures, most internal electronic mail messages.
Any information not explicitly classified as PHI, Confidential or Public will, by default, be classified as Internal Information.
Unauthorized disclosure of this information to outsiders may not be appropriate due to legal or contractual provisions.
Public Information
Public Information has been specifically approved for public release by a designated authority within each entity of Pocket App Ltd. Examples of Public Information may include marketing brochures and material posted to Pocket App Ltd entity internet web pages.
This information may be disclosed outside of Pocket App Ltd.
COMPUTER AND INFORMATION CONTROL
All involved systems and information are assets of Pocket App Ltd and are expected to be protected from misuse, unauthorised manipulation, and destruction. These protection measures may be physical and/or software based.
Ownership of Software: All computer software developed by Pocket App Ltd employees or contract personnel on behalf of Pocket App Ltd or licensed for Pocket App Ltd use is the property of Pocket App Ltd and must not be copied for use at home or any other location, unless otherwise specified by the license agreement.
Installed Software: All software packages that reside on computers and networks within Pocket App Ltd must comply with applicable licensing agreements and restrictions and must comply with Pocket App Ltd acquisition of software policies.
Virus Protection: Virus checking systems approved by the Information Security Officer and Information Services must be deployed using a multi-layered approach (desktops, servers, gateways, etc.) that ensures all electronic files are appropriately scanned for viruses. Users are not authorized to turn off or disable virus checking systems.
Access Controls: Physical and electronic access to PHI, Confidential and Internal information and computing resources is controlled. To ensure appropriate levels of access by internal workers, a variety of security measures will be instituted as recommended by the Information Security Officer and approved by Pocket App Ltd. Mechanisms to control access to PHI, Confidential and Internal information include (but are not limited to) the following methods:
Authorization: Access will be granted on a “need to know” basis and must be authorized by the immediate supervisor and application owner with the assistance of the ISO. Any of the following methods are acceptable for providing access under this policy:
Context-based access: Access control based on the context of a transaction (as opposed to being based on attributes of the initiator or target). The “external” factors might include time of day, location of the user, strength of user authentication, etc.
Role-based access: An alternative to traditional access control models (e.g., discretionary or non-discretionary access control policies) that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization’s structure and business activities. Each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role.
User-based access: A security mechanism used to grant users of a system access based upon the identity of the user.
Identification/Authentication: Unique user identification (user id) and authentication is required for all systems that maintain or access PHI, Confidential and/or Internal Information. Users will be held accountable for all actions performed on the system with their user id.
At least one of the following authentication methods must be implemented:
strictly controlled passwords (Attachment 1 – Password Control Standards), biometric identification, and/or tokens in conjunction with a PIN. The user must secure his/her authentication control (e.g. password, token) such that it is known only to that user and possibly a designated security manager. An automatic timeout re-authentication must be required after a certain period of no activity (maximum 15 minutes). The user must log off or secure the system when leaving it.
Data Integrity: Pocket App Ltd must be able to provide corroboration that PHI, Confidential, and Internal Information has not been altered or destroyed in an unauthorised manner. Listed below are some methods that support data integrity:
transaction audit, disk redundancy (RAID), ECC (Error Correcting Memory), checksums (file integrity), encryption of data in storage, digital signatures
Transmission Security: Technical security mechanisms must be put in place to guard against unauthorized access to data that is transmitted over a communications network, including wireless networks. The following features must be implemented:
integrity controls and encryption, where deemed appropriate
Remote Access: Access into Pocket App Ltd network from outside will be granted using Pocket App Ltd approved devices and pathways on an individual user and application basis. All other network access options are strictly prohibited. Further, PHI, Confidential and/or Internal Information that is stored or accessed remotely must maintain the same level of protections as information stored and accessed within the Pocket App Ltd network.
Physical Access: Access to areas in which information processing is carried out must be restricted to only appropriately authorized individuals.
The following physical controls must be in place:
Mainframe computer systems must be installed in an access-controlled area. The area in and around the computer facility must afford protection against fire, water damage, and other environmental hazards such as power outages and extreme temperature situations.
File servers containing PHI, Confidential and/or Internal Information must be installed in a secure area to prevent theft, destruction, or access by unauthorized individuals.
Workstations or personal computers (PC) must be secured against use by unauthorized individuals. Local procedures and standards must be developed on secure and appropriate workstation use and physical safeguards which must include procedures that will:
Position workstations to minimize unauthorized viewing of protected health information.
Grant workstation access only to those who need it in order to perform their job function.
Establish workstation location criteria to eliminate or minimize the possibility of unauthorized access to protected health information.
Employ physical safeguards as determined by risk analysis, such as locating workstations in controlled access areas or installing covers or enclosures to preclude passerby access to PHI.
Use automatic screen savers with passwords to protect unattended machines.
Facility access controls must be implemented to limit physical access to electronic information systems and the facilities in which they are housed, while ensuring that properly authorized access is allowed. Local policies and procedures must be developed to address the following facility access control requirements:
Contingency Operations – Documented procedures that allow facility access in support of restoration of lost data under the disaster recovery plan and emergency mode operations plan in the event of an emergency.
Facility Security Plan – Documented policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft.
Access Control and Validation – Documented procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.
Maintenance records – Documented policies and procedures to document repairs and modifications to the physical components of the facility which are related to security (for example, hardware, walls, doors, and locks).
Emergency Access:
Each entity is required to establish a mechanism to provide emergency access to systems and applications in the event that the assigned custodian or owner is unavailable during an emergency.
Procedures must be documented to address:
Authorization, Implementation, and Revocation
Equipment and Media Controls: The disposal of information must ensure the continued protection of PHI, Confidential and Internal Information. Each entity must develop and implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain PHI into and out of a facility, and the movement of these items within the facility. The following specification must be addressed:
Information Disposal / Media Re-Use of:
Hard copy (paper and microfilm/fiche)
Magnetic media (floppy disks, hard drives, zip disks, etc.) and
CD ROM Disks
Accountability: Each entity must maintain a record of the movements of hardware and electronic media and any person responsible therefore.
Data backup and Storage: When needed, create a retrievable, exact copy of electronic PHI before movement of equipment.
Other Media Controls:
PHI and Confidential Information stored on external media (diskettes, cd-roms, portable storage, memory sticks, etc.) must be protected from theft and unauthorized access. Such media must be appropriately labeled so as to identify it as PHI or Confidential Information. Further, external media containing PHI and Confidential Information must never be left unattended in unsecured areas.
PHI and Confidential Information must never be stored on mobile computing devices (laptops, personal digital assistants (PDA), smart phones, tablet PCs, etc.) unless the devices have the following minimum security requirements implemented:
Power-on passwords
Auto logoff or screen saver with password
Encryption of stored data or other acceptable safeguards approved by Information Security Officer
Further, mobile computing devices must never be left unattended in unsecured areas.
If PHI or Confidential Information is stored on external medium or mobile computing devices and there is a breach of confidentiality as a result, then the owner of the medium/device will be held personally accountable and is subject to the terms and conditions of Pocket App Ltd Information Security Policies and Confidentiality Statement signed as a condition of employment or affiliation with Pocket App Ltd.
Data Transfer/Printing:
Electronic Mass Data Transfers: Downloading and uploading PHI, Confidential, and Internal Information between systems must be strictly controlled. Requests for mass downloads of, or individual requests for, information for research purposes that include PHI must be approved through the Internal Review Board (IRB). All other mass downloads of information must be approved by the Application Owner and include only the minimum amount of information necessary to fulfill the request. Applicable Business Associate Agreements must be in place when transferring PHI to external entities (see Pocket App Ltd policy B-2 entitled “Business Associates”).
Other Electronic Data Transfers and Printing: PHI, Confidential and Internal Information must be stored in a manner inaccessible to unauthorized individuals. PHI and Confidential information must not be downloaded, copied or printed indiscriminately or left unattended and open to compromise. PHI that is downloaded for educational purposes should, where possible, be de-identified before use.
Oral Communications: Pocket App Ltd staff should be aware of their surroundings when discussing PHI and Confidential Information. This includes the use of cellular telephones in public areas. Pocket App Ltd staff should not discuss PHI or Confidential Information in public areas if the information can be overheard. Caution should be used when conducting conversations in: semi-private rooms, waiting rooms, corridors, elevators, stairwells, cafeterias, restaurants, or on public transportation.
Audit Controls: Hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use PHI must be implemented. Further, procedures must be implemented to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports. These reviews must be documented and maintained for six (6) years.
Evaluation: Pocket App Ltd requires that periodic technical and non-technical evaluations be performed in response to environmental or operational changes affecting the security of electronic PHI to ensure its continued protection.
Contingency Plan: Controls must ensure that Pocket App Ltd can recover from any damage to computer equipment or files within a reasonable period of time. Each entity is required to develop and maintain a plan for responding to a system emergency or other occurrence (for example, fire, vandalism, system failure and natural disaster) that damages systems that contain PHI, Confidential, or Internal Information. This will include developing policies and procedures to address the following:
Data Backup Plan:
A data backup plan must be documented and routinely updated to create and maintain, for a specific period of time, retrievable exact copies of information.
Backup data must be stored in an off-site location and protected from physical damage.
Backup data must be afforded the same level of protection as the original data.
Disaster Recovery Plan: A disaster recovery plan must be developed and documented which contains a process enabling the entity to restore any loss of data in the event of fire, vandalism, natural disaster, or system failure.
Emergency Mode Operation Plan: A plan must be developed and documented which contains a process enabling the entity to continue to operate in the event of fire, vandalism, natural disaster, or system failure.
Testing and Revision Procedures: Procedures should be developed and documented requiring periodic testing of written contingency plans to discover weaknesses and the subsequent process of revising the documentation, if necessary.
Applications and Data Criticality Analysis: The criticality of specific applications and data in support of other contingency plan components must be assessed and documented.
Compliance [§ 164.308(a)(1)(ii)(C)]
The Information Security Policy applies to all users of Pocket App Ltd information including: employees, medical staff, students, volunteers, and outside affiliates. Failure to comply with Information Security Policies and Standards by employees, medical staff, volunteers, and outside affiliates may result in disciplinary action up to and including dismissal in accordance with applicable Pocket App Ltd procedures, or, in the case of outside affiliates, termination of the affiliation. Failure to comply with Information Security Policies and Standards by students may constitute grounds for corrective action in accordance with Pocket App Ltd procedures. Further, penalties associated with state and federal laws may apply.
Possible disciplinary/corrective action may be instituted for, but is not limited to, the following:
Unauthorized disclosure of PHI or Confidential Information as specified in Confidentiality Statement.
Unauthorized disclosure of a sign-on code (user id) or password.
Attempting to obtain a sign-on code or password that belongs to another person.
Using or attempting to use another person’s sign-on code or password.
Unauthorized use of an authorized password to invade patient privacy by examining records or information for which there has been no request for review.
Installing or using unlicensed software on Pocket App Ltd computers.
The intentional unauthorised destruction of Pocket App Ltd information.
Attempting to get access to sign-on codes for purposes other than official business, including completing fraudulent documentation to gain access.
— ATTACHMENT 1 —
Password Control Standards
The Pocket App Ltd Information Security Policy requires the use of strictly controlled passwords for accessing Protected Health Information (PHI), Confidential Information (CI) and Internal Information (II). (See Pocket App Ltd Information Security Policy for definition of these protected classes of information.)
Listed below are the minimum standards that must be implemented in order to ensure the effectiveness of password controls.
Standards for accessing PHI, CI, II:
Users are responsible for complying with the following password standards:
Passwords must never be shared with another person, unless the person is a designated security manager.
Every password must, where possible, be changed regularly (between 45 and 90 days, depending on the sensitivity of the information being accessed).
Passwords must, where possible, have a minimum length of eight characters.
Passwords must never be saved when prompted by any application with the exception of central single sign-on (SSO) systems as approved by the ISO. This feature should be disabled in all applicable systems.
Passwords must not be programmed into a PC or recorded anywhere that someone may find and use them.
When creating a password, it is important not to use words that can be found in dictionaries or words that are easily guessed due to their association with the user (e.g. children’s names, pets’ names, birthdays, etc.). A combination of alphabetic and numeric characters is more difficult to guess.
Where possible, system software must enforce the following password standards:
Passwords routed over a network must be encrypted.
Passwords must be entered in a non-display field.
System software must enforce the changing of passwords and the minimum length.
System software must disable the user identification code when more than three consecutive invalid passwords are given within a 15-minute timeframe. Lockout time must be set at a minimum of 30 minutes.
System software must maintain a history of previous passwords and prevent their reuse.
Cookies
Cookies In Use on This Site
Cookies and how they Benefit You
Our website uses cookies, as almost all websites do, to help provide you with the best experience we can.
Cookies are small text files that are placed on your computer or mobile phone when you browse websites.
Our cookies help us:
Make our website work as you’d expect
Remember your settings during and between visits
Improve the speed/security of the site
Allow you to share pages with social networks like Facebook
We do not use cookies to:
Collect any personally identifiable information (without your express permission)
Collect any sensitive information (without your express permission)
Pass data to advertising networks
Pass personally identifiable data to third parties
Pay sales commissions
You can learn more about all the cookies we use below.
Granting us permission to use cookies
If the settings on the software that you are using to view this website (your browser) are adjusted to accept cookies, we take this, and your continued use of our website, to mean that you are fine with this. Should you wish to remove or not use cookies from our site, you can learn how to do this below; however, doing so will likely mean that our site will not work as you would expect.
More about our Cookies
Website Function Cookies
Our own cookies
We use cookies to make our website work including:
Remembering your search settings
There is no way to prevent these cookies being set other than to not use our site.
Social Website Cookies
So you can easily “Like” or share our content on the likes of Facebook and Twitter we have included sharing buttons on our site.
Cookies are set by:
The privacy implications on this will vary from social network to social network and will be dependent on the privacy settings you have chosen on these networks.
Turning Cookies Off
You can usually switch cookies off by adjusting your browser settings to stop it from accepting cookies (Learn how here). Doing so, however, will likely limit the functionality of ours and a large proportion of the world’s websites, as cookies are a standard part of most modern websites.
It may be that your concerns around cookies relate to so-called “spyware”. Rather than switching off cookies in your browser, you may find that anti-spyware software achieves the same objective by automatically deleting cookies considered to be invasive. Learn more about managing cookies with antispyware software.
The cookie information text on this site was derived from content provided by Attacat Internet Marketing http://www.attacat.co.uk/, a marketing agency based in Edinburgh. If you need similar information for your own website you can use their free cookie audit tool.