Product Privacy Notice and Policy
V1.4 Updated 01.05.2024
Quantarc Ltd
Baglan Bay Innovation Centre
Baglan Energy Park
Central Avenue
Port Talbot
SA12 7AX
Contents
1. POLICY
2. THE QUANTARC SOFTWARE ENVIRONMENT
3. THE NATURE AND SCOPE OF THE DATA
4. RIGHTS OF DATA SUBJECTS
5. CONSENT BASED DATA PROCESSING TASKS ON BEHALF OF CLIENTS
   5.1 ANONYMISATION OF PERSONAL DATA
   5.2 DELETION OF CLIENT BACKUPS (WHICH ARE NOT ANONYMISED)
   5.3 MANAGEMENT OF NON-ANONYMISED CLIENT DATABASES
   5.4 MANAGEMENT OF ANONYMISED DATABASES
   5.5 DATABASES HELD OUTSIDE QUANTARC NETWORKS
6. PROCEDURES IN THE EVENT OF A DATA BREACH
1. Policy
This policy covers any personal data held in client databases that Quantarc handles.
This policy will be reviewed and updated annually. As part of this process, the
procedures herein will be audited to evaluate their effectiveness and corrective action
taken where necessary.
Quantarc acts as a Data Processor as defined by the General Data Protection Regulation
(GDPR) on behalf of its clients, who are Data Controllers in respect of the staff and
supplier / contractor information held in their Quantarc database.
Quantarc must comply with the requirements of the Data Protection Act 1998 and
associated regulations including the General Data Protection Regulation (GDPR). This
includes our notification obligations in the event of a data breach. Quantarc is
registered with the ICO (Information Commissioner’s Office) and our policies, processes
and procedures have been reviewed by our solicitors for compliance with GDPR.
The GDPR requires data controllers and processors to implement security controls that
ensure the ongoing confidentiality, integrity, availability, and resilience of processing
systems and services. Confidentiality means that data access is permitted on a need-to-
know basis only. Integrity means the data remains accurate and complete. Availability
means that authorized users are able to access the data when needed. Resilience means
that the system can continue to operate even in the event of a failure.
The remaining sections of this document set out the procedures that we must follow to
ensure confidentiality, integrity, availability and resilience of data and the actions we will
take in the event of a data breach.
2. The Quantarc Software environment
Q2 Estates and Facilities Management System (Q2) uses the latest software
development technologies. Only users who are authenticated through the organisation’s
Azure AD or other authentication system can access it. Once authenticated by Azure, the
Q2 system will assign user rights and access levels according to the user’s assigned roles
within the system.
Q2 can be delivered on-premises (ie. hosted on the client’s software environment) or via
Quantarc’s hosting environments.
Where the system is hosted on client servers, server security comes under the
jurisdiction of the client.
For systems hosted by Quantarc, we use Microsoft Azure servers that are located in the
UK. Azure has the benefit of a secure infrastructure that draws upon global security
intelligence. We use the many control options within Azure to protect our hosted
applications and provide cost-effective security for clients.
For the Q2 system itself, we use HTTPS and TLS protocols to provide further layers of
security and data protection. Users are authenticated via Azure AD (which can be
synchronised with your own Active Directory system) or through User accounts within
Q2.
Each hosted client has their own independent, isolated Q2 instance and dedicated
database server. Client databases are backed up nightly and retained for an agreed
period of time.
Any exporting of data is strictly controlled and any movement of data is formally
documented and logged.
3. The nature and scope of the data
The bulk of the data within the Q2 Estates and Facilities Management System relates to
site and building information. However, staff will post requests and estates supervisors
and technicians will process the resultant jobs. External contractors and consultants will
also pick up jobs that are assigned to them, consult the asbestos register or permit to
work system etc. This means that some personal data (ie. requestor information and
supervisor / technician / contractor names etc) are held in the system. This includes:
All users (including requestors, estates staff and contractors):
• Login Information from a directory service such as Azure AD and including:
  o Name
  o Title
  o Department or Organization
  o Email addresses
  o Telephone contact number
Estates users:
• Staff IDs
• Q2 User Account and Profile Information including basic staff names and contact
  details
• Service Information (eg. in relation to the modules each user accesses)
• Usage Data
The information held in the Q2 system is limited to work related contact information
only. This does not fall into the GDPR ‘special categories of personal data’ and no
personal financial data or other personal information of this nature is held. There are no
children or other vulnerable groups involved. It is not novel in any way. Clients already
hold and use this information in existing CAFM, IWMS and other systems.
4. Rights of data subjects
Under the GDPR, the data controller and data protection officer (if applicable) are
responsible for ensuring that the rights of data subjects are met.
In respect of personal data held for Quantarc staff and suppliers, Quantarc is the data
controller whereas for Client systems, the client organisation is the data controller.
The Q2 Helpdesk includes functionality that allows the client organisation to provide
information for its data subjects. This area is fully flexible and can be configured by each
client organisation in recognition that:
• Data subjects have the right to receive privacy information including the identity and
  contact details of the data protection officer. They are also entitled to know the
  purposes of processing their data, the legal basis for processing, the recipients or
  categories of recipients of personal data, and information about international
  transfers.
• Data subjects also have the right to access their personal data. They also have the
  right to rectify any inaccurate personal data.
• Data subjects have the right to request erasure of their personal data. This is also
  known as the “right to be forgotten” and applies in certain circumstances. Data
  subjects also have the right to restrict processing of their personal data.
• Data subjects have the right to receive their personal data in a structured, commonly
  used and machine-readable format and have the right to transmit that data to
  another controller without hindrance from the controller to which the personal data
  has been provided.
5. Consent based data processing tasks on behalf of clients
From time to time, Quantarc is required to assist clients with data processing tasks. This
may be for support purposes, at the outset of a new software, survey or data project or
during a data cleansing exercise.
In order to undertake these tasks, Quantarc must have consent from our clients. This is
in the form of the Data Processing Agreement that is part of the maintenance and
support contract documentation for each Q2 system.
Client organisations must also, in turn, gain consent from their staff and suppliers to
include the data outlined in Section 3 in the Q2 system. It is expected that when
institutions notify their staff and suppliers that the system is available, they will also gain
the necessary consent to hold basic name and contact information in the system.
In the event that users wish to opt out, Quantarc must work with the institution’s Azure
AD (or other authentication system) administrator to ensure that the details of
individuals who wish to ‘opt-out’ are in an appropriately segregated directory that will be
excluded from the Azure AD / Q2 data synchronization process.
The following sub-sections describe the ways in which we must minimise the risks of a
data breach during the processing of client data.
5.1 Anonymisation of personal data
Unless otherwise required by a data-processing task or bug fix that requires personal
data requested by an institution, Quantarc will anonymise personal data within the
database as soon as this is restored. This involves running a data script that carries out
the following actions:
1. Staff forenames and surnames are changed to “none”.
2. Staff email addresses are changed to support@quantarc.co.uk
3. The staff number is changed to the database ID for the staff record. The staff
number typically stores the staff member’s unique identifier from LDAP or
whichever directory solution they use.
4. The entered by field is cleared, i.e. set to null
5. The staff notes field is cleared, i.e. set to null
6. Labour Individual records have the names set to the database ID for the labour
individual record
7. All user records (including Q_Users and Intranet users) have the username set to
the database ID for the user record
8. All helpdesk records have the originator set to none
9. All helpdesk records have the email address set to support@quantarc.co.uk
10. All helpdesk history records have the update by value set to null
11. All cost values within the financial module are set to zero
12. All contractor records have their email addresses set to none@none.ac.uk
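The actions listed above can be run as one transactional script followed by a scan for leftovers. This is an added example, not Quantarc's script: the SQLite schema, the table and column names (including the free-text description column) and the sample rows are assumptions constructed for illustration, and only steps 1-5, 8-10 and 12 are covered.

```python
import sqlite3
# Hypothetical schema: table and column names are assumptions, not Q2's own.
SCHEMA = """
CREATE TABLE staff (id INTEGER PRIMARY KEY, forename TEXT, surname TEXT,
    email TEXT, staff_number TEXT, entered_by TEXT, notes TEXT);
CREATE TABLE helpdesk (id INTEGER PRIMARY KEY, originator TEXT, email TEXT,
    description TEXT);
CREATE TABLE helpdesk_history (id INTEGER PRIMARY KEY, updated_by TEXT);
CREATE TABLE contractor (id INTEGER PRIMARY KEY, email TEXT);
"""
# Steps 1-5, 8-10 and 12 from the list above.
STEPS = [
    "UPDATE staff SET forename='none', surname='none'",
    "UPDATE staff SET email='support@quantarc.co.uk'",
    "UPDATE staff SET staff_number=CAST(id AS TEXT)",
    "UPDATE staff SET entered_by=NULL, notes=NULL",
    "UPDATE helpdesk SET originator='none', email='support@quantarc.co.uk'",
    "UPDATE helpdesk_history SET updated_by=NULL",
    "UPDATE contractor SET email='none@none.ac.uk'",
]
PLACEHOLDERS = {"support@quantarc.co.uk", "none@none.ac.uk"}

def anonymise(conn):
    with conn:  # single transaction: every step is applied, or none is
        for stmt in STEPS:
            conn.execute(stmt)

def residual_emails(conn):
    """List (table, column, value) cells that still hold a non-placeholder '@' value."""
    hits = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for col in [r[1] for r in conn.execute(f"PRAGMA table_info('{table}')")]:
            query = f"SELECT [{col}] FROM [{table}] WHERE [{col}] LIKE '%@%'"
            hits += [(table, col, v) for (v,) in conn.execute(query)
                     if v not in PLACEHOLDERS]
    return hits

def demo():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # Constructed sample rows, not real client data.
    conn.execute("INSERT INTO staff VALUES (1,'Ann','Lee','ann.lee@example.org','LDAP-77','jbloggs','x')")
    conn.execute("INSERT INTO helpdesk VALUES (1,'Ann Lee','ann.lee@example.org','reply to ann.lee@example.org')")
    conn.execute("INSERT INTO helpdesk_history VALUES (1,'jbloggs')")
    conn.execute("INSERT INTO contractor VALUES (1,'bob@example.net')")
    before = residual_emails(conn)
    anonymise(conn)
    return before, residual_emails(conn), conn.execute("SELECT * FROM staff").fetchone()
```

In this constructed data the only hit left after the script runs is the free-text description column, which is the kind of field a scan across every column picks up after a restore.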
5.2 Deletion of Client backups (which are not anonymised)
By definition, Client database backups are not anonymised as they are a backup of the
client’s live data. They contain personal information and any loss of these backups must
be reported back to the Data Controller (i.e. the Client) under the General Data
Protection Regulation (GDPR).
Client backups must be removed from our network as soon as they have been
successfully restored and anonymised.
5.3 Management of non-anonymised client databases
Occasionally it is necessary for Quantarc to hold databases that are not anonymised. For
example, we may be investigating an issue for a specific user and we need to log in with
that user’s credentials.
The creation of any non-anonymised database shall be recorded on a data register
containing:
i. Date of creation
ii. Purpose
iii. Planned date of removal
iv. Actual date of removal
There will be a diary system in place to ensure that databases are removed as planned.
The register and our network will be regularly audited to ensure that this policy is being
adhered to.
5.4 Management of Anonymised databases
Even though the personal data within a database may be anonymised, it will still contain
sensitive information such as an organisation’s financial (not personal) records.
Therefore, they should always be kept to a minimum.
The reasons for holding anonymised databases on Quantarc’s network include:
a) Replica of Live for support purposes
For general ongoing support, there should only ever be one restored client database on
our servers at any one time. This will be a replica of the Client’s Live database.
Important note: For every software client, we must keep a replica of Live for support
purposes. This will use a restored and anonymised copy of their Live database. The
backup of the Live database must always be removed.
b) Copy of Live DB for testing new releases
Whilst we and the client are testing a new release, there will be a second client
database on our servers. This will be used for the new release Test system. This
database must also be anonymised and any new backup of the client’s Live database
must be removed.
c) Copy of Live DB for data projects
In the event that we are undertaking a data project, one or more additional client
databases may be required. We will either use a new copy of the client’s live database (if
recent data is required) or we will restore a new backup of the anonymised copy of the
Live database that we already hold.
Summary
In summary, the maximum numbers of client databases that will be kept on our servers
are:
Database type             Number                     Disposal method
------------------------  -------------------------  ------------------------------------------------
Support                   1                          Delete the original when we obtain a new backup
                                                     of Live for support purposes.
                                                     Delete the original when a new release goes live
                                                     and becomes the support database.
New release               0 or 1                     This becomes the support database when a client
                                                     goes live with the new release.
Project                   Usually 0 but can be =>1   Delete as soon as project is complete
Project (non-anonymised)  Usually 0 but can be =>1   Delete as soon as project is complete
5.5 Databases held outside Quantarc networks
Personal Data must never be transferred outside the EU. We have no reason to do so.
Occasionally it is necessary to install a Q2 system on a laptop or other device for the
purposes of a client visit, for example.
In the event of this:
• No personal data is permitted to be held on laptops or PCs that sit outside the office
  network. Any client databases that are transferred to other devices must be
  anonymised.
• Only a minimal number of essential anonymised databases should be held locally. A
  register of these will be maintained.
• Client database backup files and non-anonymised databases must never be held on
  laptops or PCs that sit outside the office network.
6. Procedures in the event of a Data breach
A personal data breach is defined within the GDPR as a breach of security leading to the
accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access
to personal data transmitted, stored or otherwise processed.
Quantarc must report any client data breaches to the client organisation(s) as well as the
Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the
breach.