Rockford Associates, a leading UK Accounts Payable Review provider

Rockford Associates Limited (as Data Processor)

Privacy Notice

This privacy notice provides details of how Rockford Associates Limited (“Rockford”) will process and protect data provided by an organisation (“the client”) who has engaged Rockford to undertake recovery audit services. This data will be Accounts Payable supplier master and transaction data which might include information on individuals (personal data).

Rockford will process the personal data in compliance with the GDPR.

Rockford will process the personal data for the following purposes only:

  • to identify potential overpayments made by the client to their suppliers;
  • to produce management reports for the client.

Rockford will treat the personal data and any other information provided by the client as confidential and will ensure that access to the personal data is limited to only those employees who need to access it for the purposes detailed above. Furthermore, Rockford will ensure that persons authorised to process the personal data have committed themselves to confidentiality.

Rockford will not disclose the personal data to a third party in any circumstances without the permission of the client, unless the disclosure is required by law.

Rockford will not knowingly or wilfully do or omit to do anything that would cause the client to be in breach of the GDPR.

Rockford will notify the client of any security breach that may impact the processing or security of the personal data within twenty-four hours of discovering or becoming aware of any such breach. Rockford will cooperate with the client’s investigation of the incident and implementation of any required corrective action agreed between the parties.

Rockford will not sub-contract any of the processing without the explicit written consent of the client and where such written consent is provided, Rockford will ensure that any sub-contractor it uses to process the personal data will comply with the provisions of this Privacy Notice.

Rockford will employ appropriate operational and technological processes and procedures to keep the personal data safe from unauthorised use or access, loss, destruction, theft or disclosure (please refer to Data Security Statement below). When a data subject access request or other request exercising a Data Subject s rights under the GDPR (right to erasure, rectification, restriction or objection) is received for personal data processed under the terms of this Agreement or where the client is required to respond to any investigation conducted by the Information Commissioner as a result, then Rockford will co-operate with the client to enable compliance with any obligations which may arise from such investigation or request.

Rockford will not transfer the personal data outside of the European Economic Area.

On completion of our services, Rockford shall:

(a) securely delete all instances of client data in all forms (physical or electronic) and shall confirm deletion to the client in writing; and

(b) shall cease processing any personal data on behalf of the client.

Rockford have appointed a Data Protection Officer who is responsible for privacy related matters. If you have any questions about this privacy notice, please contact the Data Protection Officer using the details set out below.

Company Name:  Rockford Associates Limited

Data Protection:   Officer: David Hinds

Email address:     davidhinds@rockfordassociates.co.uk

Postal address:     Aston Court, Kingsmead Business Park, High Wycombe HP11 1LA

Data Security Statement

Any data that is given to Rockford by a client will remain encrypted at every stage during the full lifecycle of our work.

The following data security arrangements will apply during the contract:

Data Collection and Processing

Once data needed for our audit has been extracted by a client, we would ask that it be encrypted and uploaded to our secure Citrix ShareFile site. All file transfers through the ShareFile service are encrypted using 256-bit SSL. Alternatively, Rockford can download the data from a client file sharing site if that is a preferred approach.

Client data received for the purposes of the audit will be stored and processed on a non-networked server in our office. Only our data processing team has access to this server and the server is whole disk encrypted. Our office is a modern building featuring the latest security and card entry system with 24-hour remote monitoring security. Access to the Rockford office within Aston Court is further secured with a key locked entrance.

Review

During the course of our work, client data will also be stored on an employee (auditor) laptop and back-up media, all of which are also whole disk encrypted (Bitlocker). All passwords used by Rockford to login in to processing servers and laptops are 14 characters long, mixed-case and containing mixed alphanumeric characters. All laptops have Norton Internet Security installed and all are configured to automatically apply any operating system and application software updates and patches.

Any physical or electronic transmission or transfer within Rockford (or between Rockford and the client) that may include client data will be encrypted prior to transmission or transfer. All employees have the facility (ShareFile) to encrypt email content and attachments as required.

No item of Rockford IT equipment is ever handed to 3rd parties for repair, disposal or for any other purpose.

Review Close

Rockford will remove and destroy all instances of data at the conclusion of our work with our client. This will require removal of data in electronic format from our processing server, ShareFile site (if this has been used for collecting data from the client) and from our employee laptop(s) and back-up media. We minimise the use of printed material, but will shred any printed material that contains client sensitive data (using a mobile shredding service at our office which is witnessed by a Rockford employee and certified as destroyed by the shredding provider). When all data has been removed as described, we will confirm this in writing to our client.

Employees are required to immediately inform the Directors of the company in the event of loss of equipment or any other actual or suspected breach of data security.

The Directors would immediately report a breach of data security to our client with a view to taking appropriate action to mitigate the impact of such breach.

All Rockford employees are issued with the current version of our Information Security Policies and Procedures document. Rockford employee contracts include a requirement to adhere to IT security, data protection and client confidentiality policy.

Rockford is accredited with the Cyber Essentials and Cyber Essentials Plus Schemes. Our annual certification with these Schemes requires review and audit by a third party of our IT infrastructure, procedures and measures taken to ensure cyber security.