IAMT Data Protection Policy (formerly IABM)

Data Protection Policy

IABM (trading as IAMT) is committed to being transparent about how it collects and uses the personal data of its workforce, and to meeting its data protection obligations. This policy sets out IAMT's commitment to data protection, and individual rights and obligations in relation to personal data.

This policy applies to the personal data of job applicants, employees, contractors, volunteers, interns, apprentices and former employees, referred to as HR-related personal data. It does not apply to the personal data of clients or other personal data processed for business purposes.

IAMT has appointed Lucinda Meek, Finance Director, as the person responsible for data protection compliance. Questions about this policy, or requests for further information, should be directed to her.


Definitions

Personal data is any information that relates to a living individual who can be identified from that information. Processing is any use that is made of data, including collecting, storing, amending, disclosing or destroying it.

Special categories of personal data means information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life or sexual orientation, and genetic and biometric data.

Criminal records data means information about an individual's criminal convictions and offences, and information relating to criminal allegations and proceedings.


Data Protection Principles

IAMT processes HR-related personal data in accordance with the following principles:

  • Personal data is processed lawfully, fairly and in a transparent manner.
  • Personal data is collected only for specified, explicit and legitimate purposes.
  • Personal data is adequate, relevant and limited to what is necessary for the purposes of processing.
  • Personal data is kept accurate, and all reasonable steps are taken to rectify or delete inaccurate data without delay.
  • Personal data is kept only for the period necessary for processing.
  • Appropriate measures are adopted to keep personal data secure, and protected against unauthorised or unlawful processing, and accidental loss, destruction or damage.

IAMT tells individuals the reasons for processing their personal data, how it uses such data and the legal basis for processing in its privacy notices. Where IAMT relies on legitimate interests as the basis for processing, it will carry out an assessment to ensure those interests are not overridden by the rights and freedoms of individuals.

Where IAMT processes special categories of personal data or criminal records data to perform obligations or exercise rights in employment law, this is done in accordance with its policy on special categories of data and criminal records data.

IAMT will update HR-related personal data promptly if an individual advises that their information has changed or is inaccurate. Personal data gathered during the employment, contractor or volunteer relationship is held in the individual's personnel file (in hard copy, electronic format, or both) and on HR systems. Retention periods are contained in IAMT's privacy notices to individuals.

IAMT keeps a record of its processing activities in respect of HR-related personal data in accordance with the requirements of the UK General Data Protection Regulation (UK GDPR).


Individual Rights

As data subjects, individuals have a number of rights in relation to their personal data.

Subject Access Requests

Individuals have the right to make a subject access request. If a request is made, IAMT will provide the individual with:

  • Confirmation of whether their data is processed, and if so, why - including the categories of personal data concerned and the source of the data if not collected directly from the individual
  • Details of to whom their data is or may be disclosed, including recipients outside the UK, and the safeguards that apply to such transfers
  • The period for which their personal data is stored, or how that period is determined
  • Information about their rights to rectification, erasure, restriction or objection
  • Their right to complain to the Information Commissioner's Office (ICO) if they believe IAMT has failed to comply with their data protection rights
  • Whether IAMT carries out automated decision-making and the logic involved in any such decisions

IAMT will also provide a copy of the personal data undergoing processing. This will normally be in electronic form where the request was made electronically, unless agreed otherwise.

To make a subject access request, the individual should contact Lucinda Meek. In some cases, IAMT may need to verify identity before processing the request. IAMT will normally respond within one month of receipt. Where IAMT processes large amounts of data, it may extend this to three months, and will notify the individual within the first month if this is the case.

If a subject access request is manifestly unfounded or excessive - for example, if it repeats a request to which IAMT has already responded - IAMT is not obliged to comply. It may alternatively agree to respond but charge a fee based on the administrative cost of doing so. IAMT will notify the individual if this applies.

Other Rights

Individuals may also require IAMT to:

  • Rectify inaccurate data
  • Stop processing or erase data that is no longer necessary for the purposes of processing
  • Stop processing or erase data if the individual's interests override IAMT's legitimate grounds for processing
  • Stop processing or erase data if processing is unlawful
  • Restrict processing for a period if data is inaccurate or if there is a dispute about whether the individual's interests override IAMT's legitimate grounds for processing

To exercise any of these rights, individuals should contact Lucinda Meek.


IAMT MAI – AI-Powered Chatbot

IAMT operates an AI-powered chatbot called IAMT MAI, accessible to all visitors to the IAMT website. This section explains how personal data is processed in connection with that service.

How IAMT MAI Works

IAMT MAI is designed to surface information from documents and files uploaded to the IAMT website by members, as well as relevant member profile data, in response to user queries. It does not independently collect personal data beyond what is necessary to generate a response to a query submitted through the interface.

What Data is Processed

When a visitor interacts with IAMT MAI, the following categories of data may be processed:

  • Query content submitted by the user during the chat session
  • Member profile data held on IAMT's systems, where relevant to the query
  • Content from documents and files uploaded to the website by IAMT members

IAMT MAI may therefore surface personal data contained within uploaded documents. Members who upload documents to the IAMT website should be aware that the content of those documents may be accessible via IAMT MAI to any website visitor.

Legal Basis for Processing

IAMT processes personal data through IAMT MAI on the basis of legitimate interests (Article 6(1)(f) UK GDPR), specifically to provide a useful information resource to the MediaTech community in furtherance of IAMT's organisational purposes. IAMT has assessed that this interest is not overridden by the rights and freedoms of the individuals whose data may be surfaced, given the professional and public-facing nature of the content involved.

Where members upload documents containing personal data, they do so on the understanding that such content may be surfaced publicly via IAMT MAI.

Data Minimisation and Retention

IAMT takes reasonable steps to ensure that only relevant and proportionate information is surfaced by IAMT MAI in response to queries. Chat session data is not retained beyond the active session unless the user has otherwise consented or retention is required for security or compliance purposes.

International Transfers

IAMT MAI does not transfer personal data to countries outside the United Kingdom in connection with its operation.

Your Rights in Relation to IAMT MAI

Individuals whose personal data may be surfaced via IAMT MAI retain all rights set out in the Individual Rights section of this policy, including the right to request erasure or rectification. To exercise these rights, or to raise a concern about data surfaced by IAMT MAI, please contact Lucinda Meek.


Data Security

IAMT takes the security of HR-related personal data seriously. IAMT has internal policies and controls in place to protect personal data against loss, accidental destruction, misuse or disclosure, and to ensure that data is not accessed except by employees in the proper performance of their duties. Please refer to IAMT's Data Security Policy for further detail.

Where IAMT engages third parties to process personal data on its behalf, such parties do so on the basis of written instructions, are under a duty of confidentiality, and are obliged to implement appropriate technical and organisational measures to ensure the security of data.


Data Breaches

If IAMT discovers a breach of HR-related personal data that poses a risk to the rights and freedoms of individuals, it will report it to the Information Commissioner's Office (ICO) within 72 hours of discovery. IAMT will record all data breaches regardless of their effect.

If a breach is likely to result in a high risk to the rights and freedoms of individuals, IAMT will notify affected individuals of the breach, its likely consequences, and the mitigation measures it has taken.


International Data Transfers

In the case of employees and contractors working outside the UK, HR-related personal data may be transferred to other countries in order for IAMT to fulfil its obligations as an employer. Data is transferred outside the UK on the basis of a declaration of adequacy where possible.


Individual Responsibilities

Individuals are responsible for helping IAMT keep their personal data up to date. Individuals should notify IAMT if their data changes - for example, if they move house or change their bank details.

Individuals may have access to the personal data of other individuals and of IAMT's customers and clients in the course of their employment or contract. Where this is the case, IAMT relies on individuals to help meet its data protection obligations.

Individuals who have access to personal data are required to:

  • Access only data that they have authority to access and only for authorised purposes
  • Not disclose data except to individuals - whether inside or outside IAMT - who have appropriate authorisation
  • Keep data secure by complying with rules on access to premises, computer access (including password protection), and secure file storage and destruction
  • Not remove personal data, or devices containing or able to access personal data, from IAMT's premises without adopting appropriate security measures such as encryption or password protection
  • Not store personal data on local drives or personal devices used for work purposes
  • Report data breaches of which they become aware to Lucinda Meek immediately

Failing to observe these requirements may amount to a disciplinary offence, dealt with under IAMT's disciplinary procedure. Significant or deliberate breaches - such as accessing employee or customer data without authorisation or a legitimate reason - may constitute gross misconduct and could lead to dismissal without notice.