AMION Consulting is committed to good practice in the handling of personal data and careful compliance with the requirements of the Data Protection Act 2018 (DPA 2018), the UK General Data Protection Regulation (the regulations) and other relevant legislation relating to the safe handling, use, storage, retention and disposal of personal and business data.
We are committed to good data management, in order to protect people from harm. In the main this means:
• keeping information securely, in the right hands; and
• holding good quality information.
AMION Consulting also ensures that it takes account of the legitimate concerns of individuals about the ways in which their data may be used. In particular, we aim to be open and transparent in the way we use personal data and, where relevant, to give individuals a choice over what data is held and how it is used.
All staff will be inducted and trained in AMION Consulting’s policies and procedures regarding data protection and security and the requirement to comply with these.
AMION Consulting is registered under the Data Protection Act for the purposes of providing Consultancy and Advisory Services and undertaking research. AMION maintains an up-to-date Notification with the Information Commissioner as required by law, with registration number ZB638469.
Personal Data: any information relating to a person who can be directly or indirectly identified, in particular, by reference to an identifier. Identifiers can include name, identification number, location data or online identifier.
Data Controller: the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Data processor: natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Data Protection Officer (DPO): DPOs assist an organisation to monitor internal compliance, inform and advise on data protection obligations, provide advice regarding Data Protection Impact Assessments (DPIAs) and act as a contact point for data subjects and the Information Commissioner’s Office (ICO).
Data subject: refers to any living person who is the subject of personal data (see above for the definition of ‘personal data’) held by the organisation. A data subject must be identifiable by name, ID, address, online identifier or other factors such as physical, physiological, genetic, mental, economic or social.
Information Commissioner’s Office (ICO): the UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
Processing: refers to any action taken in relation to personal data including, but not limited to, collection, adaptation, alteration, recording, storage, retrieval, consultation, use, disclosure, dissemination, combination or deletion, whether by automated means or otherwise.
Special categories of data: racial or ethnic origin; political opinions; religious or philosophical beliefs; trade-union membership; biometric data (where used for identification purposes); data concerning health; data concerning a person’s sex life or sexual orientation.
The purpose of our data processing is as follows:
• to recruit, employ and make payments to staff;
• to undertake research as part of our consultancy projects;
• to operate customer and supplier accounts;
• to provide our consultancy services; and
• to communicate with individuals and other organisations with whom we work.
AMION is committed to adhering to Article 5 of the UK GDPR, which lists the seven principles of data protection:
• lawfulness, fairness and transparency: the organisation is committed to process data lawfully, fairly and in a transparent manner.
• purpose limitation: the organisation collects personal data for specified, explicit and legitimate purposes. The organisation does not further process data in a manner that is incompatible with those purposes.
• data minimisation: the organisation is committed to process data that is adequate, relevant and limited to what is necessary.
• accuracy: personal data are kept accurate and up to date.
• storage limitation: the organisation is committed to keep personal data for no longer than necessary.
• integrity and confidentiality: the organisation processes data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
• accountability: the organisation is able to demonstrate compliance.
AMION processes personal data by identifying a ‘lawful basis’ chosen from the six possibilities set out in Article 6 of the UK GDPR:
• with consent of the data subject.
• for a contract involving the data subject.
• to meet a legal obligation.
• to protect any personal vital interests.
• for government and judicial functions.
• in the organisation’s legitimate interests provided the data subject’s interests are respected.
The most common lawful bases that the organisation identifies are consent, contract, legal obligation and legitimate interests. The lawful bases for the different processing activities are recorded in the Record of Processing Activities (ROPA) spreadsheet, which is maintained and reviewed regularly.
The organisation collects personal information from different groups of data subjects:
• employees;
• job applicants;
• clients; and
• occasionally, research participants.
The directors recognise their overall legal responsibility for data protection compliance.
Day to day responsibility for data protection is delegated to the Chief Executive, whose main responsibilities are as follows:
• reviewing data protection and related policies;
• advising staff on data protection issues;
• ensuring that data protection induction and regular training takes place;
• approving unusual or controversial disclosures of personal data;
• dealing with data protection breaches;
• approving contracts with data processors (external contractors and suppliers of outsourced services);
• notification (i.e. registration with the Information Commissioner); and
• handling requests from individuals in relation to their personal data.
Staff have the following responsibilities:
• assisting in identifying aspects of their area of work which have data protection implications so that guidance can be provided as necessary;
• ensuring that their activities take full account of data protection requirements; and
• ensuring data protection and confidentiality is included in the induction and training of all staff for which they are responsible.
All staff are responsible for understanding and complying with the procedures that AMION has adopted in order to ensure data protection compliance and to protect personal data from loss, misuse or inappropriate disclosure.
Good data protection practice is, wherever relevant, incorporated into AMION’s everyday operational procedures:
• transparency, so that all the individuals about whom data is collected are made aware of the uses that AMION makes of information about them, and in particular to whom it may be disclosed – see also Privacy notice below and on the website;
• informed consent, where necessary – see Consent below;
• good quality data, so that all the data held about individuals is accurate and can be justified as adequate, relevant and not excessive;
• clear archiving and retention periods – see Retention schedule below;
• security proportionate to the risk of information being lost or falling into the wrong hands.
AMION Consulting reviews all contracts with external data processors to ensure compliance with data protection legislation. The business complies with the ICO’s recommendations regarding third party contracts wherever practicable.
AMION maintains a record of the categories of individuals, the personal data processed, where and how the data is stored, the format in which the data is held and the lawful basis for processing the data.
As soon as possible, personal data that is no longer required for a given objective is destroyed, deleted or, where required, returned to the client. In addition, AMION conducts an annual data audit to ensure that personal data is not retained for longer than necessary. Monthly checks are also carried out to ensure that pre-determined retention dates for secure documentation are adhered to.
AMION’s privacy notice, available on our website, sets out the groups of people whose data we process, the basis for processing the data and the purpose of the processing. It describes when we communicate with people and how their data is handled by the business including how long it is kept.
Where we have identified that the lawful basis for processing a person’s data is Consent, evidence will be kept of the provision of this consent. This consent will be in the form of an opt-in to receive information from the business and evidence of consent should be in one of the following forms:
• opt-in using an online link (records from the site collecting the data and the wording shown on the site when the individual opts in and any updates with dates); or
• opt-in using a paper form (the form in pdf).
The business will provide a facility in each communication to allow the individual to opt out of any communication from the business.
Subcontractors – AMION requires all sub-contractors who provide services to AMION that in any way involve access to personal data to comply with data protection legislation and to include a clear statement in the contract to that effect.
IT service providers – AMION makes use of “software as a service” and third parties to store and process data in the cloud. All IT service providers are required to meet security standards for all data stored, whether this is in a database, on our website, or being processed on a third party’s systems. AMION has Cyber Essentials accreditation for all data stored on its own systems and access to the data is restricted to those who need to see it to provide the relevant services.
Article 4(12) of the UK GDPR defines a personal data breach as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.
These are the steps taken by AMION in case of a data breach:
• Any staff member who discovers a personal data breach is required to immediately inform the Chief Executive who is the data protection lead and to complete the breach reporting form.
• The staff member and/or the Chief Executive must ensure that the breach is not still occurring and take any immediate mitigating action that may reduce the impact of the breach.
• In conjunction with Article 33(1) of the UK GDPR, the organisation must report the data breach to the ICO within 72 hours ‘unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons’. The decision to report such a breach will be made by the organisation. If the breach is reported, the accountable person will make the report using the ICO’s website. Factors that may determine whether a breach is reportable include:
  • sensitivity of the categories of data;
  • quantity of data concerned; and
  • whether there is a potential for a high risk of harm to the data subjects concerned.
• Mitigating factors that may be considered when deciding not to report a breach include:
  • the data are retrievable; and
  • evidence that the data have been contained and that those who may have access will not process the data in such a way as to cause harm or distress to the data subjects concerned.
• If the data breach is reported to the ICO, AMION will make available any documents or records that the ICO requires to pursue its inquiries. The organisation will cooperate with the ICO on any request and record any guidance the ICO gives in relation to the breach in the activity, incident and risk reporting spreadsheet.
• If the data breach is likely to result in a high risk to the rights and freedoms of natural persons (e.g., where the breach could result in ID theft or fraud; physical harm; significant humiliation and/or damage to reputation) the organisation would need to communicate the breach of their personal data without undue delay to the affected individuals. In some circumstances, the organisation may decide not to inform the individuals if by doing so it would cause more damage and anxiety to the data subjects than the data breach itself.
• If the individuals are informed of the data breach, the organisation will also ask whether they want to lodge a formal complaint with the ICO about how their personal data has been managed.
• The data breach is then logged in the activity, incident and risk reporting spreadsheet in order to identify lessons the organisation can learn and the changes that can be made. If the data breach is reported to the ICO, the case number supplied by the ICO will be recorded in the activity, incident and risk reporting spreadsheet.
• Staff are trained where required to ensure the breach does not happen again.
If there is a possibility that the breach could amount to a criminal offence, the matter shall be referred immediately to the relevant authorities.
AMION Consulting is fully aware of the data subject rights described in Articles 15 to 22 of the UK GDPR and these are listed in the privacy notice. The data subjects’ rights include:
• the right to be informed;
• the right of access;
• the right of rectification;
• the right to be forgotten (erasure);
• the right to restrict processing;
• the right to data portability;
• the right to object to processing; and
• rights in relation to automated decision making and profiling.
Additional rights of the data subjects:
• the right not to receive direct marketing;
• the right to claim damages should they suffer any loss as a result of a breach of the provisions of the GDPR; and
• the right to complain – right to request that the ICO carry out an assessment.
If data subjects wish to exercise any rights, they can contact us at info@amion.co.uk. They are reminded of their rights and how to exercise them in the privacy notice published on our website (www.amion.co.uk/privacy).
All staff members are trained to recognise an incoming request to exercise any right, to understand when the right applies and to pass it on without delay to the designated person.
All requests from data subjects to exercise any rights are recorded into the Activity, Incident and Risk reporting spreadsheet.
Under certain circumstances, mostly described in Schedules 2-4 of the DPA (2018), the organisation may not need to comply with the request by a data subject to exercise one of their rights. Those circumstances will be assessed on a case-by-case basis.
Data subjects have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the UK GDPR. The organisation is committed to complying with this right and does so via the privacy notice.
The right of access and SAR procedure
A data subject has the right to make access requests in respect of personal data that is held and disclosed. To understand how we deal with Subject Access Requests, please view our SAR policy.
AMION Consulting is aware of the provisions in Article 16 of the UK GDPR: if the data subject becomes aware that the organisation is holding incorrect information about them, they have the right for it to be corrected, and if their information is incomplete, they can also submit additional information to be added. In conjunction with Article 19 of the UK GDPR, we inform anyone to whom the data have been disclosed of the right exercised by the data subject, unless this ‘proves impossible or involves disproportionate effort’. AMION Consulting will also inform the data subject which recipients the data have been disclosed to, if they ask.
If a data subject asks the organisation to delete their information, as stated in Article 17, the organisation will do so without undue delay when:
• the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
• the data subject withdraws consent (if that is the basis on which the processing is taking place), and where there is no other legal ground for the processing;
• the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
• the personal data have been unlawfully processed;
• the personal data have to be erased for compliance with a legal obligation; and/or
• the personal data have been collected in relation to the offer of online services to a child.
In addition, if the organisation has made the information public, the organisation must try to get it erased in other locations as well. In conjunction with Article 19 of the UK GDPR, the organisation informs anyone to whom the data have been disclosed, unless this ‘proves impossible or involves disproportionate effort’. The organisation will also inform the data subject which recipients the data have been disclosed to, if they ask. There are exceptions to the ‘right to be forgotten’ for reasons relating to freedom of expression, public health, archiving, research and statistics, legal claims and legal obligation.
There may also be circumstances where the organisation has no choice but to retain data, for example to mark a record for suppression in order to ensure that no direct marketing is sent to that individual in the future.
AMION will process a request for erasure without undue delay and within one month of receipt.
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
• the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
• the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
• the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
• the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.
The right to data portability applies when processing is based on consent or a contract between the organisation and the data subject and the processing is taking place ‘by automated means’. It allows data subjects to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way, without affecting its usability.
Data subjects are entitled to receive from the organisation a copy of any personal data they have provided, in a ‘structured, commonly used and machine-readable format’, so that they can provide the data to a different controller.
Data subjects can object to any processing of their data that AMION is carrying out on the lawful basis of legitimate interests. The organisation will stop processing if not able to demonstrate ‘compelling legitimate grounds’.
Automated decision-making takes place when an electronic system uses personal information to make a decision without human intervention. Profiling refers to any form of personal data processing that is automated, with the intention of assessing personal aspects of a data subject or analysing a data subject’s employment performance, economic status, whereabouts, health, personal preferences and behaviour.
The data subject has the right to object to profiling and a right to be informed of the fact that profiling is taking place, as well as the intended outcome(s) of the profiling. The data subject has the right not to have decisions made about them solely by automated processing if this has a significant effect on them, unless the decision is necessary in conjunction with a contract between the data subject and the controller or the data subject has provided explicit consent.
AMION Consulting does not currently undertake automated decision making.
Every data subject has the right not to receive direct marketing if that is their choice.
If a data subject has been harmed by a breach of data protection legislation, they can take the controller to court for compensation.
If data subjects wish to make a complaint or share a concern, they should first be encouraged to liaise directly with the organisation. They can make a complaint or send an email to info@amion.co.uk. The email will be forwarded to the Chief Executive, who will respond within 5 working days and lead on the resolution of the complaint within 28 days.
As stated in the privacy notice, we inform data subjects that they can also make a complaint to the ICO and request that the ICO carry out an assessment of whether any of the provisions of the UK GDPR have been breached. Data subjects can remain anonymous if they wish.
Last updated: 1 September 2025