In compliance with the Data Protection Act 1998 (DPA) Faculti Servers are hosted on Digital Ocean in New York, USA, which comply with the EU-U.S. Privacy Shield Framework as set forth by the US Department of Commerce regarding the collection, use, and retention of Personal Data from European Economic Area ("EEA") member countries.
The Data Protection (Charges and Information) Regulations 2018 requires every organisation that processes personal information to belong to the Information Commissioner’s Office (ICO), unless they are exempt. Faculti is a registered member.
While you are signed-up for Faculti services, Faculti needs to collect, store, use and disclose certain data about you. We require this information for our normal business purposes, such as services to future and current users. When we process data about you, we have to observe the requirements of the Data Protection Act 1998. The Act establishes a framework within which information about living individuals can be legally gathered, stored, used and disseminated. At its core are eight Data Protection Principles which Faculti and other organisations must abide by. These specify that personal information must be:
Processed fairly and lawfully, and only if certain conditions are met.
Obtained for specified and lawful purposes, and not used for purposes other than those for which it was gathered.
Adequate, relevant and not excessive.
Accurate and where necessary kept up to date.
Kept for no longer than necessary.
Processed in accordance with individuals' rights.
These protections apply to information in electronic form, and to many types of data in paper form. Further information about the Data Protection Act is available from the Information Commissioner's Office, an independent body that monitors compliance with the Act.
Faculti Data Protection Policy
Sharing data with Faculti follows two mechanisms:
Data you will be sharing with Faculti via an SSO (Single-sign on authentication) such as IP or Shibboleth.
External single sign-on systems such as Shibboleth create a session that allows the end-user to move from resource to resource without re-entering their credentials. Therefore no data is shared with Faculti other than attribute data (username). IP use the client/server model of communication to enable communication between computers and computer networks of the same or different types. Faculti uses the group's IP address (IP) to make an initial connection to the DB2 location and data that is shared with Faculti is location and attribute data (Faculti assigned username).
Data you will be sharing with Faculti as an Individual User or Group of Users
Faculti will collect data about you in the course of our dealings with you as a registered user or users, for example, when you sign-up for our platform or app, or via your organisation/institution. By commencing or enrolling as a Faculti user, you consent to Faculti collecting, storing, using and otherwise processing data about you for any purposes connected with your usage as a Faculti user. Faculti will only use your data fairly and lawfully in accordance with our obligations under the Data Protection Act (outlined above). This means that we will process your data in a way which respects the Data Protection Principles set down in the Act, and your rights under the Act. Any use by Faculti of your data must also be covered by our registration with the Information Commissioner. This is available on the Information Commissioner's Office website, and describes in a general way how we process personal data about users and other individuals. The Data Protection Act requires us to keep your data secure. This means that your confidentiality will be respected, and all appropriate measures will be taken to prevent unauthorised disclosure. Only members of staff who need access to relevant parts or all of your data will be authorised to do so. Information about you in electronic form will be subject to password and other security restrictions. Although it is not possible to state every purpose for which your information will be used, the following are examples of how it is likely to be used while you are a registered user:
To administer basic functionality of the platform (sign up/login/membership functions).
To administer financial aspects of your registration as a user (e.g. payment of fees, debt collection).
To produce management statistics and to conduct research into the effectiveness of our content and products.
For internal and external audits, and quality assurance exercises.
For Faculti marketing and user relations purposes.
Faculti will only disclose information about you with your consent, or where disclosure without your consent is required or permitted by law. Where this involves the transfer of your data outside the European Economic Area, data will only be transferred if one of the conditions set down in the Data Protection Act has been met.
Faculti do not store credit card details nor do we share customer details with any 3rd parties.
Data is securely stored on Faculti.net servers and may be transferred to, and stored at, a destination outside the European Economic Area.
Faculti Information Compliance Manager
Our Information Compliance Manager is responsible for Faculti's compliance with the Data Protection Act, and can provide general advice on Data Protection issues. For any issues please contact the Information Compliance Manager by writing to: Information Compliance Manager, Faculti Media Limited, Office 7, 35-37 Ludgate Hill, London, EC4M 7JN, United Kingdom.
Access by Data Subjects
A data subject may make a subject access request (“SAR”) at any time to see the information which the Company holds about them.
SARs must be made in writing, accompanied by the correct fee.
The Company currently requires a fee of £10 (the statutory minimum) with all SARs.
Upon receipt of a SAR the Company shall have a maximum period of 40 days within which to respond. The following information will be provided to the data subject:
Whether or not the Company holds any personal data on the data subject;
A description of any personal data held on the data subject;
Details of what that personal data is used for;
Details of any third-party organisations that personal data is passed to; and
Details of any technical terminology or codes.
Notification to the Information Commissioner’s office
As a data controller, the Company is required to notify the Information Commissioner’s Office that it is processing personal data. The Company is registered in the register of data
controllers. Data controllers must renew their notification with the Information Commissioner’s Office on an annual basis. Failure to notify constitutes a criminal offence. Any changes to the register must be notified to the Information Commissioner’s Office within 28 days of taking place. The Designated Officer shall be responsible for notifying and updating the Information Commissioner’s Office.
Implementation of Policy
This Policy shall be deemed effective as of 1st of January 2020. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.
This Policy has been approved & authorised by:
Name: Sam Mohammad
Position: Managing Director
Date: 1st of January 2021