Terms and Conditions
Info Secure Ltd. is dedicated to bringing individuals’ Personal Data into their possession. There is no reason for another entity to have the Personal Data of an individual. Personal Data should be owned, possessed and controlled solely by the individual.
Info Secure Ltd. is focused on assisting Recruitment Agencies, Businesses and other Organisations to follow the GDPR regulations by providing a “consent” system (Appendix 3) using a central hub platform with instant access to view but not store or print Documentation and Personal Data.
ReferencePass.com is compliant with GDPR and in the case of GDPR, referencepass.com is a Data Controller as determined by GDPR terminology. Referencepass.com is not a Data Processor.
For the purpose of clarity of the role of referencepass.com and Data:
ReferencePass = Data Controller without involvement in Data Processor activities
All control has been handed to the User, who is the owner of their own data and so is the controller of that data.
For this reason: ReferencePass.com cannot be defined as a Data Controller and will be referred to in this Agreement as “SUPPLIER”
The Supplier is supplying storage space for users to store their data. This is comparable to a physical safety deposit box, which ReferencePass.com does not access and regards as PRIVATE to users.
These Terms and Conditions fall in line with GDPR regulations and even if users are not from a GDPR regulated country, it is in all users’ interest to support GDPR regulations as this legislation was set up for the right to privacy and the exercise of human data protection rights.
Info Secure Ltd. does not use, process, share, own, produce, transfer, store for own purpose or profit from data. Info Secure Ltd. provides a platform for users to store and transfer data in a safe and secure manner with guidance on keeping to GDPR regulations but Info Secure Ltd. plays no part in the activities on the platform.
These Terms and Conditions cover the relationships between Info Secure Ltd, individuals, businesses, agencies, schools, charities and other organisations/institutions.
For the purpose of clear identity:
Info Secure Ltd. = Supplier
Individual Users = Controller/Processor
Businesses/Agencies/Schools/Institutions/Other Organisations = Authorised User (AU)
Individual Person = Data Subject
Appendix 1 – Agreement between Supplier and all users
Appendix 2 – Individual Obligation
Appendix 3 – Companies/Businesses/Agencies/Schools/Institutions/Other Organisations Obligations
Appendix 1 – Agreement between Supplier and All Users
This Agreement covers the storing of personal data (the “Data Storage Agreement”) that regulates Info Secure Ltd., Company registration no. 11479453 (UK) (the “Supplier”) storage of personal data on behalf of the customer (the “Controller”) and is classed as a subscription agreement (the “Main Agreement”), in which the parties have agreed the terms for the Supplier’s delivery of services to the Controller (the “Main Services”).
- (a) The Data Storage Agreement shall ensure that the Supplier complies with the applicable data protection and privacy legislation (the Applicable Law), including in particular
- (i) The European Parliament and the Council’s Directive 95/46/EF of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The Supplier does not process data and therefore any regulation regarding processing is not relevant to the service provided by the Supplier. All movement of Data is done by the user known as the Controller.
- (ii) The European Parliament and the Council’s Regulation 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data that entered into force on 24 May 2016 and made applicable on 25 May 2018 (“GDPR”). The Supplier does not access, own, use, process, share, transfer, profit or control the Data uploaded and stored on its platform by the Controller and will not view Data without consent from Controller.
2. Processing of personal data
- (a) In connection with the Supplier’s delivery of the Services to the Controller, the Supplier will never process the Controller’s data except in the rare case of a Controller’s request to do so.
- (i) The Supplier will only use data needed to allow the functioning of the website
- (ii) Controller’s email address will be used by the Supplier for communications with the Controller.
- (iii) Email addresses will not be connected with sensitive information other than Controller’s RP Number.
- (b) “Personal data” include “any information relating to an identified or identifiable natural person” as defined in GDPR, article 4 (1) (the ”Personal Data”). The Supplier is not a data processor and only performs activities that are necessary and relevant to run the service provided.
What Information Info Secure Ltd. (referencepass.com) collects from its Users.
- Data you give on the registration process such as your name, company name, email address, phone number, billing address or credit card information, and location when you call or email us for means of contacting user, verifying user is a real entity, support or otherwise. It is part of the Supplier’s duty to make sure users are genuine.
- Payment information when you purchase some of our services, including credit card data.
- Cookies enable certain functions on the website including letting users access their accounts. Data is not used in order to personalise content and ads. Personal Data is never shared about users usage of this site with advertisers or social media.
- (a) The Supplier is only providing an online safety deposit web space and may only act in accordance with the documented instruction from the Controller (the “Instruction”). The Instruction at the time of entering into this Data Storage Agreement is that the Supplier may only access the Personal Data with the knowledge of the Controller and for the purpose of delivering the Services as described in the Agreement.
- (b) The Controller guarantees that the Personal Data uploaded to the website is done by the Controller in accordance with the Applicable Law, including the legislative requirements re. lawfulness
- (c) The Supplier shall give notice without undue delay if the Supplier considers at the time that any Instruction given is in conflict with the Applicable Law including GDPR regulations.
- (d) The Supplier can view Controller’s Profile and view the content that the Controller freely offers for public view. The Supplier will not view the Data the Controller uploads with the intention to be unseen.
4. The Supplier’s obligations
- (a) The Supplier shall treat all the Personal Data as strictly confidential information. The Personal Data may not be copied, transferred or otherwise processed in conflict with the Instruction, unless the Controller in writing has agreed to the Supplier doing so
- (b) The Supplier’s employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat all the Personal Data under this Data Storage Agreement with strict confidentiality.
- (c) The Supplier shall implement the appropriate technical and organisational measures as set out in this Agreement and in the Applicable Law, including in accordance with GDPR, article 32.
- (d) The Supplier shall ensure that access to Personal Data is restricted to only the employees to whom it is necessary and relevant to view the Personal Data with the knowledge of the Controller in order for the Supplier to perform its obligations under the Main Agreement of Service and this Data Storage Agreement.
- (e) The Supplier shall also ensure that the Supplier’s employees that may view the Personal Data only view the Personal Data in accordance with the Controller’s Instruction.
- (f) The Supplier shall provide documentation for the Supplier’s security measures if requested by the Controller in writing when such information is not compromising to the security of the Supplier’s service operations as too much detailed information could jeopardise security exposure.
- (g) If the Supplier’s assistance is necessary and relevant, the Supplier shall assist the Controller in preparing data protection impact assessments in accordance with GDPR, article 35, along with any prior consultation in accordance with GDPR, article 36.
- (h) If the Controller receives a request from a ‘Data Subject’ for the exercise of the Data Subject’s rights under the Applicable Law and the correct and legitimate reply to such a request necessitates the Supplier’s assistance, the individual user ceases to be the Controller. In such a case, the Supplier will have to take on the role of the Controller. (For the purposes of legislation and legal terms, and to prevent confusion, the Data Subject and Controller cannot be the same.) The Supplier and the Controller (in this case) are one and the same entity and the Supplier shall (as acting Controller) offer assistance by providing the necessary information and documentation only after receiving a written request from the Data Subject to do so, and only if the request is a technical request to gather information in a way that the Data Subject, when acting as one’s own Controller (as permitted with this product and service), is incapable of retrieving without assistance. The Supplier shall be given reasonable time to assist the Data Subject with such requests in accordance with the Applicable Law.
- (i) If the Supplier receives a request from a Data Subject for the exercise of the Data Subject’s rights under the Applicable Law and such request is related to the Personal Data of the Data Subject, the Supplier must respond immediately informing the Data Subject on the procedure in place to fulfil the request. The Supplier shall be given reasonable time to assist the Data Subject with such requests in accordance with the Applicable Law.
- (j) If the Supplier receives a request from a Third-Party concerning information on a Data Subject and such a request is related to the Personal Data of the Data Subject, the Data Subject has rights under the Applicable Law and the Supplier will defend the right to privacy of all users on this platform. In such a case, the Supplier is not the Controller. This product and service operates on the premise that all users are the Controllers of their own data. If the Supplier receives requests from a Third-Party, the Supplier must immediately forward the request to the Controller and must refrain from responding to that Third Party directly. The data that a Controller stores with the Supplier is never accessible by the Supplier. The Supplier supplies a safety deposit web space, locked and secured, accessible only by the Controller. There is no Agreement in place for the Supplier to ever attempt to gain access to the Controller’s data and the Supplier will only ever view the Controller’s Data with knowledge and permission from the User. To enter a Controller’s private web space is classed as trespassing even by the Supplier, and to access Data without permission of the Controller is in the same class as theft. This could be bent in cases of speculation such as having files stored in relation to abuse. In such cases, the Supplier holds an impartial role to freeze the account and arrange with the Controller to witness the content of the private deposit space. The Controller will be considered innocent. It will be for the Supplier to view data in-house, not open to inspection by Third-Party (unless consent given by Controller) and the Supplier’s inspection will be accepted. If the Controller is then found to be in violation on criminal grounds, the Supplier has a duty to confirm. This platform will remain clean.
- (a) The Supplier shall give immediate notice to the Controller if a breach of data security occurs, that can lead to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of or access to, personal data transmitted, stored or otherwise processed regarding the Personal Data stored on behalf of the Controller (a “Personal Data Breach”).
- (b) The Supplier shall have and maintain a register of all Personal Data Breaches. The register shall at a minimum include the following:
- (i) A description of the nature of the Personal Data Breach, including, if possible, the categories and the approximate number of affected users and the categories and the approximate number of affected registrations of personal data.
- (ii) A description of the likely as well as actually occurred consequences of the Personal Data Breach.
- (iii) A description of the measures that the Supplier has taken or proposes to take to address the Personal Data Breach, including, where appropriate, measures taken to mitigate its adverse effects.
- (iv) The register of Personal Data Breaches shall be provided to the Controller in copy, if so requested in writing by the Controller or the relevant Data Protection Agency.
- (c) Documentation of compliance: The Supplier shall, after the Controller’s written request, provide documentation substantiating that:
- (i) the Supplier complies with its obligations under this Data Storage Agreement and the Instruction; and
- (ii) the Supplier complies with the Applicable Law in respect of the storing of the Data Controller’s Personal Data.
- (iii) The Supplier’s documentation of compliance shall be provided within reasonable time.
- (a) The Supplier is exempted from liability for non-performance with the Agreement if the performance of the obligations under the Agreement would be in conflict with any changed Instruction or if contractual delivery in accordance with the changed Instruction is impossible. This could for instance be the case:
- (i) violation of GDPR regulations
- (ii) if the changes to the Instruction cannot technically, practically or legally be implemented;
- (iii) where the Controller explicitly requires that the changes to the Instruction shall be applicable before the changes can be implemented; and
- (iv) in the period of time until the Agreement is changed to reflect the new Instruction and commercial terms hereof.
- (v) If changes to the Applicable Law, including new guidance or courts practice, result in additional costs to the Supplier, the Controller shall indemnify the Supplier of such documented costs.
7. Breach and liability
The Agreement’s regulation of breach of contract and the consequences hereof shall apply equally to this Data Storage Agreement as if this Data Storage Agreement is an integrated part hereof.
- (a) Each party’s cumulated liability under this Data Storage Agreement is limited to the payments made under the Agreement in the 12 months before the occurrence of the circumstances leading to a breach of contract. If the Data Storage Agreement has not been in force for 12 months before the occurrence of the circumstances leading to a breach of contract, the limited liability amount shall be calculated proportionately based on the actual performed payments.
- (b) The limitation of liability does not apply to the following:
- (i) Losses as a consequence of the other party’s gross negligence or willful misconduct.
- (ii) A party’s expenses and resources used to perform the other party’s obligations, including payment obligations, towards a relevant data protection agency or any other authority.
- (c) The Data Storage Agreement shall remain in force until the Agreement is updated or terminated.
- (a) The Supplier’s authorisation to store Personal Data for the Controller shall be annulled at the termination of this Data Storage Agreement.
- (b) The Supplier will send 3 email reminders to Controllers and AUs approaching the end of subscription advising for renewal.
- (c) The Controller and the AU are expected to withdraw all Personal Data from their Profile (Safety Deposit web space) before termination.
- (d) The Supplier shall continue to store the Personal Data for up to 20 days after the termination of the Data Storage Agreement to the extent it is necessary and required under the Applicable Law. In the same period, the Supplier is entitled to include the Personal Data in the Data Supplier’s backup. The Supplier’s storing of the Controller’s and AU’s Personal Data in the TWENTY days after the termination of this Data Storage Agreement shall be considered as being in accordance with the Instruction. However, the Controller and the AU have TEN days after termination to request in writing an extraction of the Personal Data to be sent to the Controller/AU in a manner agreed by both parties. After the TEN days after termination, the Controller’s/AU’s Personal Data will be moved to archive for a further TEN days in preparation for being destroyed. The Supplier will be able to extract the Personal Data from archive for a fee to the Controller/AU. After the TWENTY day period after termination, the Personal Data will be destroyed.
- (e) The RP Number will remain the User’s ID after termination and may be reactivated.
9. Contact information
- (a) The contact information for the Supplier is provided on the website.
- (b) The contact information for business users, agencies, schools, institutions, charities are found on their Profile.
- (c) The contact information for Controllers (average users) can be obtained directly from the Controller and cannot be obtained from the Supplier.
Appendix 2 – Individual Obligation (Subscriptions for Individuals)
Info Secure Ltd. is dedicated to bringing individuals’ Personal Data into their possession. There is no reason for another entity to have the Personal Data of an individual. Personal Data should be owned, possessed and controlled solely by the individual. The standard user has the right to grant permission or deny access to their own data on this platform.
Your Permission to other parties to view your data is Your Consent
Individual = Controller
AU = Companies/Businesses/Agencies/Schools/Institutions (Authorised Users)
- (a) Controllers will have their own double-sided Profile and a RP Number. This Profile acts as an online safety deposit web space.
- (b) The Profile will only display non-sensitive information for public viewing
- (i) The Controller must not display personal details for public viewing such as date of birth, address, email address. Your RP Number is enough information for users to navigate the website; any other required information can be acquired with your permission (Controller consent).
- (c) The Controller will be able to store Personal Data inside/behind the Profile for viewing/sharing/ transferring with Controller permission
- (d) Controller can use Profile to share documentation for viewing not for giving away.
- (i) Passport
- (ii) Driving Licence
- (iii) Certificates
- Birth Certificate
- Deposit certificates and bonds
- (iv) Title deeds
- (v) Professional Licences
- (vi) Proof of address
- (vii) Proof of Social Security
- (viii) References
- (ix) Criminal Records Document (Institutions, future employers, Schools)
- (x) Other electronic documents
- (e) The controller shall only upload the data corresponding to the Controller known as Own Data onto Profile. The controller will not upload Data that does not correspond to the Controller.
- (i) Exception to rule (Appendix 2. 1. d) is to upload data of Own children under the age of 16.
- (ii) All images of Controller’s children are classed as sensitive data. Images may be uploaded onto Controller’s Profile as hidden, not to be displayed as viewable. There can be a reason to display children on Profile if the images correspond to the purpose of the Profile. Example: Profile used to promote children activities require images with children. In-house-assessment will be exercised in such circumstance.
- (iii) Children are minors and may have a Profile and RP Number of their own with Parental/Guardian/School guidance and supervision.
- (a) Only AU Visitors to Controller’s Profile can view a document or Personal information of Controller by asking the Controller to view. The Controller must actively release the data to the AU. The act of releasing information to another party is automatic Controller Consent.
- (b) The AU should not attempt to print the information shared by Controller for viewing.
- (c) The AU will receive a warning that printed information is time sensitive and must be destroyed within a time period; a hard copy of a document will have an expiry date.
- (d) Controller MUST provide written consent via email to AU if Controller agrees the AU is allowed to hold their printed document for a longer time period.
3. Double Consent
- (a) Some AUs may need to print a document for a hard copy of Controller information. AUs cannot print documents without the Controller’s permission.
- (b) The AU’s first request is to view a Controller’s document. If Controller allows a viewing this is the Controller’s First Consent. To print that document, AU will send a second request via email to the Controller asking permission to print document. If Controller allows AU to print the document, this is the Controller’s Second Consent = Double Consent.
- (c) The Supplier will send a message to AU reminding that the hard copy data held by them on the Controller must be destroyed after the purpose of holding that data has expired. This falls in line with GDPR regulations.
4. RP Number
- (a) Giving your RP Number allows a party to visit your Profile and see information volunteered by the Controller for viewing. There should not be sensitive information displayed on Controller Profiles.
- (b) The Supplier is not liable for the information freely displayed by the Controller and shall advise should the Supplier be of the belief that the information on Controller Profile is in violation of Agreement. The Supplier has the right to make Controller Profile inactive if the information displayed is in violation of the terms and conditions.
- (c) RP Number can be shared with banks, businesses, employers, recruitment agencies, landlords, schools, shops, credit card agencies and any organisation that Controller makes transactions with.
- (d) RP Number can be used as an additional security measure against fraud.
- (e) RP Number can be added to application forms, placed on printed CV’s for access to your updated Profile CV.
- (f) RP Number should not be shared freely with friends and other irrelevant people that have nothing to do with your professional life. This could lead to unwelcome visitors to your Profile.
- (g) RP Number is needed to find a Controller’s Profile. Controller Profiles cannot be found with a name search.
- (a) A reference placed on a Controller’s Profile is semi-owned by the Controller.
- (b) The Controller has full possession and control of the reference.
- (c) The Controller can allow reference to be viewed by an AU, and can allow transfer for printing the reference.
- (d) The Controller cannot view the reference personally.
- (e) The Controller can show/hide/delete references on Profile.
- (f) The Controller will be restricted from viewing references and the Controller must not try to gain access to references. This is a violation of the terms and conditions.
- (g) If knowledge comes to the Supplier that a reference has been viewed by a Controller whether through the website (security breach) and/or off site, the reference will be destroyed and the reference would have to be re-submitted through normal avenues allowing the Supplier’s reference check system to be in place.
- (h) References viewed by Controllers by ways of a security breach will result in termination of Agreement.
- (i) Character references can be viewed by Controller.
- (a) It is the Controller’s responsibility to create a strong password and never reveal password to another party.
- (b) It is the Controller’s responsibility to notify the Supplier of any security dangers arising from negligence so that the Supplier can take relevant action to limit any possible security breaches as a result.
- (c) It is the Controller’s responsibility to take care when sharing information with other parties
- (d) The Controller should be expecting requests from parties before a party requests to see a document. The Controller should have had communication with each visitor to Profile or have knowledge beforehand about the visiting party.
Appendix 3 – Subscriptions for Companies/Businesses/Agencies/Schools/Institutions
Double consent is the consent from the Controller to the AU to view their data and obtain a hard copy. An organisation can view data with only one consent from the individual which is acted out by permission granting. The AU can try to produce a hard copy of data as long as a second consent is received from the Controller. Second consent is in the form of an email from Controller to AU confirming permission given to AU to hold possession of a particular document for a set amount of time. This is the only way of proof that the AU has to show the right to possess any hard copies of Personal Data or documents derived from the ReferencePass.com platform. However, an organisation that has a hard copy of a document in their possession makes that organisation liable for any breach of that document. The AU that obtains hard copies has taken a responsibility to destroy the hard document after relevant use and it is the AU duty to do so.
Nature of relationships between AU and Controllers – Organisations and Individuals
Individual = Controller
AU = Companies/Businesses/Agencies/Schools/Institutions (Authorised Users)
- (a) The AU will have one or several double-sided Profile(s) depending on how many users belong to organisation with accounts. These Profiles act as personal website pages for the organisation and will carry the responsibility of representing the organisation in a professional manner.
- (b) The AU will have a RP Number or several RP Numbers
- (c) The AU Profile will display AU details
- i. Establishment Name
- ii. Establishment Address
- iii. Establishment Registration Number
- iv. About AU
- v. Contact Details
- (d) The AU can provide reading materials and downloadable forms for Profile visitors to read and/or download for completion.
- (e) The AU can put promotions or any advertising or offers for visitors to see on Profile and take part in the RP ALERT SYSTEM once probationary period ends.
- (a) The AU can access Controller Profiles once Controller’s RP Number is known to AU.
- (i) AU can see picture and other non-sensitive data of Controller including CV/résumé
- (ii) All of this viewable data is volunteered by the Controller.
- (b) The AU can request to view documents instantly from a Controller after gaining permission which is classed as Controller Consent
- (i) Passport
- (ii) Driving Licence
- (iii) Certificates
- (iv) Proof of address
- (v) Proof of Social Security
- (vi) References
- (vii) Criminal Records Document (Institutions, future employers, Schools)
- (a) AUs can view a document or Personal information of a Controller by asking the Controller to view. The Controller must actively release the data to the AU. The act of releasing information to another party is automatic Controller Consent.
- (b) The AU should not attempt to save or try to print the information shared by Controller for viewing and choosing to do so automatically brings into effect GDPR regulations. There are guidelines for handling personal data that must not be violated and data MUST BE DESTROYED once used for the purpose intended that is agreed by the Controller. With printing come added responsibility measures that are unnecessary. The AU should not try to print or find ways of obtaining a hard copy of Data shared by the Controller with only the permission given primarily for the purpose of viewing.
Viewing a passport and writing the Passport Number and other relevant information from the Passport is proof that you have seen the passport.
- (c) The AU should not attempt to print Controller’s shared Data without permission from the Controller and these terms and conditions are against printing.
- (d) If AU prints a document, the document becomes time sensitive. The AU must destroy the document within the time given.
- (e) If AU requires to keep the hard copy document longer than the time given, the AU must obtain a written consent via email from the Controller verifying that the Controller is happy for AU to hold a hard copy of the document. This will override the time sensitive frame given for holding the document.
- (f) The AU must destroy the hard copy document when the reason for holding the document has expired.
- (g) The Supplier has the right to terminate the Agreement with the AU with immediate effect if GDPR rules are broken or there is a violation of the terms and conditions.
4. Double Consent
- (a) The AU may need to print a document for a hard copy of Controller information. AUs cannot print documents without the Controller’s permission.
- (b) The AU firstly makes a request to view a Controller’s document. If Controller allows a viewing this is the Controller’s First Consent. The AU will send a second request by email asking permission to print a document. If Controller allows AU to print the document, this is the Controller’s Second Consent = Double Consent.
- (c) Double Consent is needed for any organisation to hold a hard copy of Controller Data with Controller’s permission and the Controller can keep track of which organisation holds the Controller Data in its possession.
- (d) The Supplier will send a message to AU reminding that the hard copy data held by them about the Controller must be destroyed after the purpose of holding that data has expired. This falls in line with GDPR regulations.
- (e) The Supplier can verify that an organisation has received permission/consent to have a hard copy of a Controller’s Data but the Supplier cannot defend the Organisation’s possession of the Data should there be a breach of security regarding that Data.
5. RP Number
- (a) An AU’s RP Number(s) allow Organisations to have one or several Profiles which are personal to the staff member owning the specific RP Number. This can be used as a focused website page displaying specific services of the organisation. It can be a more target-based webpage in comparison to the organisation’s main big website.
- (b) The RP Number can be turned into a QR Code. Useful for displaying on shop windows, shop counters, literature. Easy way for Controllers to scan AU RP Number with mobile device which will direct Controller to your Profile.
- (c) The Supplier is not liable for the information displayed by the AU and shall advise should the Supplier be of the belief that the information on the AU’s Profile is in violation of Agreement. The Supplier has the right to make AU Profile inactive if the information displayed is in violation of the terms and conditions.
- (d) If any information, promotions, advertisements, messages displayed by AU is found not to be true or misleading, the Supplier has the right to warn AU to adjust, amend, remove from Profile. The Supplier has the right to make AU Profile inactive if there is no movement on any advice given.
- (e) RP Number should be taken advantage of by banks, businesses, employers, schools, shops, credit card agencies and any organisation that Controller comes in contact with.
- (f) RP Number should be used as an additional security measure against fraud and can be used as identification or/and as an additional identifying method.
- (i) Only RP owner can access own Profile and give permissions to a Profile visitor
- (ii) There is enough information on a Controller’s Profile to prove who the person is.
- (g) RP Number should be taken from clients/customers/students for verification on future visits.
- (h) RP Number can be used on AU’s application forms, or looked for on printed CVs for access to candidate’s updated Profile CV/résumés and additional information.
- (i) RP Number is needed to find a Controller’s Profile. Controller Profiles cannot be found with a name search.
- (a) A reference placed on a Controller’s Profile by an AU is not fully accessible to the Controller.
- (b) The Controller has full possession and control of the reference.
- (c) The Controller can allow reference to be viewed by other AUs.
- (d) The Controller cannot view the reference personally.
- (e) The Controller will be restricted from viewing references and so the Controller cannot read their reference.
- (f) If knowledge comes to Supplier that a reference has been viewed by a Controller whether through the website (security breach) and/or off site, the reference will be destroyed and the reference would have to be re-submitted through avenues allowing the reference check system to be in place.
- (g) The AU must not reveal references to a Controller after the reference has been disclosed to the AU whether online or offline. If AU reveals reference to Controllers, this action is equally a security breach and will result in termination of Agreement with AU.
- (a) It is the AU’s responsibility to create a strong password and never reveal password to another party even to other work colleagues.
- (b) The AU must inform the Supplier should there be any breach of security regarding password made insecure or other methods of accessing AU Profile.
- (c) Each AU may have several accounts/Profiles but must not share Profiles.
- (d) It is the AU’s responsibility to limit the amount of printing of Personal Data.
- (i) To have hard copies of Personal Data adds unnecessary responsibilities to your organisation.
- (ii) It is unnecessary to obtain a hard copy of Personal Data as the Personal Data will always be instantly accessible online under the Controller’s supervision corresponding to GDPR.
It is the AU’s responsibility to take care when sharing information with other third parties. It is advisable not to share information shared in confidence to the AU by the Controller. Out of respect, AU should refer other third parties directly to the Controller, who is the owner of any information concerning them.