Last Update: 26 September 2019
- Purpose and Overview
This policy covers how the MAPS team at Kura Human Factors (KHF) (“us”, “we”, or “our”) treat
personal information for the MAPS website and the standards you can expect from us. We are
committed to safeguarding your privacy and to complying with UK Data Protection legislation and
- What is personal information?
Personal information is information about you that is personally identifiable such as your name,
address, email address, or phone number as well as other information that may not otherwise be
- What personal information do we collect?
3.1 Personal Information
Personal information will be collected by KHF using the online contact form on the MAPS webpage,
which is held within the KHF website, to allow us to provide the required services. Personal
information collected will include, but not be limited to: Name, Email Address and Telephone
Please note: You are not obligated by law to provide us with any information. You hereby
acknowledge, warrant and agree that any information you do provide us is provided of your own
free will and consent, for the purposes and uses described herein.
3.2 MAPS Webpage
You can access the MAPS webpage either directly or via the KHF website without using any
registration process or providing any personal information.
When you use the MAPS webpage we automatically collect certain technical and routing information
about your visit using Cookies, so we can continuously improve what and how the site delivers. For
example, we may log the Internet Protocol (IP) address of your computer and measure your
browsing patterns when on this site.
This information is held in aggregate form and is not matched with your personal information so no
individual user is identified.
cookies means we can tell how many people per month are accessing the site and which pages are
visited most often. A cookie is a small piece of information sent to your web browser by a web
server and can only be read by the server that gave it to you. It cannot be executed as code or used
to deliver viruses to your computer.
Most browsers are initially set to accept cookies. You can set your browser to notify you when you
receive a cookie, giving you the chance to decide whether to accept it. By using this site you consent
- Who will have access to personal information?
We do not rent, sell or share personal information about you with other people or non-affiliated
organisations except to provide services you’ve requested or under any of the following
i) In response to subpoenas, court orders, or as otherwise required by legal process, or to establish
or exercise our legal rights or defend against legal claims;
ii) We believe it is necessary to share information for us or the appropriate authorities to investigate,
prevent or act regarding suspected illegal or fraudulent activities, potential threat to personal or
iii) Information is transferable due to our acquisition or merger with another company. In this event
you will be notified by email prior to transfer.
- Confidentiality and security
We limit access to personal information about you to employees who we believe reasonably need
access to that information to provide products or services to you or to do their jobs.
All electronic communication and records are securely stored within encrypted systems and are
compliant with the Data Protection Act and GDPR. For more information about confidentiality please
6.1 Right to be informed & Right of access
You have a right under GDPR legislation to see what information we hold about you and how we
process this information, subject to certain conditions.
If you want to exercise these rights, you should make an application to us in writing. We may ask you
to provide us with sufficient information so that we can be sure of your identity. We also reserve the
right to charge a reasonable fee for providing you with the information you are requesting
if a request is excessive or repetitive.
If you would like to proceed with a request to see what data we hold about you and how it is
processed, please write to us at the address within the contact us section of this policy.
6.2 Right of rectification
You have a right under GDPR legislation to request the rectification of information we hold about
you and how we process this information, subject to certain conditions.
If you want to exercise this right, you should make an application to us in writing. We may ask you to
provide us with sufficient information so that we can be sure of your identity. This request will be
actioned within one month, or up to two months if the request is complex in nature.
If action is not taken in response to a request for rectification, CAP will explain why this is the case. If
you are unsatisfied with our response, you then have the right to complain to the supervisory
authority and to a judicial remedy.
6.3 Right of erasure
You have a right under GDPR legislation to request the erasure of some or all information we hold
about you, subject to certain conditions, listed below:
▪ Where the personal data is no longer necessary in relation to the purpose for which it was
▪ When the individual withdraws consent.
▪ When the individual objects to the processing and there is no overriding legitimate interest for
continuing the processing.
▪ The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
▪ The personal data must be erased to comply with a legal obligation.
▪ The personal data is processed in relation to the offer of information society services to a child.
If you would like to proceed with a request for the erasure of some or all of your data, please write
to us at the address within the contact us section of this policy. In some circumstances, CAP may
refuse to comply with the erasure request. This may be due to one or more of the following reasons:
▪ To exercise the right of freedom of expression and information;
▪ To comply with a legal obligation for the performance of a public interest task or exercise of official
▪ For public health purposes in the public interest;
▪ Archiving purposes in the public interest, scientific research, historical research or statistical
▪ The exercise or defence of legal claims.
6.4 Right to restrict processing
You have a right under GDPR legislation to request the restriction of processing of some or all
information we hold about you, subject to certain conditions, listed below:
▪ When an individual contests the accuracy of the personal data, the processing will be restricted
until the accuracy of the personal data has been verified.
▪ Where an individual has objected to the processing (where it was necessary for the performance of
a public interest task or purpose of legitimate interests), and CAP is considering if legitimate grounds
exist to override the request of the individual.
▪ When processing is unlawful and the individual opposes erasure and requests restriction instead.
▪ If KHF no longer need the personal data but the individual requires the data to establish, exercise
or defend a legal claim.
If KHF have disclosed the personal data in question to third parties, we will inform them about the
restriction on the processing of the personal data, unless it is impossible or involves disproportionate
effort to do so.
6.5 Right to object
Wherever possible, KHF will inform their clients and prospective clients of the right to object at the
point of first communication.
You have a right under GDPR legislation to object to the processing of some or all information we
hold about you, subject to certain conditions, listed below.
Individuals have the right to object to:
▪ Processing based on legitimate interests or the performance of a task in the public
interest/exercise of official authority – including profiling
▪ Direct marketing – including profiling
▪ Processing for purposes of scientific/historical research and statistics.
KHF will stop processing personal information with immediate effect if the right to object is invoked
▪ KHF can demonstrate compelling legitimate grounds for the processing, which override the
interests, rights and freedoms of the individual.
▪ The processing is for the establishment, exercise or defence of legal claims.
6.6 Rights of automated decision making and profiling
The individual shall have the right not to be subject to a decision based solely on automated
processing, including profiling, which produces legal effects concerning him or her or similarly
significantly affects him or her.
- Breach Management
7.1 Identification and Classification
KHF have put in place procedures that will allow any staff member to report any information/data
▪ We ensure that all staff are aware to whom they should report such a breach.
▪ Having such a procedure in place will allow for early recognition of the breach so that it can be
dealt with in the most appropriate manner.
▪ Details of the breach will be recorded accurately according to procedure, including the date and
time the breach occurred, the date and time it was detected, who/what reported the breach,
description of the breach, details of any ICT systems involved, corroborating material such as error
messages, log files, etc.
▪ In this respect, staff are made fully aware as to what constitutes a breach. In respect of this policy a
breach may be defined as the unintentional release of customer confidential or personal
information/data to unauthorised persons, either through the accidental disclosure, loss or theft of
7.2 Containment and Recovery
Containment involves limiting the scope and impact of the breach of data/information. If a breach
occurs, KHF will:
▪ Decide on who would take the lead in investigating the breach and ensure that the appropriate
resources are made available for the investigation.
▪ Establish who in the affected organisation/s needs to be made aware of the breach and inform
them of what they are expected to do to assist in the containment exercise.
▪ Establish whether there is anything that can be done to recover losses and limit the damage the
breach can cause.
7.3 Risk Assessment
In assessing the risk arising from any security breach, KHF will consider what would be the potential
adverse consequences for individuals, i.e. how likely it is that adverse consequences will materialise
and, in the event of materialising, how serious or substantial they are likely to be. In assessing the
risk, the following points will be considered:
▪ What type of information/data is involved?
▪ How sensitive is the information/data?
▪ Are there any security mechanisms in place (e.g. password protection, encryption)?
▪ What could the information/data tell a third party about the individual/s?
▪ How many individuals are affected by the breach?
7.4 Notification of Breaches
All information/data breaches are reported to KHF’s Information Security Manager. The ISM will
complete a Security Incident Report.
Where it is deemed the breach is likely to result in a high risk to individuals’ rights and freedoms,
KHF will notify the Information Commissioner’s Office within 72 hours.
Where it is deemed the breach is likely to result in a high risk to individuals’ rights and freedoms,
KHF will notify the affected customer/s within 96 hours. This will include a copy of the completed
security incident report if requested by the affected individuals.
KHF document all breaches of information security, even if they don’t all need to be reported.
7.5 Evaluation and Response
After any information/data security breach, a thorough internal review of the incident will occur.
The purpose of this review is to ensure that the steps taken during the incident were appropriate
and to identify areas that may need to be improved.
Any recommended changes to policies and/or procedures should be documented and implemented
as soon as possible thereafter.
- Email messages
With your consent, we may occasionally send emails requesting feedback on your experience using
We will have offered you the option to give consent to do this when we collected your personal
If you do not wish your details to be stored, please get in touch with us using the contact details
below and we will endeavour to remove your information with immediate effect.
The site contains links to affiliated websites and other information related services. This Privacy
Policy does not apply to such linked third-party websites and services.
- Notification of changes
material sense whether because of a change in the law or our internal policy, or both, we will publish
a notice of the same on this site.
- Contact Us
You can contact us at any time to discuss the data we hold about you and how to access it.
75 Western Road
- Policy Review
The Policy will be subject to review whenever any relevant technological or regulatory changes occur
and will, as a minimum, be formally reviewed on an annual basis.