Famli’s GDPR Policy

Famli adheres to all of the seven key principles set out by UK GDPR. These are broken down and explained below.

Lawfulness, fairness and transparency

Famli complies with its obligations under UK law, including criminal and civil law, whenever it processes personal data. Our processing is fair and lawful: we handle personal data in ways that do not have unjustified adverse effects on our users. We are also transparent about our processing, being clear, open and honest with our users about who we are and about how and why we use their personal data. Users always have a choice about whether to share their data with Famli, and can make an informed decision about the collection of their personal data. More detail can be found in our privacy policy.

Our lawfulness, fairness and transparency checklist:

✔️ We have identified an appropriate lawful basis (or bases) for our processing.

✔️ If we are processing special category data or criminal offence data, we have identified a condition for processing this type of data.

✔️ We don’t do anything generally unlawful with personal data.

✔️ We have considered how the processing may affect the individuals concerned and can justify any adverse impact.

✔️ We only handle people’s data in ways they would reasonably expect, or we can explain why any unexpected processing is justified.

✔️ We do not deceive or mislead people when we collect their personal data.

✔️ We are open and honest, and comply with the transparency obligations of the right to be informed.

Purpose limitation

Famli is clear and open about its reasons for obtaining personal data, and what we do with that data is in line with the reasonable expectations of the individuals concerned. We comply with the documentation obligations under Article 30 of the UK GDPR and with the transparency obligations under Articles 13 and 14, which require us to specify our purposes for collecting and processing personal data.

Our purpose limitation checklist:

✔️ We have clearly identified our purpose or purposes for processing.

✔️ We have documented those purposes.

✔️ We include details of our purposes in our privacy information for individuals.

✔️ We regularly review our processing and, where necessary, update our documentation and our privacy information for individuals.

✔️ If we plan to use personal data for a new purpose other than a legal obligation or function set out in law, we check that this is compatible with our original purpose or we get specific consent for the new purpose.

Data minimisation

Famli only collects and holds the personal data it needs to provide its products and services. We periodically review our processing to check that the personal data we hold is still relevant and adequate for our purposes, and we delete anything we no longer need. All users also have the right to contact Famli and request the erasure of their personal data.

Our data minimisation checklist:

✔️ We only collect personal data we actually need for our specified purposes.

✔️ We have sufficient personal data to properly fulfil those purposes.

✔️ We periodically review the data we hold, and delete anything we don’t need.

Accuracy

Famli takes care that the personal data it holds is not ‘inaccurate’, which the Data Protection Act 2018 defines as incorrect or misleading as to any matter of fact. We are always clear about what data we collect, and we take reasonable steps in the circumstances to ensure the accuracy of the information we keep. We recognise that users have the right to have inaccurate personal data rectified, and Famli takes all reasonable steps to erase or rectify inaccurate data without delay.

Our accuracy checklist:

✔️ We ensure the accuracy of any personal data we create.

✔️ We have appropriate processes in place to check the accuracy of the data we collect, and we record the source of that data.

✔️ We have a process in place to identify when we need to keep the data updated to properly fulfil our purpose, and we update it as necessary.

✔️ If we need to keep a record of a mistake, we clearly identify it as a mistake.

✔️ Our records clearly identify any matters of opinion, and where appropriate whose opinion it is and any relevant changes to the underlying facts.

✔️ We comply with the individual’s right to rectification and carefully consider any challenges to the accuracy of the personal data.

✔️ As a matter of good practice, we keep a note of any challenges to the accuracy of the personal data.

Storage limitation

Famli collects and stores personal data fairly and lawfully, and does not keep it for longer than it actually needs it. In line with Article 5(1)(e) of the UK GDPR, personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which it is processed. We erase or anonymise personal data when we no longer need it; this reduces the risk that it becomes irrelevant, excessive, inaccurate or out of date. We regularly review the personal data we store and erase or anonymise it unless there is a clear justification for keeping it longer. When data is to be deleted, we delete it permanently, in accordance with the UK GDPR and the Data Protection Act 2018.

Our storage limitation checklist:

✔️ We know what personal data we hold and why we need it.

✔️ We carefully consider and can justify how long we keep personal data.

✔️ We have a policy with standard retention periods where possible, in line with documentation obligations.

✔️ We regularly review our information and erase or anonymise personal data when we no longer need it.

✔️ We have appropriate processes in place to comply with individuals’ requests for erasure under ‘the right to be forgotten’.

✔️ We clearly identify any personal data that we need to keep for public interest archiving, scientific or historical research, or statistical purposes.

Integrity and confidentiality

Famli processes personal data in a manner that ensures appropriate security of that data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures, as required by Article 5(1)(f) of the UK GDPR.

Famli has appropriate security in place to prevent the personal data it holds from being accidentally or deliberately compromised. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Famli implements the technical and organisational measures needed to ensure a level of security appropriate to the risk, as required by Article 32 of the UK GDPR.

Personal data can be accessed, altered, disclosed or deleted only by those who are authorised to do so, and we regularly review the personal data we hold and the way we use it in order to assess how valuable, sensitive or confidential it is. Clear accountability for data security ensures that we do not overlook data sensitivity issues and that our overall security posture does not become flawed or out of date. Famli also regularly tests, assesses and evaluates the effectiveness of its security measures, using techniques such as vulnerability scanning and penetration testing. These are in effect ‘stress tests’ of our network and information systems, designed to reveal areas of potential risk and things we can improve.

Our integrity and confidentiality checklist:

✔️ We undertake an analysis of the risks presented by our processing, and use this to assess the appropriate level of security we need to put in place.

✔️ When deciding what measures to implement, we take account of the state of the art and costs of implementation.

✔️ We have an information security policy (or equivalent) and take steps to make sure the policy is implemented.

✔️ We make sure that we regularly review our information security policies and measures and, where necessary, improve them.

✔️ We have assessed what we need to do by considering the security outcomes we want to achieve.

✔️ We use encryption and/or pseudonymisation where it is appropriate to do so.

✔️ We understand the requirements of confidentiality, integrity and availability for the personal data we process.

✔️ We make sure that we can restore access to personal data in the event of any incidents, such as by establishing an appropriate backup process.

✔️ We conduct regular testing and reviews of our measures to ensure they remain effective, and act on the results of those tests where they highlight areas for improvement.

✔️ We ensure that any data processor we use also implements appropriate technical and organisational measures.

Accountability

In accordance with Article 5(2) of the UK GDPR, Famli is responsible for, and able to demonstrate, compliance with the data protection principles. Famli takes full responsibility for what it does with personal data and for the steps it takes to protect people’s rights, showing and proving how it respects people’s privacy. Famli is proactive and organised in its approach to data protection and has put in place a privacy management framework that creates a culture of commitment to data protection by embedding systematic compliance across the organisation. This framework includes: robust programme controls informed by the requirements of the UK GDPR; appropriate reporting structures; and assessment and evaluation procedures.

At Famli we ensure a high level of understanding and awareness of data protection amongst our staff, and we implement comprehensive but proportionate policies and procedures for handling personal data. We also implement technical and organisational measures to ensure, and be able to demonstrate, that our processing complies with the UK GDPR, as required by Article 24(1). These measures are risk-based and proportionate, and are reviewed and updated as necessary.

As required by Article 30 of the UK GDPR, Famli maintains a record of its processing activities, covering matters such as processing purposes, data sharing and retention, and alongside it keeps records of consent and of any personal data breaches. If we experience a personal data breach that is likely to result in a risk to individuals’ rights and freedoms, we report it to the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it; where the breach is likely to result in a high risk to the individuals affected, we also inform them.

Our accountability checklist:

✔️ We take responsibility for complying with the UK GDPR, at the highest management level and throughout our organisation.

✔️ We put in place appropriate technical and organisational measures, such as:

✔️ Adopting and implementing data protection policies (where proportionate);

✔️ Taking a ‘data protection by design and default’ approach - putting appropriate data protection measures in place throughout the entire lifecycle of our processing operations;

✔️ Implementing appropriate security measures;

✔️ Recording and, where necessary, reporting personal data breaches;

✔️ Carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests;

✔️ Appointing a data protection officer (where necessary); and

✔️ Adhering to relevant codes of conduct and signing up to certification schemes (where possible).

✔️ We review and update our accountability measures at appropriate intervals.