Privacy notice

This privacy notice tells you what to expect when we (Churchill Hui) collect personal information.

We comply with data protection legislation including the Data Protection Act 1998, GDPR and PECR. We aim to be clear and transparent about why and how we collect personal information. The data controller is Churchill Hui Ltd, registered in England and Wales, Co. No. 07829078. Registered address: Grosvenor House, 4–7 Station Road, Sunbury, TW16 6SB.

In line with GDPR requirements, we strive to:

  • Process data in a manner that is compatible with what it was collected for and in accordance with the rights of the data subject
  • Only collect the minimum amount of data necessary
  • Take steps to ensure data is accurate and up to date
  • Only store data for as long as it is necessary
  • Ensure we have appropriate technical and organisational measures to keep data secure and confidential
  • Carry out due diligence concerning all third parties who process personal information on our behalf


This privacy notice applies to:

Clients and contractors

Where processing is necessary for the performance of a contract, for example when we submit a tender, respond to an enquiry or agree a contract with an organisation or business, the personal information provided will be held securely by us and/or our data processors whether the information is in electronic or physical format.

We primarily store business contact information for our clients, prospective clients and their staff, such as an office address, job title, business email and contact telephone numbers. We do not request or hold non-essential or sensitive information.

We will store the contact information provided by the end user, whether that is their home address or business address. We act as the controller for the above information.

Individuals can request at any time to access or amend their personal data that we hold or exercise their right to portability.

Read more about our database security.

Residents (18+) in the housing where we have a contractual maintenance responsibility

Where processing is necessary for the performance of a contract, for example if we have a contractual housing maintenance responsibility, personal data of residents (including name(s), address and phone numbers) will be held securely by us and/or our data processors whether the information is in electronic or physical format. This is so we can contact residents and arrange inspections or carry out maintenance. We store this data on our secure database (currently Rapport). We do not ask for, or hold, non-essential or sensitive information or information on children. All our employees have access to records via a secure login and we do not sell or share details with third parties for marketing.

We will only use the information supplied to us to deal with the contractual obligation or enquiry, any subsequent issues and to check on the level of service we provide. We will keep such personal information in line with our retention policy. This means that information relating to a resident will be retained for 12 years from conclusion of our appointment (in line with contractual requirements).

Individuals can request at any time to access, amend or delete their personal data that we hold, or exercise their right to portability. Note this may mean historical details of works we have carried out, or information pertinent to housing maintenance, will also be deleted.

Database

Our main application is Rapport/Gekko, which acts as our customer information database. Rapport is a cloud-based solution hosted and managed by Cubic Interactive Ltd, who are responsible for the security of the platform.

We do not sell or share details with third parties for marketing. We may need to share details with data processors such as Mimecast (robust, cloud-based, cyber-resilience services for email) and Mailchimp (email service provider) who are committed to GDPR compliance.

Cubic act as a data processor on our behalf and are registered with the Information Commissioner’s Office (ICO), which means that they are already committed to delivering services in compliance with the current Data Protection Act and have also committed to comply with all the requirements of the GDPR.

Churchill Hui has named users within the system who gain access with an individual password and we have a policy requiring the use of complex passwords. As with our environment, when staff leave Churchill Hui, their account is disabled immediately.

Cubic’s support and development centre holds Cyber Essentials security accreditation, and server access for Cubic Interactive staff is restricted and monitored. Access is IP restricted to only the Cubic offices and access to the website servers is audited. Passwords to these systems expire every 30 days and logins no longer needed are removed immediately.

The system is penetration tested on a regular basis and any actions raised are immediately processed by the relevant internal team or third party to ensure all known security risks are minimised.

Within the cloud-based services, Churchill Hui has a dedicated database stored on the Microsoft Azure platform which is secured to only allow access from the Rapport services and Cubic Interactive offices. This prevents any attempt to access this database outside of the provided software and support tools. The database makes use of advanced Microsoft Azure security functions such as Transparent Data Encryption to ensure data is stored in an encrypted format and Threat Detection to monitor for malicious activity. The Rapport3 website is served over HTTPS with an SSL certificate to prove to the end user the site is genuine.

Currently the Rapport3 website is served from dedicated servers and hosted by Rackspace UK. This is monitored for malicious activity and hardware issues whilst being kept to a strict security standard covered by Rackspace's ISO accreditations (ISO27001 certificate is available upon request). Microsoft Azure and Rackspace internal traffic is monitored and managed by the relevant providers to ensure network integrity and operational security of the environment (further details are available directly from these suppliers).

Regarding support queries, maintenance and updates, Team Cubic is split into dedicated departments for each business function. Only staff members involved with support and commissioning work have access to our data, via a dedicated account. All support calls are comprehensively logged in a service desk tool and commissioning activities are carried out by a named account manager.

Visitors to our website

You do not have to give us personal information to access our website. When you visit www.churchill-hui.com we use a third party service, Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things such as the number of visitors to the various parts of the site. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google to make, any attempt to find out the identities of those visiting our website. If we do want to collect personally identifiable information through our website, we will clearly explain what we intend to do with it and offer an unsubscribe option where relevant.

Our site www.churchill-hui.com may have links to other websites. Churchill Hui is not responsible for the contents of, nor does it warrant the reliability or accuracy of any material appearing on any linked site. A link does not imply any endorsement or recommendation of that site.

Cookies

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. Most web browsers allow some control of most cookies through the browser settings.

We use the following cookies to allow Google Analytics to track web traffic to the site, including page views and clicks: __utma, __utmt, __utmb, __utmc, __utmz.

To opt out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout.

To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.aboutcookies.org or www.allaboutcookies.org.

Security

We take reasonable precautions to prevent the loss, theft, alteration or misuse of your personal information although we cannot guarantee or predict internet security.

Personal and technical information is stored within the environment owned and managed by Mimecast and Ramsac hosted within our offices and at a secure datacentre facility. It is also held within selected cloud-based services, primarily Mailchimp for sending email communications such as newsletters, event invitations, general business updates and marketing of relevant Churchill Hui services.

Our main application is Rapport/Gekko, which acts as our customer information database. Rapport is a cloud-based solution hosted and managed by Cubic Interactive Ltd, who are responsible for the security of the platform.

We have received confirmation from all third parties who process personal information on our behalf that either they are GDPR-compliant.

Our systems are protected by multiple layers of security. The server is protected by a SonicWALL firewall, email is scanned by Mimecast and Office 365, and all machines, devices and servers are protected using McAfee anti-virus / anti-malware software.

Next generation firewalls are deployed in our offices. Local firewalls are enabled on all laptops and desktops. Email (and attachments within) sent and received are scanned for malware by Mimecast before arriving at Office 365, which then undertakes further scanning.

Remote access is via a Citrix server. An SSL certificate is installed to ensure the connection from the user’s machine to Citrix is secure.

From a management perspective we ensure our environment remains secure. Our systems are proactively monitored for potential issues and threats and we have a patch/update schedule for all hardware and software.

Only a small number of key individuals have named administrative accounts which are solely used for administrative tasks. All staff receive information security training as part of their induction and when they leave Churchill Hui their account is disabled immediately, and all equipment and data is returned to head office.

Marketing

People who consent (opt-in) to receive our newsletter are able to unsubscribe at any time, simply by clicking an unsubscribe button on a previous electronic communication from us or emailing london@churchill-hui.com. Please also email us to change your marketing preferences or update your details. We may also send postal or email company updates, event invitations or job vacancies on the lawful basis of legitimate interest.

We use a (third party) data processor, Mailchimp, to deliver emails to people on our database who have opted in to receive our marketing and other non-marketing emails. We gather statistics around email opening and clicks using industry standard technologies to help us monitor and improve our e-newsletter. Mailchimp may collect (e.g. via sign-up forms) and store your personal data (e.g. within Churchill Hui’s Mailchimp account) in order to allow us to create and use distribution lists, send marketing email campaigns, place online advertisements and transfer personal data to Mailchimp’s sub-processors (who perform some critical services, such as helping Mailchimp prevent abuse and providing support to customers). For more information, please see Mailchimp’s privacy policy (https://mailchimp.com/legal/privacy/).

We will never sell your details to third parties. We won’t share data without making our intentions clear.

Data transmitted over email

We monitor all emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law. We store emails for a minimum of 12 years following the conclusion of any appointment. Emails from Churchill Hui staff will be transmitted to fulfil a contract or prospective contract, legitimate business communications etc.

We take reasonable precautions to prevent the loss, theft, alteration or misuse of your personal information although we cannot guarantee or predict internet security.

We store all the personal information you provide on our secure servers. Office 365 uses Transport Layer Security (TLS) to encrypt the connection (not the email content) to the recipient’s email server assuming this also supports TLS. If the receiving server doesn’t support TLS the message will be sent insecurely.

Job applicants

Job applicants can download our Job Applicant Privacy Notice here (pdf)

Complainants and other individuals in relation to a data protection or freedom of information complaint or enquiry

You have a right to lodge a complaint with a supervisory authority. In the UK, that is the Information Commissioner: www.ico.gov.uk.

If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with our retention policy. This means that information relating to a complaint will be retained for 12 years from closure. It will be retained in a secure environment.

Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.

Usually we do not identify any complainants unless the details have already been made public.

Sale of the business

In the event that the business is sold or integrated with another business, your details will be disclosed to our advisers and any prospective purchaser’s adviser and will be passed to the new owners of the business.

If our privacy notice changes, any updates will be reflected in this policy. If you have any queries about our data policy please contact us on 020 8891 9191 or email london@churchill-hui.com.

Churchill Hui Ltd, registered in England and Wales, Co. No. 07829078. Registered address: Grosvenor House, 4–7 Station Road, Sunbury, TW16 6SB.

This policy was last updated May 2018