Data Management Policy

The purpose of this document is to establish guidelines and procedures related to the management of data within the Air Tightness Testing & Measurement
Association (ATTMA). This policy document applies to all member entities and by extension to the individuals involved in the collection, processing, storage, and
dissemination of data related to those entities. ATTMA is committed to complying with all applicable privacy and data protection laws and regulations while maintaining the highest standards of data security and confidentiality.

Key Members of Staff
Data Protection Officers

Under the General Data Protection Regulation (Article 37), an organisation must appoint a data protection officer where it is a public authority, where its core activities involve regular and systematic monitoring of individuals on a large scale, or where it processes special categories of personal data on a large scale; other organisations may appoint one voluntarily. The data protection officer keeps up with laws and practices around data protection and ensures that all other matters of compliance pertaining to data are up to date.
The key members of staff who are responsible for the data within the ATTMA are:
• Barry Cope – Scheme Director
• David Pickavance – Chairperson
There are multiple members of staff who use data to conduct their everyday jobs but do not have overall responsibility, such as the Membership Co-ordinator, Scheme Auditors, and Quality Manager.

Processing

All personal data is processed in accordance with GDPR. This means that all personal data is processed lawfully, fairly, and in a transparent manner, and is only
used for the purposes of certification/recertification and other associated requirements. ATTMA ensures that personal data is accurate, up-to-date, and not
kept longer than is necessary and that access to personal data is limited to authorised personnel only.

Policy Statement

Any personal data that is collected during the certification and recertification process shall only be used for the purpose of assessing and maintaining certification. The collection of personal data shall be limited to what is necessary and relevant to the certification process. Personal data shall only be collected with the consent of the individual concerned.
All test data uploaded by individuals to the ATTMA lodgement systems may be used and shared with pre-approved research bodies and home nation governments. Any personal data that may be included in the test data shall be strictly managed in accordance with applicable privacy and data protection laws and regulations.

Types of Data

Broadly speaking, ATTMA manages four types of data:
1. Tester data: In this context, the term ‘tester data’ refers to the personal data of individuals throughout the certification process (applicants, candidates, and
certified persons). This may include names, addresses, contact information, and associated company information.
2. Lodgement data: This refers to test data that has been uploaded to the ATTMA lodgement system. This may include tester data, test location, and test results.
3. Emails: This refers to personal data contained in emails that have been sent and received by ATTMA while conducting certification business. This may
include names, contact information, and any other personal information contained in email correspondence.
4. Letters: This refers to personal data contained in letters sent and received by ATTMA while conducting certification business. This may include names, contact
information, and any other personal information contained in postal correspondence.

How is Data Collected

Member companies collect all required data through the following methods:
• Application Process:
All individuals that wish to join ATTMA are required to complete an online application.
All applicants are required to have completed the assessment process defined in the relevant Methods & Routes of Entry publication.
• Audits (Initial and Surveillance)
All scheme members are subject to auditing, both in order to gain certification and then to maintain their certified status.
• Telephone (Direct Contact)
Members of ATTMA may choose to contact the scheme via telephone and ask for details to be updated.
• Lodgement System (Portal)
Certified persons can upload certificates, update, and edit their personal details through the relevant Lodgement system.

Data Storage & Security

In order for ATTMA to conduct its core business operations, different data points may be stored in the following locations:
Accounting Software: ATTMA uses a cloud-based accounting package to store member details for the purpose of creating accurate invoices, credit notes etc.
Security is maintained by way of being:
• Secured with a username and password.
• Encrypted in transit (HTTPS) using a class 2 SSL certificate.
• Covered by a contract with the accounting software provider that prohibits onward sharing of data, in line with the provider's own GDPR processes.
Lodgement System: ATTMA operates specialised lodgement systems to record conducted testing. The portals are hosted on Microsoft servers (Azure platform).
Security for this system is maintained by way of:
• Contracts containing non-disclosure clauses are in place between the member companies and the developers, ensuring that no data is shared externally.
• All data is saved on a Microsoft server and is password protected.
• The website is secured in transit (HTTPS) with a class 2 SSL certificate.
Email Accounts: ATTMA may hold some tester data within its email accounts, including a list of contacts for the purposes of communication.
Email is hosted by Microsoft Office 365, which provides email services via Microsoft's email platform. Passwords are set by the users when registering. Additional security is maintained by way of:
• All data is saved on a Microsoft server and is password protected.
• Websites are secured in transit (HTTPS) with class 2 SSL certificates.
Mobile Telephones (work-phones): ATTMA holds some tester data within employees’ work phones. This is required for field-based employees to make and
receive calls whilst out of the office.
Security is maintained by way of:
All mobile phones are secured with a fingerprint and/or a password to unlock them.
SharePoint: ATTMA keeps its data stored within SharePoint systems with each SharePoint only being accessible to the employees of that particular company (local copies of data may be saved to office computers).
For the account to be accessed, two-step verification is required. Firstly, a complex password containing letters, numbers, and non-alphanumeric characters is required. To then gain access, a 6-digit one-time verification code is sent to the Group Managing Director's mobile telephone each time access is required.
Additional security is maintained by way of:
• All data is saved on a Microsoft server and is password restricted.
• Websites are secured in transit (HTTPS) with a class 2 SSL certificate.
• All computers are password protected and have antivirus software installed to minimise the risk of malware and viruses.
• Only users authorised by the Group Managing Director can access the files stored in SharePoint.

Data Retention

ATTMA will keep test data that is used as part of the lodgement system indefinitely. The legal justification for this is that buildings recorded by ATTMA may be re-tested many years in the future, and it is therefore necessary to know who tested a building and when.
Records of testers that are secured within the relevant SharePoint but not lodgement, such as contracts, reports, audit reports and corrective actions, complaints and other testing-relevant information should be kept securely for a period of no less than 10 years.
Testers' personal data shall be retained for no less than five years after membership ceases but may be archived after two years.

Destruction of Files

Electronic and paper files are destroyed once the relevant statutory or regulatory periods for retention or periods of limitation have elapsed, and the relevant scheme is satisfied that there is no further purpose in retaining them.
Disposal of paper copies of documents will take place through confidential waste disposal. The disposal of electronically stored material should be done in a manner which preserves confidentiality.

Data Files

All individuals that provide personal data to ATTMA have the following GDPR-related rights:
a. Right to Access: Any individual has the right to obtain confirmation as to whether or not their personal data is being processed, and if so, to access their
personal data and related information.
b. Right to Rectification: Any individual has the right to request the rectification of their personal data if it is inaccurate, incomplete, or out of date.
c. Right to Erasure: Any individual has the right to request the erasure of their personal data in certain circumstances, such as if the personal data is no longer necessary for the purpose for which it was collected.
d. Right to Restriction of Processing: Any individual has the right to request the restriction of processing of their personal data in certain circumstances, such as if the accuracy of the personal data is contested.
e. Right to Data Portability: Any individual has the right to receive their personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
f. Right to Object: Any individual has the right to object to the processing of their personal data in certain circumstances, such as if the processing is for direct marketing purposes.
g. Right to Withdraw Consent: Any individual has the right to withdraw their consent to the processing of their personal data at any time.
At any time, users may request a copy of all the data that is held with their personal details. ATTMA acknowledges that it must comply with any such request within one month (30 days), as required by GDPR.
Access can be granted by making a formal request to the Group Managing Director in writing (email requests are considered acceptable).

External Users of Data

ATTMA will never give or sell applicants’, candidates’, or certified persons’ data to any company.
ATTMA will never release information from applicants, candidates, or certified persons without prior express consent except when required by law.
Lodgement data, minus any personal or identifying information, may be provided to research bodies that are pre-approved by the relevant member company. The data that may be shared will only be:
• Building type
• Construction type
• Result
• Target
• Town and/or postcode of site
Examples of companies that may use this data for research purposes are:
• Universities
• Home nation governments*
• Public health authority
• HSE
*Home nation governments may periodically request specific data from the scheme,
such as:
• Membership numbers
• Complaints
• Financial information (not for public dissemination)
• Information regarding third party audits (not for public dissemination)
Should a request be made for data that falls outside of research use (e.g., a company wishing to purchase data), we would require permission from each tester in order to do so. This would be done on a case-by-case basis. There is no blanket 'yes' or 'no' for all data being shared.

Enforceable Arrangements
Members Code of Conduct

The 'Members Code of Conduct' forms part of the Application Process completed by all applicants looking to join ATTMA; it is a signed agreement between the relevant company and the member.
Part of the Code of Conduct is the requirement that all members are to 'inform the Scheme Management without delay of matters that can affect your capability to continue fulfilling your certification requirements…'

Members Code of Conduct

ATTMA Members that have been registered with TrustMark are subject to an enhanced Code of Conduct as defined by TrustMark.

Ref: QMA007 – Issue 2.3