Eminent Crisis Management Group Ltd is a security risk management and investigations company that is committed to securing information in a manner that protects and preserves the privacy of others. The business operates globally and supports the recovery of debts, enforcement of legal judgements and awards, together with a variety of consultancy services surrounding risk and journey management. This policy document is designed to cover the company’s entire group structure, which includes the following registered organisations:
- Eminent Crisis Management Group Ltd
- Eminent Investigations Ltd
- Eminent Security Ltd
- Eminent Crisis Management Group PTY Ltd
During the course of our work we are required to research and record information held fort parties we are working with, or those under investigation during the course of legal processes, such as planned recovery of money that may be owed. The company has invested heavily in the protection of data, with various cyber security software elements and holds both UKAS ISO27001 and Cyber Essentials Plus.
2 How and what information do we obtain
The information that the company collects and retains may relate to residential address data, business data, or other data available in the public domain. This may include items, but not limited to, email addresses, telephone numbers, car registration details and adverse information such as County Court Judgements, or Bankruptcy records. On occasions this may also extend to financial information belonging to a business or individual.
This data is obtained from a variety of lawful sources, which may be free to access or subject of a license fee. Information can also be obtained from other methods, such as interviewing witnesses or suspects. We do not process unlawfully obtained financial information or banking details, unless obtained through a legitimate process, such as obtaining a parties consent to access such data.
In addition, the company may on occasion utilise analytic software to monitor its company website and the traffic visiting the site. This is completed to assist in marketing strategies and also to comply with potential attacks to the site and follow up investigations that may be required.
3 What is the information for
The information obtained is designed to assist our clients/customers, in successfully recovering the money they are owed and enforcing court judgements, completing any necessary due diligence or Know Your Customer (KYC) processes. Other data may be held regarding our customers information for the purposes of processing invoices and receiving or making payments that relate to invoices raised for such services. The information may also be used to complete due diligence and AML checks prior to engaging with a client. We will also hold data to ensure the safety of others and in planning various projects involving risk and ensuring safety. The information is held securely and is treated confidential in the terms of the contract for which we are engaged.
4 On what basis do we process information
Given the nature of our work, there are a variety of areas that cover our legitimacy to obtain the information we hold and process it. These reasons include:
- Legitimate Interest – we are required to assist in the locating of persons or businesses who owe money or are subject of debt recovery, legal processes, enforcement proceedings, due diligence checks or Know Your Customer (KYC) processes.
- Consent – clients may provide consent for us to complete credit or other checks against their details, in order to agree a credit limit on their account. We may also have consent from our clients to pursue certain avenues of investigation.
- Contractual Arrangements – the company enters into contractual arrangements with its clients to complete certain pieces of enquiry work that relates to legal processes.
- Legal Obligation – The company will assist clients to enforce legal judgements, which may include the tracing of persons or recovery of assets belonging to a company or individual.
- Public Interest – The company is involved with criminal investigations that are processed through either the criminal or civil court process.
5 Who do we share our data with
The data obtained is shared with our clients during the legitimate process of the work we undertake. The work is subject of contractual obligations or agreement with the client. The data is provided in a report format that is protected with a password or protectively marked in an email. When the data is provided, clients are informed that the company will only retain it for a maximum period of 12 months, unless longer periods are requested and justified. For the purposes of legal proceedings and processes this can be automatically extended in line with any limitation of proceedings rules.
6 Where do we store and process the data
The vast majority of data is stored at the companies office premises in the United Kingdom. As we operate a global client list, it may be that some data is required to be sent overseas, such as with Eminent Crisis Management Group PTY Ltd in South Africa. Prior to engaging with enquiry work of any nature, the case is vetted to ensure it meets the test required to process the data lawfully.
When data is sent outside of the United Kingdom, the same principles and rules apply regarding retention. If notice is not given and any case is discontinued, the data held is destroyed once our legal obligations to meet storage and retention on those grounds have been met.
The company holds UKAS ISO27001 and Cyber Essentials Plus accreditations.
7 How do we secure our data
The company possesses a substantial information security policy that outlines in full how data should be treated, transmitted and stored. This policy is part of our obligations to retain the UKAS ISO27001 and Cyber Essentials Plus accreditation. Policies include the use of strong passwords and operating a fully encrypted network. The network is subjected to a minimum annual penetration test to ensure it is robust. Contractors used by the company are required to comply with their terms and conditions contract or substantive None-Disclosure Agreement (NDA) covering the protection and transmitting of data.
All information regarding our information security policy is made available to employees of the company. The company holds the relevant UKAS ISO7001 standard together with Cyber Essentials Plus, providing further assurances regarding how it operates and processes information.
8 Your rights to access information
There are occasions when you may wish to access information held by the company. This is your right to do so under General Data Protection Regulation (GDPR) guidelines. If you wish to access any data you believe we hold about you, then this request must be placed in writing to the company registered address in the United Kingdom. This is displayed at the end of this document.
Once your request has been received, then it will be assessed to establish if you have proper purpose to obtain a copy of the data and that the company is not breaching its own legal obligations or privileges in doing so. The company will then respond to you within 30 days of the letter being received. 30 days meaning working days and a working day representing Monday through to Friday and excluding public holidays.
The company reserves the right to charge a reasonable administration fee to cover the time taken to process the request. General ‘fishing’ requests will not be considered and a full outline of your purpose for requesting the information should be provided in your letter to the company. On receipt, we may wish to discuss your request with you, so providing easy methods of contact should be provided.
At any time, with proper notice given, a client can withdraw consent and the data will be destroyed within a reasonable timeframe. The same will apply with any contract termination followed by a request to destroy such data. The company is also registered with the Information Commissioners Office (ICO), who can be contacted and receive complaints about the company and the way in which it processes and handles data.
9 Contact Details
The company can be contacted using the following details:
|Eminent Crisis Management Group Ltd
Malvern Hills Science Park
+44(0) 844 282 1819