1. Introduction and Scope
Storm Intelligent Communication Limited (“Storm”, “we”, “us” or “our”) recognises that the privacy of the personal information that our clients provide to us is critically important. We take the privacy and security of personal information very seriously. We are committed to complying with our legal obligations under the General Data Protection Regulation (“GDPR”), the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“UK Data Protection Laws”) and other data protection laws around the world.
2. Who are Storm Intelligent Communication Limited?
Storm Intelligent Communication Limited is a company, registered in England and Wales under No. 07455436, whose registered office is at Cardale House Cardale Court, Beckwith Head Road, Harrogate, North Yorkshire, HG3 1RY. Storm has been trading since early 2011. The business of Storm is that of a reseller of Push To Talk over Cellular and Wi-Fi products and services, developed by Mobile Tornado Group plc (“MTG”), which is a company, registered in England and Wales under No. 05136300, whose registered office is at Cardale House Cardale Court, Beckwith Head Road, Harrogate, North Yorkshire, HG3 1RY. MTG’s technology enables our clients to offer Push To Talk, Push To Message, Push To Alert and Push To Locate services to their userbases, (altogether “PTT Services”). These technologies facilitate two way communication between users. Push To Talk, for example, allows users to exchange real time voice messages between mobile phones and/or personal computers. Push To Message, for example, allows users to message individuals in their contact list one-on-one, or broadcast to a larger group of contacts (one-to-many).
Storm is registered with the Information Commissioner’s office under Registration No. A8789201. MTG is also registered with the Information Commissioner’s office under Registration No. ZA800391.
Our clients are public and private sector organisations and service providers (such as mobile phone operators who offer PTT Services), rather than individuals.
3. Contacting Storm
There are three ways to contact Storm to discuss any data protection issues you may have:-
The Data Protection Officer
Storm Intelligent Communications Limited
Cardale House Cardale Court
Beckwith Head Road
Harrogate, HG3 1RY
+44 (0)1423 513335 and ask for the data protection officer.
4. Who is responsible for the management of data protection at Storm
We have appointed Marcus Emptage as the Data Protection Officer for Storm. The Data Protection Officer is responsible for managing data protection at Storm and ensuring that we comply with our legal obligations relating to personal information. The Data Protection Officer can be contacted using the contact details given in section 3 above.
5. What types of personal data does Storm process?
Under data protection laws, personal data is any information relating to an individual from which that person can be identified. It does not include data from which the identity of an individual cannot be identified (which is anonymous data).
6. The Personal data Storm processes relating to users of our PTT Services
How our clients use our PTT Services determines what types of personal data Storm itself processes. Some of our clients procure their own PTT server and manage it themselves, via a private or public network, whilst other of our clients access, over the internet, a PTT server owned and operated by Storm on a Software as a Service (SaaS) model.
Where our clients use a Storm server on a SaaS model then certain types of personal data about end users of our PTT Services may be stored in a database that sits on the Storm server. End users (“Subscribers”) are mobile users, who either use a client app on their smart phones or use a rugged/dedicated device or a computer. Such personal data may for the Push To Talk product typically include the following:-
The types of personal data, listed above, are relevant to the provision of the PTT Services and are used by organisations or Subscribers to better manage their operations.
For any particular Storm client the types of personal data processed and stored on our IPRS Platform are determined by that client and not by Storm. Our clients have full control over how much personal data will be kept on the IPRS Platform and have the option not to provide any data that personally identifies any particular Subscriber. For example, the full name and display name of a Subscriber is a field that can be filled with any data and is not verified or checked by Storm. Similarly, the phone number of a Subscriber can be replaced with an artificial identifier which is defined by the client. Location tracking can be turned off by the client or generally by an individual Subscriber: where that is the case the location coordinates are not transmitted from the PTT application to the PTT server. Similarly, the client can disable the ability to raise alarms for particular Subscribers. Storm can generally access call initiator and call participants data.
Under UK Data Protection Laws sensitive personal data is information relating to someone’s racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
None of the types of personal data listed above (and which are typically collected by our clients) will constitute sensitive personal data, with the possible exception of certain Subscriber names and addresses. However, as noted above, Subscriber personal identifiers, such as names and addresses, are optional and their collection is solely dictated by the client.
Storm does not record the voice traffic processed by the IPRS Platform. Storm personnel have no way to retrieve the content of Subscriber discussions conducted over the IPRS Platform. Our clients typically appoint a controller/dispatcher to manage the Subscribers in their organization. They do this via a despatch console installed in a Windows environment on a PC typically located at the client’s premises. The despatch console communicates with the IPRS Platform over the Internet. Voice recording is a feature that can be enabled on the despatch console and is automatically enabled during a Push To Alert event (see further below). Through the despatch console, a controller/dispatcher can record, retrieve and playback audio communications made by Subscribers. The recordings are stored only locally on the computer on which the despatch console is running. The despatch console is capable of:
An important feature of Storm’s IPRS Platform is the Push To Alert functionality. This allows Subscribers at risk to send a notification from their devices to control rooms, dispatchers and dedicated groups, by pressing an SOS button. Whenever the dedicated SOS button is clicked, a notification is sent to the relevant PTT server (which notification Storm can access) and from there it is forwarded to the control rooms or emergency groups of the relevant client. All steps in delivery, approval, and treatment are monitored and recorded for later debriefing. Once the emergency alert notification is received by the IPRS Platform then a number of processes are automatically triggered:
A further important feature of our IPRS Platform is the Push To Locate functionality. This allows for the tracking of individual Subscribers who carry a GPS-enabled device. Storm software installed on the GPS-enabled device automatically attempts to derive its location at pre-defined update intervals. Controllers/dispatchers can also request a location update, set and track geo-fencing events, and initiate location based group calls. The precise details of how the Push To Alert function operates for any of our clients are determined by the relevant client. In many instances Storm personnel will be able to ascertain where a given Subscriber is.
Where our clients use their own PTT server (and in effect only license software from Storm) then Storm will generally not itself process any Subscriber personal data during the ordinary operation of the IPRS Platform. When such clients require us to access their own PTT server to inspect its operation, maintain it, rectify faults, deal with reported user issues or to update or alter the software on it, then such clients are responsible for providing us with a secure connection to their server, which restricts our service engineer access to client Subscriber personal data. When a client uses their own PTT server they are responsible for backing up any Subscriber personal data stored on it.
7. Storm’s role in relation to Subscriber personal data processed on our IPRS Platform
Our clients are for the purposes of UK Data Protection Laws, data controllers in relation to Subscriber personal data handled by our IPRS Platform because they determine the purposes for which and the means by which such Subscriber personal data is processed. Further information about how our clients manage such Subscriber personal data and their policies in relation to it will typically be available on our client’s websites, intranet sites or from their own data protection personnel.
Storm is the data processor in relation to Subscriber personal data processed on our IPRS Platform as we process that Subscriber personal data on behalf of our clients. Our obligations in relation to such personal data are set out in section 8 below.
8. Storm’s Responsibilities in relation to Subscriber personal data
As noted in section 7 above, Storm are a data processor in relation to Subscriber personal data that we process on the IPRS Platform. In relation to Subscriber personal data Storm has a number of legal obligations, which are set out below together with brief details of how we comply with them:
9. Our client’s responsibilities in relation to Subscriber personal data
Our clients, as data controllers in relation to the personal data of their Subscribers, are responsible for, amongst other things, the following:-
In particular it is the responsibility of our clients to ensure that their Subscribers, controllers/dispatchers and organisation managers do not misuse any personal data collected during their use of our IPRS Platform.
10. Who has access to Subscriber personal data held on our IPRS Platform
On the client side, there are potentially two types of person who may have access to Subscriber personal data: controllers (dispatchers) and organisation managers.
Controllers/Dispatchers – their role is to manage the Subscribers in their organisation via a despatch console installed on Windows/PC station. The access they have to Subscriber personal data is determined by the client and not by Storm.
Organisation managers – Their role is to manage the Controllers/Dispatchers and/or Subscribers in their organisation. They control access to the IPRS Platform for Subscribers in their organisation. The access they have to Subscriber personal data is determined by the client and not by Storm.
In addition Storm’s customer care engineers may have access to Subscriber personal data. Storm’s customer care engineers typically access the IPRS Platform remotely using a secure connection. They maintain the IPRS Platform and ensure that it is working properly and provide assistance to Subscribers with problems. There are two levels of engineers: lower level engineers only have access to run time logs, while senior level engineers may access the Subscriber database but only for troubleshooting purposes.
11. What personal data does Storm itself collect?
Storm holds and processes personal data relating to individuals who work for or represent our current and prospective clients or who are, work for or represent suppliers to Storm (altogether “Storm Contacts”). Storm Contacts tend to be our principal or historic points of contact with an organisation, client administrative & technical personnel, organisation managers and controllers/dispatchers and those involved in the supervision and/or provision of our PTT Services and the software and hardware that are used to run them.
That personal data includes all or at least some of the following items:
This data will not generally be regarded as sensitive personal data, with the possible exception of certain names and addresses.
In order to improve the Website, we may also collect anonymous data about how users navigate through and use the Website.
We do not collect or process personal data about children.
12. Updating or changing Storm Contacts personal data
If you are or believe that you may be an Storm Contact then please do help us to keep your personal data up to date by notifying us of any changes relating to for example your name, work address or marketing preferences.
You can update any information Storm holds about you by contacting your usual contact at Storm or by contacting the data protection officer, whose details are in sections 3 & 4 above or our client services team on 01423 513335. They will be delighted to help you.
14. How does Storm collect Storm Contacts personal data?
We collect personal data about Storm Contacts when we engage with existing and prospective clients and suppliers. This can be during marketing activities, when a contract to provide PTT Services is concluded or in connection with the provision of the PTT Services. The personal data can be collected in meetings, via our Website, during phone or video calls or during the client set up/registration process to use our PTT Services.
15. How does Storm use Storm Contacts personal data?
We will use Storm Contacts personal data in the following ways:
16. What is the legal basis on which Storm processes Storm Contacts personal data?
UK Data Protection Laws provide that a data controller can only lawfully process personal data if it satisfies at least one of up to six possible legally defined grounds or bases for doing so, which are set out in the GDPR. We set out below the bases that Storm relies on in relation to its processing of Storm Contacts personal data.
The legally defined reasons Storm relies on are as follows:-
As Storm is not a data controller but only a data processor in relation to Subscriber personal data, Storm does not need to satisfy at least one of the six permissible grounds in relation to Subscriber personal data but its clients have to.
If you are a contact of an existing client, or a prospective client who has shown an interest in our products or services, we may contact you by post and by telephone with marketing material and information about our PTT Services. We may also email such contacts to promote our PTT Services, unless, when the contact first provided their details to us or subsequently, the contact indicated that they didn’t want to receive or no longer want to receive such marketing emails messages from us. In addition, all our promotional emails contain an opt out option, which can be used to tell us to stop sending marketing emails.
We regularly check (or ensure third parties appointed by us to run certain of our business services regularly check) our Storm Contact databases against lists maintained by the Telephone Preference Service (https://www.tpsonline.org.uk/tps) and the Mail Preference Service (https://www.mpsonline.org.uk) to ensure that we don’t call or post items to Storm Contacts who have registered with these services not to receive marketing calls or mailings.
18. Changing your marketing preferences
You can tell us at any time to stop marketing to you by using any of the methods set out in section 3 above or by submitting a request via this email address: firstname.lastname@example.org
Each time you receive a marketing email from Storm, you will be given the opportunity to opt-out of receiving further marketing emails or texts.
We will try to implement any change to your marketing preferences as soon as reasonably possible.
18. Who do we share personal data with?
Storm does not share Subscriber personal data with any other entity except, where lawfully requested by the relevant data controller (our client).
We do not share Storm Contact personal data with any third party.
19. What are your legal rights in relation to your personal data?
Individuals (“Data Subjects”) have a number of legal rights in relation to the personal data we hold about them. These include:
If you would like to exercise any of your legal rights in relation to the personal data we hold about you, you can submit a request through our Website using this link: www.storm.co.uk or by contacting the data protection officer whose details are set out in sections 3 & 4 above.
Generally Data Subjects will not have to pay a fee to exercise any of their legal rights. However, we are entitled to charge a reasonable fee if any request is clearly unfounded, repetitive or excessive. We can also refuse to comply with an unfounded or excessive request. We may need to request information from a Data Subject to confirm their identity, in order to make sure that personal data is not disclosed to someone who is not entitled to have it. We may also need to ask a Data Subject for additional information to help us respond to their request. We will try to respond to a Data Subject’s request within one month but, if the request is very complex or if a Data Subject has made a number of requests, it could take longer. In such circumstances, we will explain to the Data Subject why it will take longer to respond and we will keep them updated.
20. How long will we keep your personal data?
We retain Storm Contact personal data for as long as reasonably necessary to fulfil the purposes it was collected for and to enable us to comply with our legal obligations. This will often be for as long as a client uses our PTT Platform or a supplier supplies us or if longer for up to six years after the last recorded transaction or interaction with the client or supplier. Six years is generally the limitation period under UK law for a client or supplier to bring a breach of contract claim against us. At the end of the relevant period, personal data will be irretrievably deleted.
Generally, Storm stores Subscriber personal data (and a back-up of it) for a limited retention period, as specified by individual clients. Call logs are typically retained for 36 days. Location history is typically retained for 1 year. After the retention period has expired then the Subscriber personal data and any back-up of it will be irretrievably deleted.
21. How do we protect personal data?
Storm takes the security of personal data very seriously. We use appropriate security measures to protect personal data from unauthorised access, disclosure, alteration or loss.
In relation to Subscriber data, we understand the importance of secured communications when any Subscriber is communicating privately and does not want a third party to listen in. In order to achieve that, the IPRS Platform needs to eliminate the risk of interception. Storm’s IPRS Platform is built with security by design principles, meaning confidentiality, integrity, and availability.
The development of our IPRS Platform, its installation and maintenance are carried out in accordance with the rules set out by the latest security standards. Our products and services comply with the security and privacy requirements of GDPR, ISO 27000 and AES-256.
When Subscribers, organisation managers, controllers/dispatchers communicate using our IPRS Platform, either over a cellular data connection or Wi-Fi, the PTT server uses a proprietary Mobile Tornado communications protocol, which would make it very hard for an unauthorised third party to intercept the communications.
Additionally sensitive information like user credentials/passwords is encrypted using state of the art third party encryption software.
In order to increase the safety and privacy of the subscribers, Storm has further introduced the following features in the PTT service:
Our security model can be represented by four different layers: physical, logical, data and code. Physical access to relevant hardware is restricted to authorised personnel. Access to the management portal is protected by the use of cryptographic protocols (TLS), logical protection deployed over the firewalls, switches, load-balancers, and the use of single board computers (SBCs), which allow for enhanced security.
Where a client uses a Storm server, there is a state of the art firewall between that server and the internet. The firewall is a network security device, which monitors incoming and outgoing network traffic and permits or blocks data packets passing through it based on a set of security rules, which are continually updated so as to target current threats such as malicious viruses and hackers.
Further Storm’s security methodology utilises several mechanisms in connection with the encryption of data sent between us and our clients’ IT systems, the main ones being as follows:
All Storm Contact personal data, which we store electronically, is stored on our private, secure network of computers. Access to our IT systems is password protected. Our IT provider regularly monitors our computer and network systems for possible vulnerabilities and attacks and use state of the art firewalls and anti-virus software, which is regularly updated.
22. Where is your personal data processed?
We only process personal data in the UK or the EEA.
23. Personal data of international Subscribers and Storm Contacts
Storm is based in the UK and is committed to complying with UK Data Protection Laws. UK Data Protection Laws are amongst the strictest in the World and we generally take the view that if we comply with UK Data Protection Laws that such compliance will help us ensure compliance with local data protection laws that apply outside the UK. However where we contract with a client based outside the UK we endeavour to ensure that we also comply with any particular local data protection law requirements.
25. How do you make a complaint to the regulator?
You also have the right to make a complaint to the Information Commissioner’s Office (ICO), which is the UK data protection supervisory authority, if you feel that your personal data has not been handled properly or if you are not happy with the way that we have responded to any request you have made relating to the personal data we hold about you. The ICO can be contacted by telephone on 0303 123 1113 or online at www.ico.org.uk/concerns. We would appreciate the opportunity to resolve any data protections issues with you, so please contact us in any of the ways set out in section 3 above, in the first instance.
Cookies and How We Use Them
What are cookies?
Computer cookies are small text files that a website transfers to your computer. Cookies cannot harm your computer and are anonymous. They do not contain any information that could be used to identify you, nor do they contain any confidential information such as your email address or credit card details.
Are cookies safe?
Yes. The information stored in cookies is anonymous and secure. It cannot be used to identify you personally and cannot harm your computer.
Can I switch cookies off?
FORCE24 cookies & tracking
Our organisation utilises Force24’s marketing automation platform.
Force24 cookies are first party cookies and are enabled at the point of cookie acceptance on this website. The cookies are named below:-
They allow us to understand our audience engagement thus allowing better optimisation of marketing activity.
f24_autoId – This is a temporary identifier on a local machine or phone browser that helps us track anonymous information to be later married up with f24_personid. If this is left anonymous it will be deleted after 6 months . Non-essential, first party, 10 years, persistent.
f24_personId – This is an ID generated per individual contact in the Force24 system to be able to track behaviour and form submissions into the Force24 system from outside sources per user. This is used for personalisation and ability to segment decisions for further communications. Non-essential, first party, 10 years, persistent.
The information stored by Force24 cookies remains anonymous until:
The Force24 cookies will remain on a device for 10 years unless they are deleted.