UK General Data Protection Regulation (GDPR)

Noah Facial Recognition Pty Ltd ("NoahFace") is committed to privacy and adheres to the requirements of the UK General Data Protection Regulation ("UK GDPR").

You can learn about the UK GDPR from the Information Commissioner's Office.

Definitions

Using the terminology of the UK GDPR:

• Our Partner's Customers ("Customers") make use of the NoahFace System. They decide which Data Subjects use the NoahFace System, what specific Personal Data elements are stored, and how the system is configured to meet their needs. In doing so, our Customers act as Data Controllers.
• Our Partners sell, implement, and support the NoahFace System. In doing so, our Partners act as a Data Processor on behalf of Customers.
• NoahFace operates the NoahFace System. In doing so, NoahFace acts as a Data Processor on behalf of our Partners, or a Data Sub-Processor for Customers.
• The NoahFace System runs on Amazon Web Services (AWS). AWS is a Data Processor on behalf of NoahFace, or a Data Sub-Processor for Partners and Customers.

Principles

NoahFace adheres to the UK GDPR Principles as follows:

Lawfulness, Fairness, and Transparency

NoahFace only uses data in a manner that is both lawful and fair. This is covered further in the Lawful Basis of Processing section.

NoahFace provides complete transparency as to:

• What data is captured by NoahFace?
• How does NoahFace use that data?
• How does NoahFace protect that data?
• When does NoahFace destroy that data?

These questions are answered in detail in our Privacy Statement.

Purpose Limitations

The NoahFace System stores Personal Data only for the purpose of allowing our Customers to perform the business functions they decide they need, which may include:

• Time and Attendance
• Access Control
• Visitor Registration
• Temperature Screening

NoahFace does not use the stored data for its own purposes, nor does it provide access to the stored data to any third parties for their own purposes.

Data Minimisation

The NoahFace System only stores data that is needed to perform the business functions our Customers decide they need. The NoahFace System provides features to help Customers further minimise stored data. Specifically, our Customers can choose to:

• Use avatars instead of photos for user profile pictures.
  
• Not capture and store photos with each event.
• Not store specific data elements (eg: email addresses, access expiry dates, etc).
  
• Obscure specific data elements (eg: record a person's name as "1003" instead of "John").

Accuracy

The NoahFace System provides features to synchronise Personal Data from source systems (eg: a payroll system or an access control systems), so that this data is as accurate as these source systems. When capturing event data, the NoahFace System uses automated sources of data (eg: the date/time, the location on a device, or a specific button that was pressed) so that the captured data is accurate.

Storage Limitations

The NoahFace System only retains event data for as long as our Customers decide they need it (or for 90 days by default).

Integrity and Confidentiality

NoahFace has appropriate security measures in place to protect the data held in the NoahFace System. This is covered further in the Security section.

Accountability

NoahFace has appropriate measures and records in place to be able to demonstrate compliance with the UK GDPR. This is covered further in the Accountability and Governance section.

Lawful Basis of Processing

Contract

NoahFace enters into a Contract with our Partners to process data on their behalf. In turn, our Partners enter into a Contract with each of their Customers to process data on their behalf.

Special Category Data

The NoahFace System can capture, store, and process biometric data, which is considered a Special Category of Personal Data under the UK GDPR. The UK GDPR allows for the processing of biometric data when explicit Consent is provided by Data Subjects, as is required by the NoahFace system. This is covered further in the following section.

Consent

‍Data Subjects are required to provide explicit Consent to the capture and processing of Personal Data, and biometric data in particular. The NoahFace System:

• Provides a clear and simple explanation of the data it captures and what it is used for.
  
• Provides alternative means of identification for individuals who do not grant Consent.
• Records the date and time that Consent was granted by each individual.
  
• Allows Consent to be easily withdrawn.
• Allows Customers or Partners to extend the privacy statement if additional disclosures are required.

‍

Individual Rights

NoahFace recognises and supports the fundamental Individual Rights defined by the UK GDPR:

• Right to be informed.
• Right of access.
• Right to rectification.
• Right to erasure.
• Right to restrict processing.
• Right to data portability.
• Right to object.
• Rights related to automated processing.

NoahFace has developed specific product features to make it easy for Customers to deliver these rights to individuals.

Right to be Informed

The NoahFace System clearly discloses in the privacy statement (which Data Subjects consent to) what data is captured and what it is used for. Customers can augment this privacy statement if they want to add additional disclosures.

Right of Access

The NoahFace System allows Customers to export all of the Personal Data for an individual. When an individual makes a request for their data, all of their data (including event photos) can be packaged up into a "ZIP" file, which can be easily provided to them.

Right to Rectification

The NoahFace System allows Customers to edit data the Personal Data for an individual.

Right to Erasure

The NoahFace System allows Customers to immediately and permanently erase all of the Personal Data for an individual. This includes all of their profile data (eg: their name), their profile picture, their recorded events and associated photos, and their biometrics.
‍

Right to Restrict Processing

The NoahFace System allows Data Subjects to withdraw their consent. This deletes their biometrics and they will no longer be recognised.

Right to Data Portability

The NoahFace System allows Customers to export all of the Personal Data for individuals.  Data is exported using industry standard file formats (eg: JPEG, CSV, etc) for ease of portability.

Right to Object

The NoahFace System allows Data Subjects to withdraw their consent. This deletes their biometrics and they will no longer be recognised.

Rights Related to Automated Processing

The NoahFace System:

• Can be configured by Customers to require manual confirmation by Data Subjects of all events.
• Does not use profiling to automate decision making.

Accountability and Governance

NoahFace is committed to Accountability and Governance as defined by the UK GDPR:

Contracts

NoahFace enters into a Contract with each of our Partners to process data on their behalf. NoahFace has entered into an agreement with its Sub-Processors (ie: Amazon Web Services).

Documentation

NoahFace maintains comprehensive documentation regarding our data processing.

Data Protection Impact Assessment (DPIA)

NoahFace has formally conducted a Data Protection Impact Assessment (DPIA).

Data Protection Officer

NoahFace has formally appointed a Data Protection Officer. If you have any questions or concerns about data protection, please contact our Data Protection Officer at: privacy@noahface.com

Data Protection by Design and by Default

NoahFace has designed data protection into our core processes and systems. In particular:

• The core concept of the NoahFace System is based on self service and Consent.
• To minimise risk, NoahFace uses a single Sub-Processor (ie: Amazon Web Services) for all compute, storage, network, and communication (eg: SMS and Email) services underpinning the NoahFace System.

Security

Encryption

The NoahFace System uses appropriate encryption techniques to protect data including:

• AES-256 is used to encrypt data at rest in the Cloud.
• TLS/SSL (2048 bit keys) is used to encrypt internal network communications.
• Biometric encryption keys are stored in the the Apple KeyChain, which uses AES-256 encryption.
• A one way SHA-256 hash is applied to passcodes before they are stored in the Apple KeyChain.
• TLS/SSL is used to encrypt external network communications (eg: integrations with payroll systems).

Passwords

The NoahFace System uses appropriate  password management techniques to protect data including:

• Obscuring the display of passwords during on screen entry.
• Applying a one-way hash to passwords prior to their storage.

International Transfers

The NoahFace Cloud service is hosted on Amazon Web Services (AWS) and utilises an Australian based data centre. As such, when a UK based Customer is utilising the NoahFace service an International Transfer of data takes place.

NoahFace enters into a Contract with each of our Partners to process data on their behalf. This contract incorporates standard data protection clauses recognised or issued in accordance with the UK data protection regime. These are known as ‘Standard Contractual Clauses’ (‘SCCs’ or ‘model clauses’). The SCCs contain contractual obligations on the Partner (the data exporter) and NoahFace (the data importer), and rights for the individuals whose personal data is transferred.