Data security

Last updated: 20 Feb 2026

Data protection practices

We have adopted the following principles for the collection, use, retention, transfer, disclosure and destruction of personal information, with which workers must comply:
  • We will process personal information lawfully, fairly and in a transparent manner;
  • We will collect personal information for specified, explicit and legitimate purposes only;
  • We will only process the personal information that is adequate, relevant and necessary for the relevant purposes;
  • We will keep accurate personal information, and take reasonable steps to ensure that inaccurate personal information is deleted/corrected without delay;
  • We will keep personal information for no longer than is necessary for the purposes for which the information is processed; and
  • We will take appropriate technical and organisational measures to ensure that personal information is kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

Storage and protection of data

WYWM operates as a services-based organisation leveraging Microsoft 365 and approved third-party SaaS platforms. We do not operate our own hosted data centres or custom cloud infrastructure.

Personal information is stored within secure cloud environments provided by trusted vendors, including Microsoft and other approved service providers.

Security controls include:
  • Encryption of data in transit (HTTPS/TLS 1.2 or higher)
  • Encryption of data at rest where supported by the platform provider
  • Multi-factor authentication for administrative access
  • Role-based access controls aligned to least privilege
  • Conditional access and device compliance enforcement
  • Centralised logging and monitoring of authentication activity
  • Regular review of vendor security assurances (e.g., ISO 27001, Cyber Essentials)

We conduct due diligence when onboarding new service providers to ensure appropriate data protection safeguards are in place.

We retain personal information only for as long as required for business, legal, or regulatory purposes, after which it is securely deleted or de-identified.