WJP Software Policies and Certificates

Company Name: WJP Software Limited
Date Policy is Effective: 16/01/2019


1. Introduction

This document sets out the obligations of WJP Software Limited (“the Company”) with regard to data protection and the rights of people with whom it works in respect of their personal data under the Data Protection Act 2018 (“the Act”).

This Policy shall set out procedures which are to be followed when dealing with personal data. The procedures set out herein must be followed by the Company, its employees, contractors, agents, consultants, partners or other parties working on behalf of the Company.

The Company views the correct and lawful handling of personal data as key to its success and dealings with third parties. The Company shall ensure that it handles all personal data correctly and lawfully.

2. The Data Protection Principles

This Policy aims to ensure compliance with the Act. The Act sets out six principles with which any party handling personal data must comply. All personal data:

  1. Must be processed lawfully, fairly and in a transparent manner in relation to the data subject (and shall not be processed unless certain conditions are met);
  2. Must be obtained only for specified, explicit and lawful purposes and shall not be further processed in any manner without further consent;
  3. Must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed;
  4. Must be accurate and, where necessary, kept up to date, ensuring any inaccurate personal data is erased or rectified without delay;
  5. Must be kept in a form which permits identification of data subjects for no longer than necessary;
  6. Must be processed in a manner ensuring appropriate security of the personal data including protection against unlawful or unauthorised processing, access, loss, destruction or damage.

3. Rights of Data Subjects

Under the Data Protection Act 2018, data subjects have the following rights:

  • The right to be informed that their personal data is being processed;
  • The right to access any of their personal data held by the Company within one calendar month of making a request;
  • The right to have incorrect data updated;
  • The right to have data erased;
  • The right to stop or restrict the processing of their personal data; and
  • The right to object to how their data is processed (in certain circumstances).

4. Personal Data

Personal data is defined by the Act as data which relates to a living individual who can be identified from that data or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

The Act also defines “sensitive personal data” as personal data relating to the racial or ethnic origin of the data subject; their political opinions; their religious (or similar) beliefs; trade union membership; their physical or mental health condition; their sexual life; their genetic and biometric data (where used for identification) and the commission or alleged commission by them of any offence; or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.

The Company only holds personal data which is directly relevant to its dealings with a given data subject. That data will be held and processed in accordance with the data protection principles of the GDPR, the Data Protection Act 2018 and with this Policy.

5. Processing Personal Data

Processing of personal data is defined in the Act as ‘collection, recording, storage, adaption and alteration, disclosure by transmission, erasure or destruction.’ Any and all personal data collected by the Company is collected in order to ensure that the Company can facilitate efficient transactions with third parties including, but not limited to, its customers, partners, associates and affiliates and efficiently manage its employees, contractors, agents and consultants. Personal data shall also be used by the Company in meeting any and all relevant obligations imposed by law.

Personal data may be disclosed within the Company. Personal data may be passed from one department to another in accordance with the data protection principles and this Policy. Under no circumstances will personal data be passed to any department or any individual within the Company that does not reasonably require access to that personal data with respect to the purpose(s) for which it was collected and is being processed.

The Company shall ensure that:

  • All personal data collected and processed for and on behalf of the Company by any party is collected and processed using at least one of the following valid lawful bases: Consent; Contract; Legal obligation; Vital interests; Public task and Legitimate interests;
  • Data subjects are made fully aware of the reasons for the collection of personal data and are given details of the purpose for which the data will be used;
  • Personal data is only collected to the extent that is necessary to fulfil the stated purpose(s);
  • All personal data is accurate at the time of collection and kept accurate and up-to-date while it is being held and/or processed;
  • No personal data is held for any longer than necessary in light of the stated purpose(s);
  • All personal data is held in a safe and secure manner, taking all appropriate technical and organisational measures to protect the data;
  • All personal data is transferred using secure means, electronically or otherwise;
  • No personal data is transferred outside of the UK or EEA (as appropriate) without first ensuring that appropriate safeguards are in place in the destination country or territory; and
  • All data subjects can exercise their rights set out above in Section 3 and more fully in the Data Protection Act 2018.

6. Data Protection Procedures

The Company shall ensure that all of its employees, contractors, agents, consultants, partners or other parties working on behalf of the Company comply with the following when processing and / or transmitting personal data:

  • All emails containing personal data must either be set up as a password-protected document and emailed separately from the password details or, where possible, encrypted;
  • Personal data may be transmitted over secure networks only – transmission over unsecured networks is not permitted in any circumstances;
  • Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;
  • Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted;
  • Where personal data is to be sent by facsimile transmission, the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;
  • Where personal data is to be transferred in hardcopy form, it should be passed directly to the recipient. Using an intermediary is not permitted;
  • All hardcopies of personal data should be stored securely in a locked box, drawer, cabinet or similar;
  • All electronic copies of personal data should be stored securely using passwords and suitable data encryption, where possible on a drive or server which cannot be accessed via the internet; and
  • All passwords used to protect personal data should be changed regularly and should not use words or phrases which can be easily guessed or otherwise compromised.


7. Organisational Measures

The Company shall ensure that the following measures are taken with respect to the collection, holding and processing of personal data:

  • A designated officer (“the Designated Officer”) within the Company shall be appointed with the specific responsibility of overseeing data protection and ensuring compliance with the Act and GDPR.
  • All employees, contractors, agents, consultants, partners or other parties working on behalf of the Company are made fully aware of both their individual responsibilities and the Company’s responsibilities under the Act and shall be furnished with a copy of this Policy.
  • All employees, contractors, agents, consultants, partners or other parties working on behalf of the Company handling personal data will be appropriately trained to do so.
  • All employees, contractors, agents, consultants, partners or other parties working on behalf of the Company handling personal data will be appropriately supervised.
  • Methods of collecting, holding and processing personal data shall be regularly evaluated and reviewed.
  • The performance of those employees, contractors, agents, consultants, partners or other parties working on behalf of the Company handling personal data shall be regularly evaluated and reviewed.
  • All employees, contractors, agents, consultants, partners or other parties working on behalf of the Company handling personal data will be bound to do so in accordance with the principles of the Act and this Policy by contract. Failure by any employee to comply with the principles or this Policy shall constitute a disciplinary offence. Failure by any contractor, agent, consultant, partner or other party to comply with the principles or this Policy shall constitute a breach of contract. In all cases, failure to comply with the principles or this Policy may also constitute a criminal offence under the Act.
  • All contractors, agents, consultants, partners or other parties working on behalf of the Company handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of the Company arising out of this Policy and the Act.
  • Where any contractor, agent, consultant, partner or other party working on behalf of the Company handling personal data fails in their obligations under this Policy that party shall indemnify and hold harmless the Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.


8. Access by Data Subjects

All data subjects have the right to make a subject access request (“SAR”) at any time. This is a request to access all personal data which the Company may hold about them.

  • SARs must be made in writing either by letter or email.
  • Upon receipt of a SAR the Company shall have a maximum period of one calendar month within which to respond. The following information will be provided to the data subject:
      • Whether or not the Company holds any personal data on the data subject;
      • A description of any personal data held on the data subject;
      • Details of the purposes for processing of the personal data;
      • Details of the retention period for storing the personal data and, where this is not possible, the criteria for determining how long it will be stored;
      • The existence of their right to request rectification, erasure or restriction or to object to such processing;
      • Their right to lodge a complaint with the ICO or another supervisory authority;
      • Information about the source of the data, where it was not obtained directly from the individual;
      • Details of any third-party organisations that personal data is passed to and the safeguards provided for the transfer;
      • The existence of any automated decision-making (including profiling); and
      • Details of any technical terminology or codes.

9. Notification to the Information Commissioner’s Office

As a data controller, the Company is required to notify the Information Commissioner’s Office that it is processing personal data. The Company is registered in the register of data controllers.

Data controllers must renew their notification with the Information Commissioner’s Office on an annual basis. Failure to notify constitutes a criminal offence.

Any changes to the register must be notified to the Information Commissioner’s Office within 28 days of taking place.

The Designated Officer shall be responsible for notifying and updating the Information


10. Implementation of Policy

This Policy shall be deemed effective as of 09/01/2019. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.

Purpose - In general, acceptable use means respecting the rights of other software and system users, the integrity of the system and all pertinent license and contractual agreements.

Scope of the policy – This policy applies to all WJP Software Limited clients that use or host our software including but not limited to Microbiological Reporting System (MRS), Microbiological Reporting System Additional Features (MRS AF), Environmental Water Testing (EWT), Emergency Box Management (EBM), Web Communication System (WCS) and webhosting users.

1.1 The Client may not use the Service (including, but not limited to, the Hosting Hardware and/or the Hosting Software) for any unlawful or otherwise inappropriate purposes. This includes, but is not limited to:

          1. Introduction and distribution of computer viruses, malware, spyware or any other form of code designed to cause harm or nuisance to hardware or software or to obtain data without consent;
          2. Distribution of pirated material including, but not limited to, software, videos, music and written works; and
          3. Distribution of obscene or illegal material including that which is pornographic, abusive, threatening, malicious, harassing, fraudulent, defamatory or that which encourages criminal activities.
          4. Spamming by email or any other channel.
          5. Making unauthorised representations.
          6. Circumventing device and network security.
          7. Disclosing confidential information, except where permitted as a business purpose.
          8. Revealing account passwords to anyone else.

      1. The Client may not use the Client Website to link to any other websites or systems hosting any material described in sub-Clause 1.1.
      2. The Client undertakes to monitor and supervise any and all third party activity on the Client Website (including, but not limited to, the submission of material by users and the use of communication systems such as forums).  Any third party activity that may fall within the provisions of sub-Clause 1.1 must be stopped or removed, as appropriate.
      3. The Client undertakes to ensure that any and all personal information collected through the Client Website is gathered, processed and held in accordance with the relevant provisions of the Data Protection Act 2018 and GDPR (General Data Protection Regulations) 2018. As the data processor, WJPS complies with the GDPR guidelines in relation to the website software and information held on it. WJP Software Limited is registered with the ICO (Information Commissioner’s Office) company number ZA370204.
      4. The Client undertakes to ensure that any and all e-commerce conducted through the Client Website complies with all relevant laws in force at the relevant time including, but not limited to, the Distance Selling Regulations 2000 and the EU E-Commerce Directive 2000.
      5. The Client shall be responsible for all activity relating to the Client Website.
      6. The Client shall use reasonable endeavours to ensure that the Host is furnished with any information reasonably required by the Host to provide the Service in a timely manner. This includes completing Schedule 4 on page 9 of this contract with the names and contact email addresses for all website users with administrator access to the website.
      7. Remote Access: the Client will authorise WJPS staff remote access to Client hardware and software for essential updates and maintenance where necessary.

WJP Software Limited Terms & Conditions:

Please read our terms and conditions carefully. We will assume you agree to the terms and conditions listed below unless you contact us directly to discuss them.

Introduction: WJP Software Limited (Company Number 7578111) has been operating since 2004, becoming limited in 2011. We specialise in developing data management systems and providing process consultancy for the healthcare sector.

Scope of Consultancy: WJP Software Limited will aim to provide you with a software solution to fit your need. We will also discuss any other development required and any further costs it might incur. However, WJP Software Limited reserves the right to refuse to carry out any work that is deemed to be inappropriate or that is felt cannot be completed satisfactorily.

WJP Software Limited Personnel:  WJP Software Limited undertakes to provide suitably qualified and competent personnel to create and support the software solutions. All WJPS employees are required to sign confidentiality agreements concerning any confidential information to which they are exposed.

Changes to your Organisation: You must appoint a main project contact and an IT project contact for us to work with for the duration of the project. It is a condition of this agreement that you inform WJPS of any substantive changes that take place in your staff structure or project contact.

Terms of Payment: WJP Software is a VAT registered company (VAT Number: GB 110 437659). 
Our standard payment terms are 30 days from invoice date. All invoices contain BACS payment details, which is our preferred method of payment.

The Annual MRS Support & Maintenance Contract fee may be subject to increase in line with the rate of inflation. Project Costs will be invoiced as 50% to start the project and 50% on completion of the project. The work will not begin until a PO has been received for the initial 50% costs.

Cancellation: Should the Client wish to terminate the project they should contact WJPS as soon as possible. The Client should put a formal request to terminate the project in writing. The Client is entitled to full refund of the initial 50% costs if the cancellation is within 14 days from payment. If the cancellation comes after 14 days from payment of the initial costs then these will be forfeit by the Client. WJP Software Limited reserve the right to terminate any project by providing the termination in writing to you with no less than 14 days’ notice.

Quality Management: WJP Software Limited became an ISO 9001:2015 accredited company in 2016. Our current certificate number is 18ACM4587Q. We comply with the standard under the scope of IT Consultancy and Software Development. Copies of our certificates can be made available on request.

Information Security Management: Data protection and information security are very important to our business and as such we are an ISO 27001:2013 accredited company, having gained the status in 2016. Our certificate number is 18ACM45871. We comply with the standard under the scope of IT Consultancy and Software Development and copies of our certificates can be made available on request.

We follow the NHS Information Governance Toolkit guidelines and have been accredited since December 2016. Our company number is 8JK77.

GDPR (General Data Protection Regulation): WJP Software Limited is registered with the ICO (Information Commissioner’s Office) company number ZA370204 and complies with the GDPR regulations.

Cyber Essentials: WJP Software Limited holds certification to confirm we comply with the requirements of the Cyber Essentials Scheme. Certificate number IASME-CE-003685.

Insurance: We are covered by a £1,000,000 public liability indemnity provided by and £500,000 professional indemnity which is provided by HCC International Insurance Company PLC.  Any documents can be provided on request.

Disclaimer: WJP Software Limited will not be liable for any failure or delay in performing their obligations where such failure or delay results from any cause that is beyond the reasonable control of the business.  Such causes include, but are not limited to: power failure, internet service provider failure, industrial action, civil unrest, fire, flood, storms, earthquake, acts of terrorism, acts of war, governmental action or any other event that is beyond the control of WJP Software Limited.

Please note that these Terms and Conditions relate to the Project as specified in this document. Full contracts for both the MRS Software Licence and Annual Support will be sent to you on completion of the project.

WJP Software Limited are happy to discuss either solution further as required. If you have any further questions please contact James Proctor (james.proctor@wjps.co.uk, 0845 557 7856).

All WJPS software Users are supplied with a system-generated password when they are added to the system. Please ensure you follow the below password security guidelines:


  • Any initial system-generated passwords or those set by IT personnel in an organization must be changed the first time they are used by the user.
  • Passwords should be no less than 8 characters in length and consist of both numbers and letters.
  • Passwords MUST NOT be written down either on paper or retained electronically. If the password is written down at any point the paper must be destroyed as soon as possible.
  • Passwords must be kept confidential and not be shared or given to anyone else within a user’s organisation.

WJP Software Limited – Privacy Policy

This privacy policy (together with any other documentation referred to) explains how WJP Software Limited and WJP Software Limited (the hosts) uses and protects any information that you submit when you use this website. It explains who we are, how we collect, share and use information about you and how you can exercise your privacy rights in accordance with The General Data Protection Regulation (GDPR) (EU) 2016/679.

Please read the policy carefully to understand how any personal information is used. If you have any questions or concerns then please contact james.proctor@wjps.co.uk

WJP Software Limited (WJPS) may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This privacy policy is effective from 25/05/2018.


About the WJP Software Limited Privacy Policy

WJP Software Limited is committed to ensuring that your privacy is protected and to respecting the privacy, safety and security of our registered (and prospective) users. Should we ask you to provide certain information by which you can be identified when using this website, then you can be assured that it will only be used in accordance with this privacy statement.


Who we are?

WJP Software Limited (Company Number: 7578111) supply web hosting software solutions through consultancy, development and ongoing support of our Web Communication System (WCS) product. Our servers are located in the UK.

How does WJPS collect personal information?             

The personal information collected about Users broadly falls into the following categories:

Information that you provide voluntarily: this is information which is required for us to fulfil a request from a site visitor. This information will be obtained directly from you by submitting an enquiry/ contact request form on site or via phone or email contact. Typically, the information requested will be:

  • name and job title
  • contact information including email address

Information that we collect automatically: this is the information that we may collect automatically when a User visits our site from their device. Under the GDPR this information may be considered personal information. Specifically, the information we collect automatically may include a User’s IP address and Network Location, device type, time zone setting and approximate geographic location.

Information that we obtain from a third party source: we do not receive any personal data information from third party sources.

Some of this information may be collected using cookies and similar tracking technology. This is further explained in the Cookie Policy below.

What we do with the information we collect?

Collecting this information enables us to better understand the Users that come onto our site, where they are located and what content on the site is of particular interest. We use this information for internal analytics to assess User requirements and improve the provision of our service and Site. In particular, the information collected is used to:

  • Administer and manage accounts and to fix any problems with accounts
  • Provide information, offers and updates about products and services
  • Notify you about changes, improvements and upgrades to products and services
  • Improve our products and services through data analysis, quality control and research

Lawful Basis for Processing Personal Information

We retain personal information we collect for Users where we have an ongoing legitimate business need to do so.  

Who does WJPS share my personal information with?

WJPS will not, in any circumstances, share your personal information with other individuals or organisations. We will not sell, distribute or lease your personal information to third parties unless we have your permission or are required by law to do so.


WJP Software Limited Cookie Policy

A cookie is a text file which typically contains two pieces of information: a site name and unique user ID. When you visit a site that uses cookies for the first time, a cookie is downloaded onto your computer’s memory. The next time you visit that site, the site then ’knows’ that you have been there before and sometimes can be tailored to take that into account. To help us to better understand your needs, we also use analytical software, Google Analytics. This software will save a cookie onto your computer’s hard drive in order to analyse and track your usage of our Site. It will not collect, store or save personal information. You can read Google’s Privacy Policy regarding the use of cookies for further information.

So that site visitors are aware of the use of cookies on our Site, an information bar will be displayed at the foot of the screen explaining that ‘We have placed cookies on your computer to help make this website better. We use a Google Analytics script which sets cookies. More details can be found in our privacy policy.’

The message can only be removed by clicking on the grey dialogue box which says ‘Do not show this message again’.

Once clicked, it will not display again when you visit our Site. This is considered proof that you as a site visitor/ User are aware of the cookie script running and are happy to continue using our Site.

Google Analytics stores an anonymized version of your IP address – which means some of the digits from the address are not stored. This will only allow approximate geographical location information (ie town/ area) of the Site User. This information is used for research and statistics and is held on the Google Analytics system for 14 months then deleted in accordance with Google Analytics policy.  

You can configure your browser to disable cookies; however, the site might not function correctly without them, so this is not recommended.

Links to other websites

The website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. Therefore, we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites and such sites are not governed by this privacy policy. You should exercise caution and look at the privacy policy applicable to the website in question.

How does WJPS keep my personal information secure?

We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online. The data we collect from you is stored on our secure servers located in the UK.

The measures in place are designed to provide a level of security appropriate to the risk of processing your personal information. We review all security processes and protocols to ensure compliance with GDPR requirements and the standards WJPS holds for Quality Management System ISO 9001:2015 and Information Security Management Systems ISO 27001:2013, and to ensure consideration of new technology and methods.

Users and Site Administrators are responsible for keeping their passwords confidential. We ask Users not to share their passwords with anyone. See Password Advice here.

We also expect all of our employees and contractors to comply with this Privacy Policy and we will take appropriate action to address breaches by employees and contractors in relation to the obligations imposed by the Privacy Policy.

Data Retention

We retain personal information we collect from Users where we have an ongoing legitimate business need to do so.

The information collected via Google Analytics is retained for 14 months and then deleted in accordance with Google Analytics policy.

User Data Protection Rights and Controlling Your Personal Information

Users have the following data protection rights and can choose to restrict the collection or use of their personal information in the following ways:

  • If a User wishes to access, correct, update or request deletion of their personal information they can do so at any time by emailing us at proctor@wjps.co.uk
  • Users can object to processing of their personal information by emailing us at proctor@wjps.co.uk
  • Right to withdraw consent (also known as the right to be forgotten) – if we have collected and processed a User’s personal information with their consent, Users can change their mind and withdraw their consent at any time by emailing proctor@wjps.co.uk. Withdrawing consent will not affect the lawfulness of any processing conducted prior to withdrawal.
  • Users have the right to complain to a data protection authority about our collection and use of their personal information. For more information please contact your local data protection authority.
  • Users can exercise the right to access their personal data and the right to obtain confirmation that their data is being processed. All requests for details of personal information which we hold about you should be made by emailing us at proctor@wjps.co.uk
  • If you have previously agreed to us using your personal information for direct marketing purposes, you may change your mind at any time by emailing us at proctor@wjps.co.uk


We will promptly respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with the applicable data protection laws.


Updates to this Privacy Notice

We may update this Privacy Policy from time to time in response to changing legal, technical or business developments. When we update our Privacy Policy, we will take appropriate measures to inform you in accordance with the significance of the changes we make. You can see when this Privacy Policy was last updated by the ‘policy effective from’ date displayed at the top of this Privacy Policy.


How to Contact Us

If you have any questions or concerns about our use of your personal information, please contact us using the following details: james.proctor@wjps.co.uk or by submitting a Contact Us form on the website.

The data controller of your personal information is WJP Software Limited which is registered with the Information Commissioner’s Office (ICO) with registration number ZA367006.


WJP Software Limited is committed to ensuring digital accessibility for people with disabilities. We are continually improving the user experience for everyone and applying the relevant accessibility standards.

Measures to support accessibility

WJP Software Limited takes the following measures to ensure accessibility of WJP Software Limited:

  • Include accessibility throughout our internal policies.
  • Provide continual accessibility training for our staff.

Conformance status

The Web Content Accessibility Guidelines (WCAG) defines requirements for designers and developers to improve accessibility for people with disabilities. It defines three levels of conformance: Level A, Level AA, and Level AAA. WJP Software Limited is partially conformant with WCAG 2.1 level AA. Partially conformant means that some parts of the content do not fully conform to the accessibility standard.


We welcome your feedback on the accessibility of WJP Software Limited. Please let us know if you encounter accessibility barriers on WJP Software Limited:

Contact us using our Contact form.

We aim to respond to feedback within 2 Business Days.

Assessment approach

WJP Software Limited assessed the accessibility of WJP Software Limited by the following approaches:

  • Self-evaluation