Data Protection & Information Security Policy
1. Purpose
PEAK4 exists to improve health, wellbeing and performance through data-led insight, technology and expert delivery. We work with people, organisations and communities in environments where trust, care and integrity matter. Protecting information and personal data is fundamental to how we operate and how we earn and retain the confidence of our clients, partners and programme participants.
This policy sets out how PEAK4 protects information and personal data, supporting confidentiality, integrity and availability across all PEAK4 services. It defines the principles, governance arrangements and responsibilities that apply to employees, contractors and relevant third parties.
This policy is practical and proportionate to PEAK4's cloud-based operating model and the sensitive nature of wellbeing and performance data. It supports compliance with UK GDPR, the Data Protection Act 2018, contractual obligations and client information security expectations.
2. Scope
This policy applies to:
- All PEAK4 employees, contractors and temporary staff
- All information assets owned, managed or processed by PEAK4
- All systems, platforms and tools used to deliver PEAK4 services (including supplier-managed cloud services)
- All personal data, wellbeing/performance data and confidential business information processed in the course of PEAK4 activities
- Information relating to employees, clients, programme participants, partners and suppliers
3. Definitions
- Personal data: Any information relating to an identified or identifiable individual.
- Special category data: Personal data revealing racial/ethnic origin, political opinions, religious beliefs, trade union membership, genetic/biometric data, health data, or sex life/sexual orientation.
- Wellbeing/performance data: Data PEAK4 processes in relation to wellbeing and performance programmes (may include health-related data depending on context).
- Controller / Processor: As defined under UK GDPR. PEAK4 may act as controller or processor depending on the service and contract.
- Incident: An actual or suspected event that compromises confidentiality, integrity or availability of information.
- Personal data breach: A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
4. Policy principles
PEAK4 applies the following principles to all information and personal data processing:
- Lawfulness, fairness and transparency. We process data lawfully and explain clearly how it is used.
- Purpose limitation. We use data only for legitimate service, operational, legal or contractual purposes.
- Data minimisation. We collect and use only what is necessary.
- Accuracy. We take reasonable steps to ensure data is accurate and up to date.
- Storage limitation. We retain data only as long as necessary and dispose of it securely.
- Integrity and confidentiality. We apply appropriate security measures to prevent unauthorised access, loss or misuse.
- Accountability. We maintain governance, records and evidence of compliance.
5. Legal basis, participant trust and ethical use
PEAK4 processes personal data only where a lawful basis applies under UK GDPR, including (as applicable):
- Contractual necessity
- Legitimate interests
- Legal obligation
- Consent (where required or appropriate)
PEAK4 recognises that programme participants place a high level of trust in the organisation. Participant wellbeing and performance data is treated with particular care.
Participation in PEAK4 programmes is supported by clear information at sign-up/onboarding about how data will be collected, used and protected. PEAK4 processes participant data only for legitimate service purposes and in line with contractual arrangements. PEAK4 does not use participant data in ways that are unexpected, intrusive or not aligned to the programme purpose.
Where special category data is processed, PEAK4 applies additional safeguards and ensures appropriate UK GDPR conditions are met.
6. Data subject rights
Individuals have rights under UK GDPR, including:
- Right of access
- Right to rectification
- Right to erasure (where applicable)
- Right to restrict processing
- Right to object
- Right to data portability (where applicable)
PEAK4 will respond to valid requests within statutory timeframes and will verify identity where appropriate. Requests and outcomes are recorded in line with PEAK4 governance practices.
7. Governance and responsibilities
7.1 Director (Senior Management Accountability)
Overall accountability sits with the Director, who is responsible for:
- Approving this policy and ensuring it is reviewed at least annually
- Providing oversight of information security and data protection risk
- Ensuring appropriate controls are in place across PEAK4
- Ensuring suppliers and partners meet appropriate security and data protection standards
- Ensuring security and privacy are embedded into service planning, delivery and change
- Ensuring PEAK4 maintains appropriate records (including Records of Processing Activities, incident logs and training logs)
7.2 Employees and contractors
All employees and contractors are responsible for:
- Complying with this policy and related contractual obligations
- Handling PEAK4, client and participant information responsibly
- Applying good judgement when accessing, using or sharing information
- Completing required onboarding/awareness activities
- Promptly reporting suspected or actual data protection or information security incidents
A breach of this policy may result in disciplinary action and/or termination of contract engagement.
8. Information classification and handling
PEAK4 information may include:
- Personal data
- Wellbeing and performance data
- Client confidential information
- Commercially sensitive business information
Information must be:
- Accessed only where there is a legitimate business need
- Stored securely using PEAK4-approved systems and platforms
- Shared only with authorised individuals/organisations
- Protected from unauthorised access, disclosure, loss or damage
PEAK4 applies data minimisation and retention controls. Information must not be copied into unapproved locations, personal accounts, or unmanaged devices.
9. Access control and least privilege
PEAK4 applies least privilege. Access is:
- Granted on a role-based basis
- Approved by senior management or delegated role owners
- Reviewed and adjusted when roles change or engagements end
- Removed promptly when no longer required
Access controls are primarily enforced through core cloud platforms and supplier-managed systems. Elevated/administrator access is restricted and granted only where required.
10. Acceptable use of systems
PEAK4 systems, devices and information must be used:
- For legitimate business purposes
- In a lawful, professional and responsible manner
- In line with confidentiality, data protection and contractual obligations
Unauthorised or inappropriate use that could compromise security, confidentiality or PEAK4's reputation is not permitted. This includes attempting to bypass security controls, sharing accounts, or introducing unapproved software/tools that may increase risk.
11. Mobile devices and remote working
PEAK4 operates a flexible, cloud-based working model. When working remotely or using mobile devices, individuals must:
- Take reasonable steps to prevent unauthorised access
- Secure devices when unattended (including screen locks)
- Use PEAK4-approved platforms and systems where possible
- Avoid accessing sensitive information in public/shared environments where risk is increased
- Not leave devices visible/unsecured in vehicles or public places
- Report loss or theft promptly to the Director
12. Passwords and authentication
Authentication controls are enforced through PEAK4's core platforms and supplier-managed systems. Controls include:
- Minimum password requirements
- Protection against repeated failed login attempts
- Account lockout or similar safeguards
Where supported and appropriate to risk, PEAK4 uses additional authentication measures (e.g., multi-factor authentication).
Users must never share passwords, reuse passwords across sensitive services, or store passwords insecurely.
13. Cloud services and suppliers
PEAK4 uses third-party cloud services and specialist technology partners. PEAK4 takes a risk-based approach to supplier assurance, which includes:
- Proportionate due diligence and supplier selection
- Contractual confidentiality and data protection obligations (including processor terms where applicable)
- Role-based access control and secure handling of data
- Governance oversight of supplier-managed services
- Secure handling of information throughout the service lifecycle, including exit/termination
Where services are supplier-managed, PEAK4 relies on supplier controls and certifications supported by contractual protections and ongoing governance.
14. Data lifecycle management (onboarding, delivery and offboarding)
PEAK4 manages information across the full lifecycle:
14.1 Onboarding
- Access is granted appropriately based on role
- Data collected aligns with programme/service requirements
- Individuals are provided with clear information on data use where applicable
14.2 Service delivery
- Information is used, stored and shared securely to support delivery, insight and reporting
- Client reporting and dashboards are managed through approved platforms
- Any change that may affect data protection or security is assessed proportionately for risk and contractual impact
14.3 Offboarding and exit
- Access is removed promptly when no longer required
- Data is deleted or lawfully retained in line with contractual, regulatory and business need
- Offboarding actions are supported by PEAK4 operational checklists (including the Leaver IT Asset & Access Checklist)
Further detail is defined in the Client Contract Termination & Data Handling Procedure.
15. Backup, resilience and recovery
Service resilience is supported through supplier-managed backup/recovery arrangements and PEAK4's Disaster Recovery and System Testing approach (where applicable). PEAK4 maintains proportionate oversight of resilience based on service criticality and supplier assurance.
16. Clear desk and clear screen
PEAK4 expects sensible steps to prevent unauthorised access, including:
- Locking screens when unattended
- Keeping physical information secure and out of view in shared environments
- Avoiding unnecessary exposure of information in public or shared spaces
- Minimising printing and physical records where digital controls are stronger
17. Removable media
Use of removable media is discouraged in favour of approved cloud systems. Where removable media is used, individuals must:
- Follow acceptable use and confidentiality requirements
- Encrypt and handle information securely where possible
- Minimise the information stored
- Ensure secure deletion/disposal when no longer required
18. Data retention and secure disposal
PEAK4 retains records only for lawful, contractual or legitimate business need and disposes of them securely at the end of the retention period.
Retention periods are defined within PEAK4's Records Retention Policy and Retention Schedule. Where PEAK4 acts as a processor, retention follows the controller's written instructions unless legal obligations require otherwise.
Secure disposal includes secure deletion for digital records and secure disposal of physical records where applicable.
19. Incident management and breach response
19.1 Reporting
All suspected or actual incidents must be reported immediately to the Director.
19.2 Response
PEAK4 will:
- Assess scope and severity
- Take proportionate containment and remediation actions
- Preserve evidence where appropriate
- Determine whether the incident constitutes a personal data breach
19.3 Notification
Where required, PEAK4 will notify the ICO within 72 hours of becoming aware of a notifiable personal data breach. PEAK4 will notify affected clients/individuals where there is a high risk to rights and freedoms.
Incident handling is managed in line with the Incident Response Plan.
20. Contract termination and data handling
When a client contract ends, PEAK4 ensures:
- Access is removed where no longer required
- Data is deleted or lawfully retained in line with contractual, regulatory and business requirements
- Data within supplier-managed platforms is handled securely and in line with supplier terms and contractual obligations
Detailed steps are defined in the Client Contract Termination & Data Handling Procedure.
21. Artificial Intelligence (AI) use
PEAK4 may use AI-enabled functionality in a limited, controlled and transparent manner within PEAK4's management dashboards ("Peakie AI"), delivered by PEAK4's technology partner, to support insight and interpretation.
AI outputs are advisory and do not replace human judgement. PEAK4 does not use AI to make automated decisions about individuals that would have a material impact (e.g., employment, disciplinary, health eligibility decisions) without appropriate governance, assessment and explicit client agreement.
AI use is governed by PEAK4's Artificial Intelligence (AI) Policy and is subject to this Data Protection & Information Security Policy.
22. Training and awareness
PEAK4 embeds responsibilities through onboarding and day-to-day working practices. All employees and contractors must:
- Understand this policy and follow it
- Complete required training/briefing appropriate to role
- Request support or clarification if unsure
Policy acceptance and key training activity are recorded within PEAK4's Training Log.
23. Monitoring, assurance and continuous improvement
PEAK4 maintains proportionate monitoring and assurance through:
- Access reviews and leaver controls
- Supplier oversight and governance
- Incident logging and post-incident review
- Periodic review of policies and procedures
- Continuous improvement based on lessons learned, client expectations and organisational growth
24. Exceptions and non-compliance
Any exception to this policy must:
- Be approved by the Director in advance
- Be documented with rationale, duration, and compensating controls
- Be reviewed periodically and removed where possible
Non-compliance may result in disciplinary action, termination of contract engagement, and/or contractual consequences.
25. Review and approval
This policy is reviewed and approved at least annually and updated following material changes, significant incidents, or changes to PEAK4 services, suppliers, legal obligations or client requirements.
Approved by the Director. Date: 10/12/2025
Related Documents
This policy is supported by separate operational procedures and registers maintained within PEAK4's Compliance Framework, including:
- Incident Response Plan
- Records Retention Policy
- Client Contract Termination & Data Handling Procedure
- Artificial Intelligence (AI) Policy
These documents are version-controlled and reviewed periodically.