Data Protection Policy Statement

ExPharmaceutical Inspectors Consortium Limited (Trading as EPIC Auditors) is committed to meeting its obligations under the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR). EPIC Auditors will strive to observe the law in all collection and processing of subject data (i.e. information (data) about any person (subject) in connection with EPIC Auditors: client, consultant, employee, enquiry). EPIC Auditors will only use data in ways relevant to carrying out its legitimate purposes and functions as a company providing consultancy advice to the pharmaceutical industry and other associated companies and individuals, in a way that is not prejudicial to the interests of individuals. EPIC Auditors will take due care in the collection and storage of sensitive data. EPIC Auditors will do their utmost to keep all data accurate, timely and secure.

All EPIC Auditors and its associated consultants must be aware of the requirements of the Act and Regulations when they collect or handle data about an individual. EPIC Auditors’ consultants must not disclose any data except where there is subject consent, or legal requirement. Data sent to outside agencies must always be protected by a written contract. All collection and processing must be done in good faith.

Data storage will be monitored and regulated by the appointed Director and the Data Controller. All records of Data Protection complaints will be kept securely, together with all related Data Protection compliance and information about any contacts made with the Data Protection Registrar. This information will be available to employees, consultants and data subjects on request.


ExPharmaceutical Inspectors Consortium Limited is the Data Controller under the Act, which means that it determines what purposes personal information held will be used for. It is also responsible for notifying the Information Commissioner of the data it holds or is likely to hold and the general purposes that this data is used for.

The Data Controller is the Company’s central point of contact for all data compliance issues and will ensure that the Company is in compliance with the Act. Their role is to make sure the Company is registered with the Information Commissioner’s Office. The appointed Director is responsible for ensuring that all Directors, employees and consultants are aware of their data protection responsibilities through the circulation of this policy, standard operating procedures and training.

Relevant data protection issues will be included in induction processes. EPIC Auditors requires all consultants to comply with the Act in relation to information about other consultants. Failure to do so will be regarded as serious misconduct and the consultant’s contract can be terminated in accordance with EPIC Auditors terms and conditions.

Principles of Data Protections Outlined in the Data Protection Act

Anyone processing personal data must comply with the eight enforceable principles of good practice. They say that data must be:

  • Fairly and lawfully processed
  • Processed for limited purposes
  • Adequate, relevant and not excessive
  • Accurate
  • Not kept longer than necessary
  • Processed in accordance with the subject’s rights
  • Secure
  • Not transferred to countries without adequate protection
  • Only record facts not opinions

Policy on Collecting Subject Data

EPIC Auditors will only collect data that is relevant to the carrying out of the legitimate purposes and functions of the company in a way that is not prejudiced to the interests of individuals. All data on individual subjects will be treated in a consistent way. Contact information relating to initial enquiries will not be held for marketing purposes but will be held for 5 years for future reference. All files are kept securely and electronic files stored on servers of mainstream suppliers with appropropriate security standards. EPIC Auditors will only record information that is needed to carry out the work requested by our clients and will not share this information with any other party without the express permission of that client.

EPIC Auditors will strive to ensure that data collection is as accurate as possible. Data may be stored in many ways such as databases, manual files or electronic files.

Data Storage and Processing

EPIC Auditors will strive to ensure that sensitive data is accurately identified on collection so that proper safeguards can be put in place. EPIC Auditors will only hold data that is relevant to carrying out of the legitimate purposes and functions of the company in a way not prejudicial to the interest of individuals. Information will be accurate and timely and will be held in an environment as secure as possible. Data no longer required for the legitimate purposes of EPIC Auditors will be regularly purged.

All individual data will be kept secure, by regular office security procedures or through passwords on electronic devices. Sensitive data will be treated with appropriate security. EPIC Auditors’ consultants will be asked to take care to meet high standards of security by disposing appropriately of any sensitive information. Any data processing will only be allowed where there is a clear rationale for the activity, which meets the Data Protection Act criteria. A database will be maintained and the data controller/processor will be responsible for keeping this up to date. If, despite EPIC Auditor’s best endeavours, a data security breach should occur EPIC Auditors will inform all individuals affected within 72 hours of the event.

Procedure for Data Storage and Processing

  1. All appropriate data processing should be included in existing databases
  2. Data no longer needed will be archived and usually destroyed after 5 years. A clear
    rationale must be supplied for personal data kept beyond 5 years.
  3. All data will be stored in secure cabinets and precautions will be taken to avoid
    letting data become accidentally disclosed.
  4. Any agent employed to process data on EPIC Auditors’ behalf will be bound to
    comply with EPIC Auditors’ Data Protection policy by a written contract.
  5. Information stored electronically will be password protected.


EPIC Auditors will not allow data collected from subjects to be disclosed to third parties except in circumstances which meet the requirements of the Data Protection Act. This will be either:

  1. Carrying out a legal duty or as authorised by the Secretary of State
  2. The Data Subject has already made the information public.
  3. Conducting any legal proceedings, obtaining legal advice or defending any legal rights

The swapping of any data collected by EPIC Auditors will only take place where the subject has been informed about this use of their data and offered the chance to opt-out.

Procedure on Disclosures

  1. EPIC Auditors must ensure any general disclosure is recorded on the appropriate records. The record will include a clear rationale as to why this is taking place.
  2. Any request for data based on a legal requirement e.g. from the Police or other body, must be put in writing and be checked against the advice of the Data Protection Registrar.
  3. EPIC Auditors has a duty to protect individual’s data from accidental disclosure:
    • Do not give out passwords to other people, who will then have access to the
    data you are entitled to view
    • Do not recycle reports that contain personal data
    • In particular, take care to ensure that data is not left in files where they can be accessed by other people
  4. In cases where data is disclosed to non EPIC Auditor employees, employees must ensure that subjects have been informed of this use of their data and why this is done. They must have had an opportunity to opt-out.

Where sensitive data is involved, workers should not disclose data to outside agents except as agreed by the Directors.

Subject Access Policy

EPIC Auditors will provide information in response to any reasonable subject access request. EPIC Auditors will ensure data is kept in an accessible form to facilitate subject access.

Procedure on Subject Access Policy

  1. Employees will make every effort to ensure that immediate action is taken when a data access is requested. They will discuss this with the appointed Director immediately.
  2. A letter will be sent to the subject stating EPIC Auditor’s policy on subject access. This will promise to provide the required data to the best of EPIC Auditor’s ability within 40 days. EPIC Auditors reserves the right to ask for payment.
  3. A search will be set up by the appropriate Director to ensure that all relevant data will be collected and collated ready to present to the subject. The search will include all electronic and manual files if required.
  4. The data will be offered to the subject in the most appropriate manner, whether at a face to face meeting or by mail or electronically where the opportunity for a telephone or video call to discuss any queries or interpretations will be offered.

Policy on Complaints and Queries

EPIC Auditors will respond to any complaints as quickly and responsively as possible. Any letter we receive in relation to the Data Protection Act that questions our policy and/or procedure will be dealt with immediately. Records will be kept of all correspondence for 5 years.

Procedure on Complaints and Queries

  1. Notify the appointed Director
  2. Continue to inform the appointed Director of any correspondence and developments that occur
  3. Process complaint alongside the EPIC Auditors’ Complaints Procedure.