Ensuring the security of private data and the systems on which it is hosted is a top priority to fulfill our obligations to the providers of this data and to protect the data and systems from accidental or deliberate damage, loss or corruption.
The term data encompasses all electronically stored information and paper reproductions of that information.
Any private data stored by us or produced by persons as part of their client duties is considered to be owned by the member or client and is therefore subject to this policy.
Every person handling private data is accountable for their actions and has a duty of care to ensure due diligence is afforded to data security.
Access and use of data must be made in compliance with all appropriate legislation. This includes but is not limited to:
- Data Protection Act 1998
- The Computer Misuse Act 1990
- Regulation of Investigatory Powers Act 2000
- Copyright Designs and Patents Act 1988
- Malicious Communications Act 1988
- Criminal Justice and Public Order Act 1994
3.1. Our team all have a responsibility to give full and active support to the policy.
3.2. Our team are expected to observe the data security policy and associated procedures.
3.3. All categories of data are the responsibility of a designated officer. This person is responsible for the security of that data and determines the standards of confidentiality and requirements for access that apply. Unless specified otherwise this is Matthew Richardson, Director whose team operates our systems.
3.4. The security and operation of central systems is the responsibility of the IT team. It is their responsibility to ensure that all data systems meet agreed access requirements.
4. Classification of Data
For the purposes of this policy three classifications of data exist
4.1. Non-sensitive Data
a) Any data which has been made a matter of public record
4.2. Sensitive Data
a) Any data identified by the Data Protection Act (1988) as personal sensitive data, specifically data relating to racial or ethnic origin, political opinions, religious beliefs, membership of trade union organizations, physical or mental health, sexual life, offenses or alleged offenses.
b) Data that if lost or stolen would be likely to cause damage or distress to one or more individuals. This includes, but is not limited to, human resources data and exam or assessment results which are not a matter of public record.
c) Any data which may reasonably be expected to be considered sensitive, personally confidential or commercially confidential. For example, data or materials which may be of interest to a competing organization.
4.3. Extremely Sensitive Data
Data, which if used inappropriately may have a significant impact upon an individual or organization. In particular, bank account details or any other data which it is believed could be used for illegal purposes.
5. Actions to Implement and Develop Policy
5.1. Data Confidentiality
All personal data is maintained for the purpose defined within the notification under the Data Protection Act. Matthew Richardson is responsible for maintaining the data protection notification, dealing with subject access requests, maintaining awareness of Data Protection legislation and offering advice on compliance with the Act.
5.2. Data Access & Disposal
Access to data is restricted to those who need such access to carry out their duties. Anyone who has been granted access is personally responsible for ensuring compliance with this policy, the relevant legislation and the confidentially of the data to which they have been granted access.
When no longer required data must be disposed of in a manner which is compliant with the Data Protection Act. IT are responsible for the correct disposal of data which is stored on our servers.
5.3. Physical Security
All reasonable measures are taken to prevent physical access by unauthorized persons to data. Sensitive data are destroyed when no longer required.
6. IT Systems
6.1. Access Controls
Electronic access to data is controlled by means of a user’s email address and password. Control of network accounts is the responsibility of IT.
Backups of central servers are carried out in line with the IT Backup Policy.
The privacy of members’ files will be respected, but we reserve the right to examine systems, folders, files and their contents, to ensure compliance with the law.
We never launder activities for which a client wants to avoid public scrutiny.
6.4. Remote Access
Responsibility for ensuring that policies are complied with when accessing systems remotely lies with the individual undertaking the access.
The IT Backup Policy defines requirements for backup and restoration for all central servers.
7. Monitoring & Evaluation
We monitor the operation of the policy; report on breaches of the policy and changes to relevant legislation.
8. Breaches of Policy
Breaches of this policy and/or security incidents are incidents which could have, or have resulted in, loss or damage to Company or client assets, including IT equipment and information, or conduct which is in breach of the Company's security procedures and policies.
All The Company, it's contractors and vendors have a responsibility to report security incidents and breaches of this policy as quickly as possible. through the Company's Incident Reporting Procedure. This obligation also extends to any external organisation contracted to support or access the Information Systems of the Company.
In the case of third party vendors, consultants or contractors non-compliance could result in the immediate removal of access to the system. If damage or compromise of the Company's ICT systems or network results from the non-compliance, the Company will consider legal action against the third party. The Company will take appropriate measures to remedy any breach of the policy through the relevant frameworks in place.
Date Reviewed: 24 January 2018
Version Number: 1.2
Revised by: Matthew Richardson (Director)
Approved by: Edward Chanter (Director)
Next Review Date: 24 January 2019