Data Security Policy

1. Policy Statement

1.1. This policy is to be read in conjunction with our Data Protection Policy and any other related policies or documents, including any Data Protection Privacy Notices supplied to individuals we deal with. 

1.2. We have a commitment to ensuring that personal data is processed in line with GDPR and relevant UK law and that all members of staff, and people who have access to personal data and company systems, conduct themselves in line with this and other related policies. We have strict obligations to process personal data securely and to adopt sufficient procedural and technological safeguards. 

1.3. This Data Security Policy does not form part of any employee’s contract of employment and it may be amended at any time. Any breach of this policy will be taken seriously and may result in disciplinary action. 

2. Status of the Policy

2.1. The purpose of this policy is to set our rules on how to safely and securely deal with personal and confidential data. 

2.2. Our Data Protection Officer is the Head of Operations. Our Data Protection Officer is responsible for ensuring compliance with GDPR and with this policy. Any questions or concerns about the operation of this policy should be referred in the first instance to the Data Protection Officer. 

2.3. If you consider that this policy has not been followed in respect of personal data you should raise the matter with either your manager or the Data Protection Officer. 

3. Terminology used in the Policy 

3.1. Our Data Protection Policy sets out clearly the key principles of good practice and sets out definitions of the terminology commonly used. 

3.2. For ease of reference we repeat the relevant definitions in our Data Protection Policy and set out below some further definitions. 

Data is personal information about an individual who can be directly or indirectly identified from that information. Data can be factual (such as a name, address or date of birth) or it can be an opinion (such as a performance appraisal). 

Data Subjects for the purpose of this policy include all living individuals about whom we hold Data. A Data Subject need not be a UK national or resident. All Data Subjects have legal rights in relation to their Data. 

Data Controllers are the people or organisations that determine the purposes for which, and the manner in which, any Data is processed. They have a responsibility to establish practices and policies in line with relevant laws. We are the Data Controller of all Data used in our business. 

Data Users include employees whose work involves using Data. Data Users have a duty to protect the Data they handle by following our data protection and security policies at all times. All employees have a responsibility, when using Data, to comply with any security safeguards and procedures we put in place. 

Processing is any activity that involves use of Data. It includes obtaining, recording or holding Data, or carrying out any operation or set of operations on Data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transferring Data to third parties. 

Special Categories of Data are sensitive categories of Data about a person’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health or condition, sexual life, or sexual orientation. It also includes genetic and biometric Data (where used for ID purposes). Special Categories of Data can only be processed under strict conditions, and may require the explicit consent of the person concerned.  

Criminal Offence Data is Data which relates to an individual’s criminal convictions and offences. It can only be processed under strict conditions and may require the explicit consent of the person concerned. 

Confidential Information is information which is marked as confidential, or information which is not marked confidential but which, applying common sense, is clearly information we do not want an unauthorised person to see. Examples include details of our products, lists of our customers and what they purchase from us, individual and company customers, and business information about us which, if it got into the hands of a competitor or someone setting up in competition, would give them an unfair advantage over us. If you are in doubt whether something is confidential, please ask your Manager. 

Sensitive Data is Special Categories of Data, Criminal Offence Data and sensitive and valuable Confidential Information. 

Confidential Data means Data and Confidential Information. 

Equipment means computers and devices, including smart phones, tablets and storage devices such as USB sticks, whether personal or owned by us. 

4. Expectations of Rambert Grades employees and contractors 

4.1. As Data Users, you are expected to understand the key principles of data protection contained in our policies relating to data protection and to understand the promises we are required to make to Data Subjects in our Privacy Notices. If you fail to meet your obligations as a Data User and/or unlawfully process Data and/or Sensitive Data, you may be held personally liable and may face legal action. If in doubt about how you can comply with our data protection policies, please do not guess but ask your manager. 

4.2. You are also expected to safeguard Confidential Information of all levels of sensitivity and take steps to ensure it does not fall into the wrong hands. 

4.3. Your obligations include complying with any rules we give you on how you handle the information you will have access to, whether about us, staff members, clients, customers, candidates or any other individuals. 

4.4. If you feel you require training or guidance on any of our policies or any instructions we give you, it is your responsibility to speak to your manager. 

5. Risks to Confidential Data and Sensitive Data 

5.1. You are required to consider and assess the security risks involved when working with Confidential Data and Sensitive Data. In cases of Sensitive Data, you will need to be even more vigilant. 

5.2. The risks involved include: 

5.2.1. Confidential Data being overheard by an unauthorised person. 

5.2.2. Theft e.g. someone purposefully downloading customer records from the Company database before leaving. 

5.2.3. Loss e.g. a database has been accidentally wiped and there is no backup. 

5.2.4. Disclosure (intentional or unintentional) e.g. emailing the wrong recipient or giving out information to a third party. 

5.2.5. Hacking e.g. someone purposefully accessing the Company network via an individual’s account. 

5.2.6. Interception e.g. listening in to someone’s phone calls or interception through hacking. 

5.2.7. Unauthorised storage e.g. backing up files onto a personal memory stick.

6. General Confidential Data and Sensitive Data safeguards 

6.1. Do not process Confidential Data or Sensitive Data unless we have authorised you to do so. 

6.2. If you are required to talk about Confidential Data or Sensitive Data, whether in the office or elsewhere, consider carefully whether you can be overheard by unauthorised persons. If you are in any doubt, consider delaying the conversation until you cannot be overheard, or moving to a place where you cannot be overheard. 

6.3. Set your Equipment to ‘sleep’ or ‘automatically lock’ after a short period of non-use. 

6.4. Use a secure password on Equipment to prevent unauthorised access and change your password regularly. Do not share your password with anyone and do not use the same password for other services. We recognise that your passwords need to be memorable to avoid you needing to write them down, but we encourage you to use passwords which are hard to predict by ensuring that each password is at least 8 characters long and that each contains a mix of upper and lower case characters, numbers and symbols. 

6.5. Ensure that passwords used to access any Confidential Data or Sensitive Data are not automatically remembered. 

6.6. Ensure that any Confidential Data or Sensitive Data is not on display on your desk or your screen when not being used. 

6.7. Ensure that you close down your work when you leave your desk and make sure you do not allow others to use your Equipment unless there is no risk involved. 

6.8. Lock away any paper copies of Confidential Data or Sensitive Data when not being used. 

6.9. Unless it is absolutely necessary, and we have given you permission to do so, do not use personal email accounts to send Confidential Data or Sensitive Data. 

6.10. Unless it is absolutely necessary, and we have given you permission to do so, do not save Confidential Data or Sensitive Data on the local drive of Equipment, external storage devices or external ‘cloud’ storage (e.g. Dropbox or iCloud). Use our system so that it can be securely held and backed up. 

6.11. Unless it is absolutely necessary, and we have given you permission to do so, do not store Confidential Data or Sensitive Data on USB sticks or other storage devices. If you are given permission to use such a storage device, the files must be encrypted and password protected. The use of a storage device should only ever be a temporary measure, and you should delete the files as soon as you no longer need to store them there. 

6.12. Think carefully before sending any Confidential Data in the post and consider using special delivery options or using a courier. Always follow up to ensure that Data or confidential information has reached the intended recipient. Sensitive Data should not be sent in the post unless it is absolutely necessary and we have given you permission to do so. 

6.13. If sending Confidential Data or Sensitive Data via email, check carefully that you have the correct email address, the recipient is authorised to process the information and consider encrypting and password protecting any files. 

6.14. Securely dispose of paper copies of Confidential Data or Sensitive Data, for example, by shredding them. 

6.15. Do not use social media (Facebook, WhatsApp, Messenger etc.) to process any Confidential or Sensitive Data, even if you think it is safe. 

6.16. Always report any breaches of security or suspicions of breaches or potential breaches to us without any delay and comply with any policies we may introduce in this regard. 

6.17. If you feel you need to derogate from these general rules, then speak to us so that we can assess the risks involved. 

7. Using Equipment that we do not manage 

7.1. The general safeguarding rules above also apply when you use Equipment not owned by us and/or not managed by us (‘Personal Equipment’). 

7.2. By using your Personal Equipment, you agree to give us access to it in the event of any security issues and whilst we will not actively seek to access any personal files, eliminating the security issues may result in such access. If you are concerned about this, we recommend that you do not use Personal Equipment for work and that you discuss your equipment needs with your manager. 

7.3. Most commonly, members of staff may wish to access our IT and communications systems via their smartphones or devices or home computers. We recognise the flexibility this can give to members of staff and the benefits to us. 

7.4. If you lend, borrow, sell or give Personal Equipment, you need to think carefully about whether the recipient could gain access to the work you were doing on it. If in doubt, please contact us and we will assess the risks involved, which may involve wiping its data. 

7.5. If you are accessing our system via programmes or apps, ensure that they are not accessible without a password. For example, if you are accessing Outlook on your smart phone, ensure that you have a password to access your smart phone and that any apps or programmes you are using to access information are also password protected, with a different password. 

7.6. Ensure that passwords used in relation to work are not automatically remembered on Personal Equipment. 

7.7. Always back up any work you do on your Personal Equipment. If you are unsure what this involves, please discuss it with your manager. 

7.8. If you wish to use your own personal computer or laptop, you should ensure that it can encrypt files and has the necessary security software. If in doubt, speak to us. 

8. Remote/mobile/homeworking safeguards 

8.1. When you are mobile, keep Equipment with you at all times; for example, do not use luggage racks on public transport and do not leave Equipment unattended in vehicles or public places. 

8.2. When you have finished using Equipment, consider putting it in a locked cupboard or in a locked room. 

8.3. If you are working from home, ensure that your home is secure. 

8.4. If you are processing Confidential Data or Sensitive Data, consider who can see your screen whilst you are working (even if you are at home). If you are in a public place, e.g. on a train or whilst sitting in a café, take extra care that no one can see your screen and never leave a screen open on unattended Equipment. 

8.5. Consider discussing with your manager any additional security measures that need to be taken, for example installing remote wiping agents so that Equipment can be wiped of all data in the event of loss or theft, or installing software which prevents the hard drive from being removed. 

9. Training 

9.1. New employees must read and understand this policy as part of their induction and may, if necessary, have training on data security. All employees receive training covering basic information about confidentiality, data protection and the actions to take upon identifying a potential Data Breach. 

10. Monitoring and review of the policy 

10.1. We will continue to review the effectiveness of this policy to ensure it is achieving its stated objectives.  

Version Number : 2 

Date Created: March 2020 

Date Reviewed: November 2023 

Next review date: June 2024