Data security policy
This document supplements our policy towards data protection. It sets out the ways in which we secure the personal data we hold to protect it from loss and unauthorised access.
The General Data Protection Regulation (GDPR) requires that personal data should be processed in a manner that ensures appropriate security and confidentiality and that any personal data breach be notified to the supervisory authority (Information Commissioner’s Office for the UK) and, where necessary, to affected data subjects. Our ability to provide a service to customers and the reputation of our business as well as the customer’s interests would be harmed by any significant breach of the regulation, especially loss of data. In addition, the ICO has the power to impose large fines for any breach of the GDPR.
Data security is not just an IT issue, rather it is a strategic risk management issue which has senior management support.
All employees and others entrusted with access to personal data must be aware of and understand this policy.
Vulnerability of data
The data we hold – in particular any information concerning our clients, both consumers and commercial, our employees and business partners – could be compromised in a number of ways including:
- Exposure by personnel either intentionally or unintentionally
- Cybercrime such as virus, hacking, malware and ransomware attacks
- Data lost or stolen on or off the premises
- Data lost during transfer due to poor levels of security
The perpetrators of a cyber-attack can include organised crime groups, competitors, disgruntled employees and politically motivated groups.
We record the nature of the information we hold and why and classify it within our Information Asset Register and Data Flow Map. This helps us to review and control who has access to the data and to understand our vulnerabilities.
We are particularly vigilant as regards any special category data (such as information about health, race, religion etc.) and information about an individual’s criminal record.
We take steps to check that staff are who they say they are. We undertake vetting for new recruits, agency staff and current employees. Our vetting process includes:
- previous employment references
- verification of home address
- verification of qualifications
- checks for County Court Judgements, Insolvency Voluntary Arrangements and Bankruptcy
- checks for Directorships on Companies House Register; and
- checks for criminal convictions via the Disclosure and Barring Service
As part of their training a security briefing is given to all personnel who have access to personal data. Such training covers the basic requirements of GDPR and is regularly refreshed.
In particular we ensure staff are aware of the dangers of sending or using hard copy and electronic data outside the firm, particularly if it contains “high risk” personal data such as information on proposal and claims forms about a person’s health, property, criminal records or bank account details.
We take steps to ensure that personnel have read and understood our security controls and comply with them.
Data is protected by controls such as password protection (see Password Protection Policy), access restriction on the system and encryption.
We keep all our anti-virus and firewall protection up-to-date including for all our systems, software and apps.
Our access control includes identification of the specific products and devices on which the personal data we control is or may be accessed. This covers data held on individual computer workstations, networked systems, laptops, smart phones and other computing devices (e.g. PDAs).
- Our computer network is configured to prevent unauthorised access.
- Any information stored in our web-based system is suitably secured and any information transferred to a third party or backed up is encrypted.
- We use encryption software to protect critical information from unauthorised access and to minimise the risk of unauthorised interception.
- We check the settings of any new software and devices and, where possible, make changes which raise their level of security.
- Storage devices such as USB sticks are never used to carry high risk data – they are only used as a temporary data store for duplicate files and used in a highly controlled way with encryption. They are suitably destroyed once they have fulfilled their purpose.
- Any new removable media is scanned for malware before importing onto our system.
- Mobile devices such as smartphones and tablet PCs use secure connections – such as a VPN (Virtual Private Network) – when they connect with servers to access customer data.
- We ensure data is not retained on obsolete IT equipment – ensuring the hard drives of any computer equipment disposed of are wiped.
- Backups of customer data are maintained as part of our business continuity planning.
- We operate a “clear screen” policy so that when temporarily leaving their desks staff members lock their screens and/or engage a password-protected screen saver in accordance with our “Clear desk and clear screen policy”.
- We use guidance from the National Cyber Security Centre: https://www.ncsc.gov.uk/guidance/10-steps-executive-summary
Hard copy storage
All documents containing personal data are marked accordingly and placed in locked cupboards or drawers when they are not in use. Access to the containers is carefully controlled.
When staff are absent from workstations or desks, protectively marked documentation should be locked away. Whilst this may be impractical for short staff breaks or during meetings, it is mandatory for longer breaks, overnight and at weekends. Staff are instructed to follow a clear desk policy.
We are aware of the dangers of sending hard copy by post or other methods. Before sending any item, we consider what information is being sent, the method it should be sent by and the volume of data to be sent in a single package to enable safe and secure delivery.
Use of personal or company owned mobile IT equipment
Privately-owned devices must not be used to access, either locally or remotely, computer networks and data controlled by the firm unless the owner of the device has specific permission to do so. In that case the owner must agree to protect the security, confidentiality and integrity of the information accessed and must not allow any other person to use the device while connected to the firm’s network.
Company-owned mobile devices are protected by mobile device management (MDM) software which may monitor emails, text messages and photos, along with the physical location of the device. Employees may not use any cloud-based apps or backups that allow company-related data to be transferred to unsecure parties, and mobile devices may not be synchronised to other devices in the employee’s home. Family and friends are not permitted to use personal devices that are used for company purposes.
Physical security of premises
Our office premises where personal data are contained are protected from unauthorised entry by an appropriate entry control system. They are otherwise secured by locks and alarms in accordance with the relevant British Standard and/or in accordance with the requirements of our insurers.
Visitors and contractors are not permitted to enter the premises without permission and are supervised at all times.
We continuously monitor all systems and networks and analyse logs for unusual activity that could indicate a cyber-attack or mishandling by staff, and we regularly (at least quarterly) review compliance with our physical security arrangements.
This policy and processes arising from it are reviewed annually by Patsy Sweeney Operations Manager, The Risk Hub Limited.