Data Protection
Data security policy
This policy outlines behaviors expected of employees when dealing with data and provides a classification of the types of data with which they should be concerned.
ReTRRAC must protect restricted, confidential, or sensitive data from loss to avoid reputational damage and to avoid adversely impacting its customers. The protection of data in scope is a critical business requirement, yet flexibility to access data and work effectively is also critical.
It is not anticipated that this technology control can effectively deal with the malicious theft scenario, or that it will reliably detect all data. Its primary objective is user awareness and to avoid accidental loss scenarios. This policy outlines the requirements for data leakage prevention, a focus for the policy, and a rationale.
Scope
These measures must be applied to all protected personal or otherwise sensitive data. Protected personal data is defined in Annex A and is any material that links an identifiable individual with information whose release would put them at significant risk of harm or distress. It also covers any source of information relating to 1,000 or more individuals that is not in the public domain, even if the information about an individual is not considered likely to cause harm or distress.
- In the course of business, the Company may hold personal data relating to individuals. The Data Protection Act 1998 requires the Company to maintain strict security over personal data held by it relating to individuals, whether those individuals are clients or suppliers, prospective clients or suppliers, or prospective employees;
- No information referring to private individuals should be taken or sent from the Company’s offices and each employee must understand the importance of not divulging any such information to persons other than other employees within the Company. Employees asked to transfer personal data to recipients outside the Company (e.g. giving out a home telephone number of an employee or details of a customer) should satisfy themselves that the transfer is authorized by the Company before carrying out such a request;
- Employees should be aware that it is a criminal offense to access or disclose personal data held by the Company without authority;
- Employees who have access to or control over personal data held by the Company, e.g. employee records/lists or details relating to customers or private individuals, should ensure that access to the data within the Company is restricted on a need-to-know basis and that it is stored following the data security provisions set out below;
- Protected Personal Data (as defined in Annex A) which is held on paper must be locked away when not in use and offices in which it is held must be secured;
- All computers (whether remote or otherwise) are password protected, configured so that functionality is minimized to its intended business use only, and have up-to-date software patches and anti-virus software;
- All material that has been used for protected data should be subject to controlled disposal;
- All laptops, drives, or removable electronic data media containing personal data should be encrypted. Laptops and drives or any other removable electronic media containing protected personal data are to be held in locked cabinets or drawers when not in use;
- It is company policy that protected personal data may not be transferred to third-party-owned laptops, PCs, USB keys, external drives, and any other removable electronic media. Staff are not able to download information from our database apart from information that is already in the public domain. When working from home our systems are restricted in such a way that printing and saving data is not possible;
As part of the Company’s terms and conditions of employment, employees consent to the Company holding and using personal data relating to them. Personal data includes names and addresses, bank details, health records, and most of the information that it needs to hold about employees for employment purposes. On joining ReTRRAC, the employee will be required to notify the Company of such personal details. Any relevant changes to such personal information must be notified to the management.
For the purposes of the Data Protection Act, the Company needs to specify the purposes for which it will use that information. The Company will of course only use it for legitimate purposes. Those purposes include:
- Complying with obligations to its employees. It needs personal data so it can perform activities such as contacting and paying employees and complying with its obligations under health and safety regulations.
- Assessing employees, their performance, and suitability for particular roles.
- Doing anything for the benefit of the welfare of employees, their families, and dependants.
- Complying with its obligations under the general law, e.g. about taxation, social security, or law enforcement.
- Providing information about employees to those who require it in connection with services that they provide to the Company or that the Company provides to them, to those who own or may own the Company, or to those who may need it when assuming responsibility for any of its employees (e.g. in outsourcing arrangements).
- The prosecution or defense of any legal proceedings.
- Information risk management.
The data protection measures outlined in this policy are to be implemented through the following processes:
- Initial induction training for all staff.
- Regular refresher training for all staff, as required.
- Publication of data protection policy in the staff handbook and on the company intranet.
- Quarterly risk assessments, as described below.
- To assess compliance and effectiveness, the Company will conduct a quarterly risk assessment to ensure the confidentiality, integrity, and availability of information.
- All staff should be aware that failure to apply this data handling procedure is a serious matter, and in some situations amounts to gross misconduct.
The company actively encourages whistle-blowing so that staff can raise concerns with their team leader or managing director should they believe that the correct procedures are not being followed.
Annex A
Definition of protected personal data
As a minimum, personal data includes all data falling into either category A or B below:
A: Any information that links one or more identifiable living persons with private information about them.
There should be protection for a data set that includes:
- One or more of the pieces of information through which an individual may be identified (name, address, telephone number, driving license number, date of birth, photograph, etc.), combined with:
- Information about that individual whose release could cause harm or distress, including:
- DNA or fingerprints;
- Bank/financial/credit card details;
- National Insurance number;
- Passport number/information on immigration status;
- Travel details (for example at immigration control, or Oyster records);
- Tax, benefit, or pension records;
- Place of work;
- School attendance/records;
- Conviction/prison/court records/evidence;
- Groups/affiliations/political or other sensitive personal data as defined by the Data Protection Act (Section 2).
Note: this is not an exhaustive list.
B: Any source of information about 1,000 identifiable individuals or more, other than information sourced from the public domain.
Note that this is a minimum standard. Information on smaller numbers of individuals may justify protection because of the nature of the individuals, source of the information, or extent of information.