1 Disclosure of Information
You should not directly or indirectly disclose to any unauthorised person any confidential knowledge or information relating to the business of the company or that of any of the company’s customers without first obtaining permission in writing from the company. You will not use for your own purposes or profit, or any purposes other that those of the company, any information which you may acquire in relation to the company’s and/or its customer’s business.
The rules concerning disclosure of information apply both during and after your employment with the company.
Unauthorised access to company information, whether computerised or manual, may lead to disciplinary action. In the case of computerised information, ‘hacking’ is considered as gross misconduct and can be considered as a dismissible offence.
At the time of leaving the company, for whatever reason, you are required to return all products, documentation and any other information related to the company and if requested, confirm compliance of the same in writing. In addition, the company reserves the right to request such information to be returned during the period of notice should the company deem it possible that there could be a risk, intentional or otherwise, of commercially sensitive information being made available to other parties.
2 Data Protection
2.1 Introduction
The Data Protection Act (1984) became effective on 11 November 1987 and the 1998 Act came into effect 1 March 2000. These Acts gives individuals the right of access to stored personal data.
The Act covers manual records, such as those recorded on paper or media such as microfiche, as well as computerised records and is concerned with the processing of ‘personal data’, that is, data relating to identifiable living individuals.
In 2018, the General Data Protection Regulation (GDPR) was implemented, replacing previous data protection laws in the UK. The GDPR provides a comprehensive framework for data protection, giving individuals more control over their personal data and placing greater obligations on organisations that process such data.
The eight principles of the Act make sure that data is handled properly. They say that data must be:
- fairly and lawfully processed
- processed for limited purposes
- adequate, relevant and not excessive
- accurate
- not kept for longer than is necessary
- processed in line with individual’s rights
- secure
- not transferred to countries without adequate protection.
2.2 Responsibilities and Reporting Structure
The Managing Director has overall responsibility for the Policy. Furthermore they are responsible for ensuring that the company takes the necessary steps to ensure compliance with the Act. Together with the relevant Senior Management Team (SMT) they will endeavour at all times to maintain compliance.
2.3 Notification
The Data Protection Commissioner maintains a public register of data controllers. Each registered entry includes the name and address of the data controller and a general description of the processing of personal data by a data controller. Individuals can consult the register to find out what processing of personal data is being carried out by a particular data controller.
Notification is the process by which a data controller’s details are added to the register. The Act requires every data controller who is processing personal data to notify unless they are exempt.
The Directors will ensure all services which process personal data are registered with the Commissioner.
2.4 Employee Access to Information
If a staff member requires details of stored personal data, they must approach Human Resources, in writing, and ask for access to such data. Under the conditions of the above Acts the Company must comply with their request within a prescribed timescale.
If such information is stored in such a manner that the company do not have available or immediate access (such as archived where access is not available, or on computer store that they have no access to) this timescale may be reasonably extended in consultation with the member of staff concerned.
2.5 Customer Access to Information
The Acts also give customers the right to access stored personal data. If a customer requires details of stored personal data, they must, in writing, request a copy of information from the Regional or Service Manager.
3 Employee Security
Part of the company’s duty is to ensure that it does not employ or make use of the services of a person who could pose a threat to the safety and well being of customers and staff. This procedure will ensure that appropriate checks are made on employees and those carrying out services for the company, as required.
Please see our recruitment of Ex-Offenders policy for information on how we conduct checks, and how we recruit ex-offenders.
3.1 Employee Records
The company has a duty to keep all employee records confidential. As such information shared with the company will only be released on a need to know bases. Normally, this would be to the Human Resources Department, and Line Manager.
3.2 Criminal Record Checks
Checks on current or potential employees with the Criminal Records Bureau (CRB), or DBS, will be carried out under the strictest confidence.
All results from the DBS will be retained by Human Resources department, and only shared with managers if it has an immediate and significant effect on their job role.
Human Resources must keep all DBS checks in a secure and locked cupboard, for a maximum of 3 months from the date the company receives the information.
It is our policy to undertake Criminal Records Checks for anyone in a position of trust.
Positions of trust is defined as anyone who during the course of their duties will have access to vulnerable adults or children. The Managing Director will have the final decision if there is any uncertainty in which job roles require this check.
If the event of a DBS being returned with convictions that would make the employee unsuitable to work in the capacity in which they are or would be employed, the employee will not be appointed, or in the case of an employee who is already employed their contract will be terminated.
4 Information Security
4.1 Introduction
This policy covers the security of company information and must be distributed to all company employees. Management will review and update this information security policy at least once a year to incorporate relevant security needs that may develop.
4.2 Ethics and Acceptable Use Policies
The company expects that all employees conduct themselves in a professional and ethical manner. An employee should not conduct business that is unethical or illegal in any way, nor should an employee influence other employees to act unethically or illegally. Furthermore, an employee should report any dishonest activities or damaging conduct to an appropriate supervisor.
Security of company information is extremely important to our business. We are trusted by our customers to protect sensitive information that may be supplied while conducting business. Sensitive information is defined as any personal information (i.e. name, address, phone number, e-mail, NI number, driver’s license number, bank account, credit card numbers, etc.) or company information not publicly available (i.e. – clients, financial information, employee information, schedules, technology, etc.). It is important the employees do not reveal sensitive information about our company or our customers to outside resources that do not have a need to know such information.
4.3 Disciplinary Action
An employee’s failure to comply with the standards and policies set forth in this document may result in disciplinary action up to and including termination of employment.
4.4 Protect Stored Data
Employees must protect sensitive information stored or handled by the company and its employees. All sensitive information must be stored securely and disposed of in a secure manner when no longer needed for business reasons. Any media (i.e. paper, floppy disk, backup tape, computer hard drive, etc.) that contains sensitive information must be protected against unauthorized access. Media no longer needed must be destroyed in such a manner to render sensitive data irrecoverable (i.e. shredding, degaussing, disassembly, etc.).
Credit Card Information Handling Specifics:
4.5 Protect Data in Transit
If sensitive information needs to be transported physically or electronically, it must be protected while in transit (i.e. to a secure storage facility or across the Internet).
Credit Card Information Handling Specifics
4.6 Restrict Access to Data
The company must restrict access to sensitive information (business data and personal information) to those that have a need-to-know. No employees should have access to credit card account numbers unless they have a specific job function that requires such access.
4.7 Physical Security
Restrict physical access to sensitive information, or systems that house that information (ex. computers or filing cabinets storing cardholder data), to protect it from those who do not have a need to access that information. Media is defined as any printed or handwritten paper, received faxes, floppy disks, back-up tapes, computer hard drive, etc.
4.8 Security Awareness and Procedures
Keeping sensitive information secure requires periodic training of employees and contractors to keep security awareness levels high. The company will therefore:
4.9 Security Management
There will be an employee of the company designated as the security officer. The security officer is responsible for communicating security policies to employees and contractors and tracking the adherence to policies. In the event of a compromise of sensitive information, the security officer will oversee the execution of the incident response plan.
4.9.1 Incident Response Plan
http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_if_compromised.html
5 Marketing Data
This section applies only to data collected for marketing purposes.
Where information is given by an individual or company solely to obtain further information from the company, this information will not be retained for more than 2 weeks from the date received.
An individual or company may request, or give approval, for their data to be included in marketing database(s). If such approval is received, then the data may be stored until the individual or company request it to be removed.
On receipt of a request for data to be removed from a marketing database(s), the request must be completed within 2 weeks. In exceptional circumstances this deadline can be extended.