Data and Cyber Security Policy

Neurocheckpro Limited. Last updated: 16 January 2026.

This policy

This policy sets out the measures the Company will take and practices all employees, contractors and other staff ("Users") should follow in respect of the use of computer systems, software, hardware, devices and other IT infrastructure ("Systems").

The measures and practices described in this policy are designed to ensure that the Systems are secure and protected against internal and external threats.

In following this policy, Users should pay particular attention to anything that relates to or may include personal data and the processing of such data.

This policy should be read in conjunction with the Company's Privacy Notice and internal Data Protection Policy.

Users should not use the Systems until they have read this policy.

Software

Users must not install or download any software to any Company device without the express approval of the Data Security Lead.

All software installation must be carried out by, or with the approval of, the Data Security Lead. Any software downloaded should be from an authorised, recognised source and should be subject to virus scans before the software is operated or installed.

Users must comply with all instructions of the Data Security Lead in respect of updates, installations and changes to software which may include allowing the Data Security Lead to access their device for a period.

If a User suspects that any software has a defect or has become corrupted or may in some other way present a risk to the security and integrity of the Systems then they must notify the Data Security Lead immediately.

The Data Security Lead will regularly monitor and consider the software requirements of the business to ensure that it is using the most up-to-date or appropriate versions of all relevant programs and applications.

Hardware and desktop devices

Desktop devices and other physical parts of the Systems will be located in a safe and secure environment which is only accessible by Users and other authorised people.

All desktop devices and other physical parts of the Systems will, where practicable, be held securely and in such a manner as to reduce the risk of damage or theft.

Desktop devices must, wherever possible, be protected with a password-protected screensaver or lock-out mechanism.

All other hardware that is not ordinarily used by Users, such as servers, must be kept in a safe and secure environment, and such hardware is only accessible by those members of the Data Security Lead as are necessary for the proper functioning of the Systems.

If a User suspects that any hardware has a defect or has become corrupted or may in some other way present a risk to the security and integrity of the Systems then they must notify the Data Security Lead immediately.

Users must not use or insert removable media received from third parties without the approval of the Data Security Lead. The Data Security Lead may require a User to provide them with removable media so that they can access the contents securely.

Any office premises at which hardware is accessed must be entered using an authorised security pass.

All data, and in particular personal data, should be stored securely using passwords and high-level data encryption.

All data stored electronically on physical media, and in particular personal data, should be stored securely in a locked box, drawer, cabinet, or similar.

No personal data should be stored on any mobile device (including, but not limited to, laptops, tablets, and smartphones), whether such device belongs to the Company or otherwise.

No data, and in particular personal data, should be transferred to any computer or device personally belonging to a User unless the User in question is a contractor or sub-contractor working on behalf of the Company and that User has agreed to comply fully with the Company's Data Protection Policy and the UK GDPR.

Mobile devices

All mobile devices (including phones, laptops and tablets) must be transported safely and securely and should be treated with due care and attention at all times.

Mobile devices should not be left unattended at any time and must be stored safely overnight when at a User's home or otherwise not on Company premises.

Mobile devices must be locked when not in use and only accessible by password.

If a User suspects a mobile device has been accessed by or tampered with by another person they must notify the Data Security Lead as soon as they become aware of such unauthorised use.

Users will comply with all requirements of the Data Security Lead in respect of mobile devices and may be required to return or replace such devices at any time.

Data should not be transferred to, or accessed on, any mobile device unless the device is securely password protected in accordance with this policy.

Passwords

All Systems will be password-protected.

Each User will be responsible for creating appropriate secure passwords to enable them to access the Systems. Users may be required to create different passwords for different devices and parts of the Systems.

Passwords must be at least six characters long, non-obvious, contain a mixture of letters, numbers and symbols and (if possible) combine lower and upper case letters.

Passwords should be changed regularly and in any event every three months.

Users must not share their passwords with any other person and must not record them anywhere in writing (either physically or electronically). If a User forgets a password they must contact the Data Security Lead to resolve the issue and enable them to access the Systems again.

All devices must be set to lock when they are not in use and must be set up so that they can only be accessed by entering the relevant password each time they are used.

Data stored by the Company will be password protected and encrypted with strong encryption.

Account Management

This policy refers to two kinds of Systems user accounts: "standard accounts" and "systems accounts".

All accounts are under the supervision and management of the Data Security Lead.

On first login to a new account, the user must change the default password (if any).

Users may not share login details with any other user, and accounts may not be used by more than one member of staff or as a generic account.

The Data Security Lead shall conduct regular reviews of all accounts (both standard accounts and systems accounts) to ensure that the account users, permissions and levels of access granted remain secure, appropriate and in line with business need. Such reviews shall occur not less than once every 90 days.

Standard Accounts

Employees and staff working with the Company may be given access to various accounts and logins including a network account, an email account, accounts with business-related SaaS providers and may also be given access to certain shared drives and information. These are referred to as "standard accounts".

When a team member joins the Company they will be given access to standard accounts. Access to standard accounts may also be granted from time to time to existing staff members.

Standard accounts must be deactivated when a staff member leaves and accounts may only remain active for the period needed for that staff member to fulfil the relevant need.

Users are not permitted to access their accounts after leaving the Company. Systems will be put in place by the Data Security Lead to ensure that accounts are deactivated when staff leave the Company.

Systems Accounts

The Data Security Lead (and other users who have been authorised by the Data Security Lead) may be given access to more privileged and secure accounts including systems or network administrator accounts or accounts which allow for services or systems used by the Company to be managed. These are referred to as "systems accounts". Any account which allows a user to access any back-end Systems or change any settings for another user or standard account will be deemed to be a systems account.

Access to systems accounts may only be granted by the Data Security Lead and may be withdrawn at any time.

Systems accounts must be reviewed periodically to ensure that levels of access and permission remain appropriate. Systems accounts must be withdrawn if they are no longer required or if the relevant staff member no longer needs access to the account.

Systems accounts must be operated by users only for the agreed and intended purposes, and must be operated separately from standard accounts which are operated by the same users.

No Systems accounts may be accessed using a default username or password and any default usernames or passwords must be changed at the earliest opportunity.

Systems accounts must not be used to gain, or to attempt to gain, access to Systems and information that the user does not have authority or a proper purpose to access.

Personal data

The Company has various statutory obligations in relation to personal data, including under the UK General Data Protection Regulation (the "UK GDPR") and the Data Protection Act 2018. Users must only process personal data in accordance with the Company's Data Protection Policy (which may be updated from time to time), this policy and all other instructions in respect of the handling of personal data.

All personal data must be stored securely using passwords, encryption or such other technological and security measures that the Data Security Lead deems necessary and appropriate.

Personal data must only be transferred onto removable electronic media (including USB sticks and CDs) when strictly necessary and with the approval of the Data Security Lead. Any such removable electronic media containing personal data must be password protected and handled and transported safely and securely at all times.

Breach

If a User becomes aware of a breach of the Systems or suspects that a breach has occurred or is about to occur then they must notify the Data Security Lead immediately.

Users must follow all instructions of the Data Security Lead and will provide all necessary assistance to address a breach as soon as practicable.

If a User learns of a suspected or actual personal data breach, it must be reported in accordance with our Data Breach Policy immediately. The report should include full details of the incident, when the breach occurred (dates and times), the nature of the information concerned, and how many individuals are involved.

The Data Protection Manager will perform an internal investigation and take appropriate remedial measures in a timely manner.

Users must not attempt to address a breach of the Systems or a data breach on their own and without notifying the Data Security Lead in accordance with this policy.

Security contact: support@neurocheckpro.com, 3rd Floor, 86–90 Paul Street, London EC2A 4NE.