02.13 – Data Security

For security of personal data:

  • All Employees/Staff are responsible for ensuring that any personal data that <<organisation name>> holds and for which they are responsible, is kept securely and is not under any conditions disclosed to any third party unless that third party has been specifically authorised by <<organisation name>> to receive that information and has entered into a confidentiality agreement.
  • All personal data should be accessible only to those who need to use it, and access may only be granted in line with the Access Control Policy. All personal data should be treated with the highest security and must be kept:
    • in a lockable room with controlled access; and/or
    • in a locked drawer or filing cabinet; and/or
    • if computerised, password protected in line with corporate requirements in the Access Control Policy; and/or
    • stored on (removable) computer media which are encrypted in line with secure disposal of storage media

Care must be taken to ensure that PC screens and terminals are not visible except to authorised Employees/Staff of <<organisation name>>. All Employees/Staff are required to enter into an Acceptable Use Agreement, which details rules on screen time-outs, before they are given access to organisational information of any sort.

Manual records may not be left where they can be accessed by unauthorised personnel and may not be removed from business premises without explicit written authorisation.

Personal data may only be deleted or disposed of in line with the Retention of Records Procedure. Manual records that have reached their retention date are to be shredded and disposed of as ‘confidential waste’. Hard drives of redundant PCs are to be removed and immediately destroyed as required by before disposal.

Processing of personal data ‘off-site’ presents a potentially greater risk of loss, theft or damage to personal data. Staff must be specifically authorised to process data off-site.

Contracts with second-level subcontractors will only be approved if they are required to comply with at least the same security and other provisions as the primary subcontracting organisation (the vendor/supplier) and if the contract specifies that, when the contract is terminated or upon the request of the data subject on legal grounds, related personal data will either be destroyed or returned to <<organisation name>>, and so on down the chain of sub-contracting.

Data Disclosure

<<organisation name>> must ensure that personal data is not disclosed to unauthorised third parties. All Employees/Staff should exercise caution when asked to disclose personal data held on another individual to a third party. It is important to bear in mind whether or not disclosure of the information is relevant to, and necessary for, the conduct of <<organisation name>>’s business.

All requests to provide data for one of these reasons must be supported by appropriate paperwork and all such disclosures must be specifically authorised by the Data Protection Officer.

Data Encryption

Data Encryption is the process of converting data or information into a code to prevent unauthorised access by human and/or computer systems. Data encryption can be used during data storage or transmission and is typically used in conjunction with authentication services to ensure that keys are only provided to, or used by, authorized users.

It is the policy of <<organisation name>> to protect sensitive data or assets from unauthorized access (whether stored on a system within the office environment or at another location, or in transit) by the use of encryption technologies.

Procedure.

Data Storage Devices

  • All personal data storage devices that are owned by <<organisation name>> or contain data related to <<organisation name>> must be encrypted.
  • Examples of data storage devices include, but are not limited to: laptops, desktop computers, USB flash drives, external hard drives, smartphones, etc.

Encryption Administration

  • <<organisation name>> IT must ensure that all portable data storage devices purchased or in use for the organization’s business are encrypted.
  • Only encrypted devices should be used to access the <<organisation name>> portal or storage.

Data Transmission

Sensitive data or information must be encrypted before transmission. Data transmissions should be conducted using a Secure Socket Layer (SSL) or an equivalent encryption protocol pre-approved by IT.

File Encryption

  • In instances where a whole device cannot be encrypted, measures should be taken to ensure individual files are encrypted before transit or storage. Encrypted files must meet at least the minimum standard for encryption.

Encryption Standard

  • All encryption technology must meet a minimal standard.
  • Technology used to encrypt devices that exceeds the standard is permitted, while devices or transmissions that fail to meet the standard may not be employed to store or transmit sensitive data.

Encryption Key Management

Keys used for encryption should be stored separately and must not be shared in plain sight or publicly.