1 Introduction: what is customer data
Customer data is any identifiable personal information about a customer held in any format, such as national insurance numbers, address, date of birth, family circumstances, bank details and medical records.
2 Why is it important
Customer data is a high-value commodity for fraudsters and, since Hirett Ltd's activities require this data from our customers, securing it is also our responsibility.
3 How do we ensure physical security of our customers’ data
We implement strict security protocols over our customers' data, such as:
- CCTV, with a minimum 30-day recording period
- Restricting access to the office by use of door buzzers
- Monitoring all visitors to our office by recording access, using signing-in books with departure times and ensuring all visitors are supervised at all times
- Regular staff training
- Keeping files/filing cabinets locked and only accessible to appropriate staff
- Maintaining a clear desk policy
- Not sharing passwords
- Ensuring computer servers are secured at all times
4 Recruiting the right staff
As a small firm, it is imperative that we have the right staff to work in our Company, whose responsibility it will be to manage data and implement security.
When considering staff, we operate a risk-based approach, which we believe will help to reduce financial crime; conducting thorough assessments and checks before and during recruitment is therefore imperative.
We shall:
- Recruit appropriate staff who are honest and fit and proper.
- Conduct credit and criminal records checks (not hiring staff with an adverse financial history, criminal records or CCJs).
- Hold monthly appraisals / 121s (which help identify signs or circumstances that might make staff more susceptible to financial crime).
5 Training
We are aware that many firms simply rely on staff signing an annual declaration to confirm they have read policies and procedures but do not check whether staff understand them. Hirett Ltd intends to educate, guide and raise awareness of security through:

Group discussions | Raising awareness emails | Newspaper articles
---|---|---
Monthly 121s | Rewarding examples of good practice | Posters in our branch

These are simple, yet effective techniques to help our staff be vigilant and help Hirett Ltd implement security.
6 IT Systems
Our staff need access to customer data in order to perform their jobs and duties, but this is limited to 'relevant access' only. By this we mean that staff should not be able to access information that they do not require to perform their roles.
6.1 IT Rights
When, and if, staff are to change roles, their IT rights will be reviewed.
6.2 Random Checks
Management is tasked to conduct random and periodic checks to ensure that staff are accessing only relevant information and customer data.
6.3 Deletion of data
It is against Company policy to delete customer data without written approval from the Management.
6.4 Storage, management and backing up of Customer data
Management will conduct security checks and consider things such as:
- disabling USB ports/drives and CD drives on computers if staff do not need them to do their jobs
- clearing records/information when issuing laptops to new staff
- requiring staff to change passwords on a monthly basis
- ensuring staff do not exchange passwords with colleagues
- ensuring staff do not write down passwords
- checking which staff take computers home
- having a system in place to manage stolen computers
- data encryption
6.5 Data Back-up Policy
Introduction
Hirett Ltd has created this data back-up policy to guide the firm, its staff and management in backing up and managing the data held by our Company.
Scope
The service, and hence this policy, has been designed and implemented with disaster recovery/business continuity (i.e. the ability to recover recent live data in the event of a partial or total loss of data) as the key deliverable; it is therefore not designed as a method of archiving material for extended periods of time.
The 'data' backups cover all systems managed by the Hirett Ltd IT department. Data held and managed locally in departments is excluded unless departments have entered into specific arrangements with IT. All staff are reminded that they are individually responsible for data held locally on their desktop or laptop computer, and all critical data must be stored on the network drives provided or on the central e-mail services.
Backup Policy
Full backups of all Hirett Ltd data are performed weekly. Full backups are retained for 3 months before being overwritten. Incremental backups of all Hirett Ltd data are performed daily. Incremental backups are retained for 1 month before being overwritten. Where possible, backups are run overnight and are completed before 8am on working days. Upon completion of backups, media copies are moved automatically to a secure remote site for disaster recovery purposes. Backups are stored in secure locations. A limited number of authorised personnel have access to the backup application and media copies. Requests for backup data from third parties must be approved by Mr. __________
Backup
The IT backup systems have been designed to ensure that routine backup operations require no manual intervention. The IT department monitors backup operations, and the status of backup jobs is checked on a daily basis during the working week. Any failed backups are re-run immediately on the next working day.
Restore
Data is available for restore within a few minutes of a backup job completing on the daily schedule. Data will be available for the retention period of each backup job, which is currently defined as 3 months. Recent data is available from this system on completion of the daily backup jobs, which means that there is potential for data loss during a working day on some systems. The IT systems at Hirett Ltd have been specified to minimise data loss between backup windows by having elements of system redundancy. Requests for data recovery should be submitted to the IT Service desk and will need to be signed off by our management before data is restored.
Policy Review
This policy will be reviewed on an annual basis and tabled for approval; changes require the written approval of our Management.
7 DATA PROTECTION POLICY
1. INTRODUCTION
1.1 Hirett Ltd needs to keep certain information about its employees, customers and other users to allow it to monitor, for example, performance, achievements, and health and safety.
It is also necessary to process information so that staff can be recruited and paid, customer transfers completed and legal reporting obligations met. To comply with the law, information must be collected and used fairly, stored safely and not disclosed to any other person unlawfully.
To do this, Hirett Ltd must comply with the Data Protection Principles which are set out in the Data Protection Act 1998 (the 1998 Act) and revisions. In summary these state that personal data shall:
- be obtained and processed fairly and lawfully and shall not be processed unless certain conditions are met
- be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose
- be adequate, relevant and not excessive for those purposes
- be accurate and kept up to date
- not be kept for longer than is necessary for that purpose
- be processed in accordance with the data subject’s rights
- be kept safe from unauthorised access, accidental loss or destruction
- not be transferred to a country outside the European Economic Area, unless that country has equivalent levels of protection for personal data
Hirett Ltd and all staff or others who process or use any personal information must ensure that they follow these principles at all times. In order to ensure that this happens, Hirett Ltd has developed the Data Protection Policy.
2. STATUS OF THE POLICY
This policy does not form part of the formal contract of employment, but it is a condition of employment that employees will abide by the rules and policies made by Hirett Ltd from time to time. Any failures to follow the policy can therefore result in disciplinary proceedings.
Any member of staff, who considers that the policy has not been followed in respect of personal data about themselves, should raise the matter with the HR Department. If the matter is not resolved it should be raised as a formal grievance.
3. NOTIFICATION OF DATA HELD AND PROCESSED
All staff, customers and other users are entitled to:
- know what information Hirett Ltd holds and processes about them and why
- know how to gain access to it
- know how to keep it up to date
- know what Hirett Ltd is doing to comply with its obligations under the 1998 Act and its revisions
Hirett Ltd will therefore provide all staff and customers and other relevant users with a standard form of notification. This will state all the types of data Hirett Ltd holds and processes about them, and the reasons for which it is processed. Hirett Ltd will try to do this at least once every three years.
4. RESPONSIBILITIES OF STAFF
4.1 All staff are responsible for:
- checking that any information that they provide to Hirett Ltd in connection with their employment is accurate and up to date
- informing Hirett Ltd of any changes to information which they have provided, e.g. changes of address
- checking the information that Hirett Ltd will send out from time to time, giving details of information kept and processed about staff
- informing Hirett Ltd of any errors or changes. Hirett Ltd cannot be held responsible for any errors unless the staff member has informed Hirett Ltd of them
4.2 If and when, as part of their responsibilities, staff collect information about other people (e.g. about customers' course work, opinions about ability, references to other academic institutions, or details of personal circumstances), they must comply with the guidelines for staff, which are at Appendix 1.
4.3 All staff will complete training in Data Protection as a component of their induction to employment at Hirett Ltd.
5. DATA SECURITY
5.1 All staff are responsible for ensuring that:
- any personal data which they hold is kept securely
- personal information is not disclosed, either orally or in writing, accidentally or otherwise, to any unauthorised third party
5.2 Staff should note that unauthorised disclosure and/or failure to adhere to the requirements set out in 5.3 to 5.7 inclusive below will usually be a disciplinary matter, and may be considered gross misconduct in some
5.3 Personal information should be kept in a locked filing cabinet or in a locked drawer; if it is computerised, it should be password protected; and when kept or in transit on portable media, the files themselves must be password protected.
5.4 Personal data should never be stored at staff members' homes, whether in manual or electronic form, on laptop computers or other personal portable devices, or at other remote sites.
5.5 Ordinarily, personal data should not be processed at staff members’ homes, whether in manual or electronic form, on laptop computers or other personal portable devices or at other remote sites. In cases where such off-site processing is felt to be necessary or appropriate, the agreement of the relevant Data Controller must be obtained, and all the security guidelines given in this document must still be followed.
5.6 Data stored on portable electronic devices or removable media is the responsibility of the individual member of staff who operates the equipment. It is the responsibility of this individual to ensure that:
- Suitable backups of the data exist
- Sensitive data is appropriately encrypted
- Sensitive data is not copied onto portable storage devices without first consulting a Data Controller regarding appropriate encryption and protection measures
- Electronic devices such as laptops, mobile devices and computer media (USB devices, CDs etc.) that contain sensitive data are not left unattended when offsite
5.7 For some information the risks of failing to provide adequate security may be so high that it should never be taken home. This might include payroll information, addresses of customers and staff, disciplinary or appraisal records, or bank account details. Exceptions to this may only be made with the explicit agreement of the Principal.
6. CUSTOMER OBLIGATIONS
6.1 Customers must ensure that all personal data provided to Hirett Ltd is accurate and up to date.
They must ensure that changes of address, etc. are notified to our office.
7. RIGHTS TO ACCESS INFORMATION
7.1 Staff, customers and other users of Hirett Ltd have the right to access any personal data that is being kept about them, either on computer or in certain files.
7.2 In order to gain access, an individual may wish to receive notification of the information currently being held. This request should be made in writing, in the first instance to Hirett Ltd Data Protection Officer (Mr. __________).
7.3 Hirett Ltd makes a charge of £10 on each occasion that access is requested, although Hirett Ltd has discretion to waive this.
7.4 Hirett Ltd aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within
8. SUBJECT CONSENT
8.1 In many cases, Hirett Ltd can only process personal data with the consent of the individual. In some cases, if the data is sensitive, express consent must be obtained. Agreement to Hirett Ltd processing some specified classes of personal data is a condition of acceptance of a student onto any course, and a condition of employment for staff. This includes information about previous criminal convictions.
8.2 Hirett Ltd will also ask its staff members for information about particular health needs, such as allergies to particular forms of medication, or any conditions such as asthma or diabetes.
8.3 Hirett Ltd will only use the information in the protection of the health and safety of the staff member but will need consent to process in the event of a medical emergency, for example.
8.4 All prospective staff and customers will be asked to sign a consent to process data, regarding particular types of information when an offer of employment or a course place is made. A refusal to sign such a form can result in the offer being withdrawn.
9. PROCESSING SENSITIVE INFORMATION
9.1 Sometimes it is necessary to process information about a person’s health, criminal convictions, race and gender and family details.
This may be to ensure Hirett Ltd is a safe place for everyone, or to operate other Company policies, such as the sick pay policy or equal opportunities policy.
Because this information is considered sensitive, and it is recognised that processing it may cause particular concern or distress to individuals, staff will be asked to give express consent for Hirett Ltd to do this.
Offers of employment may be withdrawn if an individual refuses to consent to this without good reason.
10. THE DATA CONTROLLER
10.1 Hirett Ltd, as a body corporate, is the data controller under the Act, and the board is therefore ultimately responsible for implementation. However, there are designated data controllers who deal with day-to-day matters.
10.2 The Company has designated 1 data controller, who is the primary point of authorisation for the receipt and supply of data requests. Our data controller is: Mr __________