1. Purpose and scope
This document sets out the Company's policy on processing personal data and sensitive information on an external network, including the use of portable and mobile equipment.
Its aim is to ensure that the Company complies with data protection legislation and that sensitive information is protected from unauthorised access, dissemination, alteration or deletion. It complements and supports the General Data Protection Regulation (GDPR) and the associated Guidelines.
It applies to all Hirett staff and to anyone else who processes personal or sensitive information on the Company's behalf.
2. Definitions
2.1 Processing
means any operation performed on data, including organisation, adaptation and alteration; retrieval, consultation or use; disclosure, transmission, dissemination or otherwise making available; and alignment, combination, blocking, erasure and destruction. Processing includes sending information by email and by other mechanisms such as instant messaging and Twitter.
2.2 Sensitive Payment Data
Sensitive payment data is broadly defined as data, including personalised security credentials, that can be used to carry out fraud. The GDPR also increases the information requirements on banks and third-party providers (TPPs), such as having to tell customers the legal basis for processing and transferring their personal data.
2.3 Sensitive Personal Data (special category data)
Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data processed to uniquely identify a natural person; data concerning health; or data concerning a natural person's sex life or sexual orientation. These are the "special categories" of personal data listed in Art. 9 GDPR and are treated as high-risk under this policy.
2.4 Personal Data
"Personal data" is any information from which a living person (a data subject) can be identified, directly or indirectly. This includes surnames and nicknames, as well as identifiers such as email addresses and staff or customer numbers that can be linked back to an individual.
2.5 Encryption
The process of converting information into a form that cannot be read without the corresponding key, so that it is unreadable to unauthorised people even if the device or message carrying it is lost, stolen or intercepted.
3. Background
Art. 9(1) GDPR prohibits the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, unless one of the specific exceptions in Art. 9(2) applies (for example explicit consent, or processing necessary for employment-law obligations). Because such data carries a higher risk to the individual if it is exposed, it is subject to the stricter handling rules in this policy.
4. Policy Statement
Any personal data or sensitive information that is to be processed must be stored and transmitted in encrypted form meeting the minimum standard set out in section 6.
5. Key Principles
The following key principles underpin the policy statement in section 4 above and this policy generally. All staff must comply with them when using mobile devices and portable storage media, or when otherwise processing personal data or sensitive information on an external network.
• Avoid processing personal data wherever possible.
• If processing personal data is necessary, consider anonymising or pseudonymising the information to obscure the identity of the individuals concerned.
• Use the IT-authorised remote access facilities, which are both secure and encrypted, to access personal data and sensitive information held on the central servers, rather than transporting copies on mobile devices and portable media.
• Do not use third-party hosting services that IT has not authorised, such as Dropbox, when processing high-risk personal data or sensitive information.
• If there is no option but to use mobile devices, portable media or email for high-risk personal data or sensitive information, use encrypted devices or encryption software.
• Do not use personal equipment, such as home PCs or personal USB sticks, to process high-risk personal data or sensitive information.
• Avoid sending high-risk personal data or sensitive information by email, and do not use email as a store for such information. If you must use email to send it, encrypt it. If you are sending unencrypted high-risk personal data or sensitive information to another Hirett email account, indicate in the subject line that the email contains sensitive information so that the recipient can take care about where and when they open it; note that a subject-line marker is a handling cue for the recipient, not a protection for the data itself.
• Do not process high-risk personal data or sensitive information in public places. When accessing your email remotely, take care not to download unencrypted high-risk personal data or sensitive information onto an insecure device.
• Consider the physical security of high-risk personal data or sensitive information, for example by using locked filing cabinets or cupboards for storage.
• Follow the Company's records management policy and its retention and disposal policies so that you do not keep personal data and sensitive information you no longer need.
• Where the master copy of a record is held in electronic form, it should be stored on the Company's servers. Staff should seek advice from the IT Service Desk when identifying master copies of records.
• Electronic keys for encryption, e.g. passwords and passphrases, must be appropriately managed (recorded in the approved key escrow or password management facility, not solely in one person's memory) so that the Company can always recover access to the information.
6. Minimum required encryption standards
This document states the minimum required standard of encryption as RSA512. Note that RSA with a 512-bit modulus has been publicly factored since 1999 and can be broken with modest computing resources, so it provides no meaningful protection; RSA keys must be at least 2048 bits under current industry guidance, and bulk data on devices, portable media and in email attachments should be protected with a symmetric cipher such as AES-128 or AES-256 (RSA is used only to protect the symmetric key). Staff should confirm the current approved algorithms and key lengths with the IT Service Desk before relying on any encryption product.