Statement of policy
PostApex is committed to the highest standards of information security and treats data security and confidentiality extremely seriously.
Purpose of policy
In relation to personal data, under the UK General Data Protection Regulation (the UK GDPR), PostApex must:
- ensure the security of personal data, including protection against any unlawful or unauthorised data processing and accidental loss, damage or destruction, by utilising appropriate technical or organisational measures;
- demonstrate the consideration and integration of data compliance measures into data processing activities, by implementing appropriate technical or organisational measures; and
- be able to demonstrate the use and implementation of such appropriate technical or organisational measures.
The purpose of this policy is to:
- protect against any potential breaches of confidentiality;
- protect informational assets and IT systems and facilities against any loss, damage or misuse;
- raise awareness of and clarify the responsibilities and duties of Staff in respect of information security, data security and confidentiality.
We may amend this policy at any time, in our absolute discretion, and we will do so in accordance with our data protection and other obligations. A new copy of the policy will be circulated whenever it is changed.
For the purposes of this policy:
- Business Information means any business-related information other than personal data about customers, clients, suppliers and other business contacts;
- Confidential Information means any trade secrets or other confidential information;
- Personal Data means any information that relates to an individual who can be identified from that information, either directly or indirectly; and
- Sensitive Personal Data means information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), health, sex life, sexual orientation, genetic information or biometric information (where this is used to identify an individual).
Roles and responsibilities
We have a responsibility for information security. The Employer’s Data Protection Officer (DPO) has overall responsibility for this policy.
Specifically, they must:
- implement and maintain this policy;
- monitor potential and actual security breaches;
- ensure Staff are aware of their responsibilities in relation to information security and confidentiality; and
- ensure compliance with the UK GDPR and all other relevant legislation and guidance.
Scope of this policy
This policy covers all written, verbal and digital information held, used or transmitted by or on behalf of the Employer, irrespective of media. This includes, but is not limited to:
- paper records;
- hand-held devices;
- telephones;
- information stored on computer systems; and
- information passed on verbally.
The information covered by this policy may include:
- Personal Data relating to Staff, customers, clients or suppliers;
- other Business Information; and
- Confidential Information.
This policy supplements policies relating to data protection, internet, email and communications, and document retention.
The content of these policies must be considered and taken into account alongside this policy.
General principles
All information is:
- treated as commercially valuable; and
- protected from loss, theft, misuse or inappropriate access or disclosure.
Through the use of appropriate technical and organisational measures all Personal Data, including Sensitive Personal Data, is protected against:
- unauthorised and/or unlawful processing; and
- accidental loss, destruction or damage.
Any Personal Data must only be processed for the specified, explicit and legitimate purpose for which it is collected.
Information management
Any Personal Data must be processed in accordance with:
- the data protection principles;
- the Employer’s policies on data protection generally; and
- the Employer’s other relevant policies.
All Personal Data collected, used and stored must be:
- adequate, relevant and limited to what is necessary for the relevant purposes; and
- kept accurate and up to date.
The Employer will take appropriate technical and organisational measures to ensure that Personal Data is kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction or damage. These measures include:
- The encryption of Personal Data.
- The pseudonymisation of Personal Data.
- Dual-factor authentication.
- The use of strong passwords.
- Password protection on any documents containing Sensitive Personal Data.
- Strictly limited access rights to certain datasets to ensure only those authorised to process Personal Data have access.
- Any Personal Data and Confidential Information must not be kept any longer than is necessary and will be stored and destroyed in accordance with our policies on data retention.
Computers and IT
Where available on our systems, password protection and encryption are used to maintain confidentiality.
- All computers and other electronic devices are password protected. Such passwords must be changed regularly and must not be recorded anywhere (e.g. written down) or made available to others.
- To minimise the risk of accidental loss or disclosure, all computers and other electronic devices must be locked when not in use, including when left unattended at a desk.
- All data held electronically must be securely backed up as soon as possible in accordance with the Employer’s internal backup procedure.
- Confidential Information must not be copied onto removable hard drives, CDs or DVDs, floppy disks or memory sticks, without the express permission of the IT Department. Any Personal Data held on such devices must, as soon as possible, be transferred to the Employer’s computer network to be backed up and then deleted from the device.
Staff must:
- ensure that they do not introduce viruses, malware or malicious code onto the Employer’s systems; and
- not install or download from the internet any software without it first being checked for viruses.
Staff should speak to the IT Department for more information and guidance on appropriate steps to be taken to ensure compliance.
Transfer to third parties
Third party service providers should only be engaged to process information where appropriate written agreements are in place to ensure that they offer appropriate data protection, confidentiality and information security protections and undertakings. Care must be taken to consider whether any such third party service providers will be considered data processors for the purpose of the UK GDPR.
Staff involved in the process of setting up new arrangements or altering existing arrangements with third parties should speak to and consult with the DPO for more information and guidance.
International data transfers
There are restrictions on (onward) transfers of Personal Data to international organisations outside of the UK. Staff may only transfer Personal Data outside the UK (including to international organisations outside the UK) if there are sufficient and adequate protections in place. Before making any transfers, Staff should speak to, and seek written authorisation from, the DPO.
For more information, please contact the DPO or Legal Department.
Reporting data breaches
We are under an obligation to report actual or potential data protection compliance breaches.
For more information on our reporting procedure, contact the DPO.
Consequences of non-compliance
If you have any questions or concerns about anything in this policy, please contact the DPO at [email protected].