To provide clarity on the company position on system and data security to ensure we meet the expectations of our employees, customers and suppliers.
Definitions
The business – Netmetix Limited, 4 Sycamore Court, Birmingham Road, Allesley, Coventry, CV5 9BA.
The business follows a set of general industry best practices and recommendations to continually improve and enhance the policies we apply to our IT systems and ultimately the protection of company data.
These policies are based on our interpretation of what is current industry best practice and our understanding of current legislation on data protection and security, such as the DPA, GDPR (May 2018) and the Cyber Essentials Framework.
As a business we maintain and secure our own data which may contain personal information of internal company employees and our suppliers and customers. As such, we have a duty to ensure that this data is stored as safely and securely as possible.
We only process personal data for core business purposes, and therefore do not have to register with the Information Commissioner's Office (ICO).
This document has been produced based upon the guidance issued by the ICO and in line with general best practice.
Although we do not require a full-time data protection officer, the business has appointed Greig Schofield (Technical Director) with overall responsibility for system and data security.
Following an internal review, the business has classified itself as a data controller for internal systems and data processor for external (client) systems.
The business has also identified that a number of supplier organisations, predominantly Microsoft, are data processors or have access to personal data. Such organisations maintain compliance with the GDPR and the security of any data they may receive, hold or have access to.
This data code of practice governs how we protect and handle sensitive data and is based on the following principles:
All company staff have undergone data protection training, are versed in the six principles of the GDPR and are aware of the processes and procedures to follow in respect of GDPR legislation.
Sensitive Data and High-Risk Processing
The business's understanding of sensitive data is:
This is personal data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation.
The business has determined it does not directly process any data belonging to customers or suppliers. Any personal data collected is within the normal remit of business and is used for essential daily operations. Any such data will only be used for that purpose. The business has policies in place to ensure any such data is checked to confirm it is still required, and deleted securely if it is determined there is no further requirement. Any such data will be fully removed from our secure archive system within 1 year.
Risk to Individuals
The business has determined there is minimal risk to individuals based upon the data stored: the data is minimal, business related, held securely and not used for any purpose other than conducting essential business.
This includes profiling or processing that could lead to discrimination, identity theft, damage to reputation or reversal of pseudonymisation. It includes any processing of sensitive personal data or personal data about children or other vulnerable persons, or processing that involves large amounts of personal data.
Six General Principles
All business staff have been trained in GDPR and are aware of the six principles being defined as:
Conditions
It is anticipated that the business will process data where there is either:
Legitimate interests – The processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Public authorities cannot rely on this condition.
OR:
Consent – The individual has given consent to the processing for one or more specific purposes.
OR, in the case of sensitive information:
Conditions will be established on a case-by-case basis.
OR, in the case of a child:
Consent will be authorised by a parent.
Data Security
The business has determined that data security is satisfactory in respect of access rights, relevant data and infrastructure security; however, it is also investigating additional measures such as:
Overview / Responsibilities
As a business we support a number of organisations, providing third-party external IT services. At some time or another we may have a requirement to access their internal systems to provide support. To ensure the security of our and their systems, a number of basic steps should be followed when accessing these systems.
We configure third-party systems following best practice for performance and security.
Where applicable: