Rees Draper Wright is a wholly owned subsidiary of InterQuest Group.
This policy outlines behaviours expected of employees when dealing with data and provides a classification of the types of data with which they should be concerned.
InterQuest Group must protect restricted, confidential or sensitive data from loss to avoid reputation damage and to avoid adversely impacting its customers. The protection of data in scope is a critical business requirement, yet flexibility to access data and work effectively is also critical.
It is not anticipated that this technology control can effectively deal with the malicious theft scenario, or that it will reliably detect all data. Its primary objectives are user awareness and the avoidance of accidental loss scenarios. This policy outlines the requirements for data leakage prevention, a focus for the policy and a rationale.
These measures must be applied to all protected personal or otherwise sensitive data. Protected personal data is defined at Annex A and is any material that links an identifiable individual with information whose release would put them at significant risk of harm or distress. It also covers any source of information relating to 1,000 or more individuals that is not in the public domain, even if the information about an individual is not considered likely to cause harm or distress.
o Complying with obligations to its employees. It needs personal data so it can perform activities such as contacting and paying employees, and complying with its obligations under health and safety regulations;
o Assessing employees, their performance and suitability for particular roles;
o Doing anything for the benefit of welfare of employees, their families and dependants;
o Complying with its obligations under the general law, e.g. in relation to taxation, social security, or law enforcement;
o Providing information about employees to those who require it in connection with services that they provide to it or it to them, or who do or may own the Company, or who may need it in connection with their assumption of responsibility for any of its employees (e.g. in outsourcing arrangements);
o The prosecution or defence of any legal proceedings.
The data protection measures outlined in this policy are to be implemented through the following processes:
o Initial induction training for all staff;
o Regular refresher training for all staff, as required;
o Publication of data protection policy in the staff handbook and on the company intranet;
o Quarterly risk assessments as described below.
All staff should be aware that failure to apply this data handling procedure is a serious matter, and in some situations amounts to gross misconduct.
The company actively encourages whistle-blowing so that staff can raise concerns with their team leader or managing director should they believe that the correct procedures are not being followed.
Definition of protected personal data
As a minimum, personal data includes all data falling into either category A or B below:-
A: Any information that links one or more identifiable living persons with private information about them
There should be protection for a data set that includes:-
o DNA or fingerprints;
o Bank/financial/credit card details;
o National Insurance number;
o Passport number/information on immigration status;
o Travel details (for example at immigration control, or Oyster records);
o Tax, benefit or pension records;
o Place of work;
o School attendance/records;
o Conviction/prison/court records/evidence;
o Groups/affiliations/political or other sensitive personal data as defined by the Data Protection Act (Section 2).
Note: this is not an exhaustive list.
B: Any source of information about 1,000 identifiable individuals or more, other than information sources from the public domain.
Note that this is a minimum standard. Information on smaller numbers of individuals may justify protection because of the nature of the individuals, source of the information, or extent of information.
Chris Eldridge, Chief Executive Officer, InterQuest Group