lbq.org Data Protection – Data Security Policy
Learning By Questions Ltd (hereafter also referred to as 'The Company') takes practical, technical and organisational security measures to protect the personal data we control and process, as required under the Privacy and Data Protection Legislation. This is an ongoing obligation to ensure that security arrangements remain in compliance with Privacy and Data Protection Legislation as it may be amended or supplemented from time to time.
This policy forms part of The Company’s suite of data protection policies. It is drafted so as to comply with the GDPR (General Data Protection Regulation) which comes into force in England on the 25th of May 2018 and which replaces the Data Protection Act 1998.
This policy sets out The Company’s position on data security including (but not limited to) security of personal data as defined by Data Protection legislation. For the purposes of this policy, “data” includes “personal data” but also all information belonging to The Company or in the possession of The Company which is of a sensitive or confidential nature.
This policy may be made public to data subjects, including employees and others engaged in providing services to The Company.
This policy has contractual effect within the organisation and all employees and others engaged in providing services to The Company are expected to abide by it.
Data protection legislation requires that organisations process personal data in a manner that ensures its security. This includes ensuring protection against unauthorised or unlawful processing and against loss, destruction or damage.
Organisations must put in place policies to ensure that only authorised people can access, alter, disclose or destroy personal data, that everyone acts within the scope of their authority and that so far as possible, breaches are drawn to the attention of the organisation and steps are taken to minimise the effect of any breaches and to recover any lost data so as to prevent damage or distress to affected data subjects.
The more sensitive the data an organisation holds, the greater the measures that the organisation should take to protect it.
Outside the sphere of data protection, organisations are entitled to protect confidential information and trade secrets and may also be bound to protect information provided by third parties which is of a sensitive or personal nature.
1. Physical Security
- The Company's premises are secure, alarmed and fitted with remote CCTV that is monitored round the clock by our security contractor.
- Access to the premises is by keycard or invitation only; visitors to The Company's premises are not left unattended in sensitive areas.
- The use of removable media is not permitted for the storage of personal data or business critical information except when the media is routinely kept in the most secure location.
- Removable media is permitted for the immediate transfer of personal data or business critical information only under the supervision of a senior manager.
- All digital storage media (removable and fixed) are to be physically destroyed prior to disposal.
- Long term documentary records containing personal data are kept in locked storage facilities on The Company's premises.
- Any documents containing personal data not required for long term use are securely disposed of (shredded by an approved third-party contractor on The Company's premises) as soon as possible.
- Offsite backups are regularly made of crucial data, namely the lbq.org database, The Company's accounting records, marketing database and business related email.
- The Company will only store or transfer personal data in the UK. This means that it will be fully protected under the GDPR.
- Equipment used away from The Company's premises is logged to prevent unidentified loss, and employees are required to act responsibly to guard against loss or theft.
2. Technological Measures
- All of The Company's computing equipment and software is kept up to date and any software updates issued by software publishers are promptly installed.
- All of The Company's computing equipment has anti-virus software installed. This software is routinely used and updated.
- All incoming and outgoing data, whether downloaded or uploaded, sent by email or transferred from physical media, is scanned for viruses and malware.
- The Company segments its internal network to isolate different categories of business critical functions and personal data from unrelated activities.
- Employees and visitors are only permitted to connect their own devices to The Company's guest Wi-Fi network.
- Employees are not permitted to store or transmit data using personal devices.
- The Company's entire internal network infrastructure is protected by hardware firewalls.
- All data and information connected with the development of The Company's internet assets (lbq.org & learningbyquestions.org) is stored on fully encrypted drives or partitions.
- The Company's internet assets (lbq.org & learningbyquestions.org) are located in external data centres on dedicated servers with full backup and recovery facilities located elsewhere.
- The servers hosting The Company's internet assets (lbq.org & learningbyquestions.org) are all covered by TLS (SSL) certificates, and all traffic to and from the servers is carried over HTTPS using the TLS protocol.
- The Company maintains and monitors its servers via secure VPN. The servers are regularly monitored to check performance and identify potential compromise.
- Employees working away from The Company's premises are only able to access The Company's network via secure VPN.
- Equipment used away from The Company's premises will, to the fullest extent practical, contain only the minimum data necessary and will be both encrypted and password protected. If available, device specific tracking and remote shut down features will be deployed.
3. Access Controls
- All passwords used to protect data should be changed regularly and should not use words or phrases that can be easily guessed or otherwise compromised. All passwords must contain a combination of uppercase and lowercase letters, numbers, and symbols.
- Under no circumstances should any passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of The Company, irrespective of seniority or department. If a password is forgotten, it must be reset using the applicable method.
4. Culture and Practices
- The Company's intent is at all times to minimise the amount of personal data accessed and the number of employees who need to access it.
- Employees will normally only access personal data in response to a specific enquiry or in relation to a transaction.
- Where the need to access personal data arises, employees are trained to identify the nature of the requirement and, if necessary, which other employees/teams are best equipped to assist. It is additionally Company practice to circulate data internally with the minimum possible duplication of personal data.
- Data may only be transferred to agents, contractors, or other parties working on behalf of The Company where the party in question has agreed to comply fully with this policy, with Data Protection legislation and with confidentiality more widely, which may include demonstrating to The Company that all suitable technical and organisational measures have been taken.
- Employees who change roles or leave The Company will have any access rights to The Company's systems promptly updated or removed.
- In responding to enquiries requiring access to personal data, employees are trained to first verify the identity of the enquirer and the validity of their request. If deemed necessary, explicit consent may be sought from the individuals the data relates to.
- Unless entirely anonymised no employee is permitted to share data outside the company, or inside the company without a clear business reason, except with the express written consent of any individuals potentially identified by the data.
- In respect of incoming email, employees are trained to evaluate the necessity and appropriateness of further circulating any information contained in the email.
- Incoming and outgoing e-mails will be stored on The Company’s e-mail system. E-mails will be deleted from time to time. Any data contained in the body of an e-mail (whether sent or received) which needs to be kept for any period of time should be stored securely. Where that data is personal data, it should only be copied and stored where it is necessary to do so for one or more purposes outlined in The Company’s privacy notices.
- Where data is to be sent by facsimile transmission, wherever possible the recipient should be informed in advance of the transmission.
- Where data is to be transferred in hard copy form it should be passed directly to the recipient or sent using the recipient’s name and marked “private & confidential – for addressee only”.
- Desks should be left clear at the end of each working day and hard copies of data should not be left on desks unless the room in which the data is located can be locked.
- No data may be transferred other than in the normal course of business to any person, whether such parties are working on behalf of The Company or not, without advance authorisation.
- Data must be handled with care at all times and should not be left unattended or on view to unauthorised employees, agents, sub-contractors or other parties at any time.
- If data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it.
- All computer users should log out of the computer system when they finish work for the day and switch the system off. Do not simply leave the system on standby.
- When developing systems and processes, The Company undertakes the appropriate risk assessments and aims to produce solutions requiring the minimum of data capture and processing.
- The Company may share personal data within the group of companies of which The Company is a part. All companies within the group must follow the same rules with respect to data usage. Where data is shared with companies outside the EEA, certain rules apply. These are known as “binding corporate rules”. More information on binding corporate rules is available from the ICO website (https://ico.org.uk/for-organisations/guide-to-data-protection/binding-corporate-rules/).
5. Personnel and Training
- All employees are subject to integrity/background checks prior to employment.
- All employees are required to undergo basic information security training at the start of their employment.
- Where roles or responsibilities require it, employees are given additional specific training.
- The Company promotes a culture of awareness and encourages employees at all levels to take responsibility for data security.
6. Agents and Subcontractors
- All agents, contractors, or other parties working on behalf of The Company are made fully aware of both their individual responsibilities and The Company’s responsibilities under data protection legislation and under The Company’s suite of data protection policies, and, where necessary, shall be provided with a copy of The Company’s suite of data protection policies.
- Only agents, sub-contractors, or other parties working on behalf of The Company that need access to and use of data in order to carry out their assigned duties correctly shall have access to personal data held by The Company.
- All agents, contractors, or other parties working on behalf of The Company handling data will be appropriately trained to do so.
- All agents, contractors, or other parties working on behalf of The Company handling data will be appropriately supervised.
- Methods of collecting, holding and processing data shall be regularly evaluated and reviewed.
- All agents, contractors, or other parties working on behalf of The Company handling data will be bound to do so in accordance with the principles of data protection legislation and The Company’s data protection policies.
- All agents, contractors, or other parties working on behalf of The Company handling data must ensure that any and all of their employees who are involved in the processing of data are held to the same conditions as those which apply to employees of The Company.
- Where any agent, contractor or other party working on behalf of The Company handling data fails in their obligations regarding personal data or confidential information, wherever practicable that party shall indemnify and hold harmless The Company against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
7. Incident/Response Management & Business Continuity
- Employees are trained to recognise and respond to potential data security incidents. The Company has clear procedures to identify actual data security incidents and escalate our response accordingly.
- The Company maintains a log of potential and actual security incidents and uses that information to improve our data security.
- In the event of an identified data breach The Company expeditiously acts to comply with its contractual and legal obligations.
- The Company maintains a business recovery plan and anticipates no more than 24 hours' loss of service in the event of serious incidents, including but not limited to: power loss, equipment failure, natural disaster, serious accidents, data compromise, inability to access Company premises and loss of key employees.
8. Information Security Audit, Testing and Improvement
- The Company regularly tests the security and resilience of its systems and assets using both automated and manual processes.
- The Company maintains a thorough log of its testing procedures and acts to implement any improvements identified either immediately or by updating our data security improvement plan.
- The Company maintains a data security improvement plan and continually works to implement security improvements in response to changes in legislation, technology, system functions, user requirements and a changing risk environment.