Purpose of Policy
This policy is intended to communicate to employees, directors, customers, suppliers, agents and associates the approach that Safe4 Information Management takes to the protection of personal information, and the security of data in general.
This statement is part of a wide-ranging standards-based philosophy adopted by Safe4 to address governance and compliance issues relating to all of its activities. This is managed and evidenced through the company’s Compliance Framework, which has been developed based on the Cyber Primed information security standard and utilises the functions provided within the Safe4 system itself. This framework sets out and records all activities that reflect the mechanisms in use within the company to pursue and adopt best practice in all its operations.
Who is covered by this Policy
This policy covers all individuals working at all levels and grades, including senior managers, officers, directors, employees, consultants, contractors, trainees, homeworkers, part-time and fixed-term employees, casual and agency staff and volunteers.
It also relates to external parties that interact with Safe4, principally suppliers and business partners who either supply the company with goods or services, or who represent the company in specific market sectors.
Data Protection Principles
The company is committed to processing data in accordance with its responsibilities under the GDPR. This section of the policy addresses the general principles of data protection, with specific reference to the requirements of the GDPR.
Article 5 of the GDPR requires that personal data shall be:
- processed lawfully, fairly and in a transparent manner in relation to individuals
- collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes
- adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals; and
- processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
Lawful, Fair and Transparent Processing
- To ensure its processing of data is lawful, fair and transparent, Safe4 shall maintain an Information Asset Register
- The Information Asset Register shall be reviewed at least annually
- Individuals have the right to access their personal data and any such requests made to Safe4 shall be dealt with in a timely manner.
- All data processed by Safe4 must be done on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task or legitimate interests
- Safe4 shall note the appropriate lawful basis in the Information Asset Register
- Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent shall be kept with the personal data
- Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent should be clearly available and systems should be in place to ensure such revocation is reflected accurately in Safe4
Safe4 shall ensure that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
- Safe4 shall take reasonable steps to ensure personal data is accurate
- Where necessary for the lawful basis on which data is processed, steps shall be put in place to ensure that personal data is kept up to date.
Removal or Deletion of Data
- To ensure that personal data is kept for no longer than necessary, Safe4 shall put in place an information retention and deletion policy for each area in which personal data is processed and review this process annually
- The archiving policy shall consider what data should / must be retained, for how long, and why.
- Safe4shall ensure that personal data is stored securely using its own highly secure system whenever possible
- Access to personal data shall be limited to personnel who need access and appropriate security should be in place to avoid unauthorised sharing of information
- When personal data is deleted this shall be done safely and in such a way that the data is irrecoverable
- Appropriate back-up and disaster recovery solutions shall be in place
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data, Safe4 shall promptly assess the risk to people’s rights and freedoms and if appropriate report this breach to the Information Commissioner’s Office.
Specific Issues Relating to the Safe4 System
In addition to its own internal processing of personal information, Safe4 is a provider of a highly secure information delivery and storage service that is used by a range of different service providers in the course of their business. Safe4 recognises that it has a duty to provide its customers with the means of complying with the provisions of the GDPR, and has taken specific measures to address this obligation.
The modifications made to the Safe4 system specifically to address the requirements of the GDPR include:
- Deletion of providers: provider accounts are one of the fundamental components of the Safe4 product architecture. This is the level at which system administration activity is managed, and from where client vaults are created and controlled. Many Safe4 customers operate multiple provider accounts in order to take advantage of the individual branding and terminology options that this offers. The system allows the complete removal of a provider account, with all of the vaults, folders, files, asset records and users that it contains, in such a way that the deleted information is not recoverable
- Deletion of vaults: Safe4 vaults provide a means of storing information in the form of files and asset records in folder structures, and making them available to designated users who may access the contents of specific vaults only. Removal of vaults will permanently delete the entire contents of a vault, including the folders, files, asset records and users that it contains.
- Deletion of users: both provider and vault users can be removed by deleting their accounts from the system. This deletion will prevent any further access to the specific providers or vaults from which the user has been removed. If access is required again in the future, the deleted user must be reinvited.
- Deletion of previous versions of files: Safe4 is a system of record, and whilst online editing of files is supported, any changes made to documents held in Safe4 will be stored as a new version, leaving the original version unchanged. If historic versions of files need to be removed because they contain data that should not be retained in accordance with any of the 6 reasons for retention described in section 6 above, this can be achieved by selecting the point from which earlier versions should be deleted.
- Subject Access Requests: Safe4 provides a function for creating a Subject Access Request report. This will detail the information that users have chosen to store about themselves in a PDF document that can be used in any way required. Safe4 does not control the content of vaults, and thus cannot report on any personal information that is contained within a vault.
Retention of Data
Following the removal of providers, vaults, users or previous versions of files, the data that was contained in those elements of the system will not be recoverable. However, Safe4 does maintain an audit trail of activity in the system, and this will be retained in order to allow legitimate reporting to be carried out should any evidence of improper conduct emerge relating to a previous user or data subject.
Responsibility for Implementation of the Policy
The Safe4 Board of Directors has overall responsibility for the effective operation of this policy.
All staff are responsible for their own compliance with this policy and for ensuring that it is consistently applied. All staff should ensure that they take the time to read and understand it. Any breach of this policy should be reported to a member of the Safe4 Board of Directors.
Questions regarding the content or application of this policy should be directed to the Safe4 Board of Directors.
Policy Review and Update
The Safe4 Board of Directors has overall responsibility for the review and update of this policy at the beginning of each calendar year or more regularly as required.