Data Protection & Information Security Guide
This information is taken from: This doc
This section of the handbook sets out our approach and some key concepts around data protection and information security. NDP has legal obligations to meet on both fronts.
What do we mean by information security?
We mean best practices about keeping information safe.
What do we mean by data protection?
We mean the Data Protection Act and our obligations under it.
The two are closely related and are both covered in this section.
The Data Protection Act… some background
The Data Protection Act is legislation which covers what you can and can’t do with data that we hold about living individuals - data which can be used to identify them. In simple terms, it requires us to make sure that data is:
- fairly and lawfully processed
- processed for specified purposes
- adequate, relevant and not excessive
- accurate and, where necessary, kept up to date
- not kept for longer than is necessary
- processed in line with the rights of the individual
- kept secure
- not transferred to countries outside the European Economic Area unless the information is adequately protected*
* Until recently, the US/EU Safe Harbor agreement helped us to comply with this. That agreement is now invalid, so we must take that into consideration in our work.
We comply with the requirements of the data protection act.
What data do we work with?
We work with:
- Internal data (concerning our employees and the clients we are working with)
- Marketing data (concerning people we are in contact with for marketing purposes)
- Client data (data that belongs to our clients, which we have access to while we work on their websites; for example, the members list of a membership organisation)
What does this mean for you?
Day-to-day security for everyone
You must choose a secure password for access to the systems covered in your company induction. From time to time we will ask you to change your passwords. Don’t share your passwords with anyone else, verbally or via email.
You must keep a tidy desk and avoid printing out documents containing personal information. For most of you, there is generally no need to do this as part of your job. Documents which are printed and contain personal information must be shredded when they are finished with.
Avoid keeping copies of data on removable media such as external hard drives, DVDs and USB drives. If you really must have a copy, the media must be kept securely and should ideally be password protected.
Read and understand our IT policy during your induction. Run through the data protection checklist. We will provide additional training as required, and you can always ask for a refresher.
Accompany any non-staff visitors in and out of the offices.
Log out of company software and your computer when you are not using it.
Lock up the office if you are the last one in. If you don’t have keys and will be working late, speak with the office manager.
What to do if you think something is wrong:
- Flag it up to management immediately - email or conversation is fine. Don’t include any personal information via email.
Security and data protection for our different teams
You’ll have some responsibilities and things to think about as part of your specific role. This isn’t an exhaustive list but it will help you identify key areas for consideration.
Office admin and marketing
You will have access to client contact details, staff personal details including banking and payroll, recruitment information for job applicants, and marketing data.
Make sure we have up-to-date client and marketing information on our agency systems, including the accounting software. If a member of the client’s team leaves, they must be removed from the system immediately.
Make sure we provide opt-out and unsubscribe options for our marketing mail-outs, and that anyone who uses them is automatically removed from our mailing list.
Recognise a Subject Access Request (someone asking for information about what we hold on them) and know how to respond. Alert management immediately - we have 40 days to respond.
Make sure we have up-to-date staff information on our agency systems, including payroll. Collect this information during their induction and explain why we need it. Make changes to the information when needed. Staff who have left should be removed within 1 working day of their leaving date.
Make sure we have appropriate back-ups in place for staff and client data.
You are likely to be responsible for distributing payslips to staff. You must hand these to the staff member concerned - don’t leave them on the desk to be picked up later.
You’re likely to have to maintain some printed records as part of your day-to-day job. These should be kept in a physically locked filing cabinet and you should keep the key safe. Don’t lend the key to other staff members. Destroy any records which aren’t needed any more by shredding them.
We must avoid collecting and storing information about an employee’s health unless we consider it to be absolutely necessary. For example, don’t collect information about the specifics of a staff member’s sick leave reasons within our HR system. If you think there is an argument to capture this information, you must discuss this with management before taking action.
Check the general status of the office and meeting rooms. We want to know that:
- Printed documents aren’t sitting on the printer for collection for a long time
- Piles of paper aren’t hanging around on desks - discuss this with the individual concerned if you think there is a problem
- Computers are not left logged in. On shared meeting room computers, make sure that users have logged out from any applications they opened during the meeting.
- Offices are locked at night or when empty. Know who has a set of office keys. If a person with keys leaves, make sure you get them back.
Project management and Quality Assurance
You will have access to clients’ contact details and information about their project, which may be confidential, and may also have access to data owned by the client, such as a user database.
Ensure the right members of the client’s team have access to the Basecamp project. If a client informs you that a member of their team has left, you must remove that person from the Basecamp project immediately. Refer to our named contact on the client’s side if you are unsure.
If you are asked to add external suppliers to the client’s project - such as marketing agencies - add them as a separate organisation, not as part of the client’s.
Know if a project is under NDA or not. Project folders will have an NDA sticker on them. Know what the NDA covers. If you don’t know and can’t find out, assume there is one.
Do not make copies of client websites or data onto portable removable media such as external hard drives, DVDs or USB sticks. Discourage clients from transmitting data to you this way too. A secure file delivery system such as WeTransfer is a better option. If you do receive data in this way, we must either return the media or destroy the data once we have finished using it.
Know which developers are working on your project and what copies of client sites they might need to do their job. They should delete any copies once their work is complete - make sure this is happening.
Digital strategy
You will have access to clients’ contact details and information about their project, which may be confidential. You may be given access to a current site as part of an audit, and that site may contain personal data.
Know if a project is under NDA or not, and what the NDA covers. Make sure all client documentation (such as proposals) is labelled as appropriate.
If you have site access as part of a site audit, be clear about what your audit is meant to cover and stick to those areas.
You’ll probably do a lot of printing in relation to client briefs, proposals and requirements. Make sure you know if these documents contain personal or confidential information. Destroy them when you’ve finished with them, ideally by shredding.
Keep your eyes peeled for any client needs which potentially have a data protection implication. Direct the client to the ICO or the Direct Marketing Association for advice where needed.
UX and design
You will have access to clients’ contact details and information about their project, which may be confidential. You may be given access to a current site as part of an audit, and that site may contain personal data.
If you have site access as part of a site audit, be clear about what your audit is meant to cover and stick to those areas.
Know if a project is under NDA or not. Project folders will have an NDA sticker on them. Know what the NDA covers. If you don’t know and can’t find out, assume there is one.
Development
For those working in the development team, we must adhere to an increased level of security. Our clients’ websites can contain the kinds of personal information covered by the Data Protection Act, and as part of your day-to-day job you may find that you have access to this.
Copying information
Do not make any copy of a client’s website without being directed to do so by your project manager, and keep any copies within agreed parameters - avoid using laptops for this purpose for example. Document where your copy is made, and delete it when you have finished your work.
Do not make copies of client websites or data onto portable removable media such as external hard drives, DVDs or USB sticks. Discourage clients from transmitting data to you this way too. A secure file delivery system such as WeTransfer is a better option. If you do receive data in this way, we must either return the media or destroy the data once we have finished using it.
Use drush sql-sanitize when copying databases - for example into development environments. This removes sensitive information from the database.
Credentials
Use individual, not shared login credentials, in all our development environments. Do not allow other developers to use your credentials. Wherever possible, use access keys rather than username/password credentials.
If you believe a developer has access to a development environment that they should not have, report this to management immediately.
If a developer outside of NDP requests access to a development environment, ensure we have written approval from our named client contact for this. If possible and appropriate, set time limits on their access.
Set up distinct CMS users for the client to log into their website. They shouldn’t be sharing logins any more than we should. Ensure permissions are set appropriately for the client’s required use. Passwords should be strong: use a password generator for this.
Be confident that you know who you are giving access to. If you’ve been asked to set some up but aren’t sure, check with the project manager or the named client contact.
Don’t send credentials to the client over email or Basecamp.
Website development
Make use of the drush sql-sanitize hooks when building functionality which interacts with personal information: for example, if you are storing information added by the user during registration. Drush only knows how to sanitise its own tables, so data your code stores elsewhere will be left in database copies unless a hook covers it.
Custom code must be peer reviewed and signed off as part of your planned testing.
Ensure that sites and/or environments that are no longer being worked on locally are removed/destroyed.
Familiarise yourself with, and adhere to, any specific security protocols set out in the contract/scope.
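As an added illustration of the point above (example code, not NDP’s own or Drush’s), a hook that extends drush sql-sanitize to a custom table populated at registration. It assumes the Drush 8 hook_drush_sql_sync_sanitize() API, a constructed table name (example_registration) with the columns shown, and that the file ships as a module’s example.drush.inc.

```php
<?php
/**
 * @file
 * Hypothetical example.drush.inc: registers extra sanitisation queries for
 * Drush 8. They run whenever `drush sql-sanitize` (or `drush sql-sync
 * --sanitize`) is executed, after Drush's own reset of the users table.
 */

/**
 * Implements hook_drush_sql_sync_sanitize().
 *
 * The table `example_registration` and its columns are constructed for this
 * example; substitute the real table your registration code writes to.
 */
function example_drush_sql_sync_sanitize($site) {
  // Resolve the table prefix the same way Drush's own sanitiser does.
  $site_settings = drush_sitealias_get_record($site);
  $databases = sitealias_get_databases_from_record($site_settings);
  $prefix = isset($databases['default']['default']['prefix'])
    ? $databases['default']['default']['prefix'] : '';

  // Overwrite direct identifiers but keep the rows, so code that joins on
  // uid still behaves normally in the development copy.
  $queries = array(
    "UPDATE {$prefix}example_registration "
      . "SET full_name = concat('User ', uid), phone = '', postcode = '' "
      . "WHERE uid > 0;",
    // Free-text fields are the riskiest: people type anything into them.
    "UPDATE {$prefix}example_registration SET notes = NULL;",
  );

  // Drush concatenates the registered queries into one statement string
  // and shows the message when asking for confirmation.
  drush_sql_register_post_sync_op(
    'example-registration',
    dt('Remove personal details from the example_registration table'),
    implode(' ', $queries)
  );
}
```

After running `drush sql-sanitize` on a development copy, query the table directly to confirm the columns were overwritten before handing the copy to anyone else.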
Training
- Attend developer upskills sessions. These are run weekly and will periodically contain updates around best practices for developer security.
Management and data protection officer
Our data protection officer is Kat Elliott. Her responsibilities are:
- Putting together this document and updating it
- Being appropriately knowledgeable about changes to information security and data protection policy
- Knowing what software is used by the company and what for, and having an understanding of the security credentials of such software
- Providing induction and training to the team
- Reviewing and updating team policy
- Monitoring day-to-day implementation of information security practices
- Reporting to management on the above
The management team (Simon Whittaker, Sofia Asztalos, Jan Lodey) are ultimately responsible for ensuring we meet our legal obligations.