Data Protection
The following good practices detail the measures taken by the company to secure personal information against unlawful or unauthorized use or disclosure, accidental loss, damage or destruction:
- A named person holds day-to-day responsibility for security measures: discussing with senior colleagues which measures should be adopted, writing procedures for staff to follow, organizing staff training, checking that procedures are followed and that the measures work, monitoring changes and investigating security incidents.
- We have reviewed our company activities in detail: the personal information we hold and how we use it in our business, our premises, our computer systems, how many staff we have and what access each of them has to personal information.
- We have identified the organizational changes needed to keep that information safe by conducting a risk assessment that identified all data to be protected and the security problems that could arise, and that gave us a measure of how effective our existing security measures were.
- We also assessed whether the person in charge of security has the knowledge and other resources needed to address the security issues identified, and we make sure he has the full support of top management at all times.
- We give anyone from outside the company only the minimum access required, are clear about what they need access to and why, and put in place the security needed to oversee what they do.
- We have a well-established infrastructure for protecting and recovering the personal information we hold. We also make sure we comply with all applicable legal obligations and licensing terms.
- Analyses of security incidents consistently show that a high proportion are staff related, so this has been a key area for us, especially the reliability of employees who have access to personal information. We have steps in place at the recruitment stage to check the identity and reliability of our staff.
- Our employment contracts set out what staff can and cannot do with the personal information they handle. Employees are trained in their responsibilities for the personal information we process, in identifying confidential information and in the restrictions that apply to it.
- Staff are trained to recognize phishing and other impersonation attacks and the dangers they pose. They are made aware that deliberately disclosing personal information without the consent of the company or the relevant authority is a criminal offence. All staff are told what personal use they may make of computers, to avoid virus infection, spam and access to illegal material.
- Our premises are secured at all times. Good-quality doors and locks are used and all working areas are well lit. Paper documents are locked away overnight and on non-working days. Visitor entry is restricted and supervised by security staff and receptionists.
- Staff may not use or carry computer media and portable equipment such as memory sticks and CDs/DVDs inside the company. Paper waste containing personal data is shredded to prevent unauthorized access.
Computer Security
- Our company operates on a networked infrastructure, and we understand that a networked system needs more controls than a stand-alone computer, especially when it is connected to the internet. Taking into account the nature of the information we hold, we have adopted the security controls needed to manage our systems securely.
- All operations on the computer systems are carried out in accordance with written procedures, and all changes to the systems are documented. Our servers are additionally hardened through policies and other security measures.
- Uninterrupted power supply is ensured by a separate in-house power backup, which guards against loss of information caused by power failures. Computer access is restricted: each member of staff has their own password and can access only their own system and no one else's. Passwords are required to be strong so that they cannot easily be broken.
- Shared files are accessed through shared folders or mapped drives, with privileges limited to the parts of the network each user needs. Unattended computers lock automatically and require a password to unlock.
- Procedures are in place for securely deleting information held on computers. Information that is deleted unintentionally can be recovered. When a hard disk or other medium containing confidential data must be permanently erased, this is done securely with wiping software so that the deleted data cannot be retrieved.
- Backups of all company information are taken according to a written schedule, and the backup data is stored at a separate location so that it can be recovered if the original is destroyed.
- Internet and email security is our prime area of concern. Firewalls are in place that block unwanted programs from being downloaded. Internet and email access is not granted to all staff. Our antivirus software is always kept up to date. Routine scheduled checks of systems are carried out to detect virus infection or intrusion.
- All staff are warned of the insecurity of email, and sensitive information sent by email is always encrypted.
Retaining Client Data
Under our current policy, we keep client input data (e.g. scanned copies of vouchers) for only one year after finalization. We recommend that clients keep the same data for three years for easy reference.