AppCan Security Policy

Introduction

This Data Security Policy is AppCan Ltd’s (hereafter referred to as “us”, “we”, or “our”) policy regarding the safeguarding and protection of sensitive personal information and confidential information as is required by law.

Purpose

The purpose of this document is to outline how we prevent data security breaches and how we react to them when prevention is not possible. By data breach we mean a security incident in which the confidentiality, integrity or availability of data is compromised. A breach can either be purposeful or accidental.

  • This Data Security Policy covers:
  • Physical Access procedures;
  • Digital Access procedures;
  • Access Monitoring procedures;
  • Data Security Audit procedures;
  • Data Security Breach procedures.

Scope

  • This policy includes in its scope all data which we process either in hardcopy or digital copy, this includes special categories of data.
  • This policy applies to all staff, including temporary staff and contractors.

Physical Access Procedures

  • Physical access to records shall only be granted on a strict ‘Need to Know’ basis.
  • During their induction each staff member who requires access to confidential information for their job role will be trained on the safe handling of all information and will be taught the procedures which govern how data is used, stored, shared and organised in our organisation.
  • Our staff must retain personal and confidential data securely in locked storage when not in use and keys should not be left in the barrels of filing cabinets and doors.
  • All offices, when left unoccupied, must be locked unless all personal and confidential information has first been cleared off work stations/desks and secured in locked storage.

Digital Access Procedures

  • Access shall be granted using the principle of ‘Least Privilege’. This means that every program and every user of the system should operate using the least set of privileges necessary to complete their job.
  • We will ensure that each user is identified by a unique user ID so that users can be linked to and made responsible for their actions.
  • During their induction each staff member who requires access to digital systems for their job role will be trained on the use of the system, given their user login details.
  • In the instance that there are changes to user access requirements, these can only be authorised by an AppCan Ltd Director.
  • As soon as an employee leaves, all their system logons are revoked.
  • As part of the employee termination process the AppCan Directors are responsible for the removal of access rights from the computer system.
  • The AppCan Directors will review all access rights on a regular basis, but in any event at least once a year. The review is designed to positively confirm all system users. Any lapsed or unwanted logons which are identified are disabled immediately and deleted unless positively reconfirmed.
  • When not in use all screens will be locked.

Access Monitoring Procedures

  • The management of digital access rights is subject to regular compliance checks to ensure that these procedures are being followed and that staff are complying with their duty to use their access rights in an appropriate manner.
  • Areas considered in the compliance check include whether:
  • Allocation of administrator rights is restricted;
  • Access rights are regularly reviewed;
  • Whether there is any evidence of staff sharing their access rights;
  • Staff are appropriately logging out of the system;
  • Our password policy is being followed;
  • Staff understand how to report any security breaches.

Data Security Breach Procedures

  • In order to mitigate the risks of a security breach we will:
    • Follow the Physical Access, Digital Access, Access Monitoring and Data Security Procedures;
    • Ensure our staff are trained to recognise a potential data breach whether it is a confidentiality, integrity or availability breach;
    • Ensure our staff understand the procedures to follow and how to escalate a security incident to the correct person in order to determine if a breach has taken place.
  • In the instance that it appears that a data security breach has taken place:
    • The staff member who notices the breach, or potential breach, will inform an AppCan Director without delay;
    • The AppCan Director will conduct a thorough investigation into the breach;
    • In the instance that the breach is a personal data breach and it is likely that there will be a risk to the rights and freedoms of an individual then the Information Commissioner’s Office (ICO) will be informed as soon as possible, but at least within 72 hours of our discovery of the breach;
    • As part of our report we will provide the following details:
      • The nature of the personal data breach (i.e. confidentiality, integrity, availability);
      • The approximate number of individuals concerned and the category of individual (e.g. employees, mailing lists, service users);
      • The categories and approximate number of personal data records concerned;
      • The name and details of our Directors;
      • The likely consequences of the breach;
      • A description of the measures taken, or which we will take, to mitigate any possible adverse effects.
    • The Director(s) will inform any individual that their personal data has been breached if it is likely that there is a high risk to their rights and freedoms. We will inform them directly and without any undue delay;
    • A record of all personal data breaches will be kept including those breaches which the ICO were not required to be notified about.

Responsibilities

The AppCan Directors are responsible for:

  • physical security;
  • digital access;
  • managing breaches;
Scroll to Top