Personal Data: Any information relating to an identifiable person (living individual), who can be directly or indirectly identified by reference to an identifier.
This definition provides for a wide range of personal identifiers to constitute personal data, including name, identification number, location data or online identifier.
Sensitive Personal Data: The General Data Protection Regulation (GDPR) refers to sensitive personal data as “special categories of personal data”.
The special categories include data relating to: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, health, or a person’s sex life or sexual orientation.
Prospus Group Limited holds personal data and recognises that this could be a high value commodity for fraudsters.
It is Prospus Group Limited’s responsibility to secure customer data and as a business we have put in place systems and controls to counter the risk that the business might be used to further financial crime.
As a business we adhere to the requirements of the General Data Protection Regulation (GDPR) and are on the data protection register. This can be checked by visiting https://ico.org.uk/about-the-ico/what-we-do/register-of-data-controllers/
As a business we take personal data security seriously and have given Alistair Fell, Director, overall responsibility for the business’s approach to personal data security. This does not diminish each individual’s responsibility to ensure that the customer data in their possession is kept secure at all times. As a business, we provide training to ensure that staff understand their responsibilities and the ultimate risks of a breach of customer data security.
As a business we recognise that customer data security issues permeate all departments and are not restricted to IT.
We ensure that our premises are secured when unoccupied and access to the premises is continually monitored with all employees and visitors signing in and out.
We constantly assess our security measures for our IT systems and office premises to minimise the risk of data theft and/or a break in. Visitors are not left unattended with access to personal data even when the business is confident of the visitor’s integrity.
We do not sell or provide any third parties with your personal data except for those that provide certain services such as our email client, CRM database, and online GDPR compliant processing and marketing service providers such as Campaign Monitor, SurveyMonkey, and Dropbox. The data held with these third parties is for our use only and in line with the consent provided by an individual to contact them or manage their account.
As a business we are confident that our employees have the integrity to handle personal data. The business undertakes appropriate checks at the point of recruitment and if anything comes to light that questions an employee’s integrity the matter is sensitively and promptly reviewed.
As a business we do not leave personal data on desks unattended.
Whenever possible, we adhere to a clear desk policy.
We ensure that personal data is not shared unnecessarily.
Staff are required to sign and abide by the business’s confidentiality agreement.
The business encourages staff to raise concerns about customer data security with the Data Protection Champion, however insignificant they are felt to be.
The business only collects the personal information that is needed for a particular business purpose.
Records are updated promptly if information changes (e.g. a change of address).
Personal data is disposed of in accordance with the business’s Personal Data Retention Policy and in accordance with GDPR once it is no longer required.
We are aware that people may try to trick staff into giving out personal information and therefore identity checks are carried out before releasing personal information to someone over the telephone.
Education and training:
Training on GDPR is ongoing, as the business recognises the quickly evolving nature of financial and internet crime and the need to ensure that employees’ awareness of these topics is maintained.
As part of the business’s induction process employees are advised of the importance and relevance of customer data security and are provided with a copy of this policy.
We ensure that each member of staff has their own username and password.
We instruct staff not to write passwords down or share them with colleagues.
As a business we are aware of the importance of strong passwords and the importance of changing passwords regularly.
Staff are advised that passwords must be at least seven characters in length and contain a mix of upper and lower-case letters, numbers, and keyboard symbols.
Staff lock or log off unattended computer terminals.
Any portable IT equipment issued to an employee is their responsibility and they must do their utmost to keep it safe.
The business does not permit sensitive customer data to be removed from the premises unless essential.
Staff who work remotely use online GDPR compliant service providers and/or encrypted and password protected devices for data processing and marketing purposes to protect the security of customer data.
The IT systems are backed up daily and the data held securely off site.
Data is encrypted.
Any concerns regarding IT and customer data security should be raised immediately with Alistair Fell, Director.
Customer data that is removed from the premises is encrypted if it would cause damage or distress if lost or stolen.
To minimise the likelihood of the business’s IT System being hacked into or being affected by a virus, we have installed security software and the business ensures that this is upgraded regularly.
Disposal of data:
The business disposes of data appropriately depending on its nature/sensitivity.
The business encourages any concerns that customer data is not being disposed of appropriately to be raised.
Data security breach management:
In the event that customer data is lost or stolen, the matter is to be reported immediately to Alistair Fell, Director, who will:
- Contain the security breach and recover data where possible.
- Assess the ongoing risk.
- Notify the persons concerned including the appropriate regulatory body.
- Evaluate the breach and the effectiveness of the business’s response to it.
This Policy will be reviewed annually.