Update Staff handbook page “data-protection-and-confidentiality”
NeilDabsonDxw committed Oct 30, 2023
1 parent 1f0be34 commit 5eb8a86
Showing 1 changed file with 34 additions and 25 deletions.
59 changes: 34 additions & 25 deletions src/staff-handbook/data-protection-and-confidentiality.md
Expand Up @@ -5,6 +5,7 @@ redirect_from:
- /working-here/data-protection-and-confidentiality
last_reviewed_at: ""
---
At dxw we have an [information security management system](https://docs.google.com/document/d/1pYX6-VOZtiPOmjiq_wJvRrkQdx0ue8YGshSQO32QAeE/edit?usp=drive_link) that helps us to look after all the information we control. It instructs and guides us all in how we keep data safe for ourselves and our clients.

Though dxw doesn't control much personal data, our clients generally do. And
some of it may be held on sites that we host. Everyone at dxw has a
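Review bot: the new ISMS link in this paragraph uses the same Google Doc id that the later "Information security at dxw" section links as the ISMS manual, but with `usp=drive_link` there and `usp=sharing` here; since that later section says there are two versions of the manual (one redacted for sharing outside dxw), say which version this first link is and use the same share parameter in both places so the links behave the same for readers.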
Expand All @@ -13,32 +14,42 @@ responsibility to keep that data safe, and process it in accordance with the

In particular, we:

- only process personal data as part of work on the service that we're
* only process personal data as part of work on the service that we're
contracted to provide to a client
- don't access personal data unless we need to in order to do our jobs: don't
* don't access personal data unless we need to in order to do our jobs: don't
read people's personal data or private communications without good reason
- we do not ever disclose people's personal data to anyone outside dxw unless
* we do not ever disclose people's personal data to anyone outside dxw unless
specifically instructed, and are satisfied that it is legal to do so

If you have any questions about data protection, talk to the Data Protection
Officer, Gurps.

## Protective marking scheme
## Information security at dxw

Our information security management system (ISMS) is what we use to ensure we look after the data we have access to. We structure and run this system to be compliant with the ISO 27001 standard, to which we are [externally assessed](https://docs.google.com/document/d/1pYX6-VOZtiPOmjiq_wJvRrkQdx0ue8YGshSQO32QAeE/edit?usp=drive_link). Our ISMS team has the responsibility of owning our ISMS and is always evolving and improving it. They do this with the help of our senior leadership team and specialists at URM consulting. Together they help us manage risks to the security of our data. 

If you have any questions about either our ISMS or the safety of our data, talk to the ISMS team.

You can find our Information security policy in the [ISMS manual](https://docs.google.com/document/d/1pYX6-VOZtiPOmjiq_wJvRrkQdx0ue8YGshSQO32QAeE/edit?usp=sharing). (we have two version of this, this one that is suitable for sharing outside dxw as it has some contact details redacted) 

## Document labelling

This guidance is supported by the [Documents policy](https://docs.google.com/document/d/1lynCayxE4PyMWXCBIgWcMHSLUIEySuNq1uTNrpC1yxs/edit?usp=sharing), which is available to be viewed by dxw staff.

Some information that we have is confidential. We use a protective marking
scheme so that everyone understands how to handle this material, and who they're
allowed to disclose it to. All of the documents and data we hold will fall into
one of the categories below.

- **Management-in-Confidence**: internal documents whose circulation within dxw
* **Management-in-Confidence**: internal documents whose circulation within dxw
needs to be restricted.
- **Company Confidential**: information owned by dxw which would be of value to
* **Company Confidential**: information owned by dxw which would be of value to
those outside the company, such as competitors, and whose loss or theft would
potentially damage the company.
- **Client Confidential** or **Commercial in Confidence**: information owned by
* **Client Confidential** or **Commercial in Confidence**: information owned by
dxw or its clients, which needs to remain confidential between dxw and the
client.
- **Unclassified**: information, which would not be of significant commercial
* **Unclassified**: information, which would not be of significant commercial
value to those outside dxw.

Some of our clients also have protective marking schemes. For example, all
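Review bot: "externally assessed" is linked to the same Google Doc id as the ISMS manual link two paragraphs later, so it points at the manual itself rather than at any assessment or certificate; either link the assessment record or make it plain text. In the same hunk, the parenthetical "(we have two version of this, this one that is suitable for sharing outside dxw as it has some contact details redacted)" has a typo ("versions") and is not a complete sentence; suggest "There are two versions of this document; the linked one is suitable for sharing outside dxw because some contact details are redacted." Both new paragraphs also end with trailing whitespace, and "URM consulting" should probably be capitalised if it is the company name.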
Expand All @@ -64,17 +75,16 @@ or external to dxw.

This information:

- must be clearly labelled or described as "Management-in-confidence"
- when printed

- stored only in a locked container
- transported only via courier, recorded delivery or personally by dxw staff
- destroyed by cross-cut shredding when no longer required
* must be clearly labelled or described as "Management-in-confidence"
* when printed

- when digital
* stored only in a locked container
* transported only via courier, recorded delivery or personally by dxw staff
* destroyed by cross-cut shredding when no longer required
* when digital

- stored in an encrypted format
- communicated only when encrypted or via an encrypted connection, unless
* stored in an encrypted format
* communicated only when encrypted or via an encrypted connection, unless
emailed from one dxw.com address to another

### Company Confidential
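Review bot: the label text "Management-in-confidence" in the first bullet does not match the category name "Management-in-Confidence" used in the list of categories above; use one spelling so a search for the label finds both. The rendered diff also drops the blank line between the "destroyed by cross-cut shredding" sub-item and "* when digital" while keeping the one after "* when printed", and indentation is not visible here, so confirm after the switch from "-" to "*" markers that the sub-items under "when printed" and "when digital" still render as a nested second-level list rather than flattening into the top level.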
Expand All @@ -99,16 +109,15 @@ falls into this category.

This information:

- must be clearly labelled or described as "Client Confidential" or "Commercial
* must be clearly labelled or described as "Client Confidential" or "Commercial
in Confidence"
- when printed:

- stored out of sight
- destroyed by cross-cut shredding when no longer required
* when printed:

- when digital:
* stored out of sight
* destroyed by cross-cut shredding when no longer required
* when digital:

- stored in an encrypted format when on exchangeable media or a mobile device
* stored in an encrypted format when on exchangeable media or a mobile device

As a rule of thumb, label a document as Client Confidential if it mostly
contains the client's confidential information, or Commercial in Confidence if
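Review bot: same nesting check as in the Management-in-Confidence list: confirm the "stored out of sight" / "destroyed by cross-cut shredding" / "stored in an encrypted format..." items still sit one level under "when printed:" and "when digital:" once the marker change lands. The trailing colon on "when printed:" and "when digital:" here is also inconsistent with the Management-in-Confidence list, which has none; pick one form for both lists.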
Expand All @@ -120,4 +129,4 @@ Anything not captured by the sections above is unclassified. Examples are
external marketing material, general emails and letters.

Beyond a general duty to treat information carefully, unclassified information
is not subject to any specific restrictions.
is not subject to any specific restrictions.
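Review bot: the final line "is not subject to any specific restrictions." is shown as both removed and added with identical text, which normally means only trailing whitespace or the end-of-file newline changed; check the file ends with a single newline so this hunk is not a no-op that will churn again on the next edit.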
