Policy document

Policy heading

Purpose of Policy

The purpose of this policy is to enable Texthelp to:

  • Comply with the law in respect of the data it holds about individuals;

  • Follow best practice; and

  • Protect Texthelp’s customers and users.


Policy Statement

Texthelp will:

  • Comply with both the law and best practice regarding data security and privacy

  • Respect individuals’ rights

  • Be open and honest with individuals whose data is held

  • Provide training and support for staff who handle personal data, so that they can act confidently and consistently


Texthelp recognises that its first priority regarding data security and privacy is to avoid causing harm to individuals. Predominantly this means keeping information secure, on a need-to-know basis, in the right hands.


Key Risks & Mitigations

Texthelp has identified the following potential key risks, which this policy is designed to address:

  • Risk: Breach of security by an external entity
    Mitigation: The development and implementation of Data Security Standards to minimise the risk of data being obtained by hacking or interception.

  • Risk: Release of data by a staff member
    Mitigation: Staff Awareness Training will be delivered to help staff understand their responsibilities when handling personal data. Regular Audits will be conducted to ensure that staff are complying with this policy.

  • Risk: Not being able to respond to a security breach effectively
    Mitigation: Texthelp will develop and manage a data security management system to maximise data security and manage security incidents.


Responsibilities

Data Security Committee

The role and responsibilities of this committee will be to provide:

  • Leadership - this is primarily the role of the Data Protection Officer, who deals with both the day-to-day management of the security team and continuous communication of the importance and value of security measures.

  • Analysis & Design - The committee is also responsible for the analysis and design of the system to ensure a meaningful security policy as well as effective security solutions exist.

  • Administration - To look after the day-to-day administration of access rights, passwords, etc.

  • Monitoring - To continuously monitor the security status of the organisation, and manage incident response procedures.

  • Awareness communication - To ensure that awareness communication is conveyed throughout the company, maintaining ongoing security awareness, and to provide the necessary training programs.

  • Data Security Committee - To provide executive custody and governance, represented by the Data Security Committee.

Data Protection Officer

The Data Protection Officer is currently Martin McKay, with the following responsibilities:

  • Briefing the board on Data Protection responsibilities

  • Reviewing Data Protection and related policies

  • Advising other staff on Data Protection issues

  • Ensuring that Data Protection induction and training takes place

  • Notification

  • Handling subject access requests

  • Approving unusual or controversial disclosures of personal data

  • Approving contracts with Data Processors


Specific other staff

IT & Network Administrator:

  • Maintain a secure network

  • Maintain access control lists to core services

  • Implement and run the Business Continuity Plan and Disaster Recovery Plan

  • Provide computing resources to deliver the Data Security Policy


CRM And Customer Data Manager:

  • Manage and control access to Customer Data in the company CRM System

  • Ensure that the customer data is stored in compliance with the Data Security Standards


Staff

All staff are required to read, understand and accept any policies and procedures that relate to the personal data they may handle in the course of their work.


Enforcement

Significant breaches of this policy will be handled under Texthelp’s disciplinary procedures.


Confidentiality

Because confidentiality applies to a much wider range of information than Data Protection, Texthelp has a separate Privacy Confidentiality Policy.


Scope

This Policy applies to all employees and third-party agents of Texthelp, as well as any other Company affiliate who is authorised to access customer data. Third-party agents of Texthelp will be required to have a Data Security Policy at least as stringent as this policy.


What we do with customer data

Texthelp has a privacy policy for Users, setting out how their information will be used.

Texthelp Staff Responsibilities

All Texthelp Staff are required to sign a short statement indicating that they have been made aware of their confidentiality responsibilities (see Appendix A).



Data Security Standards

All data that is stored by Texthelp is classified as one of the following data types:


  • Public Information

  • Company Intellectual Property

  • Customer/Personal Information


All data that is classified as Customer/Personal Information must be stored in compliance with the following standards.

All data must be:

  • Encrypted at rest

  • Encrypted in transit using SSL encryption

  • Subject to logging of all access to the information

  • Protected by two-factor authentication

  • Stored in an ISO27001 facility

  • Backed up regularly and securely

All data should be recorded in the data security management system, and any relevant data security contracts that have been entered into between Texthelp and a Customer must be recorded in the Data Security Management System.


In order to comply with relevant legislation:

  • If Texthelp is storing information relating to or created by a student (Student Data), that data should be deleted if a request to do so is made by a parent of the student. If appropriate, Texthelp will ask the Parent, School or District to verify that the request is valid.

  • Texthelp has a policy not to retain Student Data for more than 180 days after a subscription has lapsed. Any data that is stored is stored only to deliver the functionality of the product for the district, strictly for Education Purposes.


Texthelp must operate a Business Continuity Plan to deliver continuity of service in the event of a disaster.  This plan should cover situations such as:

  • Fire

  • Flash flood

  • Pandemic

  • Power Outage

  • Theft


Data Security Management System

A system must be maintained to manage and control the security of all data stored by Texthelp.


The system must:

  • List all data entities including:

    • Their Physical Location

    • Their Data Classification

    • The method of encryption for storage at rest

    • The method of encryption for data in transit

    • Whether the entity contains user data

    • Who can access the data

  • List all data contracts including:

    • What products the customer is using

    • What data entity their data is stored in

    • Who to notify in the event of a security breach

  • Manage Security Incidents including:

    • Provide a means of notifying all relevant customers and staff

    • Record all security incidents

    • Resolve the security incident and record steps taken to prevent recurrence

  • Where relevant, record access to data entities by staff members including:

    • Which staff member

    • Which data

    • What date and time


Staff training & acceptance of responsibilities

Documentation

Information for staff and temporary workers is contained in the staff handbook.

Induction

All staff who have access to any kind of personal data will have their responsibilities outlined during their induction procedures.


Data Protection will be included in foundation training for all staff.

Continuing training

Texthelp will provide opportunities for staff to explore Data Protection issues through training, team meetings, and supervisions.

Procedure for staff signifying acceptance of policy


Specific Focus Training for Key Handling Roles

Software Developers

Software Developers at Texthelp will be trained to ensure that the architecture of any system that stores personal data is in compliance with the Data Security Standards above.

Prior to release the software will be tested to ensure that it is in compliance.


Marketing Staff

Marketing Staff who have access to personal customer information will receive specific training regarding the secure transit and storage of personal data for the purposes of outbound marketing.



Policy review


Responsibility

David Hankin (Quality Manager) will be responsible for reviewing this policy. This Data Security Policy will be audited as a part of the company’s scheduled ISO 9001 audits. Audits of all processes within the company will take into account this Data Security Policy at all times.

Procedure

An annual review of the policy will be carried out to ensure continuing relevance. The results of this review will be available on request.

Timing

An audit of this policy will be carried out once per year. However, the requirements of this policy, with regard to data privacy/security, will form a part of the company’s regular ISO 9001 internal audits. The ISO 9001:2008 audits are performed twice annually.

Data Security Incidents

Data security incidents will be classified according to severity.  Incidents such as unsuccessful exploit attempts that do not involve data loss will be classified as Level 1 - Non Critical Incidents. Level 1 incidents should not trigger a customer notification since there has been no impact to privacy.


Incidents that do involve data loss will be classified as Level 2 - Critical Incidents and should trigger a notification to all customers that are impacted by the data loss.


Appendix A: Confidentiality statement for staff

When working for Texthelp, you will often need to have access to confidential information which may include, for example:


  • Personal information about individuals who are customers or users of Texthelp software.

  • Information about the internal business of Texthelp.

  • Personal information about colleagues working for Texthelp.


Texthelp is committed to keeping this information confidential, in order to protect people and Texthelp. ‘Confidential’ means that all access to information must be on a need-to-know and properly authorised basis. You must use only the information you have been authorised to use, and for purposes that have been authorised. You should also be aware that under the Data Protection Act, unauthorised access to data about individuals is a criminal offence.


You must assume that information is confidential unless you know that it is intended by Texthelp to be made public. Passing information between staff members in our international offices, or between Texthelp and a 3rd party marketing partner who is in compliance with our policy, or vice versa, does not count as making it public, but passing information to another organisation does count.


You must also be particularly careful not to disclose confidential information to unauthorised people or cause a breach of security.  In particular you must:

  • not compromise or seek to evade security measures (including computer passwords);

  • be particularly careful when sending information between our international offices;

  • not discuss confidential information, either with colleagues or people outside Texthelp;

  • not disclose information — especially over the telephone — unless you are sure that you know who you are disclosing it to, and that they are authorised to have it.


If you are in doubt about whether to disclose information or not, do not guess.  Withhold the information while you check with an appropriate person whether the disclosure is appropriate.


Your confidentiality obligations continue to apply indefinitely after you have stopped working for Texthelp.


Data Security & Privacy Requirements for Developers

When working for Texthelp, software products that you are working on may store Student Data, or personally identifiable information.  When designing products care should be taken to ensure that:

  • All data is encrypted at rest

  • All data is encrypted in transit

  • We only store data that is required for the fulfilment of the product's purpose

  • Access to the data is protected by 2 factor authentication

  • The data is listed as a Data Entity in the data security management system

  • Staff members who have access to the data are listed in the data security management system

  • Where appropriate all access to the data is logged in the data security management system


If you become aware of a product or system at Texthelp that is not in compliance with the Data Security Policy, you should bring it to the attention of the product manager or a member of the data security team to ensure that remedial engineering is scheduled to bring the product into compliance.