- 1.1. RAM Tracking (“the Company”) is required to comply with the law governing the management and storage of personal data, which is set out in the General Data Protection Regulation (“GDPR”).
- 1.2. Articles 5 and 23 of the GDPR require the Company to process personal data securely, ensuring protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, by using appropriate technical or organisational measures. This is commonly referred to as the GDPR’s Security Principle.
- 1.3. Information management and the associated security of information for the Company is made up of a combination of:-
- 1.3.1. Information systems used for handling data, information and knowledge.
- 1.3.2. Information technology, which supports our information systems and is represented by the variety of hardware and software available to the Company.
- 1.3.3. Business systems, being the operational processes and procedures for the conduct of our business, which require the support of information technology and are inevitably involved in the development of our information systems.
- 1.3.4. Information assets, being the information, personal data and knowledge that the business collects in the course of its activities, whether about our customers, the business, our employees or other third parties with which we deal.
- 1.4. This policy sets out our approach to the identification, monitoring and safeguarding of the areas identified at 1.3. The policy applies to all Company personnel who process Personal Data on the Company’s behalf, whether that data relates to its employees, staff, customers, clients or third parties.
2. The Company’s Approach to Data Protection and Information Security
- 2.1. The Company ensures that we are compliant with data protection legislation, including the GDPR, by undertaking a data mapping process that records what personal data we hold and who has access to that personal data. The data mapping process will be reviewed and prepared on a quarterly basis to take account of the continued development of our information systems and information technology.
- 2.2. We have developed, implemented and maintained safeguards appropriate to our size, scope and business, our available resources, the amount of personal data that we own or maintain on behalf of others, and the risks identified. These systems will be monitored and improved on a continual basis.
- 2.3. The Company has a number of practices in place to ensure that we remain compliant with the Security Principle, with a view to ensuring the integrity, confidentiality and availability of our information management systems and services.
- 2.4. The person with overall responsibility for this Information Security Policy is Scott Chesworth, Operations Director. This responsibility includes conducting an annual review of the policy to ensure its effectiveness and answering any questions about the Company’s position on information security.
3. The Purpose
- 3.1. This policy should be read alongside our Privacy Standard and Data Retention Policies. The Company’s Data Protection Leads are Sandy Noble and Scott Chesworth; they have overall responsibility for ensuring that all company personnel are aware of their obligations under data protection law and for ensuring compliance with the principles of the GDPR.
- 3.2. The purpose of our policy is to prevent mismanagement of our information systems and procedures wherever possible, in order to avoid or at least mitigate the following (this list is not exhaustive):
- 3.2.1. proceedings under the General Data Protection Regulation
- 3.2.2. the inability to provide services
- 3.2.3. reputational and/or financial damage
- 3.2.4. negligence claims
- 3.2.5. breaches of confidentiality
- 3.2.6. identity fraud
4. Our obligations to ensure the security of information
- 4.1. The Company recognises that, under the GDPR, we need to ensure that the confidentiality, integrity and availability of personal data (including any sensitive data) are maintained.
- 4.2. The Company ensures that personal data can only be accessed, altered, disclosed or deleted by Company personnel whom the Company has authorised to do so.
- 4.3. The Company has measures in place to ensure that the personal data we hold is accurate and complete in relation to the lawful reason for which the Company holds the information in the first place.
- 4.4. The Company ensures that personal data remains accessible and usable and has appropriate measures in place to recover data should it be lost, altered or destroyed in order to prevent any damage or distress to the individual(s) concerned.
- 4.5. In order to meet these obligations the Company has in place organisational and technical measures. Such measures will be reviewed in line with our data mapping and risk assessment process as set out in this policy.
5. Organisational Measures
- 5.1. The Company has undertaken, and will continue to undertake, the following measures to ensure that we comply with our obligations under the GDPR and in particular the security principle of the GDPR:-
- 5.1.1. Regular data mapping and risk assessments of all types of personal data we obtain, hold or record in line with our Privacy Standard;
- 5.1.2. Nominate an individual (as set out in this policy) who will have overall responsibility for information security;
- 5.1.3. Provide training to all members of staff on data protection and the procedures they must follow in line with Company procedure (including the correct use of our Information Technology and Computer Systems);
- 5.1.4. Annual reviews of this Information Security Policy to ensure that it is compliant and the Company’s measures are maintained;
- 5.1.5. Personal data collated and stored (in line with our Privacy Standard and Data Retention Policies) will be backed up on a weekly or nightly basis (depending upon the type of personal data) to ensure that it can be easily recovered in the event of a security breach or incident resulting in data being lost, altered or destroyed;
- 5.1.6. Data Retention Policies set out how long personal data will be stored and when it will be erased, in line with data protection principles, to ensure that data is not kept for longer than is justified by the lawful reason for processing identified in our Privacy Notices;
- 5.1.7. Any third party who acts as a data processor on behalf of the Company (as data controller) will be audited and appropriate terms in compliance with the GDPR will be agreed in writing;
- 5.1.8. A procedure for changing personal details is available and all staff are aware of the Company’s process.
- 5.2. This list is not exhaustive and will be continually reviewed as part of the review of this policy.
6. Technical Measures
- 6.1. The Company has undertaken, and will continue to undertake, the following measures to ensure that we comply with our obligations under the GDPR and in particular the security principle of the GDPR:-
- 6.1.1. All hard copy personal data is kept in lockable storage devices (access is limited to personnel who have the authority to access such personal data);
- 6.1.2. Storage of electronic personal data is protected with approved security measures such as Echo Sign, password-protected documents, etc.;
- 6.1.3. The Company uses reputable companies (such as Node4, Amazon Web Services and Salesforce), and ensures that they are compliant with data protection regulation, to store and back up personal data and to assist with the recovery of data following any incident;
- 6.1.4. The Company uses CCTV on site (please see the company’s CCTV policy);
- 6.1.5. The Company has measures in place to ensure that its cyber security is monitored and compliant with the guidelines in place; this includes the use of Amazon Web Services and Sophos (an anti-virus system);
- 6.1.6. The Company’s website is hosted by a company that is compliant with, and registered under, ISO 27001;
- 6.1.7. All data is wiped from all electronic devices (including computers, phones, tracking devices, etc.) by a third party (currently P2). The Company ensures that the nominated third party is compliant with the GDPR;
- 6.1.8. Paper waste is disposed of on site using shredding machines, and we operate a clear desk procedure, meaning that all notes must be shredded on a daily basis;
- 6.1.9. Any visitors to the Company premises are required to sign in, and a nominated manager will be responsible for the visitor for the duration of their attendance on site;
- 6.1.10. All IT and electronic equipment is stored securely on site. Should any Company personnel remove electronic equipment from Company premises they must seek managerial approval and comply with Company procedure;
- 6.1.11. The Company has undertaken, and will undertake, any relevant DPIAs (see below) on new systems that could be rolled out for the processing of vehicle tracking data, or on other changes to our systems, to ensure that there is a process in place should the Company decide to implement a major change to our systems.
- 6.2. The Company performs regular tests of the measures in place to assess and evaluate the effectiveness of our procedures and systems. All testing is recorded and will form part of the ongoing data mapping and risk assessment processes.
7. Data Mapping and Risk Assessments
- 7.1. The Company carries out, on a quarterly basis, a data mapping and risk assessment of the principal information and personal data we process and hold. The data mapping process is recorded and maintained to show the main categories of information we hold in relation to our customers, the business and our members of staff. The process also records what security measures are taken to protect the personal data we process, use and maintain, together with any risks identified.
- 7.2. In general terms the types of documents to be held in our information systems (either electronic or hard copy) are:-
- 7.2.1. Customer documents (Vehicle tracking reports, contact details, order forms, contracts, purchase history etc)
- 7.2.2. Staff documents (contracts of employment, personnel records etc)
- 7.2.3. Business documents (examples – leases, company documents etc)
- 7.2.4. Others (third party agreements)
- 7.3. The safe disposal of any information and personal data collated as part of the data mapping process will be in line with this policy and the Company’s Data Retention Policy.
8. Training and Awareness
- 8.1. Staff should at all times do their best to ensure the accuracy, relevance and sufficiency of any information they use, process or maintain in accordance with the processes and procedures relevant to their role. They will, at all times, seek to maintain the confidentiality and security of the Company’s information and personal data.
- 8.2. The Company provides regular training to all staff on all relevant aspects of data protection, information management and information technology as appropriate.
- 8.3. New members of staff joining the Company who have access to personal data will be introduced to this Information Security Policy and the other relevant data protection policies referred to therein as part of their induction.
- 8.4. Should a member of staff of the Company move from one area of the business to another then they will receive training in the relevant procedures on information security relevant to their new role.
- 8.5. The Company will monitor the review of its information systems, information technology and information security measures as set out in this policy and will ensure that all members of staff are kept updated.
9. Data Privacy Impact Assessments (DPIAs)
- 9.1. The Company, as a Data Controller, must conduct a DPIA where a specific type of processing is likely to result in a high risk to individuals’ interests.
- 9.2. Company personnel should conduct a DPIA (and discuss their findings with the Data Protection Manager) when implementing major system or business change programmes involving the processing of personal data, including the following:
- 9.2.1. use of new technologies (programs, systems or processes), or changing technologies (programs, systems or processes);
- 9.2.2. automated processing including profiling and/or automated decision-making;
- 9.2.3. large scale processing of sensitive data; and
- 9.2.4. large scale, systematic monitoring of a publicly accessible area.
- 9.3. A DPIA must include:
- 9.3.1. a description of the processing, its purposes and the Data Controller’s legitimate interests if appropriate;
- 9.3.2. an assessment of the necessity and proportionality of the processing in relation to its purpose;
- 9.3.3. an assessment of the risk to individuals; and
- 9.3.4. the risk mitigation measures in place and demonstration of compliance.
10. Key Areas of Information Security
- 10.1. The Company is increasingly reliant on information and communication technology for the preparation and delivery of its services to our customers. This position increases the significance of effective computer management systems within the Company.
- 10.2. The Company has in place strict rules and procedures on the use of:-
- 10.2.1. Internet access and use
- 10.2.2. Email communication protocols
- 10.2.3. Social media access and use (both personal and business use)
- 10.2.4. Telephone and mobile use
- 10.2.5. Laptop use
- 10.3. The Company, as part of our data mapping and risk assessment process, keeps under review our information and communication technology policies and procedures. The person with responsibility for this task is Scott Chesworth, Operations Director. Where necessary, all members of staff will receive training on the Company’s policies and procedures in terms of information and communication technology.
11. System Risk Management
- 11.1. Management of our information systems is the responsibility of Scott Chesworth, Operations Director.
- 11.2. The Company has identified the following critical risks to our systems:-
- 11.2.1. Fire
- 11.2.2. Computer virus attack
- 11.2.3. Theft
- 11.2.4. Incompetence
- 11.2.5. Malice
- 11.3. The Company has in place the following procedures, processes and technology to eliminate, minimise or transfer the critical risks identified above:-
- 11.3.1. Virus protection system
- 11.3.2. Management of system configurations
- 11.3.3. Regular system backups
- 11.3.4. Use of a router firewall on its internet connection
- 11.3.5. User password procedures
- 11.3.6. Management of user accounts including restrictions of access and removal of users where access is no longer required
- 11.3.7. Continual training on IT systems
- 11.3.8. Restrictions on computer systems to prevent data being added or removed.
12. Data Processors
- 12.1. The Company has identified and uses third parties to process personal data on our behalf (as per our privacy policies and notices). The Company recognises that, as the data controller, we are responsible for ensuring compliance with the GDPR. This includes what our data processors do with the personal data.
- 12.2. We ensure, as part of our organisational and technical measures, that all data processors comply with the GDPR principles and provide the Company with appropriate written agreements confirming their compliance.
- 12.3. All data processors will have to comply with the same security measures that we enforce and expect as specified under this policy.
- 12.4. Our data mapping and risk assessment process includes an audit of the data processors used.
13. Data Protection Breaches
- 13.1. The Company recognises that at times, despite all efforts made to prevent breaches of data security in line with this policy, there could be a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, personal data.
- 13.2. Data protection breaches could happen for a number of reasons, including human error, cyber-attacks, loss or theft of devices or equipment, deceit, disasters at Company premises, or inadequate or inappropriate access controls.
- 13.3. Should a data protection breach occur, it must be reported to Sandy Noble or Scott Chesworth (Data Protection Leads) immediately upon discovery. A report of a potential breach should be made by logging a GDPR case on Salesforce. Should any member of staff be unsure whether a potential incident or situation would amount to a data protection breach, they should speak with their direct line manager in the first instance.
- 13.4. The Data Protection Leads (Sandy Noble or Scott Chesworth) will then take appropriate steps to recover lost data, limit the damage of the breach and investigate the breach. Should a breach amount to a risk to the rights and freedoms of the individual(s) concerned, the breach will be reported to the Information Commissioner’s Office (“ICO”) in line with the reporting guidelines in place at the relevant time, without delay and no later than 72 hours after notification of the breach.
- 13.5. The Data Protection Leads (Sandy Noble or Scott Chesworth) will, where appropriate, inform the individual(s) affected by the data protection breach in line with current guidelines and requirements.
- 13.6. All data protection breaches must be recorded in the Company’s central breach register.
- 13.7. If the breach is found to be part of a wider systematic issue, the Data Protection Leads (Sandy Noble or Scott Chesworth) will ensure that practices are revised and communicated to all relevant parties.