Orangebox Training is committed to a policy of protecting the rights and privacy of individuals (includes learners, staff and other stakeholders) in accordance the General Data Protection Regulations (GDPR).
Orangebox Training needs to process certain information about its staff, learners and other individuals it has dealings with for administrative purposes (e.g. to recruit and pay staff, to administer programmes of learning, to record progress, to agree awards, to collect fees, and to comply with legal obligations to funding bodies and government). To comply with the law, information about individuals must be collected and used fairly, stored safely and securely and not disclosed to any third party unlawfully.
This policy applies to all staff and learners of Orangebox Training. Any breach of the Data Protection Act 2018 (GDPR) is considered to be an offence and in that event, Orangebox Training disciplinary procedures will apply. As a matter of good practice, other agencies and individuals working with Orangebox Training, and who have access to personal information, will be expected to have read and comply with this policy. It is expected that departments/sections who deal with external agencies will take responsibility for ensuring that such agencies sign a contract agreeing to abide by this policy.
The purpose of this policy is to identify, assess, and appropriately mitigate vulnerabilities and threats to Orangebox Training which through the loss, corruption of or unauthorised access to critical information could adversely impact the critical business assets of the organisation. This includes ensuring business continuity and minimising business damage by preventing, detecting and responding to information security incidents and managing information security risks.
Orangebox Training Information Security Policy ensures that:
- Confidentiality of Orangebox Training information assets is maintained
- Integrity and authenticity of information is maintained
- Availability and usability of information is maintained
- Information is protected against unauthorised access
- Authentication is appropriately applied to validate user identities
- Contractual, Regulatory and Legislative Information Security requirements are met
- Business Continuity and risk management plans are produced, maintained and tested
- Change management is applied to maintain security
- Information security awareness training is available to all staff
- All security breaches, actual or suspected, are reported and investigated and action taken to improve procedures where required
- Information Security Policies, Procedures and Guidelines are documented and implemented to support this policy
- All information assets will be subject to formal risk assessment and treatment
- The Security Policy and the supporting policy documents are reviewed at least annually by the Data Controller and the Senior Management Team.
Data Protection Act 2018
The Data Protection Act 2018 enhances and broadens the scope of the Data.
The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulations (GDPR).
The Data Protection Act 2018 controls how your personal information is used by organisations, businesses or the government.
There are separate safeguards for personal data relating to criminal convictions and offences.
S identified as data relating to a living individual who can be identified from that information or from that data and other information in possession of the data controller. It includes the name, address, telephone number, ID number. It also includes the expression of opinion about the individual, and of the intentions of the data controller in respect of that individual.
Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.
There is stronger legal protection for more sensitive information, such as:
- ethnic background
- political opinions
- religious beliefs
- trade union membership
- biometrics (where used for identification)
- sex life or orientation.
Any person (or organisation) who makes decisions with regard to particular personal data, including decisions regarding the purposes for which personal data are processed and the way in which the personal data are processed.
Any living individual who is the subject of personal data held by an organisation.
Any operation related to organisation, retrieval, disclosure and deletion of data including:
- Obtaining and recording data
- Accessing, altering, adding to, merging, deleting data
- Retrieval, consultation or use of data
- Disclosure or otherwise making available of data.
Any individual/organisation other than the data subject, the data controller or its agents.
Relevant Filing System
This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
Please note that this is the definition of ‘Relevant Filing System’ in the Act. Personal data as defined, and covered, by the Act can be held in any format, electronic (including websites and emails), paper-based, photographic etc. from which the individual’s information can be readily extracted.
Responsibilities under the Data Protection Act 2018 (GDPR)
System owners are responsible for submitting system change requests to the ICT support organisation using the change request form.
The following changes are considered routine or insignificant and are therefore not subject to this policy:
- Anti-virus updates
- Routine vendor issued patches to Windows operating systems and system software
- Vendor issued application patches.
All change requests will be subject to review by the ICT support company and the Data Controller to ensure the proposal remains in line with company policy. The Data Controller will consider the impacts upon Information Security and Business Continuity when undertaking the review.
Subject to a satisfactory review request will be formally authorised. Changes which are not authorised will not be made.
All changes will be subject to rigorous testing prior to deployment and will include suitable back out plans.
Emergency changes can be deployed without going through the associated Change Control Procedure however such emergency changes must be authorised by the Board and the Data Controller.
Emergency changes must be fully documented following the change with a clear explanation for the change and the reasoning as to why such a change was required in an emergency.
In all circumstances, only the asset owner can authorise the transfer of their system from the test environment to the operational (live) environment.
All staff are responsible for ensuring that any personal data (on others) which they hold is kept securely and that they are not disclosed to any unauthorised third party. All personal data should be accessible only to those who need to use it. You should form judgement based upon the sensitivity and value of the information in question, but always consider keeping personal data:
Stored on Orangebox Trainings SharePoint or OneDrive cloud storage and data files password protected.
- In a lockable room with controlled access, or
- In a locked drawer or filing cabinet, or
- If computerised, password protected, or
- Kept on disks which are themselves kept securely.
Care should be taken to ensure that PCs and terminals are not visible except to authorised staff and that computer passwords are kept confidential. PC screens should not be left unattended without password protected screensavers and manual records should not be left where they can be accessed by unauthorised personnel.
Care must be taken to ensure that appropriate security measures are in place for the deletion or disposal of personal data. Manual records should be shredded or disposed of as “confidential waste”.
Hard drives of redundant PCs should be wiped clean before disposal.
This policy also applies to staff and learners who process personal data “off-site”. Offsite processing presents a potentially greater risk of loss, theft or damage to personal data. Staff and learners should take particular care when processing personal data at home or in other locations outside Orangebox Training.
Rights of Access to Data
To ensure that access to all Orangebox Training Information Systems is controlled with access being granted only to those who have a need to access specific information/systems. A failure to control access could allow unauthorised individuals or groups access to confidential information.
The company controls access to information on the basis of statutory, contractual, business and security requirements.
Access control rules and rights to applications, expressed in standard user profiles, for each user or group of users will be clearly stated, together with the business requirements met by the controls.
The security requirements of each business application are determined by a risk assessment that identifies all information related to the application and the risks to that information.
The access rights to each application will take into account:
- The classification levels of information processed within that application and ensure that there is consistency between the classification levels and access control requirements across the systems
- Data protection and privacy legislation and supplier contractual commitments regarding access to data or services
- The ‘need to know’ principle (i.e. access is granted at the minimum level necessary for the role)
- “Everything is generally forbidden unless expressly permitted”
- Rules that must always be enforced and those that are only guidelines,
- Prohibit, by restricting access to admin functionality, user-initiated changes to information labels
- Prohibit unauthorised changes to user permissions
- Enforcing, using up policies and application functionality, rules that require specific permission before enactment
Any privileges that users actually need to perform their roles, subject to it.
The company has standard user access profiles for specific system and organisational roles in the business which share common resource requirements.
Management of access rights across the network is managed by the external IT support organisation.
User access requests, authorisation and administration will be segregated.
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of the entire Orangebox Training network. Consequently, all employees (including contractors and vendors with access to Orangebox Training Systems) are to comply with Orangebox Training password procedures, as outlined in the following paragraphs, when selecting and securing passwords.
Orangebox Training Company password procedures is as follows:
- Passwords are to be at least 8 characters in length
- Passwords are to include upper and lowercase letters, numbers and special/punctuation characters (using at least 3 of the 4-character types listed)
- Passwords must be changed when prompted, or immediately where compromise is suspected
- Passwords issued to new users and other temporary/reset passwords provided by Orangebox Training Data Controller or ICT support organisation must be changed immediately after first use/logon
- Passwords must not be re-used/recycled
- Group passwords are not to be used
- User accounts will be locked out after 5 failed logon attempts
- The IT support organization will ensure that pre-set Vendor/Default passwords are changed prior to systems/assets being taken into use
- All network/system level passwords (including switches, firewalls, servers etc) are to be changed on termination/departure or change of IT support organisation.
Passwords must not be:
- shared with others*
- written down or stored on-line
- based on personal information, names of family
- a dictionary word (any language), slang, dialect, jargon etc.
*Not sharing passwords with others includes IT support staff, line managers or others claiming they need to know it for Company/technical/official purposes. If pressed refer demander to this policy.
This password procedure is to be applied to all Orangebox Training systems except where individual bespoke applications/systems are incompatible
Although Company policy requires a minimum of only 8 characters, the use of longer passwords is encouraged where systems permit; the longer the password, the more secure it is likely to be.
A suggestion is to take all or part of a sentence, saying, phrase etc and abbreviate it e.g.:
- IhwaIf2y (I have worked at Intartic for two years)
- Bitsumro6t9 (Back in the summer of sixty-nine) ? mt4ceBwu (May the force be with you).
Users are strongly encouraged to make use of such passwords as they can be easy to remember and virtually impossible to guess.
Passwords are considered to be weak if:
- The password is a word found in a dictionary
- The password is a common usage word such as: Names of family, pets, friends, co-workers, fantasy characters, etc. Computer terms, names, commands, sites, hardware, software. Personal information such as birthdays, addresses, phone number Word or number patterns
- Any of the above spelled backwards. Any of the above preceded or followed by a digit (e.g. secret1, 1secret).
Improper use of passwords is to be reported immediately to the Data Controller and senior management.
Subject Access Request
Members of Orangebox Training have the right to access any personal data which is held by Orangebox Training in electronic format and manual records which form part of a relevant filing system.
This includes the right to inspect confidential personal references received by Orangebox Training about that person.
Any individual who wishes to exercise this right should apply in writing to the Data Controller. Orangebox Training will not charge for complying with a subject access request but reserves the right to charge a fee for data subject access requests that are manifestly unfounded or excessive (currently £10). Any such request will normally be complied with within 1 month of receipt of the written request and, where appropriate, the fee. For information on responding to subject access requests see Appendix A of this policy.
In order to respond efficiently to subject access requests, Orangebox Training needs to have in place appropriate records management practices. See Appendices for further information on records management.
Disclosure of Data
Orangebox Training must ensure that personal data is not disclosed to unauthorised third parties which includes family members, friends, government bodies, and in certain circumstances, the Police. All staff and learners should exercise caution when asked to disclose personal data held on another individual to a third party. For instance, it would usually be deemed appropriate to disclose a colleague’s work contact details in response to an enquiry regarding a particular function for which they are responsible. However, it would not be appropriate to disclose a colleague’s work details to someone who wished to contact them regarding a nonwork-related matter. The important thing to bear in mind is whether or not disclosure of the information is relevant to, and necessary for, the conduct of business. Best practice, however, would be to take the contact details of the person making the enquiry and pass them onto the member of Orangebox Training concerned.
This policy determines that personal data may be legitimately disclosed where one of the following conditions apply:
- the individual has given their consent (e.g. a learner/member of staff has consented to Orangebox Training corresponding with a named third party)
- where the disclosure is in the legitimate interests of the institution (e.g. disclosure to staff – personal information can be disclosed to other employees if it is clear that those members of staff require the information to enable them to perform their jobs)
- where the institution is legally obliged to disclose the data (e.g. HESA and HESES returns, ethnic minority and disability monitoring)
- Where disclosure of data is required for the performance of a contract as long as such contract adheres to the current Data Protection Act.
When members of staff receive enquiries as to whether a named individual is a member of Orangebox Training, the enquirer should be asked why the information is required. If consent for disclosure has not been given and the reason is not one detailed above (i.e. consent not required), the member of staff should decline to comment. Even confirming whether or not an individual is a member of Orangebox Training may constitute an unauthorised disclosure.
Unless consent has been obtained from the data subject, information should not be disclosed over the telephone. Instead, the enquirer should be asked to provide documentary evidence to support their request. Ideally a statement from the data subject consenting to disclosure to the third party should accompany the request.
As an alternative to disclosing personal data, Orangebox Training may offer to do one of the following:
- Pass a message to the data subject asking them to contact the enquirer
- Accept a sealed envelope/incoming email message and attempt to forward it to the data subject.
Please remember to inform the enquirer that such action will be taken conditionally: i.e. “if the person is a member of Orangebox Training to avoid confirming their membership of, their presence in or their absence from, the organisation.
Retention and Disposal of Data
Records are defined as all those documents, which facilitate the business carried out by the company (to provide services to customers and learners) and which are thereafter retained (for a set period) or are used in the day to day running of the company. These records may be created, received or maintained in hard copy or electronic format.
This applies to all records created, received or maintained by staff of the company in the course of carrying out their daily duties.
Records management is defined as a field of management responsible for the efficient and systematic control of the creation, receipt, maintenance, use and disposition of records, including processes for capturing and maintaining evidence of, and information about, business activities and transactions.
The company has a corporate responsibility to maintain its records and recordkeeping systems in accordance with the regulatory environment. The role with overall responsibility for this policy is the MD.
The Data Controller is responsible for drawing up guidance for good records management practice and promoting compliance with this policy in such a way as to ensure the easy, appropriate and timely retrieval of information.
Individual employees must ensure that records for which they are responsible are accurate, and are maintained and disposed of in accordance with the company’s records management guidelines.
The destruction of records will only take place when authorised by the Audit and