Updated 04 October 2024

Introduction

 This I.T. and Data Security Policy helps us:

• Reduce the risk of I.T. problems
• Plan for problems and deal with them when they happen
• Keep working if something does go wrong
• Protect company, client and employee data
• Keep valuable company information secret
• Meet our legal obligations under the General Data Protection Regulation (UK) and Victorian Privacy and Data Protection Act 2024 (Victoria, Australia)
• Follow our company Data and Privacy Protection Policy
• Meet our professional obligations towards our clients and customers

IT security problems can be expensive and time-consuming to resolve. Prevention is much better than cure.

Responsibilities

 Lyndall Grant  is the director with overall responsibility for I.T. security strategy, as well as day-to-day operational responsibility for implementing this policy.

Review process

We will review this policy YEARLY

In the meantime, if you have any questions, suggestions or feedback, please contact Lyndall Grant, lyndall@captivate-action.com.

Information classification

 We will only classify information which is necessary for the completion of our duties. We will also limit access to personal data to only those that need it for processing. We classify information into different categories so that we can ensure that it is protected properly and that we allocate security resources appropriately:

• Unclassified. This is information that can be made public without any implications for the company, such as information that is already in the public
• Employee confidential. This includes information such as contact details, medical records, pay, account details and so
• Company confidential. Such as contracts, source code, business plans, client contact records, accounts
• Client confidential. This includes personally identifiable information such as name, email, phone number or address; medical history; employment history and professional experience; client business plans; new product information, market sensitive information

We have categorised the information we keep as follows:

Type of information	Classification level
e.g. registration form	e.g. Client confidential

The deliberate or accidental disclosure of any confidential information has the potential to harm the business. This policy is designed to minimise that risk.

We do not protectively mark documents and systems. Therefore, you should assume information is confidential unless you are sure it is not and act accordingly.

Access controls

Internally, we operate on a ‘need to share’ rather than a ‘need to know’ basis with respect to all confidential information. This means that our bias and intention is to share information to help people do their jobs and keep our clients safe.

For client information in particular, we operate in compliance with the GDPR ‘Right to Access’. This is the right of data subjects to obtain confirmation as to whether we are processing their data, where we are processing it and for what purpose. Further, we shall provide, upon request, a copy of their personal data, free of charge in an electronic format.

We also allow data subjects to transmit their own personal data to another controller.

However, in general, to protect confidential information we implement that administrative privileges to company systems  which contain sensitive or confidential information will be restricted to Director Lyndall Grant alone for the proper performance of  duties. I.T. elements such as website design and email set-up are assigned to Lyndall Grant, and to our I.T. support, Kevin Powe.

Selected details of employee confidential and client confidential information supplied to us may be shared with the Tutor/s, Assistant/s and/or Director/s (a “Collaborator”) who will be directly working with that employee or client in the near future.  This information is shared only in cases where it is deemed necessary for the safety, comfort and/or performance ability of the individual in question.  These pieces of information will be restricted to:

• Name.
• Date of Birth.
• Professional experience and training.
• Medical history and supportive teaching techniques requested.

If an individual does not wish any of this information to be shared, they should contact Lyndall Grant: lyndall@captivate-action.com.

Details such as phone number, address and email address will NOT be shared without prior consent of the affected individual.  Under no circumstances are any details shared with a third party.

When people leave a project they will have no access to any further customer information supplied.

Collaborator responsibilities 

It the responsibility of each collaborator  to know and follow these guidelines.

Each collaborator is personally responsible for the secure handling of confidential information that is entrusted to them. They may access, use or share confidential information only to the extent it is authorised and necessary for the proper performance of their duties. Promptly report any theft, loss or unauthorised disclosure of protected information or any breach of this policy to Lyndall Grant.

Protecting your own device(s)

 It is each collaborator’s  responsibility to use their devices (computer, phone, tablet etc.) in a secure way. At a minimum:

• Remove software that you do not use or need from your computer
• Update your operating system and applications regularly
• Keep your computer firewall switched on
• For Windows users, make sure you install anti-malware software (or use the built-in Windows Defender) and keep it up to For Mac users, consider getting anti-malware software.
• Store files in official company storage locations so that it is backed up properly and available in an emergency.
• Switch on whole disk encryption
• Understand the privacy and security settings on your phone and social media accounts
• Have separate user accounts for other people, including other family members, if they use your Ideally, keep your work computer separate from any family or shared computers.
• Don’t use an administrator account on your computer for everyday use
• Make sure your computer and phone logs out automatically after 15 minutes and requires a password to log back

Be alert to other security risks

Each person’s  actions and habits are important. With this in mind:

• Take time to learn about I.T. security and keep yourself Get Safe Online is a good source for general awareness
• Use extreme caution when opening email attachments from unknown senders or unexpected attachments from any sender
• Be on guard against social engineering, such as attempts by outsiders to persuade you to disclose confidential information, including employee, client or company confidential Fraudsters and hackers can be extremely persuasive and manipulative.
• Be wary of fake websites and phishing Don’t click on links in emails or social media. Don’t disclose passwords and other confidential information unless you are sure you are on a legitimate website.
• Use social media, including personal blogs, in a professional and responsible way, without violating company policies or disclosing confidential
• Take particular care of your computer and mobile devices when you are away from home or out of the
• If you leave the company, you will return any company property, transfer any company work-related files back to the company and delete all confidential information from your systems as soon as is practicable.
• Where confidential information is stored on paper, it should be kept in a secure place where unauthorised people cannot see it and shredded when no longer

The following things (among others) are, in general, prohibited while carrying out your duties for the company and may result in disciplinary action:

• Anything that contradicts our Safe Space Policy and/or Student Terms and Conditions.
• Disclosure of confidential information at any time.

Disaster recovery and continuity

Under the GDPR, where a data breach is likely to result in a ‘risk for the rights and freedoms of individuals’ we must notify the customers and data controllers ‘without undue delay’. We will ensure we inform them within 72 hours.

Any potential interruptions to our business are to be reported to Lyndall Grant immediately, including in cases of:

• Severe transport disruption
• Unable to access locations because of flood, fire, civil disorder, terrorist incident
• Loss of internet and/or phone connection
• Loss or theft of items containing confidential information

Any IT security issues are addressed directly to Lyndall Grant, which are then forwarded on to our IT support, Kevin Powe.  This includes:

• Malware infection detected by scanners
• Ransomware
• System failure
• Attempted social engineering
• Data loss or theft