DATA SECURITY AND CONFIDENTIALITY POLICY

Version 1 - 2023

Table of Contents

1. Aims and Objectives

2. Principles

3. Definitions

4. Informed Consent

5. Employee Responsibilities

6. Compliance

7. Data Security

8. Rights to Access Information

9. Publication of The Alternative Studio Limited Information / Social Media

10. Collection and Retention of Data

11. Information Security Audit and Incident Management



1. Aims and Objectives

1.1. This policy outlines how The Alternative Studio Limited (The Alternative) fulfils its duty to safeguard and maintain the confidentiality of personal information. It ensures that information can be shared when necessary without compromising security.

1.2. The Confidentiality Policy sets forth the principles to be followed by all individuals working within The Alternative, including volunteers, with access to personal information.

1.3. The Alternative is committed to preserving the confidentiality of the personal information it handles. Information given or received in confidence for one purpose will not be used for another or shared with a third party without consent, except in special circumstances to prevent harm.

1.4. The Alternative ensures that personal information is obtained, used, and disclosed following the common law duty of confidentiality and the relevant data protection laws.

1.5. The Alternative adheres to current and future legal requirements related to the confidentiality of personal information.


2. Principles

2.1. Personal information, whether in electronic or paper records, is collected and processed fairly and lawfully.

2.2. Personal information is used only for its specified purposes and not in any way incompatible with those purposes.

2.3. Information is adequate, relevant, and not excessive for the intended purposes.

2.4. Information is kept accurate and updated when necessary.

2.5. Information is not retained longer than required for its purposes.

2.6. Information processing respects individuals' rights under data protection laws.

2.7. Information is protected from unauthorised access, unlawful processing, accidental loss, damage, or destruction.


3. Definitions

3.1. 'Confidentiality' applies to information obtained through formal channels, informally, or accidentally. It applies to all individuals or organisations in contact with The Alternative.

3.2. Information classified as 'Confidential' includes personal information and sensitive organizational data.

3.3. Breaches in confidentiality occur when sensitive information is disclosed to unauthorized individuals, often due to inadequate procedures.

3.4. Information security involves preserving confidentiality, integrity, and availability of information, among other properties.

4. Informed Consent

4.1. Information sharing requires the informed consent of individuals, except in exceptional cases, ensuring they understand what information will be shared and why.

4.2. Informed consent should ideally be recorded in writing, defining terms and conditions for information sharing and storage.

4.3. Consent is sought each time confidential information must be shared with an unauthorised person.

4.4. Conversations involving confidential information are conducted with authenticated callers, using security checks when needed.

4.5. Refusal to give consent is respected when possible.


5. Employee Responsibilities

5.1. Staff may only disclose personal information outside the organisation under specific conditions.

5.2. Exceptional circumstances may override the need for consent when there's a legal basis, e.g., court orders or law enforcement.

5.3. When passing on information, staff ensure the recipient understands their confidentiality obligations and share only the information that is necessary.

5.4. When receiving information, staff ensure confidentiality markings are observed and request only the information that is necessary.

5.5. All information shared through social media or external communication must be approved by the Managing Director.

5.6. Sensitive commercial information shared with third parties requires signed non-disclosure agreements.

5.7. Declarations of confidentiality are signed by staff, volunteers, and contractors upon joining The Alternative.

5.8. All employees and volunteers are responsible for keeping their personal data up-to-date and informing The Alternative of any changes.

5.9. Sensitive information is requested only when necessary for service provision, in the best interest of users or staff.


6. Compliance

6.1. The Alternative provides training and guidance on handling, disclosing, and storing personal information and information assets to staff, volunteers, and trustees.

6.2. Managers ensure staff and volunteers are aware of their responsibilities and provide guidance on requests for information that fall outside those responsibilities.

6.3. Failure to follow this policy or related procedures may result in disciplinary action.

6.4. Contracts with contractors and employment agencies include clauses enforcing confidentiality.

6.5. Procedures for employee, contractor, or third-party exits ensure equipment return and access removal.

6.6. Any breach of this policy is treated seriously and may result in formal action.


7. Data Security

7.1. Data security precautions protect against physical loss or damage, unauthorised access, and disclosure.

7.2. Personal data is kept securely, either electronically or in lockable cabinets.

7.3. Documents with individual data must not be left visible.

7.4. Desks are cleared nightly, and electronic documents are closed.

7.5. Access controls are enforced, especially for password use.

7.6. Hardware containing data is stored securely.

7.7. Personal data is not stored on laptops or flash drives unless encrypted.

7.8. Mobile and remote working facilities require adequate protection.

7.9. Off-site equipment undergoes security checks.

7.10. Physical and environmental security prevents unauthorised access, damage, theft, compromise, or interference.


8. Rights to Access Information

8.1. Data is categorised based on sensitivity and usage.

8.2. Individuals have the right to access their information and request corrections.


9. Publication of The Alternative Information / Social Media

9.1. Information already in the public domain is exempt from data protection laws.

9.2. Staff or contractors must not publish or discuss The Alternative information on personal social media without approval.


10. Collection and Retention of Data

10.1. Permission is obtained for personal data collection, and purposes are clearly stated.

10.2. Data is retained only for necessary durations.

10.3. Disposal of unneeded information is done securely.


11. Information Security Audit and Incident Management

11.1. Audits ensure compliance with this policy.

11.2. Incident reporting and escalation procedures are established and communicated to all users, with responsibilities and procedures for handling incidents once reported.