ELECTRONIC DATA & CYBER SECURITY POLICY

1. POLICY STATEMENT

This Policy sets out the organisation’s commitment to protecting its information systems, personal data, confidential information, and business operations.

Cybersecurity and data protection are shared responsibilities across the organisation and are essential to maintaining trust, legal compliance and operational resilience.

This Policy applies to employees, directors, contractors, consultants, temporary staff and suppliers with system access.

Failure to comply may result in disciplinary action or termination of contractual arrangements.

2. LEGAL & REGULATORY FRAMEWORK

This Policy aligns with the following legislation and guidance:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Computer Misuse Act 1990
  • Network and Information Systems Regulations 2018 (where applicable)
  • ICO Guidance and applicable sector regulations

The organisation may act as a Data Controller and/or Data Processor as defined under UK GDPR.

3. PURPOSE OF THIS POLICY

  • Protect personal data and confidential information
  • Ensure system integrity and availability
  • Reduce cyber risk exposure
  • Define staff responsibilities
  • Ensure compliance with UK data protection laws
  • Establish a structured incident response framework

4. DEFINITIONS

Personal Data: Information relating to an identified or identifiable natural person.

Special Category Data: Personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, or data concerning sex life or sexual orientation.

Criminal Offence Data: Personal data relating to criminal convictions and offences.

Processing: Any operation performed on personal data including collection, storage, use, disclosure or destruction.

Personal Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

5. GOVERNANCE & ACCOUNTABILITY

  • Assignment of data protection responsibility at senior management level
  • Maintenance of Records of Processing Activities (ROPA)
  • Risk-based security measures
  • Documented breach response procedures
  • Staff training and awareness programmes
  • Annual policy review

Where required under Article 37 UK GDPR, a Data Protection Officer (DPO) shall be appointed.

6. DATA PROTECTION PRINCIPLES

  • Lawfulness, fairness and transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Storage limitation
  • Integrity and confidentiality (security)

7. CYBERSECURITY RISK MANAGEMENT

The organisation shall maintain a Cybersecurity Risk Register identifying vulnerabilities, threats, third-party risks and human-factor risks.

Risks shall be assessed based on likelihood and impact, with high risks escalated to senior management.

8. TECHNICAL & ORGANISATIONAL SECURITY MEASURES

  • Role-based access control and least privilege
  • Multi-factor authentication
  • Strong password standards
  • Antivirus and endpoint protection
  • Encryption of personal data where appropriate
  • Secure backups and restoration testing
  • Network security controls including firewalls and secure remote access

9. DATA PROTECTION BY DESIGN AND DEFAULT

All new systems and projects must incorporate privacy risk assessments.

Where processing is likely to result in high risk to individuals, a Data Protection Impact Assessment (DPIA) must be conducted.

10. PERSONAL DATA BREACH MANAGEMENT

All suspected breaches must be reported immediately to the Data Protection Lead or DPO.

The organisation will assess risk to individuals' rights and freedoms.

Where required, the ICO will be notified within 72 hours.

Affected individuals will be notified where there is a high risk to them.

All breaches must be documented in a breach register.

11. STAFF RESPONSIBILITIES

  • Comply with this Policy
  • Maintain confidentiality of personal and business data
  • Use secure passwords and multi-factor authentication
  • Install security updates promptly
  • Report phishing attempts or suspicious activity immediately

12. THIRD-PARTY PROCESSORS

Third parties processing personal data must have a written UK GDPR-compliant contract in place.

Due diligence and security assurances must be obtained prior to engagement.

13. INTERNATIONAL DATA TRANSFERS

Personal data may only be transferred outside the UK where adequate safeguards exist, including adequacy regulations or approved transfer mechanisms such as the UK IDTA or UK Addendum.

14. DATA SUBJECT RIGHTS

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to object
  • Right to data portability
  • Rights relating to automated decision-making

Requests must be responded to within one month.

15. MONITORING & REVIEW

This Policy shall be reviewed annually or following significant legislative or operational changes.

 

 

TOP