Data integrity policy
Roles and responsibilities
- The role of Data Controller is held by Hastings Area Business Crime Reduction Partnership CIC
- The identified Data Processors providing services to the Data Controller are Littoralis (DISC), Microsoft (Office 365), Knack (Knack.com database tool), Adobe (Adobe Acrobat), Love Hastings Ltd. (day-to-day management of data on behalf of HABCRP CIC).
- The Directors of HABCRP CIC have oversight and responsibility for all data management within the direct control of the company.
- Individual member businesses who are part of the data sharing agreement are responsible for the management of data that they and their staff have access to and that has been made available as part of the terms of membership.
Data collection, processing, sharing, and retention
- All data is collected, processed and shared in line with published privacy statements which will be reviewed annually.
- Minimal paper records shall be kept, with all offender data transferred to and stored on secure on-line systems.
- All redundant paper files will be securely disposed of using a suitable approved contractor.
- Any physical records will be kept locked in secure cupboards within the scheme office which shall in turn always be locked when unoccupied.
- All visitors will be accompanied by an authorised person and a record shall be kept of any such visit.
- Data will be saved on secure cloud-based systems rather than on individual hard drives or computers.
- Any computers or mobile devices used to access scheme data will be password protected and securely stored.
- Computers used to access cloud-based data or to receive e-mails relating to offenders' or members' data will be regularly audited to remove any sensitive personal data or image files that may have been downloaded locally.
- All computers will have suitable virus checking software installed and regularly updated.
- Where staff work remotely they will only access scheme data on a computer or mobile device exclusively provided and authorised for this purpose.
- Physical files will not be taken off site but will be scanned and only accessed via a secure cloud service.
- Care must always be taken to ensure e-mails are only sent to the intended recipient.
- BCC rather than CC shall be used when sending group e-mails to recipients who are not permitted to know the addresses of others on the group.
- Sensitive data will only be e-mailed to recipients whose security arrangements are known and trusted.
- Spam filters will be activated and any suspicious e-mails will be deleted without opening.
Member access to data
- Individuals will only be given access to scheme data if they have been authorised by the company or organisation they represent or work for.
- All individuals accessing scheme data must sign to agree to adhere to scheme data protocols.
- Each individual accessing scheme data must do so via a unique login so their activity can be tracked.
- Regular checks will be carried out (at a minimum annually) to ensure individuals still have authority to access scheme data.
- All individuals will be automatically forced to reconfirm their compliance with the scheme every six months.
- The scheme co-ordinator will provide guidance to member organisations on relevant training that should be issued to individuals with access to scheme data.
- Annual audits of member organisations will check to ensure this training has been delivered.
- All incidents shall be reported via the secure DISC system.
- All data subjects shall be contacted as soon as address details are available to inform them that their data is being stored in line with the published privacy statement.