Information Security Policy
We all hold personal data about our employees, clients, suppliers and other individuals for a variety of business purposes. An information security system within the company is aimed at protecting employees, partners and customers of the company from illegal or damaging actions by individuals, either directly or implied, knowingly or unknowingly, when processing information and data which come at their disposal, as well as using certain equipment for the fulfilment of their work duties.
This policy sets out how we seek to protect personal data and ensure that staff understand the rules governing their use of personal data to which they have access to in the course of their work.
The policy shall apply to the processing of information within any systems or held on any media involved in the data/information processing within the company, irrespective of whether data/information processing is related to internal business operations of the company or to external relations of the company with any third parties.
This policy applies to all staff. We may supplement or amend this policy with additional policies and guidelines from time to time.
Our Data Controller has overall responsibility for the day-to-day implementation of this policy.
More details can be found in the following documents:
Data Retention and Erasure Policy
Information Classification Policy
Purposes Of Personal Data
The purposes for which personal data may be used by us includes, but is not limited to
- Payroll and business development purposes
Business purposes include the following
- Compliance with our legal, regulatory and corporate governance obligations and good practice
- Ensuring business policies are adhered to (such as policies covering email and internet use)
- Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, security vetting, credit scoring and checking
- Investigating complaints
- Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration and assessments
- Monitoring staff conduct
- Marketing our business
- Improving services
Information relating to identifiable individuals, such as
- job applicants
- current and former employees
- contractors and other staff
- marketing contacts
Sensitive Personal Data
Personal data we gather may include: individuals’ contact details, educational background, financial and payment information, details of certificates and diplomas, education and skills, marital status, nationality, job title and CV.
We may also hold personal data about an individual’s racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership (or non-membership), physical or mental health condition, criminal offences or related proceedings. Any use of sensitive personal data should be strictly controlled in accordance with this policy.
We must process personal data fairly and lawfully in accordance with individuals’ rights. This generally means that we should not process personal data unless the individual whose details we are processing has consented to this happening.
In most cases where we process sensitive personal data, we will require the data subject’s explicit consent to do this unless exceptional circumstances apply or we are required to do this by law (e.g. to comply with legal obligations to ensure Health And Safety at Work). Any such consent will need to clearly identify what the relevant data is, why it is being processed and to whom it will be disclosed.
We will ensure that any personal data we process is accurate, adequate, relevant but not excessive, given the purpose for which it was obtained. We will not process personal data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.
Roles and Responsibilities
Data security is key to everything we do and is everyone’s responsibility. In particular:
Data Controller responsibilities
- Staying updated on data protection responsibilities, risks and issues
- Reviewing all data protection procedures and policies on a regular basis
- Arranging data protection training and advice for all staff members and those included in this policy
- Answering questions on data protection from staff, board members and other stakeholders
- Responding to individuals such as clients and employees who wish to know which data is being held on them by Martian Marketing
- Checking and approving with third parties that handle the company’s data, any contracts or agreement regarding data processing
Responsibilities of the IT Manager
- Ensuring all systems, services, software and equipment meet acceptable security standards
- Checking and scanning security hardware and software regularly to ensure it is functioning properly
- Researching third-party services (such as cloud services) that the company is considering using to store or process data
Responsibilities of the Marketing Manager
- Approving data protection statements attached to emails and other marketing copy
- Addressing data protection queries from clients, target audiences or media outlets
- Coordinating with the DC/DPO to ensure all marketing initiatives adhere to data protection law and the company’s data protection policy.
Data Security – Personal Responsibilities
It is the responsibility of everyone to keep personal data secure against loss or misuse. Where other organisations process personal data as a service on our behalf, it will be established what, if any, additional specific data security arrangements need to be implemented in contracts with those third party organisations.
All staff will receive training on this policy. New joiners will receive training as part of the induction process. Further training will be provided whenever there is a substantial change in the law or to our policy and procedure. Completion of training is compulsory.
The importance of this policy means that failure to comply with any requirement may lead to disciplinary action under our procedures which may result in dismissal. If you have any questions or concerns about anything in this policy, do not hesitate to contact your the data controller.
- All data and information collected and processed in any form (paper, electronic etc.) shall be subject to the requirements of this policy. Any statutory regulation in respect to collection, processing, protection and retention of data/information and such documents shall be stored in a safe place as designated by the company for a retention period provided for by applicable laws and/or indicated by the company
- Employees are not permitted to keep any confidential information on their devices except information which is temporarily needed for specific, work related activity. Any download of such files to local devices should be avoided or limited only to necessity related with information processing for work purposes
- Internet access and operations performed by employees according to requirements of the applicable laws and regulations may be filtered and monitored by duly authorised IT personnel of or on behalf of the company
- Any mobile, portable devices (including laptops, tablets, smartphones and other handheld computing devices) as well any cloud information storage places should be approved by IT personnel of the Company and secured to prevent unauthorised access
- Only systems and program software licensed and authorised by the company can be installed and used on equipment and tools used within the company. Before downloading or installing any software to devices held and used by employees for the purposes described in this policy permission from the IT personnel shall be obtained
- In cases when employees use home devices for access to corporate resources of the company (e.g. CRM, email, online/cloud databases) the employees shall be obliged to comply with the requirements of this policy; equally as if they were using equipment provided by the company. Accordingly, it shall be prohibited to store any data and information related to the company on the device; any processing of the data shall be permitted only through cloud and online storage places used by the company
- It shall be strictly prohibited to use public access devices at all times (e.g. at internet cafes, libraries etc.). Unless it is critical and urgent work and a direct manager of the employee has provided explicit written consent for such action
- In case access is granted to the employee to a files storage system of a client or cooperation partner of the company; the employee shall be obliged to use the access tools provided by the client or partner and follow provided guidelines on secure information/data processing requirements (including use of encryption systems, passwords, data use limitations, using dedicated locations etc.)
- No information/data referred to in this policy shall be sent, forwarded or otherwise submitted to any third party, unless it is necessary for the accomplishment of work duties of the employee. In the case of forwarding and submission of data to third parties, it shall be ensured that the data is protected and corresponding security measures have been taken
- The company shall audit the systems used in the processing of information/data to control ongoing compliance with this policy and applicable statutory requirements
We will retain personal data for no longer than is necessary. What is necessary will depend on the circumstances of each case, taking into account the reasons why that personal data was obtained, but should be determined in a manner consistent with our data retention guidelines. For more information refer to the data retention and erasure policy document.
Encryption And Anonymisation Policy
Encryption protects information stored on mobile and static devices and in transmission. It is a way of safeguarding against unauthorised or unlawful processing of data. There are a number of different encryption options available.
Anonymisation of personal data should be considered where possible and desirable. Anonymisation ensures the availability of rich data resources, whilst protecting individuals’ personal data.
The company will consider encryption alongside other technical measures, taking into account the benefits and risks that it can offer. Appropriate technical and organisational measures will be taken against unauthorised or unlawful processing of personal data and against accidental loss, destruction or damage to personal data.
Transferring Data Internationally
There are restrictions on international transfers of personal data. You must not transfer personal data anywhere outside the UK without first consulting the Data Controller.
Save for exceptions specifically established; in no case and under no circumstances should any equipment, systems or tools owned by the company, its clients or cooperation partners be used for purposes not related to work duties of the employee or not related to business operation of the company.
The Following Activities Are Prohibited, With No Exceptions
Breach of this policy can lead to disciplinary action and other legal action.
- Violation of the rights of any person or company protected by intellectual property rights, including but not limited to installation, copying, distribution or storage on any Martian Marketing systems or equipment of any illegal software, online platforms, any other electronic contents which are not licensed for use of by Martian Marketing
- Unauthorised copying of materials subject to copyright protection
- Violation of the rights of any person by excessive and unnecessary collection and processing of personal data
- Accessing data, server or an account for the purpose other than conducting business operation of Martian Marketing or performance of work duties of the particular employee
- Exporting of software, technical information, encryption keys or technology in breach of applicable international or national laws and regulations and/or directions of Martian Marketing
- Exporting of any data or information which is of proprietary and/or confidential value to the company, if such exporting is not required in the course of business operation of Martian Marketing or performance of work duties of the employee and/or is in breach of internal regulations of the company, applicable laws or regulations
- Revealing an employee’s account password to others and allowing the use of such account by others (including but not limited to employee’s family members)
- Making fraudulent offers of products, items or services originating from the company account
- Effecting security breaches or disruptions of network communication. Such security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account which the employee is not expressly authorised to access, unless such access rights are granted to the employee due to him/her being involved in a specific project of the company
- Using any program/script/command or sending a message of any kind with intent to interfere with or disable a user session via any means
Reporting Security Incidents
- All information/data processing security incidents or threatened incidents shall be immediately reported to management, which accordingly shall take all measures for prevention of potential damage, elimination of the damage caused and restitution of previous security status
- If applicable, it shall be the obligation of the management to ensure further reporting on data/information security breach to all relevant authorities and individuals involved as provided for by applicable laws and regulations and/or laws of the European Union
We keep this Policy under regular review. This Policy was last updated in April 2018.
End of Policy.