Purpose
There are many occasions when information is transferred between departments, to third-party service providers, to other public bodies, commercial organisations and individuals. This is done using a wide variety of media and methods, in electronic and paper format.
In every transfer, there is a risk that the information may be lost, misappropriated or accidentally released. WeThrive has a duty of care in handling information.
Scope
The scope of this policy covers any type of information (e.g., Word documents, PDF reports and Excel spreadsheets) in any format and on any medium.
This policy applies to all employees and any third-party that processes any WeThrive information.
Exclusions
This policy does not cover the transfer of information over the internal network, which has its own automated security controls. It does not cover proprietary secure transfer mechanisms such as BACS financial transfers that have their own separately implemented security requirements.
Roles and Responsibilities
Proper definitions of roles and responsibilities are essential to ensure compliance with this Policy. In summary these are:
The Sender
The Sender is responsible for ensuring the following requirements of this Policy are met.
Assessing the information to be sent, in line with the Risk Assessment section of this policy.
Ensuring that the identity and authorisation of the recipient has been formally confirmed and documented.
Obtaining the consent of the Information Asset Owner for the transfer.
Ensuring that the information is sent and tracked in an appropriate manner.
Employees
Individual employees will be responsible for familiarising themselves with this Policy and ensuring that any information transfer for which they are responsible is done in a compliant manner.
Individual employees must report any suspected or actual security breaches related to data transfer in line with the Incident Response Policy.
Risk Assessment
Consider the following before transferring information. If in doubt, please contact the Data Protection Officer (DPO).
Is the transfer legal and necessary?
It is dangerous to assume that because someone asks for information they are necessarily authorised or legally entitled to have it. If you are in doubt, check with the DPO before sending anything.
Once you are sure that the transfer is legal and necessary, then you must decide what kind of information you are dealing with. This will determine what security is appropriate.
To transfer personal or confidential information without these checks may leave WeThrive open to legal and reputational damages and the sender may be subject to disciplinary action.
Is it personal information?
Personal information is information about a living, identifiable individual. Data concerning persons who are deceased may still constitute personal information, particularly where it reveals information by association about a living individual or is a record protected under legislation, such as medical information. If it contains details of racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, or the commission of offences, court appearances and sentences, it is further classified as sensitive personal information (special category and criminal offence data under the UK GDPR) and requires a higher level of protection.
Anything we do with personal information must comply with data protection legislation, including the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).
Before you make any transfer, you must:
Ensure that the transfer is legal (in particular under the Data Protection Act 2018 and the UK GDPR).
Ensure that the transfer is necessary (is there a less intrusive way).
Remove or blackout anything that is not essential for the recipient's purpose.
Have a documented agreement in place to ensure the recipient understands their responsibilities under the law, in particular how the transfer file is to be handled (e.g., securely deleted) once they have extracted the information into their own system.
Is it confidential information?
Confidential information is information for which WeThrive has a duty of confidentiality. This may include information that affects the business interests of a third party, or for which the sender does not hold the copyright, e.g., bank details, salary details, contracts and agreements.
Before you transfer you must:
Ensure that you are not breaching a Non-Disclosure Agreement.
Ensure that the transfer is necessary (is there a less intrusive way).
Remove anything that is not essential for the recipient's purpose.
Have a documented agreement in place to ensure the recipient understands their responsibilities under the law, in particular how the transfer file is to be handled (e.g., securely deleted) once they have extracted the information into their own system.
Electronic Mail & Encrypted Links
Any attached file containing personal or confidential information must be encrypted using a product approved under the Encryption Policy, and any password used must adhere to the internal Password Policy.
Any password to open the attached file must be transferred to the recipient by a method other than e-mail, e.g., a telephone call to an agreed telephone number. Sending the password in a second e-mail does not meet this requirement, as anyone who can read the first message can read the second.
E-mail message must contain clear instructions on the recipient’s responsibilities and instructions on what to do if they are not the correct recipient.
An accompanying message and the filename must not reveal the contents of the encrypted file.
Check with the recipient that their e-mail system will not filter out or quarantine the transferred file; encrypted attachments cannot be scanned by mail gateways and are often blocked for that reason.
The sender must check at an appropriate time that the transfer has been successful and report any issues to their line manager.
Electronic memory (CD, DVD, USB flash drive)
Information must be stored encrypted using a product approved under the Encryption Policy.
Any password used must adhere to the Password Policy.
Any password or key to open the encrypted file must be transferred to the recipient by a method other than e-mail, e.g., a telephone call to an agreed telephone number or a sealed letter sent separately from the media.
An accompanying message must contain clear instructions on the recipient's responsibilities and on what to do if they are not the correct recipient.
An accompanying message and the filename must not reveal the contents of the encrypted file.
The sender must check at an appropriate time that the transfer has been successful and report any issues to their line manager.
Delivery by Post or by Hand
It is essential that the file, whether electronic or paper, is kept secure in transit, tracked during transit, and delivered to the correct individual.
An appropriate delivery mechanism must be used (e.g., tracked or recorded delivery, or a trusted courier) so that the package can be traced at each stage.
The recipient should be informed beforehand that data is being sent so they know when to expect it and can report non-arrival promptly.
The package must be securely and appropriately packed, clearly labelled and fitted with a tamper-evident seal that must be broken to open it.
Package must have a return address and contact details.
The label must not indicate the nature or value of the contents.
The package must be received and signed for by the addressee.
Telephone/Mobile Phone
Transferred information must be kept to a minimum.
Personal or confidential information must not be transferred over the telephone unless the identity and authorisation of the recipient has been appropriately confirmed, e.g., by calling them back on a number already held on record rather than one supplied during the call.
Lost or Missing Data
Employees must inform their line manager and the Data Protection Officer immediately when they become aware that data has been lost or is missing.
WeThrive will follow the Data Protection Incident Reporting Process.