Data can potentially be transferred in a wide variety of media and methods both into and out of our company, in electronic and/or paper format. In every transfer there is a risk that the information may be lost, misappropriated or accidentally released. Where this data is personal data, this represents a risk to our company of breaching our responsibilities under the the General Data Protection Regulation (EU) 2016/679 ("GDPR") and could lead to regulatory action, including significant fines.
This policy lays out the practical methods that need to be applied in undertaking a transfer of data, and will provide additional guidance more specifically on the transfers of personal data and confidential information. This policy is applicable to anyone handling personal data or confidential information including but not limited to:
- employees of the company
- contractors
- agency staff
Before you undertake a physical data transfer, ensure you have the appropriate authorisation to do so. Bear in mind any restrictions in place for the sharing or transfer of controlled data.
- Never automatically assume someone is entitled to the information just because they have told you they need it, regardless of whether they are an internal or external requester.
- When dealing with third parties consider whether there are any data sharing agreements, data transfer agreements, data processing agreements or other contracts in place that cover the transfer of data. Check whether there are any stipulations in place regarding the method of transfer that should be used.
- Think about whether a non-disclosure agreement is required to cover security and use of the data.
- Check that you are not providing more information than is necessary for the identified purpose. Do not just send a whole document or spreadsheet because it is ‘easier’, when only one section or specific columns are required.
- Consider whether the objective / purpose be met using anonymised data instead.
- Consider whether any personal data is being transferred outside of the European Economic Area.
- Consider the most appropriate (not necessarily the easiest) transfer or access method.
- What risk does the transfer or access to information pose (if any)?
- For all transfers of information containing personal data or confidential information, it is essential that you appropriately establish the identity and authorisation of the recipient. N.B. If you are you are in doubt you should seek further advice from the ISMS Committee.
This section lists the main methods of data transfer and also sets out any restrictions and requirements for the secure transfer of personal data and/or confidential information. Before choosing your method of transfer you must consider the following:
- the nature of the information, its sensitivity, confidentiality or possible value
- the size of the data being transferred
- the damage or distress that may be caused to individuals as a result of any loss during transfer
- the implications any loss would have for the company You must only send information that is necessary for the stated purpose. You must remove any unnecessary data, and any data not required should be redacted or removed completely (as appropriate) before transfer.
There are 3 main email routes that can be considered when transferring data via email. These are outlined below, with relevant restrictions highlighted. All transfers of data by email must be done in a way that complies with the Acceptable Use Policy.
General email rules
- Secure email should not be used for transfer of large amounts of data or significant numbers of records.
- Information sent must, where practical, be enclosed in an attachment.
- Be careful as to what information you place in the subject line of your email or in the accompanying message. Filename or subject line must not reveal the full contents of attachments or disclose any sensitive personal data.
When sending information internally between “infinityworks.com” addresses, this is already secure and does not require any additional actions.
- All password(s) assigned to encrypted documents must conform to the minimum corporate Password Policy.
- All password(s) required to open the encrypted attached file must be transferred separately to the recipient either via a telephone call to an agreed number, or by slack or SMS text message
- Be careful as to what information you place in the subject line of your email or in the accompanying message. Filename or subject line must not reveal the contents of the encrypted file.
As phone calls may be monitored, overheard or intercepted either deliberately or accidentally, care must be taken as follows:
- Controlled data must not be transferred / discussed over the telephone unless you have confirmed the identity and authorisation of the recipient.
- When using voice mail do not leave sensitive or confidential messages or include any personal data other than a means of contact. Wait for the recipient to speak to you personally.
- When listening to voice mail messages left for yourself, ensure you do not play them in open plan areas which risks others overhearing.
You, as the sender, are responsible for making sure that:
- The postal address is correct.
- The envelope is clearly marked for the attention of the intended recipient.
- No information relating to another customer / service user has been included in error, either in a letter/email or an attached document.
- That you choose the most appropriate method of transfer.
You are responsible for the package up until its successful arrival at its destination. You must therefore ensure you choose the most appropriate method of transfer and mitigate any potential loss or risk to the information. An extra level of protection must be applied when sending:
Any amount of personal data or confidential information. It is essential that the document or file, whether sent on a media device or in paper form, is kept secure in transit, tracked during transit, and delivered to the correct individual. So you must ensure that:
- the package is securely and appropriately packed, clearly addressed and has a seal, which must be broken to open the package.
- the package must have a return address and contact details.
- the package must be received and signed for by the addresee, e.g by the use of special or recorded delivery. Successful delivery / transfer of the item must be checked and verified as soon as possible. Any issues must be reported immediately to your account lead. NOTE: Staff members or teams who wish to send personal data or confidential information in a way different to that prescribed above must apply for a formal policy exception as outlined in the Policy Exception Policy, stating clear business reasons as to why an exception is required. An exception should be sought for one off requests as well as requests for an alternate way of working. Any exception granted will be reviews annually. Staff who do not abide by the above requirements will be in breach of this policy, which may lead to diciplinary action.
Hand delivery or collection of a document is also an approved method of transfer provided that this Data Transfer Policy is complied with. When arranging for an individual to collect information, you should be satisfied that you know that they are who they say they are and seek an appropriate form of photo identification (passport or driving license) before you hand over any documentation.
You must speak to the Information Security Management Team before agreeing or undertaking any transfers of any data outside of the European Economic Area. This is especially important when handling personal data. You must check, as part of information management due diligence that any service providers you procure are not planning to process personal data outside the European Economic Area. E.g. some service providers may use cloud based systems for data storage which are not UK based. GDPR requires that personal data must not be transferred to a country or territory outside the European Economic Area (EEA) unless the country or territory can provide an adequate level of protection for the rights and freedoms of the individuals whose data is being transferred. It is important to note that all other principles of GDPR are still relevant and must be complied with.
Staff must report any suspected or actual security breaches to the ISMS Committee
This policy will be reviewed on an annual basis or sooner as is required where there are changes in legislation or recommended changes to improve best practice.