Information Exchange Policy

Overview

This policy sets out the controls used to exchange information in a secure manner.

Consideration Categories

There are 4 main categories:

  • Handling
  • Action
  • Sharing
  • Licensing

HANDLING How information should be handled, e.g. how it is stored or transmitted.

ACTION The permitted actions or uses of information.

SHARING Any permitted redistribution of information that is received.

LICENSING Any applicable agreements, licenses, or terms of use that govern the information being shared.

Role and Responsibilities

Provider

The organisation or individual who acts to provide, produce, publish, share or exchange information with third parties.

A Provider is responsible for the individual considerations pertaining to the data being shared or exchanged. It is their responsibility to ensure the considerations for each of the four categories are recorded in a suitable fashion, usually the request/incident ticket relating to the work.

Recipient

The organisation or individual who receives or consumes information from third-party Providers.

Recording Exchanges

What data to capture largely depends on the requirements of the data and the agreement in place between the parties involved. When recording this exchange, the Provider should consider the HASL categories first. In addition:

  • Encryption in Transit, whether the received information has to be encrypted when it is retransmitted by the recipient.

  • Encryption at Rest, whether the received information has to be encrypted by the Recipient when it is stored at rest.

  • Permitted actions, the permitted actions that Recipients can take upon information received.

  • Sharing, any permitted redistribution of information that is received and any actions that need to be taken first if applicable.

  • Provider attribution, recipients could be required to attribute or anonymise the Provider when redistributing the information received. Alternatively, recipients MAY attribute the Provider when redistributing the information received.

  • Obfuscation, recipients could be required to obfuscate or anonymise information that could be used to identify the affected parties before redistributing the information received.
