This policy applies to all data processing activities undertaken by or involving Nous House Ltd (“Nous”) relating to the privacy, confidentiality and security of Personal Data. This Policy includes activities or systems related to both internal business operations, as well as external relations and any third-party agreements.
Definitions Used in this Policy are:
“Data Controller” means a person who alone or jointly with others determines the purposes and means of the Processing of Personal Data.
“Data Processor” means a person who Processes Personal Data on behalf of the Data Controller.
“EEA” means the countries of the European Economic Area.
“Government Authority Request” means any subpoena, warrant or other judicial, regulatory, governmental or administrative order, proceeding, demand or request (whether formal or informal) by a government or quasi-governmental or other regulatory authority (including law enforcement or intelligence agencies) seeking or requiring access to or disclosure of Personal Data.
“Information Security Incident” means any actual or reasonably suspected accidental or unlawful Processing, destruction, loss, theft, alteration, misuse, interference, modification, unauthorized access to, or disclosure or acquisition of, any Personal Data.
“Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with an identified, identifiable or particular individual or household, regardless of the media in which it is contained, that may be (a) disclosed to or Processed (as defined below) by Nous in connection with or incidental to the performance of its business; or (b) derived by Nous from the information described in (a) above.
“Process”, “Processed” or “Processing” means any operation or set of operations performed upon Personal Data or on sets of Personal Data, whether or not by automatic means, such as creating, collecting, procuring, obtaining, retaining, accessing, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting, aligning, combining, restricting, anonymizing, deleting or destroying the data.
“Privacy Laws” means applicable international, federal, state, provincial and local laws, rules, regulations, directives and governmental requirements currently in effect and as they become effective relating in any way to the privacy, confidentiality or security or otherwise relating to the Processing of Personal Data.
Nous has secured consent to process Personal Data from Data Subject(s) and shall not Process Personal Data for any other purpose. To this end, Nous will act as a Data Processor with respect to the Processing of Personal Data from Customers.
A: Statements of principle: access to personal data
01. Nous will only access and store the minimum amount of Personal Data necessary for the purposes of fulfilling contracts with a Customer.
02. Nous limits access to Personal Data. • Access is limited to employees, agents or consultants (“Staff”) who have a need to know the Personal Data as a condition to Nous’s performance of its services to Customers. • Physical access to premises where Personal Data is stored is limited.
03. Nous will not share, transfer, disclose, make available or otherwise provide access to any Personal Data to any third party. • Access will only be granted where a Customer has authorised Nous to do so in writing.
04. Any access to Personal Data granted to a third party (“Sub-Processor”) will only be undertaken under a written agreement with each Sub-Processor.
• Sub-processors will be subject to the same obligations of privacy as Business.
05. Nous does not Sell Personal Data.
06. Nous will undertake a detailed assessment of the purposes and context of the Processing, and the laws of the country or countries of destination prior to processing to ensure it an provide an adequate level of protection for the Personal Data. • Where that is not the case, Nous, in coordination with the Customer, shall consider what additional safeguards may be implemented to ensure an adequate level of protection for the Personal Data and share a copy of this assessment with Customer.
07. Nous will not transfer, transmit or disclose Personal Data outside the country from which Customer originally delivered it to Nous without entering into written agreements as are necessary to comply with Privacy Laws concerning any cross-border transfer of Personal Data. • Nous shall enter into standard contractual clauses for transfer of data outside of the EEA as reasonably required by Customers.
08. Nous shall cooperate with the Customer if an individual requests access or updates to, or deletions of their Personal Data, or requests the restriction of or objects to the Processing of his or her Personal Data.
09. Nous has a documented procedure for reviewing and responding to Government Authority Requests. • Nous shall maintain a written record of all Government Authority Requests. Such record shall include details of (i) the government authorities making the requests or demands, (ii) the number of requests or demands received and how Nous responded to such requests or demands, (iii) the types of Personal Data that Nous was required to provide.
10. Nous has appropriate technical and organisational measures to protect Personal Data in transit over public networks between Customer and Nous (and any applicable Sub-Processors), • Nous will ensure that all Personal Data in transit is encrypted by default.
11. Nous shall ensure, to the extent possible, that the Personal Data it stores is pseudonymized or otherwise obfuscated.
B: Compliance with privacy and information security safeguards
01. Nous employs an information security program that complies with applicable Privacy Laws.
02. Nous’s information security program includes appropriate administrative, technical, physical, organisational and operational safeguards and other security measures designed to (i) ensure a level of security appropriate to the risk presented by the Processing of Personal Data; (ii) protect against any anticipated threats or hazards to the security, availability, confidentiality and integrity of Personal Data; and (iii) protect against any Information Security Incident.
03. Safeguards for Data and information involve:
(i) Data and information are all stored in the Cloud, operated by third party providers from secure locations. Physical access to premises where Personal Data is stored is limited. (ii) Access to all equipment on which data is input or retrieved is controlled via passwords and personal logins. (iii) Personal Data is encrypted at rest and in transit. (iv) Continual testing is undertaken to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services involved in the Processing of the Personal Data. (v) Regular penetration testing is undertaken (where permitted in host’s cloud environment) to assess and evaluate the effectiveness of technical and organisational measures for ensuring the security of the Processing. (vi) Enhanced security obligations for those with authority to access Sensitive Personal Data or Confidential Information (see below). (vii) Access to data processing equipment is controlled using automatic locking after 3 minutes as standard, two-factor authentication, encryption. (viii) Nous undertakes log tracking and can identify who has entered Personal Data onto its data processing systems in order to verify the information, its accuracy and authority. (ix) All data is securely stored behind an end point security cloud . Data is scanned daily for viruses and incoming data is sandboxed (or equivalent) as necessary until security of it is confirmed. (x) All Staffs are obliged to maintain secrecy under their employment terms. Agents, consultants and Sub-Processors to Nous are also contractually obliged to maintain confidentiality of all Data and information received and to deploy similar security measures in respect of Data and information received from Nous. (xi) Passwords and entry codes (as referred to in (ii) above) are reset by system administrators each time a Staff member leaves the company and exit interviews and similar are undertaken whereby any company information, Personal Data or Confidential Information is removed from BYO devices owned by an exiting Staff. Unauthorised access to data processing equipment is forbidden by Nous’s employment policies and may lead to disciplinary proceedings and even dismissal of a Staff member who accesses data processing equipment without authority.
04. Nous shall immediately inform a Customer in writing of any Information Security Incident of which Nous becomes aware. In which case all Staffs of Nouns will follow the procedure set out in the Nous Data Processing, Access & Breach Policy (“the Breach Policy”).
05. Nous shall immediately inform a Customer if, in Nous’s opinion, an instruction from Customer infringes applicable Privacy Laws.
06. Nous supervises its Staff and sub-processors to the extent required to maintain appropriate privacy, confidentiality and security of Personal Data.
07. Nous provides training regarding the privacy, confidentiality and information security requirements set forth in this Policy to relevant Staff and Sub-Processors who have access to Personal Data.
08. Nous may adopt all reasonable recommendations from Customers concerning data security measures, programs and procedures to ensure ongoing compliance with this Policy.
C: Classification of data
01. To properly assign safeguards, all data that our company collects, processes or stores must be assigned one of the following classification categories to ensure Nous upholds its regulatory commitment to uphold the rights of individuals, as outlined under Data Protection Legislation: • Public • Open • Confidential • Strictly Confidential • Secret
02. Some data Nous uses will most likely be classed as being either ‘Public’ or ‘Open’ data. Any information relating to an individual or organisation that could identify them or is personal or private in nature must be assigned a category of either ‘Confidential’ or ‘Strictly Confidential’.
Public data
01. Public data is information or data that can be accessed by any external individual or organisation. Types of public data include: • Official contact data of relevant company Staff • News updates or press releases. • Company publications • External-facing company policies or procedures
Management of public data:
02. Public data will be formatted to allow for the most basic security measures. Examples include converting a Word document into a PDF to avoid others editing it, as this could subsequently cause some form of reputational damage.
Open data
03. Anyone at Nous is able to access this information for the purposes of fulfilling Nous’s contractual obligations and business needs. Types of open data might include:
• Official contact data e.g. full name, primary email address and telephone number • Authorised communications, such as blogs, news articles and industry updates. • Approved company policies, guidance and processes
Management of open data: 04. Open data will be formatted to allow for the most basic security measures. Examples might include converting a Word document into a PDF to avoid others editing it, as this could subsequently cause some form of reputational damage.
Sensitive Data 05. Access to sensitive data is limited only to individuals who have been granted appropriate authorisation to view or process that information. Types of sensitive data might include:
• Name • Date of birth • Address • Telephone number • Email address • National Insurance number • Race • Religion • Health details • Political affiliations • Trade union membership • Criminal offences • Employee and/or Staff contracts • Non-Disclosure Agreements • Unfinished or unapproved company documents • Staff wage and/or payment slips • PDR documentation
06. Where strictly necessary authorised individuals or stakeholders may need to be granted access to sensitive data on a need-to-know or project only basis.
07. Sensitive Data is afforded a higher level of protection than other data that is not sensitive. Sensitive data must be identified and assessed on a case-for-case basis. In most cases, sensitive data will inherently be classed as confidential; thus, access and/or availability will be limited to key individuals who need to know the information in order to fulfil a Customer contract or a statutory obligation of Nous.
Management of Sensitive Data:
08. As and where required to handle confidential data, Staff should exercise the following handling processes: • Paper documents will be: · In secure locked storage · Transported in sealed envelopes only · Transported by an approved third-party courier service · Securely disposed of • Electronic data will be: · Encrypted · Password-protected wherever possible · Transportation must follow secure file transfer protocol · Storage must be limited to secure file stores · Securely disposed of.
Strictly confidential data
09. A minimal number of authorised individuals, authorities or other stakeholders may be permitted access to data that has been classified as being ‘Strictly confidential’. Types of strictly confidential data might include:
• Bank details • Credit card information • Financial information • Server information • Usernames or passwords • Test data • Medical records • Disciplinary proceedings • Patent information • Network information
Management of strictly confidential data:
10. As and where required to handle strictly confidential data, Staff should exercise the following handling processes:
• Paper documents will be: · In secure locked storage · Transported in sealed envelopes only · Transported by an approved third-party courier service • Electronic data will be: · Encrypted · Password-protected wherever possible · Tagged · Transportation must follow secure file transfer protocol · Storage must be limited to secure file stores
Secret data
11. On rare occasions, Nous may wish to classify data as ‘Secret’. If a member of Staff is unsure as to whether they should categorise a piece of data as being secret – or if they need assistance in classifying any other piece of data, they should consult a line manager. If no manager is available for consultation, data should default to a ‘Confidential’ classification. We recognise that various types of secret data may require different controls and circumstances. Bearing that in mind, individual protocols will be implemented on a case-for-case basis as required for Secret data. Data classification markings
12. Data classification markings are clearly visible at all times either at the top, bottom or centre of each document page and match the classification category in which that data has been assigned.
13. Classification markings will include the retention period for the data.
Reclassifying data
14. There may be occasions when Personal Data and other data must be reclassified from one data category to another data category. The need for reclassification may depend upon a content change, or an alteration in terms of the data’s intent, where it is stored or how it is being used. Before reclassifying data, a firm and justifiable rationale must be established and guidance of the Data Protection Officer sought and recorded.
D: Data storage policy 01. All information and data that is collected and processed is subject to all of the applicable requirements as outlined and documented within this policy. This includes information collected electronically, by paper, telephone or data collected through any other means.
02. All data will be collected, stored and protected in the secure location appointed by Nous for the retention period required by this policy as determined by the nature of the data and for the period it is marked as to be stored for.
03. Staff members are strictly forbidden to retain confidential information or personal data not relating to themselves on their personal devices. Exceptions to this policy include information that is needed for a purpose that is work-related, temporarily and specified and approved by a relevant manager.
04. Staff members are actively discouraged from downloading sensitive files or confidential information to local devices.
05. Staff may only install and use software and systems that have been licensed and approved by the company on devices the company owns or has access to while carrying out the duties of their role. Downloading or using any software, app or system that is not preapproved by the company requires prior written approval from Nous.
06. All mobile and portable devices used by staff members must be approved by Nous and secured to prevent unauthorised access or breach. Personal devices could include a laptop, smartphone, tablet or any other handheld computing devices. This policy also applies to any shared cloud storage spaces.
07. All internet access and online operations carried out by Staff are subject to monitoring and filtering in accordance with relevant legislation and company policy. This monitoring is carried out only by authorised member of staff of Nous.
08. Staff must adhere to all applicable elements of this policy when using personal devices to access company resources. Similarly, Staff must observe and adhere to all applicable elements of this data security policy when using equipment provided by Nous to access information externally.
09. Staff are forbidden from using public access devices. This practice is allowed in some circumstances; however, prior and explicit approval from a line manager for regular public access must be obtained.
E: Return or destruction of personal data 01. Nous securely shreds all paper copies of information and Personal Data periodically using a reputable information disposal operation with similar security policies to Nous.
02. Nous will securely destroy each and every original and copy in every media of all Personal Data in Nous’s or its Sub-Processors’ possession, custody or control on or as soon as possible after the data retention date.
03. Nous takes steps to prevent accidental or deliberate destruction or loss of information and Personal Data. This includes cloud provision and daily backup of information.
F: Prohibited activities
01. Staff are strictly forbidden from using company equipment, tools or systems for any purpose unrelated to their role responsibilities, excluding any previously mentioned exceptions. The following activities by Staff of Nous are forbidden with no exceptions:
• Any unauthorised replication of copyrighted materials. • The violation of individual rights by way of the unnecessary collection, storage and processing of Personal Data or information. • The violation of rights of an individual or organisation protected under intellectual property law in any jurisdiction. • The use of any programme, command or interface designed to interfere with a user or corresponding user session. • The accessing of any Personal Data, data, user account or server for any purpose unrelated to the business function of an individual’s company role. • Issuing fraudulent product or service offers from a Nous account. • Sharing or use of Staff login credentials or company systems by anyone apart from the named individual. • Export of proprietary or confidential information as it relates to Nous. • Export of any software or data that is in breach of regulation or Nouss data security policy. • Knowingly causing a network disruption or security breach. • Staff are not allowed to access data that is not intended for them by logging into a system or gaining access to a confidential or limited-access account. The only exception to this rule is if the Staff member is granted access as part of a specific company project.
G: Reporting security breaches 01. All Staff who access, manage or use Personal Data in any way are responsible for reporting a data breach. This report MUST be made immediately.
02. The report must be made to the reporting party’s line manager, using the data breach reporting form in the Nous Breach Policy.
03. Details of the incident that must be included in the report include: • NAME of person reporting the incident. • HOW the incident was discovered. • WHEN the incident occurred. • DETAILS of the incident.
04. Immediately upon discovering an incident, Nous will take all necessary steps to minimise the effects of any data or security breach or incident. That process will be undertaken as set out in the Nous Data Access and Breach Policy.
06. If the data security incident potentially involves a large number of individuals, Nous will consider whether notifying a large number of individuals may have the potential to cause disproportionate enquiries which will in turn result in delayed response to the incident.
07. Nous will determine whether to notify an individual whose personal data has been affected by an incident or breach as set out in the Nous Data Access and Breach Policy.