Information Security Policy

1. Policy Statement

The confidentiality, integrity and availability of information, in all its forms, are critical to the on-going functioning and good governance of TAA. Failure to adequately secure information increases the risk of financial and reputational losses from which it may be difficult for TAA to recover. This information security policy outlines TAA’s approach to information security management. It provides the guiding principles and responsibilities necessary to safeguard the security of the companies’ information systems. Supporting policies, codes of practice, procedures and guidelines provide further details. TAA is committed to a robust implementation of Information Security Management. It aims to ensure the appropriate confidentiality, integrity and availability of its data. The principles defined in this policy will be applied to all of the physical and electronic information assets for which TAA is responsible.

2. Purpose

The primary purposes of this policy are to:

  1. Ensure the protection of all SFA information systems (including but not limited to all computers, mobile devices, networking equipment, software and data) and to mitigate the risks associated with the theft, loss, misuse, damage or abuse of these systems.
  2. Make certain that users are aware of and comply with all current and relevant UK and EU legislation.
  3. Provide a safe and secure information systems working environment for staff, students and any other authorised users.
  4. Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data that they handle.
  5. Protect TAA from liability or damage through the misuse of its IT facilities.
  6. Respond to feedback and update as appropriate, initiating a cycle of continuous improvement.

Scope

This policy is applicable to, and will be communicated to, all staff, learners and third parties who interact with information held by TAA and the information systems used to store and process it. This includes, but is not limited to, any systems or data attached to the TAA data or telephone networks, systems managed by TAA, mobile devices used to connect to TAA networks or hold TAA data, data over which TAA holds the intellectual property rights, data over which TAA is the data owner or data custodian, communications sent to or from the TAA.

3. Policy

Information security principles
The following information security principles provide overarching governance for the security and management of information at TAA.

1. Information should be classified according to an appropriate level of confidentiality, integrity and availability (see Section Information Classification) and in accordance with relevant legislative, regulatory and contractual requirements and TAA policy (see Section Legal and Regulatory Obligations).

2. Staff with responsibilities for information (see Section Responsibilities) are responsible for ensuring the classification of that information; for handling that information in accordance with its classification level; and for any policies, procedures or systems for meeting those responsibilities.

3. All users covered by the scope of this policy (see Section Scope) must handle information appropriately and in accordance with its classification level.

4. Information should be both secure and available to those with a legitimate need for access in accordance with its classification level.

5. Information will be protected against unauthorized access and processing in accordance with its classification level.

6. Breaches of this policy must be reported (see Sections Compliance and Incident Handling).

Legal & Regulatory Obligations

TAA has a responsibility to abide by and adhere to all current UK and EU legislation as well as a variety of regulatory and contractual requirements.

Related policies will detail other applicable legislative requirements or provide further detail on the obligations arising from the legislation summarised below.

Information Classification

The following table provides a summary of the information classification levels that have been adopted by TAA and which underpin the 6 principles of information security defined in this policy.

These classification levels explicitly incorporate the Data Protection Act’s (DPA) definitions of Personal Data and Sensitive Personal Data, as laid out in TAA’s Data Protection Policy.

Security level / Definition / Example

1. Confidential
   Definition: Normally accessible to specified members of TAA staff.
   Example: DPA-defined Sensitive personal data (racial/ethnic origin, political opinion, religious beliefs, trade union membership, physical/mental health condition, sexual life, criminal record), including as used as part of primary or secondary research data; individuals’ bank details; HR records; passwords; large aggregates of personally identifying data (>1000 records) including elements such as name, address, telephone number.

2. Restricted
   Definition: Normally accessible only to specified members of TAA staff.
   Example: DPA-defined Personal Data (information that identifies living individuals, including home / work address, age, telephone number, schools attended, photographs); Director minutes; draft reports, papers and minutes; systems.

3. Internal Use
   Definition: Normally accessible only to members of TAA staff.
   Example: Internal correspondence, P drive information, staff minutes.

4. Public
   Definition: Accessible to all members of the public.
   Example: Annual accounts, information available on the TAA website or written publicity information.

Compliance, Policy Awareness and Disciplinary Procedures

Any security breach of TAA’s information systems could lead to the possible loss of confidentiality, integrity and availability of personal or other confidential data stored on these information systems.

The loss or breach of confidentiality of personal data is an infringement of the Data Protection Act (1998), contravenes TAA’s Data Protection Policy, and may result in criminal or civil action against TAA. The loss or breach of confidentiality of contractually assured information may result in the loss of business, financial penalties or criminal or civil action against TAA. Therefore, it is crucial that all users of the companies’ information systems adhere to the Information Security Policy and its supporting policies as well as the Information Classification Standards.

All current staff, learners and other authorised users will be informed of the existence of this policy and the availability of supporting policies, codes of practice and guidelines.

Any security breach will be handled in accordance with all relevant TAA policies, and the appropriate disciplinary policies.

Incident Handling

If a member of TAA (employee or learner) is aware of an information security incident, then they must report it to the Quality Improvement Manager.

If necessary, employees can also use TAA’s Whistle Blowing policy.

Review and Development

This policy, and its subsidiaries, shall be reviewed by the Quality Improvement Manager and updated regularly to ensure that they remain appropriate in the light of any relevant changes to the law, organisational policies or contractual obligations.

Additional regulations may be created to cover specific areas. The Quality Improvement Manager will determine the appropriate levels of security measures applied to all new information systems.

4. Responsibilities

Members of TAA

All members of TAA, TAA associates, third parties and collaborators on TAA projects will be users of TAA information. This carries with it the responsibility to abide by this policy and its principles, relevant legislation, and supporting policies, procedures and guidance. No individual should be able to access information to which they do not have a legitimate access right. Notwithstanding systems in place to prevent this, no individual should knowingly contravene this policy, nor allow others to do so. To report policy contraventions, please see Section Incident Handling.

Data Owners

Many members of TAA will have specific or overarching responsibilities for preserving the confidentiality, integrity and availability of information. These include:

Contract Manager / Project administrators

Responsible for the security of information produced, provided or held in the course of carrying out enrolment, training, obtaining feedback, consultancy or knowledge transfer activities. This includes ensuring that data is appropriately stored, that the risks to data are appropriately understood and either mitigated or explicitly accepted, that the correct access rights have been put in place, with data only accessible to the right people, and ensuring there are appropriate backup, retention, disaster recovery and disposal mechanisms in place.

Management Team

Responsible for the information systems (e.g. HR / Registry / Finance), both manual and electronic, that support TAA work. Responsibilities are as above (Contract Manager / Project administrators) and also cover specific areas of TAA work, including all the supporting information and documentation, which may include working documents, contracts, and staff or student information.

Quality Improvement Manager

Responsible for this and subsequent information security policies and will provide specialist advice across the company on information security issues.