Data Security Policy and Processes

Reviewed: 28.10.2025

Introduction

This policy is a key component of Inform People Ltd’s overall business management framework and provides the framework for the more detailed information security documentation including system level security policies, security guidance and protocols or procedures.

Objectives

The objective of this Data Security Policy is to help preserve the confidentiality, integrity and availability of our business information, based on a risk assessment and an understanding of our tolerance for risk.

Policy aim

The aim of this policy is to set out the rules governing the secure management of our information assets by:

  • ensuring that all members of staff are aware of, and fully comply with, the relevant legislation as described in this and other policies;
  • ensuring an approach to security in which all members of staff fully understand their own responsibilities;
  • creating and maintaining within the organisation a level of awareness of the need for information security as an integral part of day-to-day business; and
  • protecting the information assets under the control of the organisation.

Scope

This policy applies to all information, information systems, networks, applications, locations and users of Inform People Ltd or supplied under contract to it.

Legislation

Data Protection Act 2018

The Data Protection Act 2018 describes how we must collect, handle and store personal information.

These rules apply regardless of whether data is stored electronically, on paper or on other materials.

To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully.

The eight principles below come from the Data Protection Act 1998, which the 2018 Act and the UK GDPR have since replaced; they remain a useful summary of how personal data must be handled. They say that personal data must:

  1. Be processed fairly and lawfully
  2. Be obtained only for specific, lawful purposes
  3. Be adequate, relevant and not excessive
  4. Be accurate and kept up to date
  5. Not be held for any longer than necessary
  6. Be processed in accordance with the rights of data subjects
  7. Be protected in appropriate ways
  8. Not be transferred outside the European Economic Area (EEA), unless that country or territory also ensures an adequate level of protection

The UK General Data Protection Regulation (UK GDPR)

The UK GDPR is the legal framework that governs the collection and processing of personal information about individuals in the United Kingdom (UK). Under the UK GDPR definitions we are a processor: we collect and process personal data only on the documented instructions of a controller (our clients), who decides what is collected and for what purpose.

UK GDPR sets out seven key principles. They state that personal data shall be:

  1. Processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’)
  2. Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’)
  3. Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)
  4. Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’)
  5. Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’)
  6. Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)
  7. Processed under a controller who is responsible for, and able to demonstrate, compliance with the principles above (‘accountability’)

What Is Personal Information?

DPA:

Personal information is any information that we could use to identify an individual. It does not include information that has been anonymised so that an individual can no longer be identified, or publicly available information that has not been combined with non-public information.

Sensitive personal information is information that meets the “personal information” criteria and also:

  • Reveals race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or
  • Concerns health or sex life, information about Social Security benefits, or information on criminal or administrative proceedings other than in the context of pending legal proceedings.

UK GDPR:

  • Personal data only includes information relating to natural persons who:
    • can be identified or who are identifiable, directly from the information in question; or
    • can be indirectly identified from that information in combination with other information.
  • Personal data may also include special categories of personal data or criminal conviction and offences data. These are more sensitive and may only be processed in more limited circumstances.
  • Pseudonymised data (data that can be attributed to an individual only with additional information held separately) is still personal data.
  • Information about individuals acting as sole traders, employees, partners and company directors is personal data where they are individually identifiable and the information relates to them as an individual.

Exclusions

  • Anonymised data is not subject to the UK GDPR.

  • Information about a deceased person does not constitute personal data and therefore is not subject to the UK GDPR.

  • Information about companies or public authorities is not personal data.

Responsibilities

Infrastructure & Security Team

The Infrastructure & Security Team currently consists of Chris Thomas and Paul King and is responsible for all aspects of security and data protection for the company. Below is the breakdown of responsibilities.

Chris Thomas will be responsible for:

  • Keeping records of the hardware we have in the office and who has access to what systems.
  • Keeping the company up to date about data protection responsibilities, risks and issues.
  • Arranging security & data protection training and advice
  • Handling security & data protection questions
  • Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.

Paul King will be responsible for:

  • Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
  • Performing regular checks and scans to ensure security hardware and software is functioning properly.
  • Evaluating any third-party services the company is considering using to store or process data. For instance, cloud computing services.
  • Approving any data protection statements attached to communications such as emails and letters.
  • Addressing any data protection queries from journalists or media outlets like newspapers.
  • Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.

The team will conduct a monthly review which includes:

  • Updating packages on servers
  • Checking the backup systems:
    • Code
      • Backup offline before any changes are made
      • Previous code versions backed up until the following version is rolled out
    • Data
      • Daily backup to a separate server location via AWS
      • Manual backup to testing sites before significant changes and testing
      • Manual key data exports at client request
  • Running through a checklist of other items such as firewall settings
  • Regular password updates to key systems

The team reviews the following things at least annually:

  • The Administrator Privilege Register

EVERYONE

Everyone that handles personal data must ensure that it is handled and processed correctly in accordance with this document.

Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.

All information security incidents or suspected weaknesses should be reported to the Infrastructure and Security Team.

You should not install software or other active code (with the exception of those from official repositories from operating systems suppliers) without approval from the Infrastructure and Security Team.

If you wish to use a new cloud service which will store or transmit personal or company data, this should be evaluated by the Infrastructure and Security Team.

If, for any reason, you believe that you need a higher level of access to a system, such as administrator access, you must seek approval from the Infrastructure and Security Team.

Platform Configuration

The project lead is responsible for all project data handled and processed for their customers. Once the data has been securely configured into the client’s database, security becomes Paul King’s responsibility.

All new systems and significant changes to existing systems (such as configuration updates) should be approved by the controller’s main contact.

Examples of what would need approval

  • Mass editing of personal data at a database level

  • Editing of what personal data is displayed on a platform 

  • Module updates

Examples of what wouldn’t need approval

  • Adding a new user to a platform (at a controller’s request)

  • Removal of an audit or performance review (at a controller’s request)

Physical Security and Devices

PHYSICAL SECURITY

You must report any lost or stolen office keys or building access cards as soon as possible.

You must not give someone else your office keys or building access cards.

Any unusual conditions or events in the office which may affect local infrastructure such as very high or low temperatures or water leaks should be reported to the Infrastructure and Security Team.

Try to minimise the amount of information which needs printing or storing as a hard copy.

Usernames and passwords should never be stored in hard copy format.

Where hard copy data is necessary or is provided by a customer:

  • Personal or confidential information held temporarily in hard copy format (in documents, notepad pages, post-it notes, etc.) should be disposed of (i.e. shredded) as soon as possible after use.
  • Hard copy personal or confidential information requiring storage (or still awaiting disposal) should be locked away securely at the end of each day.

DESKTOPS & LAPTOPS

Only use operating systems which are supported by a supplier. Once official support ends for a particular version of an operating system it should be upgraded to a supported version.

Where we are able to do so, we will remove or disable all the software that we do not use on laptops, computers, servers, tablets and mobile phones.

Disable all auto-run / auto-play facilities in the operating system.

Log into desktop systems as an unprivileged / standard user and only elevate your privileges when necessary. When connecting to other systems, all connections should be made as non-administrative users, elevating to administrative rights only for specific tasks (for example via sudo).

Change any default passwords, or passwords which have been sent via an insecure transport (such as email), to more secure alternatives. Strong passwords should be generated randomly and should include upper and lower case letters and special characters.
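The paragraph above asks for randomly generated passwords. The following is an added example (not code from Inform People or any tool the page names) showing how to generate one from the operating system's cryptographic random source rather than a general-purpose random number generator, and how to check the composition rule. The special-character set and the 16-character minimum are assumptions, not taken from the policy.

```python
import math
import secrets
import string

# Character classes. The policy requires upper, lower and special characters;
# digits are included as well since they widen the alphabet at no cost.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!#$%&*+-=?@^_~"        # assumed: a set most systems accept without escaping
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL
MIN_LENGTH = 16                    # assumed minimum for a generated password


def meets_policy(password: str) -> bool:
    """True if the password contains at least one upper, lower and special character."""
    return (any(c in UPPER for c in password)
            and any(c in LOWER for c in password)
            and any(c in SPECIAL for c in password))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random string of this length over this alphabet."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20) -> str:
    """Generate a password with the OS CSPRNG (secrets), never the random module.

    Rejection sampling keeps the result uniform over all policy-compliant
    strings; forcing one character from each class into chosen positions
    would skew the distribution.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw)):.0f} bits)")
```

A 20-character password over this 76-symbol alphabet carries roughly 125 bits of entropy, far beyond what any composition rule alone guarantees; length, not character mix, is what makes a random password strong.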

Passwords must only be stored in a secure password manager. Approved options include:

  • KeePass
  • LastPass
  • Dashlane

Anti-malware software must be installed on all your computers and laptops which are susceptible to viruses.

Only use removable media in the office if it is strictly necessary, as this opens the company up to additional risk. If removable media is required the Infrastructure and Security Team must be informed, and a virus scan must be performed if the OS in use is susceptible to viruses.

Ensure desktops are always locked when left unattended.

Employees should not save copies of personal data locally on their machine. If data needs downloading to be securely uploaded elsewhere it should be deleted as soon as the task has been completed.

PERSONAL MOBILE DEVICES

The Inform People wifi can be used from within the office on personal mobile devices, but the following conditions must be met:

  • All mobile devices must have the latest software updates installed where possible
  • All mobile devices must have up-to-date anti-malware software installed where possible
  • All mobile devices must be protected by a PIN, password or other access protection
  • All mobile devices must be trackable and have the facility to be remotely wiped if lost or stolen

Project / Application Security

The Project Data Capture Form should be completed as early as possible as this captures security and privacy requirements and includes prompts for recommendations, which may include:

  • HTTPS wherever personal information is transmitted, ideally with HSTS enabled
  • Privacy Policy wherever personal information is collected or stored
  • Cookie Policy wherever cookies are used
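The first recommendation above is HTTPS with HSTS. Whether HSTS is actually in force depends on details of the Strict-Transport-Security header, so the following added example (not code from Inform People or the Project Data Capture Form) parses that header as RFC 6797 defines it and reports the findings a reviewer would raise: a missing or malformed header, a max-age shorter than a year, no includeSubDomains, or a header sent over plain HTTP (which browsers must ignore). The sample responses are constructed, not captured from any real site.

```python
from __future__ import annotations

from dataclasses import dataclass

ONE_YEAR = 31_536_000  # seconds; the usual minimum for a meaningful HSTS max-age


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str | None) -> HstsPolicy | None:
    """Parse a Strict-Transport-Security value using the RFC 6797 grammar.

    Returns None when the header is absent, has no max-age, or max-age is
    not an unsigned integer (browsers ignore such headers too).
    """
    if not header_value:
        return None
    max_age = None
    include_subdomains = preload = False
    for directive in header_value.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        value = value.strip().strip('"')     # the RFC permits a quoted max-age value
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_findings(headers: dict[str, str], https: bool) -> list[str]:
    """Review the response headers of a page that handles personal data.

    `headers` is a response-header mapping (any case); `https` says whether
    the response was fetched over TLS. An empty list means no findings.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []
    if not https:
        findings.append("page served over plain HTTP")
        if "strict-transport-security" in lowered:
            # RFC 6797 section 8.1: a user agent MUST ignore HSTS received over HTTP.
            findings.append("HSTS header is ignored by browsers when received over HTTP")
        return findings
    policy = parse_hsts(lowered.get("strict-transport-security"))
    if policy is None:
        return ["Strict-Transport-Security header missing or malformed"]
    if policy.max_age < ONE_YEAR:
        findings.append(f"max-age={policy.max_age} is below one year")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set; subdomains remain reachable over HTTP")
    return findings


# Constructed sample responses (not captured from any real site).
SAMPLE_RESPONSES = {
    "good": ({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, True),
    "weak": ({"strict-transport-security": "max-age=300"}, True),
    "none": ({"Content-Type": "text/html"}, True),
    "http": ({"Strict-Transport-Security": "max-age=31536000"}, False),
}

if __name__ == "__main__":
    for label, (hdrs, over_tls) in SAMPLE_RESPONSES.items():
        print(label, hsts_findings(hdrs, over_tls) or ["OK"])
```

In practice the header mapping would come from the HTTPS response of the client site under review; the check is deliberately offline so it can also run against headers pasted from a browser's developer tools.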

A client representative for security and privacy related matters should be identified and recorded as part of the communication strategy.

Development Environments

All development environments are treated with the same level of security as the main client sites. In addition, no personal data from client platforms is used for development purposes. The only exception is when a specific issue raised by the client requires the developer to take a full copy of the live site to review it. In that case the local copy of the database is deleted as soon as the issue under review has been resolved and a fix pushed live.

Client Passwords

To ensure all client data remains secure the following password procedures should be adhered to:

  • Enforcing a minimum password length of at least 8 characters (except where we replicate from a client-controlled master database and cannot control or enforce password requirements).
  • Never sending passwords directly through email; only the forgotten-password tool is used.
  • All client passwords are stored as salted one-way hashes, never in plain text or in a reversible (decryptable) form.
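The list above covers how client passwords are stored and the minimum length. The following added example (not code from the Inform People platform) shows the pattern those two rules describe using only the Python standard library: reject short passwords before hashing, derive a salted PBKDF2-HMAC-SHA256 hash, store it in a self-describing record, verify with a constant-time comparison, and detect records made with an older, weaker iteration count so they can be upgraded at the user's next login. The record format and the 600,000 iteration count are assumptions chosen for this example.

```python
import base64
import hashlib
import hmac
import secrets

MIN_LENGTH = 8                 # the policy's minimum for client passwords
PBKDF2_ITERATIONS = 600_000    # assumed; matches OWASP's 2023 PBKDF2-HMAC-SHA256 guidance
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


class WeakPasswordError(ValueError):
    """Raised when a password fails the length rule."""


def password_meets_length(password: str) -> bool:
    return len(password) >= MIN_LENGTH


def enforce_length(password: str) -> None:
    """Reject passwords shorter than MIN_LENGTH before they are ever hashed."""
    if not password_meets_length(password):
        raise WeakPasswordError(f"password must be at least {MIN_LENGTH} characters")


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a storable record: 'pbkdf2_sha256$<iterations>$<salt>$<digest>'.

    A fresh random salt per password means two users with the same password
    get different records, so a leaked table cannot be attacked with a single
    precomputed dictionary. The record carries its own parameters so they can
    be raised later without invalidating existing logins.
    """
    enforce_length(password)
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(digest)])


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iterations, compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
        actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except ValueError:           # malformed record (binascii.Error is a ValueError)
        return False
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True if the record uses an unknown algorithm or fewer iterations than we now require.

    Call this after a successful login and re-hash the freshly supplied
    password, so legacy records are upgraded transparently.
    """
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < PBKDF2_ITERATIONS


if __name__ == "__main__":
    record = hash_password("correct horse battery")
    print(record)
    print(verify_password("correct horse battery", record), verify_password("wrong", record))
```

The point of the one-way hash is that even the operator cannot recover the password, which is also why the forgotten-password tool resets rather than "sends" a password.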

Storage / Access / Transmission Of Personal Data

LONG TERM STORAGE

Personal information owned by a client should only be stored in the following places on a long term basis.

  • On servers or RDS instances in the UK and EU regions specific to that client (ones with their client ID in the server IDs).
  • On shared hosting servers or shared RDS instances in the UK and EU region so long as access to databases containing personal data is denied to all DB users used by other clients.
  • Other AWS services in the UK and EU regions where access is restricted to the individual client.
  • On the Inform Backups server.

Once a controller ends their working relationship with Inform People, Inform People shall make available all personal data held. Following termination of services the data shall be retained for a temporary period agreed either in the controller’s contract of services, their data processing agreement, or another period determined at the termination of services. Following this period Inform People shall permanently delete all data.

SHORT TERM STORAGE

The following services are either hosted in the office or online within the UK or EU, so it is legally acceptable to store personal data on them:

  • Asana
  • Google Drive / Docs / Suite
  • Trello

However, our policy is that they should only be used for the temporary storage of small amounts of personal data (individual records, for instance) and not for long term storage. Personal information on these systems should be deleted as soon as possible after being used.

ACCESS TO PERSONAL DATA

Staff will only be granted access to view personal data that is deemed essential to perform their duties. When accessing personal data through the Inform People platform access is controlled through use of different user accounts with different access levels. Permission is decided and granted by Chris Thomas (CEO) or Paul King (CTO).

When personal data is stored short term on one of the approved systems it will only be accessible to the intended staff member, through the use of separate user accounts and password protection. It will then be securely deleted.

TRANSMISSION OF PERSONAL DATA

Considering transmission of personal and sensitive data is equally as important as considering storage.

Personal data should not be shared via email. The exception is supplying usernames, in very specific situations where there is no other option.

Where possible, data should be shared with clients through use of their secure Knowledge Base on their own Inform People site.

We should also avoid using third party online file transfer services as we cannot guarantee the protection of the data.

Peer to peer video / screen sharing services such as Skype and Whereby are fine to use however we should still make every effort to avoid displaying personal and sensitive data where possible.

Note: Clients can send data to us by any means they wish as that is their responsibility. Once received however, we must comply with our guidelines on storage.

Personal data should not be transmitted outside of the EEA unless using one of our approved services:

  • Asana
  • Google Drive / Docs / Suite
  • Trello

Where practical, data should be encrypted before being transferred electronically.

Destruction Of Assets

When a technology asset needs to be retired the following process should be followed:

  1. Remove all personal information, backing it up to the cloud first if it is still required.
  2. Complete a factory reset.
  3. Use third-party software to wipe/sanitise all data from the machine.
  4. Contact an accredited hardware disposal company to destroy and recycle the machine.

Incident And Breach Management

A data breach generally refers to the unauthorised access and retrieval of information that may include corporate and / or personal data. Data breaches are generally recognised as one of the more costly security failures of organisations. They could lead to financial losses, and cause our consumers to lose trust in Inform People.

All staff must uphold and adhere to our process and follow the below steps if a breach is identified.

  1. If quickly achievable and if it is safe to do so, any employee who identifies a breach and has the ability to stem an active breach must do so immediately.
  2. Once the breach has been stemmed, or if the staff member is unable to do so safely, they must immediately contact Chris Thomas (CEO) and Paul King (CTO) and report the breach.
  3. If possible, Chris Thomas and Paul King must take steps to stem the breach (if still active).
  4. Between the reporting staff member, Chris Thomas and Paul King, a data breach checklist must be completed. This checklist is designed to gather all the necessary information relating to the breach. A new checklist can be generated on inform.informpeople.co.uk/module/saudit/add
  5. Depending on the severity of the breach, the appropriate further steps will be undertaken. As a processor we must notify the affected controller without undue delay so that the controller can meet its own duty to report to the ICO (where feasible within 72 hours of becoming aware of the breach); other steps could include disciplinary action.

Personal Information Owned by Us

Inform People may store non-customer personal information in the following places:

  • CRM systems

Employees should store company usernames and passwords in an approved secure password manager application, not insecurely on their own machines.

Cyber Essentials - Certificate of Assurance

Our 2025 Cyber Essentials certificate of assurance is displayed alongside this section.
