Data Security Policy Analysis
POLICY NAME: Data Security Policy
Date Written: 10/02/2017
Written by: Dylan Mc Grath
Authorised by: ICT Manager
Review Date: 10/02/2019
The reason for having a policy:
The reason for having the policy is so that the workers at ACME LEARNING Ltd know what to do when they are accessing the personal data of customers and how they may use that data.
A brief explanation of the company's obligations under the law:
There is one main piece of legislation the company has to comply with: the Data Protection Act 1998, which was amended in 2003. It requires that when personal details are given to a company, the company has to keep those details secure and cannot give them to anyone outside the company.
Every person who has given their details to the company can request a copy of their information that the company has. The company must send the person their details within 40 days.
They can also have their name removed from any marketing list.
They can also make a complaint to the Data Commissioner if the company is not adhering to the Data Protection Act's rules.
A person can claim compensation if they suffer when the company uses their data in a wrong way.
Who is affected by how the company uses and stores data?
The people affected by this are:
- Teachers and Staff who work for ACME LEARNING Ltd
The data that is stored about them is:
- Credit Card/ Bank Details
- Birth Dates
- Contact details
- PPS Numbers
- Suppliers' information
Why the data is used by ACME LEARNING Ltd:
- For advertising and marketing purposes.
- To have a database of a person’s information.
- For payroll and pension administration
- To make sure the names and addresses of people are correct.
- To stop fraud and money laundering
- For record keeping
What specific threats does ACME's data face?
Malware: Malware is software that can harm a computer and can slow down its performance.
Hacking: Gaining access to a computer, whether authorised or unauthorised, without necessarily wanting to cause any damage.
Weather conditions and fires: Data can be lost through storms, earthquakes and floods. Fires can also be started by accident when the server room is too hot. When these weather conditions and fires happen, the server rooms can be completely destroyed.
Adware: Software that monitors the user's online activities so that the person can be targeted by advertisements.
Copying data onto storage devices.
Roles and Responsibilities:
ACME LEARNING Ltd must appoint a Data Controller, who is there to deal with the data held about its customers, both on computer and in filing cabinets.
The Data Controller must:
1: Obtain and process the information fairly.
2: Keep it only for the purpose it was needed for.
3: Use it, and give it out, only for a specified purpose.
4: Keep it safe and secure.
5: The information must be kept up to date and correct.
6: Make sure the data is adequate, relevant and not excessive.
7: It must not be kept for any longer than it is needed for.
8: Give a person a copy of his/her personal data on request.
Every employee who works for ACME LEARNING Ltd has to be given training on how to use and handle the data.
Rules for:
1. Data storage:
- Data on hard drives cannot be deleted.
- The data has to be stored on the network drive, where the I.T. department can back it up when they need to.
- Data that is on paper has to be kept in a safe place.
- Data has to be protected by strong passwords.
- All data has to be stored on the server, and the server has to be in a safe location.
- Only the Data Controller and the people who need to access the data are allowed to look at it.
- Servers and computers that hold data have to be protected by a firewall and security software.
- Data on CDs or DVDs has to be locked away.
- The servers have to be at different sites in case one site goes offline.
- Data should not be saved on laptops or other mobile devices.
- There are two separate databases, one for staff information and the other for students' information.
- Data cannot be stored locally; it has to be kept in a place where it can be backed up every night.
- Data has to be backed up every night.
- The USB ports on all machines have to be disabled.
- Every computer in the building has to be rebooted every night at a set time.
- Users have to log out of their computers to make sure the data stays safe.
- The person who looks at the data should be able to see the quantity of the data and any duplication.
2. Data use:
- All employees must lock their computer when they are away from their desk while data is open on it.
- Employees cannot make a duplicate of any data on a file.
- When data is being transferred electronically it has to be encrypted.
3. Data accuracy:
- ACME Learning LTD must keep the data up to date and accurate.
- Data that is inaccurate should be corrected by someone who is allowed to edit the data.
- There are staff that are allowed to edit the data and other staff who are only allowed to read the data.
4. Data access requests:
The Data Protection Act lets a person find out if ACME LEARNING Ltd has any information that relates to them.
The person has to either fill out a form or write a letter to the company asking for their information.
The person has to include identification so that the company knows it is giving the data to the right person.
The person is entitled to:
- A copy of the data.
- A description of the use for which it is held.
- A description of those to whom the data may be shown.
- The source of the data.
The person may have to pay a fee to access their information which cannot exceed €6.35.
The person has to be contacted within 40 days with their data or be told that the company does not have any data about them.
5. Data Disposal:
ACME LEARNING LTD will keep the data it has for employees for seven years, but only if it is financial data.
ACME LEARNING LTD will keep students' data for three years.
If a student has ticked a box to say that they want ACME LEARNING LTD to keep their exam results, then ACME LEARNING LTD has to keep the student's exam results for a certain number of years.
If data is on paper it has to be thrown into a waste bin.
It must also be recycled.
The paper can also be shredded so that the data on it is destroyed.
An incinerator can be used to burn the paper to destroy it so no one can recover any of the data on the sheets.
Hard Drive Disposal:
When the hard drives need replacing, an employee must carry out the required procedures. The procedures are to overwrite the hard drive, or to have the hard drive destroyed by paying a company that specialises in destroying hard drives properly, so that the data is safe from being seen by a person who wants to use it for financial gain.
The hard drive can also be degaussed. This removes all the data from the hard drive by destroying the magnetic fields on it. It also leaves the hard drive in tiny pieces so that it can never be used again.
Overwriting the data using a program writes binary patterns onto the hard drive. It should be done at least three times to be successful.
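As an added illustration of the three-pass overwrite described above (this is example code written for this analysis, not a tool the policy or ACME LEARNING Ltd provides), the following Python script overwrites a file in place with all-zeros, all-ones and then random data, forcing each pass to the medium with fsync, and then reads the file back to confirm that a constructed sample record can no longer be found. The file is a stand-in for a whole drive; wiping a real disk means running the same passes over the block device, and on SSDs and other flash media wear-levelling means file-level overwriting does not guarantee erasure, which is one reason the policy also allows degaussing or physical destruction.

```python
import os
import secrets
import tempfile

# Pass patterns: all-zeros, all-ones, then random bytes (None = random per block).
PATTERNS = [b"\x00", b"\xff", None]


def overwrite_file(path, passes=3, block_size=4096):
    """Overwrite every byte of `path` in place, `passes` times.

    Patterns cycle through zeros, ones and random data. Each pass is flushed
    and fsync'd so the next pass does not just replace buffered data in RAM.
    Returns the number of passes completed.
    """
    size = os.path.getsize(path)
    done = 0
    with open(path, "r+b") as fh:
        for i in range(passes):
            fill = PATTERNS[i % len(PATTERNS)]
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(block_size, remaining)
                chunk = secrets.token_bytes(n) if fill is None else fill * n
                fh.write(chunk)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the medium before the next one
            done += 1
    return done


def still_contains(path, needle, block_size=4096):
    """Read the file back and report whether `needle` can still be found.

    A tail of len(needle)-1 bytes is carried between chunks so a needle that
    straddles a chunk boundary is not missed.
    """
    keep = len(needle) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(block_size)
            if not chunk:
                return False
            window = tail + chunk
            if needle in window:
                return True
            tail = window[-keep:] if keep else b""


def demo_wipe():
    """Constructed demonstration: a temp file holding a made-up staff record.

    The record values (name, PPS number, card number) are invented sample data.
    Returns the before/after search results, passes done and final file size.
    """
    record = b"name=Jane Example;pps=1234567T;card=4111111111111111;\n"
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(record * 200)
    try:
        before = still_contains(path, b"pps=1234567T")
        passes = overwrite_file(path, passes=3)
        after = still_contains(path, b"pps=1234567T")
        size = os.path.getsize(path)
    finally:
        os.remove(path)
    return {"before": before, "passes": passes, "after": after, "size": size}


if __name__ == "__main__":
    print(demo_wipe())
```

The read-back step is the part worth keeping in any disposal procedure: a wipe that is not verified is only assumed to have worked, and the file size staying the same confirms the passes overwrote data in place rather than truncating and re-creating the file.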
Tape Media Disposal:
The data on the tapes can be overwritten. They can also be incinerated; this method will completely destroy the tape, but it will pollute the air. The data on the tapes can also be degaussed. The company can get someone to come in and do it so that there is a witness that the tape has been degaussed properly.