Info Handling Policy
1. Introduction
This Information Handling Policy sets out the requirements relating to the handling of the
company’s information assets. Information assets must be managed in order to protect against
the consequences of breaches of confidentiality, loss of integrity, interruption to availability,
and non-compliance with legislation which would otherwise occur.
An inventory of the company’s main information assets will be developed and maintained and
the ownership of each asset clearly stated.
Each asset will have a nominated owner who will be assigned responsibility for defining the
appropriate uses of the asset and ensuring that appropriate security measures are in place to
protect the asset.
3. Security classification
Each information asset will be assigned a security classification by the asset owner which
reflects the sensitivity of the asset according to the following classification scheme:
Any information which is disclosable under the Freedom of Information Act 2000 will be
classified as public. Any data which is classified as sensitive personal data under the General
Data Protection Regulations (GDPR 2018) (or its successor legislation) will be classified as strictly
confidential. Any data which is subject to the Official Secrets Act 1989 will be classified as secret.
Any information which is not explicitly classified will be classified as open, by default.
4. Access to information
Members of the company will be granted access to the information they need in order to fulfil
their roles within the company. Members who have been granted access must not pass on
information to others unless the others have also been granted access through appropriate
authorisation.
5. Disposal of information
Great care needs to be taken to ensure that information assets are disposed of securely.
Confidential paper waste must be disposed of in accordance with formal (insert name of
company) procedures (insert where they are documented, for example "which are documented on
the website").
In cases where a storage system (for example a computer disc) is required to be returned to a
supplier it should be securely erased before being returned unless contractual arrangements are
in place with the supplier which guarantee the secure handling of the returned equipment. If
this is not possible, then the storage system should not be returned to the supplier and should
remain in the possession of the company until it is disposed of securely.
6. Removal of information
Data which is subject to the GDPR 2018 or which has a classification of confidential or above
should be stored using the company’s facilities or with third parties subject to a formal, written
legal contract with the company, wherever possible. In cases where it is necessary to otherwise
remove data from the company, appropriate security measures must be taken to protect the
data from unauthorised disclosure or loss. Strictly confidential data in electronic form must be
strongly encrypted prior to removal. Secret data must never be removed except with the explicit
written permission of the data owner.
Particular care needs to be taken when information assets are in transit. Company supplied
mobile devices must always be fully encrypted.
Any processing or storage of company information using personally owned devices must be in
compliance with the organisation’s Mobile and Remote Working Policy.
Members of staff who handle confidential paper documents should take appropriate measures
to protect against unauthorised disclosure, particularly when they are away from their desks.
Confidential documents should be locked away overnight, at weekends and at other unattended
times.
Care should also be taken when printing confidential documents to prevent unauthorised
disclosure.
Computer screens on which confidential or sensitive information is processed or viewed should
be sited in such a way that they cannot be viewed by unauthorised persons and all computers
should be locked while unattended.
9. Backups
Information owners must ensure that appropriate backup and system recovery measures are in
place. Where backups are stored off site, appropriate security measures must be taken to
protect against unauthorised disclosure or loss. Recovery procedures should be tested on a
regular basis.
Information which is entrusted to the care of IT Services will meet these requirements.
Whenever significant amounts of personal data or other confidential information are exchanged
with other organisations, appropriate information security measures must be established to
ensure the integrity and confidentiality of the data transferred. Regular exchanges must be
covered by a formal written agreement with the third party.
Information classified as strictly confidential may only be exchanged electronically both within
the company and in exchanges with third parties if the information is strongly encrypted prior to
exchange. Information classified as secret may not be transmitted electronically except with the
explicit written permission of the information owner.
When exchanging information by email or fax, recipient addresses should be checked carefully
prior to transmission.
Unsolicited emails, faxes, telephone calls, instant messages or any other communication
requesting information which is not classified as public should not be acted upon until and
unless the authenticity and validity of the communication has been verified.
Members of the company must not disclose nor copy any information classified as confidential
or above unless they are authorised to do so.
All members of the company have a duty to report the loss, suspected loss or unauthorised
disclosure of any information asset to the information security incident response team.
[Insert details of responsibility, for example the Data Protection Officer (DPO)/GDPR owner] is
responsible for ensuring that this procedure is reviewed in line with the review requirements of
the GDPR.
Issue | Description of change | Approval | Date of Issue