Data Management Policy

1. Data Ownership

• Designation of Data Owners: Each category and type of data within InContext Solutions will have a designated Data Owner. These roles are assigned to senior management members, at the VP level or higher, who assume the responsibility of acting as stewards of the data. Their primary role is to oversee the classification, security, and access of the data they are entrusted with.

• Responsibilities and Accountabilities:

  • Classification: Data Owners are responsible for accurately classifying data based on its sensitivity and the potential impact of its disclosure. This involves categorizing data into Restricted, Confidential, or Public classifications.

  • Access Control: They must establish clear policies for who can access the data, ensuring adherence to the principle of need-to-know and least privilege. Access decisions are carefully considered based on business needs and individual roles.

  • Usage Monitoring: Data Owners are tasked with monitoring how data is used within the organization to ensure compliance with established policies and legal standards. They must be vigilant in identifying and addressing any misuse or unauthorized access.

  • Policy Compliance: They ensure that their respective data categories comply with all relevant external legal requirements and internal company policies. Regular audits and reviews of data handling practices are part of their responsibilities.

  • Training and Awareness: Data Owners are also involved in fostering a culture of data protection by ensuring that their teams are aware of policies and best practices for data management.

• Decision Making and Oversight:

  • Access Decisions: Data Owners have the authority to make decisions about who is permitted to access specific data. These decisions must be based on legitimate business needs and documented through proper channels.

  • Incident Management: In the event of a data breach or incident involving their data, the Data Owner plays a crucial role in the response and recovery process. They work closely with the Information Security Team to ensure that appropriate measures are taken to mitigate any potential damage.

  • Continual Improvement: Data Owners are expected to engage in continuous improvement of data management practices. They must stay informed of new technologies and methodologies that can enhance data security and efficiency.

2. Data Classification

• Restricted: Applies to information whose unauthorized disclosure could cause severe damage to the company or its stakeholders. Restricted data is handled with the highest level of security and access control.

• Confidential: Includes less sensitive business information that could negatively impact the company if disclosed. Used within the organization and shared externally only on a need-to-know basis.

• Public: Information approved for release to the public with no risk of harm from unauthorized disclosure. Such data is freely distributable.

3. Policy Review Schedule

• Annual Review: The Information Security Team will conduct an annual review of the Data Management Policy to incorporate any changes in legal requirements or business needs.

• Update Protocol: All updates and changes to the policy will be documented, and relevant stakeholders will be informed of new requirements or procedures.

4. Data Handling

• Data Capture and Collection:

  • Purpose Limitation: Data collection will be confined strictly to what is necessary for legitimate business purposes. The reason for data collection must be clearly justified and documented, ensuring alignment with business objectives and legal requirements.

  • Consent and Transparency: Wherever applicable, informed consent will be obtained from individuals whose data is being collected. They will be informed about what data is collected, why it is necessary, and how it will be used.

  • Minimization: Only data that is relevant and necessary for the specified purpose will be collected. Excessive or irrelevant data collection is prohibited to minimize risks and ensure compliance with data protection principles.

• Data Usage:

  • Authorized Access: Data usage is restricted to personnel who have been granted authority based on their role's requirements. This is managed under the principle of least privilege to prevent unnecessary access.

  • Purpose-Specific Processing: Data must be used exclusively for the purposes for which it was collected unless further use is legally permitted and justifiable. This ensures that data handling respects individuals' rights and regulatory obligations.

  • Monitoring and Auditing: Usage of data is subject to monitoring and auditing to detect and address any unauthorized or inappropriate access or use.

• Data Storage:

  • Security Measures: Data shall be stored using security measures appropriate to its classification. This includes encryption and secure access controls to protect against unauthorized access and data breaches.

  • Backups and Redundancy: Regular backups will be conducted for all critical data to ensure availability and recovery in case of data loss incidents. Backup data shall also adhere to security protocols to prevent unauthorized access.

• Data Retention:

  • Retention Periods: Data will be retained only for as long as necessary to fulfill its intended purpose or as required by law. Data Owners are responsible for determining and documenting these retention periods.

  • Review and Disposal: Periodic reviews of stored data will be conducted to identify data that is no longer needed. Data that has reached the end of its retention period will be securely disposed of in line with the Data Lifecycle - Destruction policy.

• Data Transfer:

  • Secure Transfers: When data needs to be transferred, it will be done using secure protocols to prevent unauthorized intercepts and ensure data integrity during transit.

  • Third-Party Sharing: Share data with third parties only if essential for business operations and if the third parties are compliant with equivalent data protection obligations. Data sharing agreements will be established to safeguard data during external transfers.

5. Data Security

• Access Control:

  • Principle of Least Privilege: Access to data is granted based on the minimum level of access necessary for an individual to perform their job functions. This principle helps limit exposure of sensitive data to only those who need it.

  • Authentication and Authorization: Robust authentication mechanisms, such as multifactor authentication, are implemented to verify the identity of users accessing the systems. Authorization controls ensure that users can access only the data and resources that they are permitted to use.

  • Auditing and Logging: Regular audits of access logs are conducted to monitor access patterns and detect any unauthorized attempts to access sensitive data. These logs are maintained to support incident investigations and compliance checks.

• Data Protection Measures:

  • Encryption: Sensitive data is encrypted both at rest and in transit using industry-standard encryption protocols. This protects data from unauthorized access and ensures data integrity.

  • Network Security: Network infrastructure is secured with firewalls, intrusion detection systems, and other security measures to protect data from external and internal threats. Regular vulnerability assessments and penetration testing help identify and address security gaps.

  • Endpoint Protection: All endpoint devices accessing company data are equipped with up-to-date security software, including antivirus and anti-malware tools. These measures help prevent data breaches originating from endpoint vulnerabilities.

• Incident Response:

  • Incident Detection: Systems are in place to detect and alert the Information Security Team of security incidents as they occur. Continuous monitoring helps to identify potential threats in real-time.

  • Response Protocols: An incident response plan outlines the steps to be taken in the event of a data breach or security incident. This includes incident containment, eradication, recovery, and communication processes.

  • Notification and Reporting: In the case of a data breach, affected parties are notified in accordance with legal requirements and company policy. Reporting procedures ensure that incidents are documented and reviewed for future prevention.

• Training and Awareness:

  • Employee Training: Regular training sessions are conducted for employees to raise awareness about data security threats and best practices. This includes phishing awareness, secure password management, and data protection protocols.

  • Security Culture: Encouraging a culture of security awareness helps employees recognize and respond to potential threats, reducing the risk of human error and insider threats.

• Supplier and Third-Party Security:

  • Vendor Assessments: Before engaging with third-party vendors, comprehensive security assessments are conducted to ensure their security measures meet company standards.

  • Data Sharing Agreements: Contracts with third parties include clauses on data protection responsibilities, security obligations, and breach notification requirements.

6. Data Lifecycle - Destruction

InContext Solutions Limited is committed to implementing effective data retention schedules to manage the lifecycle of different types of data we hold. These schedules are crucial for ensuring data is retained only as long as necessary to meet legal, regulatory, and business requirements, and for ensuring secure and compliant data destruction when no longer needed.

• Types of Data Stored:

  • Data Categories: We categorize data into types such as personal data, financial records, operational records, and more. Each category is assessed for its specific retention requirements.

  • Legal and Regulatory Requirements: Retention schedules take into account any applicable legal and regulatory obligations. This ensures compliance with laws such as GDPR, data protection regulations, and industry-specific mandates.

  • Business Requirements: Business needs for data retention, such as historical analysis or auditing, are considered alongside legal obligations when determining retention periods.

• Retention Period:

  • Defined Durations: Each type of data in our custody is assigned a specific retention period, which is clearly documented and reviewed regularly. The retention period is determined based on the category of data, its purpose, and any legal or business requirements.

  • Review and Update: Retention schedules are reviewed periodically to ensure alignment with changing legal requirements and business needs. Adjustments are made as necessary to remain compliant and efficient.

• Data Disposal/Removal/Destruction:

  • Secure Disposal Procedures: Once data has reached the end of its retention period, it is securely disposed of using methods that prevent unauthorized retrieval. These methods might include digital data wiping, degaussing, and physical destruction for media that cannot be wiped.

  • Documentation and Verification: The destruction of data is documented, including the date, method of destruction, and the responsible personnel. Regular audits are conducted to verify compliance with established procedures.

  • Technology and Tools: Appropriate tools and technologies are employed to ensure that data destruction is both effective and irreversible. These tools are chosen based on industry standards and internal security evaluations.

• Evidence of Compliance:

  • Record-Keeping: Comprehensive records are maintained to document compliance with data retention and destruction policies, which include retention schedules and destruction logs.

  • Review by Information Security Team: The Information Security Team regularly reviews compliance evidence to ensure adherence to policies and to prepare for audits or inspections by external entities if required.

  • Preparation for Effective Date: Prior to the effective date of this agreement, all processes and records related to data retention and destruction are reviewed and updated to meet the latest policy standards and requirements.

7. Risk Management

InContext Solutions Limited will develop and implement a comprehensive risk management policy aligned with recognized industry standards. This policy will focus on identifying, assessing, and mitigating risks related to data handling and protection.

• Risk Policy and Framework: The policy will provide a structured approach to managing risks across all departments and processes involving data. It will align with frameworks like ISO 31000 or NIST for best practices.

• Risk Assessment: We plan to conduct regular assessments to identify potential threats to our data assets. These assessments will help us understand vulnerabilities and the potential impact of security incidents.

• Mitigation Strategies: For identified risks, we will create strategies to reduce their likelihood or impact. This will include considering both technical and procedural solutions.

• Roles and Responsibilities: Assigning clear roles and responsibilities will ensure accountability and effective implementation of risk management practices.

• Compliance and Documentation: We'll maintain documentation of risk management activities to demonstrate compliance. Regular audits will be conducted to ensure ongoing effectiveness and adherence to industry standards.

Revision History