This policy sets out the different areas where user privacy is concerned and outlines the obligations and requirements of the users, the website and website owners. Furthermore, the way this website processes, stores and protects user data and information will also be detailed within this policy.
The purpose of this document is to define the Dynavics Technology policy with regard to information, systems and communications security. This policy is applicable to all Dynavics permanent, contract and temporary personnel, and to all partners and third parties who have access to Dynavics systems and information.
The Directors of Dynavics are committed to ensuring that all information owned by Dynavics and by its customers and partners is protected in accordance with its level of confidentiality and sensitivity.
The principal objectives of this policy are:
To protect Dynavics information assets from all threats, whether internal or external.
To ensure that all Dynavics personnel and others with access to Dynavics information assets are fully aware of the requirements of information security.
To identify to all personnel their respective responsibilities in relation to the security of information.
To ensure that all personnel are aware of the requirement for them to comply with all Information Security related legislation.
To protect customer and partner information and assets.
To ensure that Dynavics meets or exceeds all aspects of recognised good security practice as defined in the current version of the security standard ISO27001.
2. Information Security
The purpose of information security is to ensure the continuity of business, and to minimise the impact of security related incidents. Information security enables information to be shared, while ensuring the protection of information and computing assets.
Information security has three basic components:
Confidentiality: assuring that sensitive or personal information or data is read only by authorised individuals, and is not disclosed to unauthorised individuals or the public.
Integrity: safeguarding the accuracy and completeness of information and software, and protecting it from improper modification.
Availability: ensuring that information, systems, networks and applications are available when required to departments, groups or users that have a valid reason and authority to access them.
There are three further controls which support these basic components:
Authentication – All persons and systems seeking access to our networked computer resources must first establish their identity to the organisation’s satisfaction.
Access Control – The privilege to view or modify information, software, or the systems on which the information resides, must be restricted to only those whose job functions absolutely require it.
Auditing – User access and activity on the organisation’s computers, firewalls and networks must be recorded and maintained in compliance with all security, retention, and regulatory requirements.
Information takes many forms; it may be processed and stored on computers or in other electronic form, printed or written on paper, shared through voice or video communications, transmitted through post or electronic means such as e-mail, blogs, social networking, instant messaging or fax, and may be made available on corporate videos or web sites. Whatever form the information takes, or the means by which it is shared, stored or processed, it should always be appropriately classified and protected.
Information systems and the information they process and store are a vital asset to Dynavics Technology. Dynavics is dependent on the availability of accurate, up to date information.
Any loss of information, computer systems or the data they contain could have serious repercussions on Dynavics and/or its customers and partners. A breach of security during processing, storage or transfer of data could result in financial loss, loss of business advantage, serious inconvenience or embarrassment, or even legal proceedings against the company, and possibly the individuals involved. In order to ensure the confidentiality, integrity and availability of these systems, a high level of security must be achieved and maintained. The level of security implemented on each of the various systems will be consistent with the designated security classification of the information and the environment in which it operates.
Specific security standards, procedures and guidelines will be published and updated from time to time to facilitate the implementation of this Security Policy.
Dynavics will provide procedures, processes and guidelines to ensure against the unauthorised modification, destruction or disclosure of information or data whether accidental or intentional. Within Dynavics, access to information will be restricted to those personnel with a valid business requirement.
All computer systems will be protected with anti-virus software, which will be updated regularly. Scans will be carried out periodically on all servers, workstations and laptops, and virus definitions will be updated each weekday. Updates and scans will be automatic for every machine and must not be turned off or bypassed.
Dynavics will take appropriate steps to prevent, detect and recover from any loss or incident, whether accidental or malicious, including error, fraud, damage and disruption to, or loss of computing or communications facilities.
Dynavics uses various software packages, which will not be modified other than application of manufacturer’s software patches and upgrades following successful testing.
Software developed within Dynavics will be subject to strict project control and change management, and will include risk assessment and security sign-off to ensure that appropriate protection of information is always considered.
A security risk assessment will be carried out on each category of information asset to identify the level of protection required. The security and control procedures required will take account of the sensitivity and value of the information.
All business units within Dynavics must have business continuity plans for information that is deemed to be critical. These plans will be co-ordinated to avoid conflict of interest and priorities.
This Policy is applicable to:
All Dynavics Technology information, information owned by its partners and customers, and information about its partners and customers. For the purpose of this document, this will be referred to as Dynavics Information.
All Dynavics permanent, contract and temporary personnel, and all third parties and partners who have access to Dynavics premises, systems and information.
All Dynavics computer systems, software, and information created, held or used on those systems. Printed output from all Dynavics systems is also in the scope of this policy.
All means of communicating information, both within Dynavics and externally. These include data and voice transmissions, e-mails, post, fax, telex, and voice and video conferencing.
4.1. Chief Executive
The Chief Executive of Dynavics is ultimately responsible for the protection of the organisation’s information and for ensuring the implementation of this Security Policy.
4.2. Information Security Officer
The Information Security Officer will act as the focus for all Information security issues; he will be responsible for the operational security of the Company’s IT infrastructure, and for implementing approved recommendations and policies.
His responsibilities include:
Leading the formulation of Information Security Policies, procedures and guidelines, and obtaining Executive approval for these documents.
Providing security awareness induction and ongoing training programmes to ensure that all employees have a full understanding of the importance of security, and of the requirement for their compliance with the Security Policies.
Identification of specific training for Information Security specialists, and for non-specialists who require a level of knowledge in the subject.
Monitoring security compliance on a day-to-day basis.
Providing support to Management at all levels on their basic responsibilities in the enforcement of Security Compliance.
Identifying areas of security risk, and providing advice regarding actions that may be taken to minimise and manage these risks.
Advising Management on the requirement for, and implementation of, security programmes.
Reviewing the adequacy of business continuity plans and tests.
Maintaining security documentation.
Assisting users in the development and implementation of operating procedures, security controls and products in compliance with the Security Policies.
Identifying areas of improvement required to meet or exceed Security Best Practice as defined by the current version of ISO27001.
4.4. Chief Executive
It is the responsibility of all employees to ensure that they conduct their business in accordance with this Policy.
All employees are required to familiarise themselves with this Policy, and all applicable supporting Policies, Procedures, Standards and Guidelines. Compliance with this Policy is mandatory, and any employee failing to comply may be subject to disciplinary procedures.
Employees responsible for the management of third parties must ensure that those third parties are contractually obliged to comply with this Policy, and that they are aware that failure to comply may lead to contract termination.
Users of systems and information must:
Only access systems and information, including reports and paper documents, to which they are authorised.
Use systems and information only for the purposes for which they have been authorised.
Comply with all appropriate legislation, and with the controls defined by the Information Owner, and all corporate Policies, Standards, Procedures and Guidelines.
Not disclose confidential information to anyone without the permission of the Information Owner.
Notify the Information Security Officer of any actual or suspected breach of Information Security, or of any perceived weakness in the organisation’s Security Policies, Procedures, Practices, Process or infrastructure.
Protect assets from unauthorised access, disclosure, modification, destruction or interference.
4.5. Human Resources
Human Resources are responsible for ensuring that Dynavics recruits trustworthy employees, and that all employees are aware of their responsibilities regarding information security. Their responsibilities include:
Pre-employment reference checking in line with the role.
Ongoing vetting as required by role changes or customer requirements.
Obtaining signed non-disclosure agreements from every employee.
Arranging induction training for new employees; this training is to include security awareness.
Taking disciplinary action in the event of misconduct, and non-compliance with Security Policies.
Ensuring that user administrators receive prompt notification of employee moves and departures.
5. Review of Information Security Policy
This policy will be reviewed on an annual basis by the Information Security Officer, and the results of the review will be submitted to the Chief Executive. Any resulting changes will be formally advised to all Dynavics employees and contractors.
In the event of a security incident, the policy will be reviewed for effectiveness, and modified if appropriate.
Appendix A: Applicable Legislation
Dynavics employees will comply with all current legislation. Some of the key laws relating to information security are outlined below. For further information on any legislation, refer to the Information Security Officer.
Data Protection Act 1998 and EU Directive on Data Protection
Personal information relating to identifiable individuals must be kept accurate and up to date. It must be fairly obtained and securely stored. Personal information may only be disclosed to people who are authorised to use it.
The Data Protection Act lists the eight principles in the following terms.
- Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless: (a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Further information on the Act can be obtained from the Data Protection Officer, or from the Information Security Officer.
Copyright, Patents and Designs Act 1988
Documentation must be used strictly in accordance with current applicable copyright legislation, and software must be used in accordance with the licence restrictions. Unauthorised copies of documents or software may not be made under any circumstances.
Patents Act 1997
Covers the protection of designs and inventions, and the process for applying for patents.
Computer Misuse Act 1990
This Act addresses the following offences:
Unauthorised access to computer material.
Unauthorised access with intent to commit or facilitate commission of further offences.
Unauthorised modification of computer material.
Regulation of Investigatory Powers Act 2000 (RIPA)
This Act provides for, and regulates the use of, a range of investigative powers, by a variety of public authorities. It updates the law on the interception of communications to take account of technological change such as the growth of the Internet. It puts other intrusive investigative techniques on a statutory footing for the very first time; provides new powers to help combat the threat posed by rising criminal use of strong encryption; and ensures that there is independent judicial oversight of the powers in the Act.
Electronic Communications Act 2000
This Act supports the use of encryption and digital signatures. Dynavics will only use cryptographic technologies that comply with the laws of each country within which Dynavics uses, purchases or provides them. Dynavics does not use PKI, or any other form of encryption that is not incorporated into proprietary packages or network solutions.
Code on Employers Monitoring Practices
Part 3 of the Employee Practices Data Protection Code provides best practice guidance on the monitoring of emails, phone calls and internet access in the context of the Data Protection Act.
EU Directive on Privacy and Electronic Communications
Defines legal standards for the processing of personal data, and the protection of privacy in the electronic communications sector.
Human Rights Act 1998
Based on the European Convention on Human Rights.
Working time directive
Defines maximum working hours and minimum breaks from work.
Health and Safety at Work Act 1974
The primary legislation covering health and safety in the UK, making provision for securing the health, safety and welfare of persons at work, and for protecting others against risks to health and safety.
Liability Insurance Policy
This policy includes requirements for compliance with legislation such as the Health and Safety at Work Act.
6. The Website
Our website and its owners take a proactive approach to user privacy and ensure the necessary steps are taken to protect the privacy of their users throughout their visiting experience. Our website complies with all UK national laws and requirements for user privacy.
What are cookies?
Cookies are small files saved to the user’s hard drive that track, save and store information about the user’s interactions with and usage of the website. This allows the website, through its server, to provide users with a tailored experience within this website.
We use anonymous session cookies (short-term cookies that disappear when you close your browser) to help you navigate the website and make the most of the features. If you log into the website, application or a course as a registered user, your session cookie will also contain your user ID so that we can check which services you are allowed to access.
Should users wish to deny the use and saving of cookies from our website onto their computer’s hard drive, they should take necessary steps within their web browser’s security settings to block all cookies from our website and its external serving vendors.
8. Personal Information
Whilst using our website, software applications or services, you may be required to provide personal information (name, address, email, etc.). We will use this information to administer our website, applications, client databases and marketing material. We will ensure that all personal information supplied is held securely in accordance with the General Data Protection Regulation (EU) 2016/679, as adopted into the law of the United Kingdom in the Data Protection Act 2018.
Further, by providing telephone, mobile and email details, you consent to Dynavics Ltd contacting you, using that method. You have the right at any time to request a copy of the personal information we hold on you. Should you wish to receive a copy of this, or would like to be removed from our database, please contact us at firstname.lastname@example.org.
9. Information Collection and Use
How do we collect information?
Dynavics Ltd collects information in two possible ways:
1. When you directly give it to us (“Directly Provided Data”)
When you sign up for our site, purchase our products or communicate with us, you may choose to voluntarily give us certain information – for example, by filling in text boxes or completing registration forms. All this information requires a direct action by you at that time in order for us to receive it.
2. When you give us permission to obtain from other accounts (“User Authorised Data”)
Depending on your settings or the privacy policies for other online services, you may give us permission to obtain information from your account with those other services. For example, this can be via social media or by choosing to send us your location data when accessing our website from your smartphone.
How long do we keep your data for?
Dynavics Ltd will not retain your personal information longer than necessary. We will hold onto the information you provide either while your account is in existence, or as needed to be able to provide the Services to you, or (in the case of any contact you may have with our Support Team) for as long as is necessary to provide support-related reporting and trend analysis only.
If legally required or if it is reasonably necessary to meet regulatory requirements, resolve disputes, prevent fraud and abuse, or enforce our Terms and Conditions, we may also retain some of your information for a limited period of time as required, even after you have closed your account, or it is no longer needed to provide the Services to you.
10. Registration Forms
Dynavics Ltd will not sell or rent your personally identifiable information, gathered as a result of filling out the site registration form, to anyone.
Choosing how we use your data
We understand that you trust us with your personal information and we are committed to ensuring you can manage the privacy and security of your personal information yourself.
With respect to the information relating to you that ends up in our possession, and recognising that it is your choice to provide us with your personally identifiable information, we commit to giving you the ability to do all of the following:
You can verify the details you have submitted to Dynavics Ltd. by contacting our marketing team – email@example.com. Our security procedures mean that we may request proof of identity before we reveal information, including your e-mail address and possibly your address.
You can also contact us by the same method to change, correct, or delete your personal information controlled by Dynavics Ltd regarding your profile at any time. Please note though that, if you have shared any information with others through social media channels, that information may remain visible, even if your account is deleted.
You are also free to close your account through our account settings. If you do so, your account will be deactivated. However, we may retain archived copies of your information as required by law or for legitimate business purposes (including to help address fraud and spam).
You can always feel free to update us on your details at any point by emailing firstname.lastname@example.org.
You can unsubscribe from receiving marketing emails from us by clicking the “unsubscribe” link at the bottom of any email. Once you do this, you will no longer receive any emails from us.
You can request a readable copy of the personal data we hold on you at any time. To do this, please contact us at email@example.com.