IT security policy | Chaser

Information security policy

1. Introduction

1.1 Chaser Technologies Limited (“Chaser”, “the Company”) is committed to the highest standards of information security and treats confidentiality and data security extremely seriously.

1.2 In relation to personal information, under Retained Regulation (EU) 2016/679, UK General Data Protection Regulation (UK GDPR), the Company must:

  • 1.2.1 use technical or organisational measures to ensure personal information is kept secure, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage;
  • 1.2.2 implement appropriate technical and organisational measures to demonstrate that it has considered and integrated data compliance measures into the Company’s data processing activities; and
  • 1.2.3 be able to demonstrate that it has used or implemented such measures.

1.3 The purpose of this policy is to:

  • 1.3.1 protect against potential breaches of confidentiality;
  • 1.3.2 ensure all our information assets and IT facilities are protected against damage, loss or misuse;
  • 1.3.3 support the Company’s Data Protection Policy in ensuring all staff are aware of and comply with UK law and the Company’s procedures applying to the processing of personal information; and
  • 1.3.4 increase awareness and understanding in the Company of the requirements of information security and the responsibility of staff to protect the confidentiality and integrity of the information that they themselves handle.

2. Definitions

For the purposes of this Policy:

business information: means business-related information other than personal information regarding customers, clients, suppliers and other business contacts of the Company;

confidential information: means trade secrets or other confidential information (either belonging to the Company or to third parties) that is processed by the Company;

personal information: (sometimes known as personal data) means information relating to an individual who can be identified (directly or indirectly) from that information;

pseudonymised: means the process by which personal information is processed in such a way that it cannot be used to identify an individual without the use of additional information, which is kept separately and subject to technical and organisational measures to ensure that the personal information cannot be attributed to an identifiable individual;

sensitive personal information: (sometimes known as ‘special categories of personal data’ or ‘sensitive personal data’) means personal information about an individual’s race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), genetic information, biometric information (where used to identify an individual) and information concerning an individual’s health, sex life or sexual orientation.

3. Roles and responsibilities

3.1 Information security is the responsibility of all staff. The Company’s Chief Executive Officer (CEO) Sonia Dorais is in particular responsible for:

  • 3.1.1 monitoring and implementing this policy;
  • 3.1.2 monitoring potential and actual security breaches;
  • 3.1.3 ensuring that staff are aware of their responsibilities; and
  • 3.1.4 ensuring compliance with the requirements of Retained Regulation (EU) 2016/679, UK GDPR and other relevant legislation and guidance.

4. Scope

4.1 The information covered by this policy includes all written, spoken and electronic information held, used or transmitted by or on behalf of the Company, in whatever media. This includes information held on computer systems, hand-held devices, phones, paper records, and information transmitted orally.

4.2 This policy applies to all staff, including employees, temporary and agency workers, other contractors, interns, volunteers and apprentices.

4.3 All staff must be familiar with this policy and comply with its terms.

4.4 The Company information covered by this policy may include:

  • 4.4.1 personal information relating to staff, customers, clients and suppliers;
  • 4.4.2 other business information; and
  • 4.4.3 confidential information.

4.5 This policy supplements the Company’s Data Protection Policy and other policies and privacy notices relating to data security and the contents of those policies must be taken into account, as well as this policy.

4.6 We will review and update this policy in accordance with our data protection and other obligations. It does not form part of any employee’s contract of employment and we may amend, update or supplement it from time to time. We will circulate any new or modified policy when it is adopted.

5. General principles

5.1 All Company information must be treated as commercially valuable and protected from loss, theft, misuse or inappropriate access or disclosure.

5.2 Personal information, and sensitive personal information, must be protected against unauthorised and/or unlawful processing and against accidental loss, destruction or damage, by the use of appropriate technical and organisational measures.

5.3 Staff should discuss with line managers the appropriate security arrangements and technical and organisational measures which are appropriate and in place for the type of information they access in the course of their work.

5.4 Company information (other than personal information) is owned by the Company and not by any individual or team.

5.5 Company information must be used only in connection with work being carried out for the Company and not for other commercial or personal purposes.

5.6 Personal information must be used only for the specified, explicit and legitimate purposes for which it is collected.

6. Information management

6.1 Personal information must be processed in accordance with:

  • 6.1.1 the data protection principles, set out in the Company’s Data Protection Policy;
  • 6.1.2 the Company’s Data Protection Policy generally; and
  • 6.1.3 all other relevant policies.

6.2 In addition, all information collected, used and stored by the Company must be:

  • 6.2.1 adequate, relevant and limited to what is necessary for the relevant purposes;
  • 6.2.2 kept accurate and up to date;

6.3 The Company will take appropriate technical and organisational measures to ensure that personal information is kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction or damage, including:

  • 6.3.1 pseudonymisation of personal information; and
  • 6.3.2 encryption of personal information.

6.4 Personal information and confidential information will be kept for no longer than is necessary.

7. Human resources information

7.1 Given the internal confidentiality of personnel files, access to such information is limited to Sonia Dorais (CEO) and Catarina Simeos (Operations Assistant). Except as provided in individual roles, other staff are not authorised to access that information.

7.2 Any staff member in a management or supervisory role or involved in recruitment must keep personnel information strictly confidential.

7.3 Staff may ask to see their personnel files and any other personal information in accordance with Retained Regulation (EU) 2016/679, UK GDPR and other relevant legislation. For further information, contact the CEO.

8. Computers and IT

8.1 Password protection and encryption must be used where available on Company systems in order to maintain confidentiality.

8.2 Computers and other electronic devices must be password protected and those passwords must be changed on a regular basis. Passwords must not be written down or given to others.

8.3 Computers and other electronic devices must be locked when not in use and when you leave your desk, to minimise the risk of accidental loss or disclosure.

8.4 Confidential information must not be copied onto floppy disk, removable hard drive, CD or DVD or memory stick/thumb drive without the express permission of the CEO and must be encrypted. Data held on any of these devices should be transferred to the Company’s computer network as soon as possible in order for it to be backed up and then deleted from the device.

8.5 All electronic data is securely backed up every 6 hours in our London servers.

8.6 Staff must ensure they do not introduce viruses or malicious code on to Company systems. Software must not be installed or downloaded from the internet without it first being virus checked. Staff should contact the CEO for guidance on appropriate steps to be taken to ensure compliance.

9. Communications and transfer of information

9.1 Staff must be careful about maintaining confidentiality when speaking in public places, eg when speaking on a mobile telephone.

9.2 Confidential information must be marked ‘confidential’ and circulated only to those who need to know the information in the course of their work for the Company.

9.3 All reasonable steps must be taken to ensure that the integrity of the information and confidentiality are maintained. Staff must ensure that confidential information is:

  • 9.3.1 stored on an encrypted device with strong password protection, which is kept locked when not in use;
  • 9.3.2 when in paper copy, not transported in see-through or other unsecured bags or cases;
  • 9.3.3 not read in public places (eg waiting rooms, cafes, trains); and
  • 9.3.4 not left unattended or in any place where it is at risk (eg in conference rooms, car boots, cafes).

9.4 Postal, document exchange (DX) and email addresses and numbers should be checked and verified before information is sent to them. Particular care should be taken with email addresses where auto-complete features may have inserted incorrect addresses.

9.5 All sensitive or particularly confidential information should be encrypted before being sent by email, or be sent by tracked DX or recorded delivery.

10. Personal email and cloud storage accounts

10.1 Personal email accounts (such as Yahoo, Google or Hotmail) and cloud storage services (such as Dropbox, iCloud and OneDrive) are vulnerable to hacking. They do not provide the same level of security as the services provided by our own IT systems.

10.2 Do not use a personal email account or cloud storage account for work purposes.

10.3 If you need to transfer a large amount of data, contact the CEO for help.

11. Home working

11.1 You should refer to the Company’s Homeworking Policy for further information.

12. Transfer to third parties

12.1 Third parties should be used to process Company information only in circumstances where appropriate written agreements are in place ensuring that those service providers offer appropriate confidentiality, information security and data protection undertakings. Consideration must be given to whether the third parties will be processors for the purposes of Retained Regulation (EU) 2016/679, UK GDPR.

12.2 Staff involved in setting up new arrangements with third parties or altering existing arrangements should consult the CEO for more information.

13. Overseas transfer

13.1 There are restrictions on international transfers of personal information and transfers to international organisations. Staff may only transfer personal information outside the UK, or to an international organisation, with the prior written authorisation of the CEO.

13.2 You should refer to the Company’s Data Protection Policy for further information on international transfers.

14. Training

14.1 All staff will receive training on this policy. New joiners will receive training as part of the induction process. Further training will be provided at least every two years or whenever there is a substantial change in the law or our policy and procedure.

14.2 Training is provided online.

14.3 Completion of training is compulsory.

14.4 The CEO will continually monitor training needs, but if you feel that you need further training on any aspect of the relevant law or our information management and security policy or procedures, please contact the CEO.

15. Reporting breaches

15.1 All members of staff have an obligation to report actual or potential data protection compliance failures. This allows the Company to:

  • 15.1.1 investigate the failure and take remedial steps if necessary;
  • 15.1.2 maintain a register of compliance failures; and
  • 15.1.3 make any applicable notifications.

15.2 Please refer to the CEO for our reporting procedure.

16. Consequences of failing to comply with this policy

16.1 The Company takes compliance with this policy very seriously. Failure to comply with it puts both staff and the Company at significant risk. The importance of this policy means that failure to comply with any requirement of it may lead to disciplinary action, which may result in dismissal.

16.2 Staff with any questions or concerns about anything in this policy should not hesitate to contact the CEO.

Last revised: June 2022