• Data Protection Policy

    • Purpose

      This document applies to data collected and/or stored digitally by Fresh Information Limited (Fresh Info).  Fresh Info understands and accepts that there are security risks associated with hosting data on the internet or hardware connected to the internet.  Fresh Info also understands that having sound data security policies and practices and vigilant staff cannot eliminate the risks completely.  The key tenet of Fresh Info’s data protection policy is to take reasonable and practical steps to avoid a breach in the first place by following industry best practice.

      Definitions

      Service Data means any data collected and/or stored digitally by Fresh Info, including backups.

      Personal Data means any data that allows an individual person or organisation to be identified.

      Representative means an employee, vendor, contractor, distribution partner and/or business partner of Fresh Info.

      Service Accounts means any accounts used by Representatives to capture, store or analyse data.

      Applicability & review period

      This policy applies to all Fresh Info employees. Relevant sections of this policy apply to vendors, contractors, and business partners.  This policy shall be reviewed at least annually and updated as required to reflect changes to business objectives and/or the risk environment.

    • Data protection principles

      Personal data

      Personal data shall be:

      •  Processed lawfully, fairly and in a transparent manner in relation to individuals;
      •  Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.  Further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes;
      •  Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
      •  Accurate and, where necessary, kept up to date.  Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
      •  Kept in a form which permits identification of an individual person or organisation for no longer than is necessary for the purposes for which the personal data are processed.  Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures in order to safeguard the rights and freedoms of individuals; and
      •  Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

      General staff guidelines

      Employees should keep all data secure by taking sensible precautions and following the guidelines below.

      •  The only people able to access Service Data should be those who need it for their work associated with Fresh Info.
      •  Service Data should not be shared informally.
      •  All Service Accounts used by Representatives must have strong passwords with a minimum of 8 characters and a mix of cases and numbers and/or punctuation.
      •  Service Account passwords must never be shared.
      •  When working with Service Data, employees should ensure their computer screens are locked whenever left unattended.
      •  Employees should not save copies of Service Data to local drives on their computers. They should access and update the central copy of any data.

      Data storage

      These rules describe how and where Service Data should be safely stored.

      •  Service Data will be stored securely while it is at rest.
      •  Backups of Service Data may be taken outside of this environment for debugging or statistical purposes. The backup may only exist on Fresh Information authorized machines approved by management. No copies of the backup may be transferred to any other media for any other purpose without prior permission.

      Fresh Info hardware

      •  All Fresh Info networks will be isolated from the internet via firewalls and/or routers that are configured to deny untrusted traffic by default.
      •  Any hardware device that will be connected to any Fresh Info network (including the networks of Fresh Info contractors) must be approved by management and be protected prior to connection.
      •  Prior to connection, all devices must have (where the option exists):
        • (i) Strong passwords (a minimum of 8 characters long with a mix of case and numbers and/or punctuation).
        • (ii) The latest security patches applied.
        • (iii) Security patches configured to install automatically or, where this is not possible, a roster developed for installing patches on the hardware at least once a month.
        • (iv) Manufacturer recommended anti-virus software installed with the latest virus definitions applied and a clean scan completed.
        • (v) For employee computers, individual logins are required, with automatic password/PIN re-entry required after a maximum of 15 minutes of inactivity.

      Online platform development

      These rules are applicable to Fresh Info’s online platforms.

      •  Code of Fresh Info’s online platforms will be reviewed at least annually for vulnerability against known attacks.
      •  Code updates will be committed to the code repository with changes tracked before deployment.
      •  All current automated tests including security tests must be run against the code and must pass before each deployment.

      Security requirements falling outside of policy

      Any security requirement arising that is not expressly addressed by this document will be reviewed by management and system administrators utilising a best practice approach that will attempt to balance risk factors against business/user requirements.

      Disclosing data for other reasons

      In certain circumstances, personal data can be disclosed to law enforcement agencies without the consent of the data subject.

    • Last updated 13 March 2020.