Data Transfer Policy

1. Introduction

Data can potentially be transferred in a wide variety of media and methods both into and out of our company, in electronic and/or paper format. In every transfer there is a risk that the information may be lost, misappropriated or accidentally released. Where this data is controlled data, this represents a risk to our company of breaching our responsibilities under the DPA and could lead to regulatory action, including significant fines.

2. Purpose and scope

This policy lays out the practical methods that need to be applied in undertaking a transfer of data, and will provide additional guidance more specifically on the transfers of controlled data. This policy is applicable to anyone handling sensitive information that may have a need to transfer client or company data, including:

• employees of the company
• contractors
• agency staff

3. Initial considerations

Before you undertake a physical data transfer, ensure you have the appropriate authorisation to do so. Bear in mind any restrictions in place for the sharing or transfer of controlled data.

• Never automatically assume someone is entitled to the information just because they have told you they need it, regardless of whether they are an internal or external requester.
• When dealing with third parties consider whether there are any data sharing agreements or contracts in place that cover the transfer of data. Check whether there are any stipulations in place regarding the method of transfer that should be used.
• Think about whether a non-disclosure agreement is required to cover security and use of the data.
• Check that you are not providing more information than is necessary for the identified purpose. Do not just send a whole document or spreadsheet because it is ‘easier’, when only one section or specific columns are required.
• Can the objective / purpose be met using anonymised data instead?
• Consider the most appropriate (not necessarily the easiest) transfer or access method.
• What risk does the transfer or access to information pose (if any)?
• For all transfers of information containing controlled data, it is essential that you appropriately establish the identity and authorisation of the recipient. N.B. If you are you are in doubt you should seek further advice from the ISMS Committee.

4. Data transfer methods

This section lists the main methods of data transfer and also sets out any restrictions and requirements for the secure transfer of controlled data. Before choosing your method of transfer you must consider the following:

• the nature of the information, its sensitivity, confidentiality or possible value
• the size of the data being transferred
• the damage or distress that may be caused to individuals as a result of any loss during transfer
• the implications any loss would have for the company You must only send information that is necessary for the stated purpose. You must remove any unnecessary data, and any data not required should be redacted or removed completely (as appropriate) before transfer.

4.1. Via email

There are 3 main email routes that can be considered when transferring data via email. These are outlined below, with relevant restrictions highlighted. All transfers of data by email must be done in a way that complies with the Acceptable Use Policy.

General email rules

• Secure email should not be used for transfer of large amounts of data or significant numbers of records.
• Information sent must, where practical, be enclosed in an attachment.
• Be careful as to what information you place in the subject line of your email or in the accompanying message. Filename or subject line must not reveal the full contents of attachments or disclose any sensitive personal data.

4.2. Via standard email “@Opusworks.com”

When sending information internally between “Opusworks.com” addresses, this is already secure and does not require any additional actions.

• All password(s) assigned to encrypted documents must conform to the minimum corporate Password Policy.
• All password(s) required to open the encrypted attached file must be transferred separately to the recipient either via a telephone call to an agreed number, or by slack or SMS text message
• Be careful as to what information you place in the subject line of your email or in the accompanying message. Filename or subject line must not reveal the contents of the encrypted file.

4.3. Telephone / mobile phone

As phone calls may be monitored, overheard or intercepted either deliberately or accidentally, care must be taken as follows:-

• Controlled data must not be transferred / discussed over the telephone unless you have confirmed the identity and authorisation of the recipient.
• When using voice mail do not leave sensitive or confidential messages, or include any personal data. Only provide a means of contact and wait for the recipient to speak to you personally.
• When listening to voice mail messages left for yourself, ensure you do not play them in open plan areas which risks others overhearing.

4.4. Sending information by post

You, as the sender, are responsible for making sure that:

• The postal address is correct.
• The envelope is clearly marked for the attention of the intended recipient.
• No information relating to another customer / service user has been included in error, either in a letter/email or an attached document.
• That you choose the most appropriate method of transfer.

You are responsible for the package up until its successful arrival at its destination. You must therefore ensure you choose the most appropriate method of transfer and mitigate any potential loss or risk to the information. Posting of sensitive / confidential data an extra level of protection must be applied when sending:

• a large amount (e.g. a file) of personal data or;
• Any amount of controlled data. It is essential that the document or file, whether sent on a media device or in paper form, is kept secure in transit, tracked during transit, and delivered to the correct individual. So you must ensure that:
• the package is securely and appropriately packed, clearly addressed and has a seal, which must be broken to open the package.
• the package must have a return address and contact details.
• the package must be received and signed for by the addressee, e.g. the use of special or recorded delivery. Successful delivery / transfer of the item must be checked as soon as possible. Any issues must be reported immediately to your account lead. NOTE: Staff members or teams who wish to send sensitive information in a way different to that prescribed above, must apply for a formal policy exception as outlined in the Policy Exception Policy, stating clear business reasons as to why an exception is required. An exception should be sought for one off requests as well as requests for an alternate way of working. Any exception granted will be reviewed annually. Staff who do not abide by the above requirements will be in breach of this policy, which may lead to disciplinary action.

4.5. Hand delivery / collection

Hand delivery or collection of a document is also an approved method of transfer. When arranging for an individual to collect information, you should be satisfied that your know that they are who they say they are and seek an appropriate form of identification before you hand over any documentation.

5. Transferring data outside of the United Kingdom / EEA

You must speak to the Information Security Management Team before agreeing or undertaking any transfers of any data outside of the EEA. This is especially important when handling controlled data. You must check, as part of information management due diligence that any service providers you procure are not planning to process personal data outside the EEA. E.g. some service providers may use cloud based systems for data storage which are not UK based. Principle Eight of the Data Protection Act 1998 (DPA), requires that personal data must not be transferred to a country or territory outside the European Economic Area (EEA) unless the country or territory can provide an adequate level of protection for the rights and freedoms of the individuals whose data is being transferred. It is important to note that all other principles of the Data Protection Act are still relevant and must be complied with.

6. Reporting data incidents

Staff must report any suspected or actual security breaches to the ISMS Committee

7. Policy review

This policy will be reviewed on an annual basis or sooner as is required where there are changes in legislation or recommended changes to improve best practice.

back