Data Security Policy


Shaping Tomorrow Ltd. (the Company) is responsible for the security and integrity of all data it holds. The Company must protect this data using all means necessary by ensuring at all times that any incident which could cause damage to the Company's assets and reputation is prevented and/or minimised. There are many types of incidents which could affect security:

A computer security incident is an event affecting adversely the processing of computer usage. This includes:

  • loss of confidentiality of information
  • compromise of integrity of information
  • denial of service
  • unauthorized access to systems
  • misuse of systems or information
  • theft and damage to systems
  • virus attacks
  • intrusion by humans

Other incidents include:

  • Missing correspondence
  • Exposure of Uncollected print-outs
  • Misplaced or missing media
  • Inadvertently relaying passwords

Ensuring efficient reporting and management of security incidents helps reduce and in many cases, prevent incidents occurring.


Management of security incidents described in this policy requires the Company to have clear guidance, policies and procedures in place.

The purpose of this policy is to:

  • Outline the types of security incidents
  • Detail how incidents can and will be dealt with
  • Identify responsibilities for reporting and dealing with incidents
  • Detail procedures in place for reporting and processing of incidents
  • Provide Guidance


This policy applies to:

  • The Company, it's contractors and vendors, and systems (including software) dealing with the storing, retrieval and accessing of data.

Policy Statement

  • The Company has a clear incident reporting mechanism in place which details the procedures for the identifying, reporting and recording of security incidents.
  • The Company, it's contractors and vendors are required to report all incidents - including potential or suspected incidents, as soon as possible.
  • The types of Incidents which this policy addresses include but is not limited to:
  • Computers left unlocked when unattended
  • All The Company, it's contractors and vendors need to ensure they lock their computers appropriately.

Password disclosures

Unique IDs and account passwords are used to allow an individual access to systems and data. It is imperative that individual passwords are not disclosed to others - regardless of trust. If an individual needs access to data or a system, they must go through the correct procedures for authorisation.

Virus warnings/alerts

All computers in use across the Council have Antivirus (including Anti-Spyware/Malware). For the most part, the interaction between the computer and antivirus software will go unnoticed by users of the computer. On occasion, an antivirus warning message may appear on the computer screen. The message may indicate that a virus has been detected which could cause loss, theft or damage to data. The warning message may indicate that the antivirus software may not be able to rectify the problem and so must be reported by the user as soon as possible.

Data loss/disclosure

The potential for data loss applies to any data which is:

  • Transmitted over a network and reaching an unintended, unauthorised -recipient (such as the use of e-mail to send sensitive data)
  • Intercepted over the internet through non secure channels
  • Posting of data on the internet whether accidental or intentional
  • Published on the Company's website and identified as inaccurate or inappropriate
  • Conversationally - information disclosed during conversation
  • Press or media - unauthorised disclosure by employees or an ill advised representative to the press or media
  • Data which can no longer be located and is unaccounted for on an IT system
  • Unlocked and uncollected print-outs from Multi-Function Devices (MFDs)
  • Paper copies of data and information which can no longer be located
  • Hard copies of information and data accessible from desks and unattended areas

The Company, it's contractors and vendors must act responsibly, professionally and be mindful of the importance of maintaining the security and integrity of Company and client data at all times.

Any loss of data and/or disclosure whether intentional or accidental must be reported immediately.

Physical Security

Maintaining the physical security of offices and rooms where data is stored, maintained, viewed or accessed is of paramount importance. Rooms or offices which have been designated specifically as areas where secure information is located or stored must have a method of physically securing access to the room - e.g. a combination key lock mechanism. Lower floor/level windows could also provide access to the room/office and must also be securely locked - particularly when the room is left unattended. Rooms which have not been secured should not be used to store sensitive and personal information and data - concerns about any rooms/office which should be securely locked or access restricted must be reported.

Logical Security / Access Controls

Controlling, managing and restricting access to the Authority's Network, Databases and applications is an essential part of Information Security.  It is necessary to ensure that only authorized employees can gain access to information which is processed and maintained electronically.

Missing correspondence

Data or information which has been sent either electronically or physically which cannot be accounted for e.g. not arrived at the intended destination via physical post, sent electronically, sent for printing but no printed output retrieved etc… must be reported.

Found correspondence/media

Data stored on any storage media or physically printed information which has been found in a place other than a secure location or a place where the security and integrity of the data/information could be compromised by unauthorised viewing and/or access e.g. unlocked printouts, discarded CD (media), must be reported.

Loss or theft of IT/information

Data or information which can no longer be located or accounted for e.g. cannot be found in a location where it is expected to be, filing cabinet etc… or which is known/or suspected to have been stolen needs to be reported immediately.


It is the responsibility for the Company, it's contractors and vendors who undertake work for the Company, on or off the premises to be proactive in the reporting of security incidents. The Company's Incident Reporting procedures are in place to prevent and minimise the risk of damage to the integrity and security of Company or client data and information.

It is also a responsibility of all individuals and handlers of Company and client data and information to ensure that all policies and procedures dealing with the security and integrity of information and data are followed.

Compliance with legal and contractual obligations

The Data Protection Act (1998) requires that personal data be kept secure against unauthorised access or disclosure.

The Computer Misuse Act (1990) covers unauthorised access to computer systems.

Breaches of Policy

Breaches of this policy and/or security incidents are incidents which could have, or have resulted in, loss or damage to Company or client assets, including IT equipment and information, or conduct which is in breach of the Company's security procedures and policies.

All The Company, it's contractors and vendors have a responsibility to report security incidents and breaches of this policy as quickly as possible. through the Company's Incident Reporting Procedure. This obligation also extends to any external organisation contracted to support or access the Information Systems of the Company.

In the case of third party vendors, consultants or contractors non-compliance could result in the immediate removal of access to the system. If damage or compromise of the Company's ICT systems or network results from the non-compliance, the Company will consider legal action against the third party. The Company will take appropriate measures to remedy any breach of the policy through the relevant frameworks in place.