Our information security policy and the related sub-policies are based upon the ISO 27001 standard for security. They provide a structure from which Unity can develop, put in place and measure effective security management.
The Information Commissioner’s Office has the power to hand out fines of up to €20,000,000 for breaches of the data protection legislation. They also have the authority to carry out checks on organisations to make sure their processes follow good practice.
Why we have this policy
Information is an asset that has value to Unity and needs to be suitably protected.
The reason we need to keep our information secure is to preserve the confidentiality, integrity, availability and resilience of it. By keeping our information secure, we ensure business continuity and limit any damage to Unity and/or clients, customers, and/or any legal challenge.
The purpose of information security management is to allow information to be shared and protected whether that information is held electronically or on paper.
We have a legal duty to put appropriate organisational and technical safeguards in place to ensure the security of personal data and to protect the information under its control.
Who this policy applies to
This policy applies to (but may not be limited to) all Unity committees, departments, partners, employees of Unity, contractors, agency staff, voluntary agencies of Unity who have access to information systems or information (electronic and paper records) used for Unity purposes.
Any person found to have breached this policy or any of the related sub-policies, may be considered as an act of gross misconduct and may result in disciplinary action, possibly leading to dismissal.
Managers are responsible for making sure their staff understand and follow this policy.
If you do not understand any part of this policy or any of the associated sub-policies or how they may apply to you, you must seek advice from your manager.
The term “Unity information” covers all information for which Unity is the information owner – this is not limited to personal information but also includes any information which is not known to the public.
Unity is responsible for the information it holds, whether it is personal information, business information or information held on behalf of a third party. Unity has a responsibility to ensure that there are no breaches in relation to:
- Data Protection legislation / General Data Protection Regulations
- Human Rights
- Freedom of Information
- Intellectual Property
- Regulation of Investigatory Powers Act
- Lawful Business Practice Regulations
- Other related legislation
- Standards of practice and conduct
The purpose of this policy is to protect Unity’s information from all threats, whether internal or external, deliberate or accidental. This will ensure business continuity, minimise business damage and maximise return on investments and business opportunities.
Unity is committed to protecting information through preserving:
Confidentiality: We will prevent information being accessed, used by and/or disclosed to unauthorised individuals, entities or processes.
Integrity: We will safeguard the accuracy and completeness of information. This may include proving that an action or event has taken place so that it cannot be disputed at a later date.
Availability: We will make information accessible and usable on demand by an authorised person or process.
Resilience: We will ensure systems can continue operating under adverse conditions, such as those that may result from a physical or technical incident, and have the ability to restore them to an effective state.
The principles of information security used by us are based on ISO27001, a family of standards which help organisations to keep their information secure.
We will assess the risks associated with protecting information and will use physical assets, people, technology and procedures to make sure security measures are appropriate. Unity will take into account developments in technology, including costs and how easy it is to implement, in order to achieve an appropriate level of security for the nature of the information and the impact a security breach would have on the organisation.
Some aspects of Unity’s information security are governed by other legislation including:
- The Freedom of Information Act 2000
- The Human Rights Act 2000
- The Electronic Communications Act 2000
- Regulation of Investigatory Powers Act 2000
- General Data Protection Regulation 2018
- Data Protection Act 2018
- The Copyright Designs and Patents Act 1998
- The Computer Misuse Act 1990
Data protection and privacy must be guaranteed dependent on relevant legislation, regulations, and if applicable, contractual clauses.
Records must be protected from loss, damage, destruction and forgery, in line with statutory, regulatory, contractual, and business requirements.
Unity committees, departments, partners, employees, contractors and voluntary agencies of Unity are all required to keep Unity information confidential and may only disclose it with legal permission. Unity will provide guidance and training to enable them to understand and carry out their responsibilities in respect of information security.
All users should be aware that use of PCs, laptops, iPads can be monitored. Email and internet usage is monitored and recorded centrally. The Authority reserves the right to monitor the content of e-mail and internet transactions. The monitoring is carried out so that the organisation:
- can plan and manage its resources effectively;
- ensures that users act only in accordance with policies and procedures;
- ensures that standards are maintained;
- can prevent and detect any crime;
- can investigate any unauthorised use.
Monitoring of content will only be carried out by authorised staff. These arrangements will be applied to all users and may include checking the contents of equipment, email messages and internet usage for the purpose of:
- establishing the existence of facts relevant to the business, client, supplier and related matters;
- ensuring standards which are being achieved by those using the facilities;
- preventing or detecting crime;
- investigating or detecting unauthorised use of email and internet facilities;
- ensuring effective operation of email and internet facilities;
- determining if communications are relevant to the business.
Where anyone suspects that resources or facilities are being abused by a user, they should contact their line manager or Human Resources advisor. This can then be investigated and work carried out with Unity to provide evidence and audit trails of access to systems.
Where an employee suspects that facilities are being abused by a member, they should contact the Chief Operating Officer who can then require an investigation to be carried out.
- Individual Responsibilities
All managers must accept responsibility for initiating, applying and keeping to Unity’s information security standards.
All non-managerial employees, contractors, agency staff, volunteers etc. must take responsibility for maintaining standards by following the controls which apply to them. If they are unsure of their responsibilities they should seek clarification from their immediate line manager.
Support and Training
We are committed to providing all employees with the information they need to make sure they can comply with this policy and all related policies, procedures and guidelines.
Training and awareness activities will be offered on a regular basis and where circumstances allow, specific in house sessions can be arranged.
Authority for this policy
This policy is owned by the senior management team on behalf of the Senior Information Risk Officers.
This delegation is to establish and approve internal policies dealing with all aspects of the management of our information security, records and information governance.
The Managing Director is ultimately accountable for this policy and Senior Risk Information Officers are responsible for implementing it.