Data Security & Protection Policy
Summary
The Seven Steps Support Ltd Data Security Policy outlines the organization’s commitment to protecting the privacy, confidentiality, integrity, and availability of personal and sensitive data. This policy applies to all employees, contractors, and third parties who handle or access the organization’s data or systems.
The policy covers a wide range of data security aspects, including access control, data storage and transmission, network security, device security, security awareness and training, third-party service providers, data retention and disposal, data backup, physical security, security audits, change management, and data breach notifications. It also addresses data subject rights, responsibilities, vendor risk management, and business continuity and disaster recovery.
By implementing and adhering to this policy, Seven Steps Support Ltd aims to comply with relevant laws and regulations, such as GDPR, UK Laws, and CQC Regulations, while ensuring the protection of the personal and sensitive data of its clients, employees, and other stakeholders.
1. Purpose
This data security policy outlines the requirements and practices Seven Steps Support Ltd follows to ensure the confidentiality, integrity, and availability of the data we process, store, and transmit. The policy aims to protect the personal and sensitive information of our employees, clients, and stakeholders, and to ensure compliance with applicable laws and regulations, such as GDPR, UK laws, and CQC regulations.
2. Scope
This policy applies to all employees, contractors, and third-party service providers who access, process, or manage Seven Steps Support Ltd’s data, including the use of Google Workspace for Business, Amazon Web Services, Cognito Forms, Zapier, Slack, and Citation Atlas.
3. Data Classification
Data processed by Seven Steps Support Ltd is classified into the following categories:
- Internal: Employee personal information necessary for employment, and other general business data.
- Sensitive: Client personal information, health records, and other data required for providing support to adults with learning disabilities.
4. Data Protection Measures
a. Access Control:
- Access to sensitive data is restricted to authorized personnel on a need-to-know basis.
- Single Sign-On (SSO) and Two-Factor Authentication (2FA) are implemented for accessing critical systems.
b. Data Storage and Transmission:
- All data is stored in secure cloud storage solutions, such as Google Workspace for Business and Amazon Web Services.
- Data in transit is encrypted using SSL/TLS.
- Encryption at rest is used for data storage.
- Strict access controls are in place for data storage and transmission.
c. Network Security:
- Cloudflare Web Application Firewall (WAF) and strict firewall rules are in place to protect against external threats.
- Cloudflare Zero Trust is implemented to enhance security in remote access scenarios.
- WPA3 is used for Wi-Fi security.
- Network access is limited to authorized devices and users.
- Network devices are configured to automatically update firmware.
d. Device Security:
- BitLocker Drive Encryption is used to secure data stored on employees’ devices.
- Encryption is enforced on company smartphones.
- Remote wipe capabilities are enabled on smartphones.
- PIN and/or biometric authentication is enforced on devices.
- Strict password rules that require periodic changes are in place.
5. Risk Assessment
Seven Steps Support Ltd will conduct regular risk assessments to identify potential risks and vulnerabilities associated with data security, including hacking, data breaches, data leaks, and computer misuse. Based on the assessment, appropriate risk mitigation strategies and security controls will be implemented.
6. Incident Response Plan
In the event of a data breach or security incident, Seven Steps Support Ltd will:
- Notify the designated incident response team members.
- Investigate the incident to identify its source, scope, and potential impact.
- Contain the incident and implement necessary measures to prevent further damage.
- Notify affected individuals and relevant authorities, as required by law.
- Conduct a post-incident review and update the data security policy and procedures accordingly.
7. Security Awareness and Training
All employees are required to complete data governance training, which includes education on data security best practices, compliance with applicable laws and regulations, and incident reporting procedures.
8. Policy Compliance and Review
Seven Steps Support Ltd will monitor compliance with this policy and conduct regular reviews to ensure its effectiveness. Violations of this policy may result in disciplinary action, up to and including termination of employment.
9. Third-Party Service Providers
Seven Steps Support Ltd uses the following third-party service providers, which are required to meet GDPR requirements, have their own data security and privacy policy statements, and support data encryption in transit and at rest. All accounts with third-party providers have 2FA and complex passwords as a minimum.
- Google Workspace: Provides cloud-based productivity and collaboration tools, including email, documents, and storage.
- Amazon Web Services: Offers a range of cloud computing services, such as data storage and processing.
- Cloudflare: Supplies security and performance solutions for websites and networks, including DDoS protection, WAF, and Zero Trust.
- Cognito Forms: Enables the creation of online forms to collect client and staff information.
- Zapier: Automates workflows by connecting different applications and services for processing non-personally identifiable information.
- Slack: Offers a messaging platform for internal administration and management communication.
- Citation Atlas: Provides human resources management and support.
10. Data Retention and Disposal
Seven Steps Support Ltd retains data according to the following timespans:
- Risk assessments: Retain the latest risk assessment until a new one replaces it.
- Purchasing excluding medical devices and medical equipment: 18 months.
- General operating policies and procedures: Retain the current version and previous version for three years.
- Incidents, events, or occurrences requiring notification to the Care Quality Commission: Three years.
- Use of restraint or deprivation of liberty: Three years.
- Detention: Three years.
- Maintenance of the premises, equipment, and electrical testing: Three years.
- Fire safety, water safety, and medical gas safety, storage, and transport: Three years.
- Money or valuables deposited for safekeeping: Three years.
- Staff employment: Three years following the date of the last entry.
- Duty rosters: Four years after the year to which they relate.
- Purchasing of medical devices and medical equipment: 11 years.
- Final annual accounts: 30 years.
Physical records are securely shredded upon reaching the end of their retention period.
11. Data Backup
Seven Steps Support Ltd uses daily snapshots for data backup on Google Workspace and Amazon Web Services through Amazon S3. Data can be rolled back to any day within the past 30 days.
12. Physical Security
The organization employs the following physical security measures:
- Locked cabinets and safes for storing sensitive documents and equipment.
- Alarm systems to detect unauthorized access or security breaches.
- CCTV cameras for monitoring the premises.
13. Security Audits
Seven Steps Support Ltd conducts comprehensive security audits at least once a year to assess compliance with the data security policy and identify potential security gaps. The audit process includes reviewing access controls, data storage and transmission, network security, device security, and third-party service provider security.
14. Change Management
The organization follows a structured change management process to minimize the risk of introducing new security vulnerabilities when making changes to IT systems, applications, and infrastructure. This process includes:
- Assessing the potential security impact of proposed changes.
- Obtaining approval from relevant stakeholders before implementing changes.
- Testing changes in a controlled environment before deployment.
- Monitoring the effects of changes and addressing any security issues that arise.
15. Data Breach Notifications
In the event of a data breach, Seven Steps Support Ltd will:
- Notify the Information Commissioner’s Office (ICO), with which the organization is registered.
- Notify all affected and potentially affected parties.
- If the breach affects a client or vulnerable individual, contact the Care Quality Commission (CQC) and potentially raise a safeguarding concern.
These notifications will be made in accordance with legal and regulatory requirements.
16. Data Subject Rights
Seven Steps Support Ltd is committed to respecting the rights of data subjects under GDPR. This includes:
- Providing data subjects with access to their personal data upon request.
- Correcting inaccurate or incomplete personal data when informed by the data subject.
- Erasing personal data when it is no longer necessary for the purposes for which it was collected or when the data subject withdraws consent and there is no other legal ground for processing the data.
- Restricting the processing of personal data in certain circumstances, such as when the data subject contests its accuracy or objects to its processing.
- Complying with data portability requests by providing personal data in a structured, commonly used, and machine-readable format.
- Respecting data subjects’ rights to object to the processing of their personal data for specific purposes, such as direct marketing.
Data subjects can exercise their rights by contacting Seven Steps Support Ltd, and the organization will respond to requests in a timely manner and in accordance with GDPR requirements.
17. Regular Reviews and Updates
Seven Steps Support Ltd is committed to reviewing and updating the data security policy at least once a year or more frequently as needed. This ensures that the policy remains relevant and effective in addressing emerging technologies, regulatory changes, and evolving threats to data security.
18. Responsibilities
All staff at Seven Steps Support Ltd have a shared responsibility to protect personal and sensitive data. Specific responsibilities include:
- Management: Provide oversight and support for data security initiatives, ensure sufficient resources for data security, and create a culture of security awareness.
- IT Staff: Implement, monitor, and maintain data security measures, respond to security incidents, and provide guidance and training to employees.
- Individual Employees: Adhere to the data security policy, attend security awareness training, and report any potential security incidents or concerns to IT staff or management.
19. Vendor Risk Management
Seven Steps Support Ltd is committed to managing risks associated with third-party vendors who have access to the organization’s data or systems. To ensure the security and privacy of data shared with or accessed by vendors, the organization will:
- Conduct due diligence on potential vendors to assess their data security and privacy practices before entering into any agreements or granting access to data or systems.
- Incorporate data security and privacy requirements into vendor contracts, including obligations to comply with relevant laws, regulations, and industry standards.
- Monitor vendor performance and compliance with data security and privacy requirements throughout the duration of the contractual relationship.
- Require vendors to promptly notify Seven Steps Support Ltd of any security incidents affecting the organization’s data and cooperate in the investigation and remediation of such incidents.
By implementing a comprehensive vendor risk management program, the organization aims to minimize the risks associated with third-party relationships and maintain a high level of data security and privacy.
20. Business Continuity and Disaster Recovery
Seven Steps Support Ltd is committed to ensuring the continuity of operations and the recovery of critical systems and data in the event of a disaster or unexpected disruption. To achieve this, the organization will:
- Develop and maintain a business continuity plan that outlines the steps to be taken in response to various types of disruptions, such as natural disasters, cybersecurity incidents, or power outages.
- Establish a disaster recovery plan that specifies the procedures for recovering critical systems and data, including the restoration of backups and the use of alternative facilities, equipment, or services as needed.
- Regularly review and update the business continuity and disaster recovery plans to ensure their effectiveness and alignment with the organization’s evolving needs and objectives.
- Conduct periodic testing and training exercises to validate the plans and ensure that staff are familiar with their roles and responsibilities in the event of a disruption.
By implementing a comprehensive business continuity and disaster recovery program, Seven Steps Support Ltd aims to minimize the impact of disruptions on its operations and ensure the timely recovery of critical systems and data.
Data Risk Assessment
1. Introduction
This risk assessment aims to identify and evaluate potential data security risks facing Seven Steps Support Ltd and determine appropriate mitigation measures to address these risks. This assessment covers all aspects of data security, as outlined in the organization’s Data Security Policy.
2. Scope
This risk assessment applies to all Seven Steps Support Ltd employees, contractors, and third parties who handle or access the organization’s data or systems.
3. Risk Identification
The following risks have been identified:
- Unauthorized access or disclosure of personal and sensitive data
- Data loss or corruption due to hardware or software failure
- Data breaches caused by hacking, phishing, or other cyber-attacks
- Insider threats, such as malicious or negligent actions by employees or contractors
- Non-compliance with GDPR, UK Laws, or CQC Regulations
4. Risk Analysis
| Risk | Impact | Likelihood |
|---|---|---|
| Unauthorized access or disclosure of data | High | Medium |
| Data loss or corruption due to hardware failure | High | Low |
| Data breaches caused by cyber-attacks | High | Medium |
| Insider threats | Medium | Medium |
| Non-compliance with regulations | High | Low |
5. Risk Evaluation
Based on the risk analysis, the prioritized risks are:
- Unauthorized access or disclosure of personal and sensitive data
- Data breaches caused by hacking, phishing, or other cyber-attacks
- Non-compliance with GDPR, UK Laws, or CQC Regulations
- Insider threats
- Data loss or corruption due to hardware or software failure
6. Risk Mitigation
| Risk | Mitigation Measures |
|---|---|
| Unauthorized access or disclosure of data | Implement stronger access controls, such as multi-factor authentication; conduct regular access control reviews and audits; encrypt sensitive data at rest and in transit |
| Data breaches caused by cyber-attacks | Provide regular security awareness training for staff; implement advanced threat detection and response tools; regularly update and patch software and hardware |
| Non-compliance with regulations | Appoint a data protection officer (DPO); establish procedures to handle data subject requests and report data breaches; regularly review and update the Data Security Policy |
| Insider threats | Conduct thorough background checks on employees and contractors; implement strict access controls and segregation of duties; foster a security-aware culture within the organization |
| Data loss or corruption due to hardware failure | Regularly back up data and test backup procedures; implement redundancy and fault tolerance measures for critical systems; ensure timely replacement and maintenance of hardware |
7. Monitoring and Review
Seven Steps Support Ltd will monitor and review the identified risks and the effectiveness of the mitigation measures in place by:
- Updating the risk assessment at least annually, or more frequently if necessary
- Conducting periodic security audits to identify potential vulnerabilities and areas for improvement
- Tracking and analyzing data security incidents to identify trends and lessons learned