Privacy Policy
MIALDN.Com Limited (t/a “Eta & Associates”)
Company Number: 10403170
Address: FORA Melcombe Place, 12 Melcombe Place, Marylebone, London, United Kingdom NW1 6JJ
Website: etaandassociates.com
Last Updated: 1 July 2024
Information Security Policy
(this “Policy”)
- Introduction
- The Practice is committed to the highest standards of information security and treats confidentiality and data security extremely seriously.
- In relation to personal data, under Assimilated Regulation (EU) 2016/679, UK General Data Protection Regulation (UK GDPR), the Practice is required to:
- use technical or organisational measures to ensure personal data is kept secure, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage;
- implement appropriate technical and organisational measures to demonstrate that it has considered and integrated data compliance measures into the Practice’s data processing activities; and
- be able to demonstrate that it has used or implemented such measures.
- The purpose of this Policy is to:
- protect against potential breaches of confidentiality;
- ensure all our data assets and IT facilities are protected against damage, loss or misuse;
- ensure that all clients and stakeholders are aware of and comply with UK law and the Practice’s procedures applying to the processing of personal data; and
- increase awareness and understanding in the Practice of the requirements of information security and the responsibility of staff to protect the confidentiality and integrity of the data that they themselves handle.
- Definitions
For the purposes of this Policy:
business information
means business-related information other than personal information regarding customers, clients, suppliers and other business contacts of the Practice;
confidential information
means trade secrets or other confidential information (either belonging to the Practice or to third parties) that is processed by the Practice;
personal data
(sometimes known as personal information) means data relating to an individual who can be identified (directly or indirectly) from that data;
Practice
means MIALDN.COM Limited (trading as ‘Eta & Associates’) incorporated and registered in England and Wales with company number 10403170, whose address is Eta & Associates, FORA Melcombe Place, 12 Melcombe Place, Marylebone, London, United Kingdom NW1 6JJ;
pseudonymised
means the process by which personal data is processed in such a way that it cannot be used to identify an individual without the use of additional data, which is kept separately and subject to technical and organisational measures to ensure that the personal data cannot be attributed to an identifiable individual; and
special category data
(formerly ‘sensitive personal data’) means personal data about an individual’s race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), genetic data, biometric data (where used to identify an individual) and data concerning an individual’s health, sex life or sexual orientation.
- Roles and responsibilities
- Information security is the responsibility of all of our staff. The Practice’s data protection officer (DPO) is in particular responsible for:
- monitoring and implementing this Policy;
- monitoring potential and actual security breaches;
- ensuring that staff are aware of their responsibilities; and
- ensuring compliance with the requirements of Assimilated Regulation (EU) 2016/679, UK GDPR and other relevant legislation and guidance.
- Scope
- The information covered by this Policy includes all written, spoken and electronic information held, used or transmitted by or on behalf of the Practice, in whatever media. This includes information held on computer systems, hand-held devices, phones, paper records, and information transmitted orally.
- This Policy applies to all Practice staff, including employees, temporary and agency workers, other contractors, interns, volunteers and apprentices, and all staff are required to be familiar with this Policy and comply with its terms.
- The Practice information covered by this Policy may include:
- personal data relating to staff, customers, clients, suppliers;
- other business information; and
- confidential information.
- This Policy supplements other internal Practice policies and the contents of those policies are required to be taken into account by staff, as well as this Policy.
- This Policy has been drafted with the assistance of a representative group of employees to ensure that it is clear and easy to understand. We will review and update this Policy regularly in accordance with our data protection and other obligations. We may amend, update or supplement it from time to time.
- General principles
- All Practice information is required to be treated as commercially valuable and protected from loss, theft, misuse or inappropriate access or disclosure.
- Personal data and special category data is required to be protected against unauthorised and/or unlawful processing and against accidental loss, destruction or damage, by the use of appropriate technical and organisational measures.
- Staff are required to discuss with line managers the appropriate security arrangements and technical and organisational measures which are appropriate and in place for the type of information they access in the course of their work.
- Practice information (other than personal data) is owned by the Practice and not by any individual or team.
- Practice information is required to be used only in connection with work being carried out for the Practice and not for other commercial or personal purposes.
- Personal data is required to be used only for the specified, explicit and legitimate purposes for which it is collected.
- Information management
- Personal data is processed in accordance with our data protection principles, and all of our other relevant policies.
- In addition, all information collected, used and stored by the Practice is required to be:
- adequate, relevant and limited to what is necessary for the relevant purposes;
- kept accurate and up to date;
- The Practice will take appropriate technical and organisational measures to ensure that personal data is kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction or damage, including:
- pseudonymisation of personal data; and
- encryption of personal data.
- Personal data and confidential information will be kept for no longer than is necessary and stored and destroyed in accordance with our internal policies and applicable law.
- Human resources information
- Given the internal confidentiality of personnel files, access to such information is limited to certain senior staff members. Except as provided in individual roles, other staff are not authorised to access that information.
- Any staff member in a management or supervisory role or involved in recruitment is required to keep personnel information strictly confidential.
- Staff may ask to see their personnel files and any other personal data in accordance with Assimilated Regulation (EU) 2016/679, UK GDPR and other relevant legislation.
- Access to offices and information
- Office doors, keys and access codes are required to be kept secure at all times and keys or access codes are not to be given or disclosed to any third party at any time.
- Documents containing confidential information and equipment displaying confidential information should be positioned in a way to avoid them being viewed by people passing by, e.g. through office windows.
- Visitors are required to sign in at reception, to be accompanied at all times and never to be left alone in areas where they could have access to confidential information.
- Wherever possible, visitors should be seen in meeting rooms. If it is necessary for a member of staff to meet with visitors in an office or other room which contains Practice information, then steps should be taken to ensure that no confidential information is visible.
- At the end of each day, or when desks are unoccupied, all paper documents, backup systems and devices containing confidential information are required to be securely locked away.
- Computers and IT
- Password protection and encryption is required to be used where available on Practice systems in order to maintain confidentiality.
- Computers and other electronic devices are required to be password protected and those passwords are required to be changed on a regular basis. Passwords are required not to be written down or given to others.
- Computers and other electronic devices are required to be locked when not in use and when you leave your desk, to minimise the risk of accidental loss or disclosure.
- Confidential information is required not to be copied onto floppy disk, removable hard drive, CD or DVD or memory stick/thumb drive without the express permission of the Practice’s director. Data held on any of these devices should be transferred to the Practice’s computer network as soon as possible in order for it to be backed up and then deleted from the device.
- All electronic data is required to be securely saved on the cloud (and backed up, where the facilities are available) at the end of each working day. For documents worked on within our internal cloud systems, data is typically saved on the cloud in real time.
- Staff are required to ensure they do not introduce viruses or malicious code onto Practice systems. Software is required not to be installed or downloaded from the internet without it first being virus checked.
- Communications and transfer of information
- Staff are required to maintain confidentiality when speaking in public places.
- Confidential information is required to be kept confidential and circulated only to those who need to know the information in the course of their work for the Practice.
- Confidential information is required not to be removed from the Practice’s offices unless required for authorised business purposes, and then only in accordance with paragraph 10.4 below.
- Where confidential information is permitted to be removed from the Practice’s offices, all reasonable steps are required to be taken to ensure that the integrity of the information and confidentiality are maintained. Staff are required to ensure that confidential information is:
- stored on a device with strong password protection, which is kept locked when not in use;
- when in paper copy, not transported in unsecured bags or cases;
- not read in public places; and
- not left unattended or in any place where it is at risk (e.g. in conference rooms, car boots, cafes).
- Postal, document exchange (DX) and email addresses and numbers should be checked and verified before information is sent to them. Particular care should be taken with email addresses where auto-complete features may have inserted incorrect addresses.
- All sensitive or particularly confidential information should be encrypted before being sent by email, or be sent by tracked DX or recorded delivery.
- Personal email and cloud storage accounts
Employees are required not to use a personal email account or personal cloud storage account for work purposes.
- Home working
- Staff are required to only access Practice information at home where required for authorised business purposes, and then only in accordance with paragraph 12.2 below.
- Where staff are permitted to access Practice information at home, staff are required to ensure that appropriate technical and practical measures are in place within the home to maintain the continued security and confidentiality of that information. In particular:
- personal data and confidential information is required to be kept in a secure and locked environment where it cannot be accessed by family members or visitors; and
- all personal data and confidential information is required to be retained and disposed of in accordance with paragraph 6.4 above.
- Staff are required to only use confidential information on their home computers for authorised business purposes.
- Transfer to third parties
Third parties should be used to process Practice information only in circumstances where appropriate written agreements are in place ensuring that those service providers offer appropriate confidentiality, information security and data protection undertakings. Consideration is required to be given to whether the third parties will be processors for the purposes of Assimilated Regulation (EU) 2016/679, UK GDPR.
- Overseas transfer
There are restrictions on international transfers of personal data and transfers to international organisations. Staff may only transfer personal data outside the UK, or to an international organisation, with the prior written authorisation of the Practice’s director.
- Training
Staff will receive training on the contents of this Policy, both at induction and as part of our continual monitoring.
- Reporting breaches
We have an obligation to report actual or potential data protection compliance failures. This allows the Practice to:
- investigate the failure and take remedial steps if necessary;
- maintain a register of compliance failures; and
- make any applicable notifications.