Data Exchange Policy & Guidance
Document Control Document Details Author Adrian Last Company Name The Crown Estate Division Name Information Services Document Name Data Exchange Policy Version Date 14/12/2012 Effective Date 01/12/2012 Version 1.6 Issue THREE Change Record Modified Date Author Version Description of Changes 02/06/2010 Clare Kelly 1.1 Incorporates changes made by TB, ZH, CS, CK and NS 04/05/2011 R McCaughan 1.2 Re format RM 09/05/11 S Smith 1.2 Checked document before sending to Adrian Last. 18/05/11 A R Last 1.3 Reviewed 08/08/2011 S Smith 1.4 Checked RB s formatting, for AL. 10/08/11 AR Last 1.5 Final amendments as discussed with NS 14/12/2012 James Dillon 1.6 Reviewed Stakeholder Sign off Name Position Signature Date Nigel Spencer Information Services Manager July 2011 Martin Brazier Knowledge Manager July 2011 Security Sign-off Name Position Signature Date Adrian Last Business Support Manager August 2011 1
Table of Contents 1. Purpose 3 2. Scope 3 3. Policy 3 3.1. Policy Statement 3 3.2. Policy Objectives 3 3.3. Policy Overview 4 3.4. Policy Maintenance 4 4. Policy Requirements 4 4.1. General 4 4.2. Data Transfer 5 4.3. Data Storage 5 4.4. Data Usage 5 4.5. Data Retention 5 4.6. Legal Requirements 6 4.7. Reporting of Security Incidents 6 5. Disciplinary Process 6 6. Deviations from Policy 6 7. Glossary of Terms 6 Appendix A - List of related documents, procedures and processes 7 2
1. Purpose The purpose of this Policy is to protect the confidentiality and integrity of The Crown Estate s information when temporarily under the control of third parties. The Policy also seeks to ensure the protection of the confidentiality and integrity of information owned by third parties when temporarily under the control of The Crown Estate. 2. Scope The scope of this policy applies to: Any of The Crown Estate s premises where electronic or paper-based information is stored and Crown Estate personnel work; The Crown Estate personnel, temporary staff, contractors and service providers utilising The Crown Estate s information resources; Any premises occupied by third parties with whom information belonging to The Crown Estate has been exchanged; Information in transit between The Crown Estate and third parties; Paper records; and Electronic records of any kind, regardless of the mode of storage. 3. Policy 3.1. Policy Statement The Crown Estate s information resources are important to The Crown Estate s business and stakeholders and its dependency on these resources demands that appropriate levels of information security be instituted and maintained. It is The Crown Estate s policy that appropriate measures are implemented to protect its information resources when temporarily under the control of third parties against accidental or malicious destruction, damage, modification or disclosure, and to maintain appropriate levels of confidentiality, integrity and availability of such information resources. It is also The Crown Estate s policy that equivalent measures are undertaken to protect information owned by third parties when temporarily under the control of The Crown Estate. 3.2. Policy Objectives The objectives of this policy with regard to the protection of information resources are: Minimise the threat of accidental damage to, or disclosure of, either electronic or paper-based information owned by The Crown Estate and temporarily entrusted to a third party, or owned by a third party and temporarily entrusted to The Crown Estate. Minimise reputation exposure, which may result from loss, disclosure or corruption of sensitive information and breach of confidentiality. 3
3.3. Policy Overview The Crown Estate s information resources are important business assets that are vulnerable to access by unauthorised individuals or unauthorised remote electronic processes. The Crown Estate exercises great care in handling its information and requires that third parties to whom information is temporarily entrusted will apply equivalent standards of care. The Crown Estate will also treat information temporarily entrusted to it by third parties with the same level of care as would be accorded to its own information. 3.4. Policy Maintenance Supporting standards, guidelines and procedures will be issued on an ongoing basis by The Crown Estate. Relevant third parties will be informed of any subsequent changes or updated versions of such standards, guidelines and procedures by way of e-mail or other relevant communication media. Contracts with third parties provide for them to follow such guidelines, policies, procedures and standards as The Crown Estate may require. 4. Policy Requirements 4.1. General Third parties with whom The Crown Estate s information is exchanged may be required to be certified to ISO 27001 or equivalent standard, at the discretion of the Information Services Manager. Consideration must always be given to data exchange issues whenever third parties are engaged to carry out work on behalf of The Crown Estate. This is mandatory when personal data, sensitive, critical or valuable information will be exchanged, regardless of which party owns the information. Consideration of the third party s competence in dealing with data should be assessed as part of the tender process. Depending on the nature of the work the third party is being engaged to do and the sensitivity of the information involved some or all of the following issues should be considered (in accordance with BS ISO/IEC 27002 : 2005): Management responsibilities for controlling and notifying transmission, dispatch and receipt; Procedures for notifying sender of transmission, dispatch and receipt; Procedures to ensure traceability and non-repudiation; Minimum technical standards for packaging and transmission; Escrow agreements; Courier identification standards; Responsibilities and liabilities in the event of information security incidents, such as loss of data; Use of an agreed labelling system; Ownership and responsibilities for data protection, copyright, software licence compliance and similar considerations; Technical standards for recording and reading information and software; Any special controls that may be required to protect sensitive items, such as cryptographic keys. If the third party is a Data Processor, the responsibilities expected of a Data Processor by The Crown Estate as Data Controller. 4
Notification that anyone holding Crown Estate information may have to release it under FOI That any information belonging to someone else (such as the third party) that The Crown Estate holds may be released under FOI/EIR Once a contractor has been selected Legal Services and Procurement should be used to advise on the appropriate form of contract. 4.2. Data Transfer The mechanism for all data transfers will be agreed between The Crown Estate and the third party before transfer begins. Physical packaging (e.g. sealed boxes) and electronic packaging (e.g. encryption) will be agreed prior to data transfer taking place. The sending party will notify the receiving party of the contents of any physical or electronic data which has been sent and the receiving party will check the contents and confirm receipt to the sender. Any discrepancy between data sent and data received will be immediately notified to the sender. Confidentiality / non-disclosure agreements should be in place with any couriers used for the transfer of sensitive or critical information. 4.3. Data Storage All data will be stored in a manner appropriate to its classification, taking into account both its physical security and electronic security: All electronic information will be protected by correctly-configured firewalls and anti-virus software. The physical medium holding the electronic information will be subject to the rule below for physical data. All physical data will be stored in appropriately-secured rooms and buildings. Data should not normally be transferred to local media, but, where absolutely necessary for onward processing, disposal or retention of the local media will be in accordance with Section 4.5 below. Personal data will be stored and used at all times in accordance with the principles of the Data Protection Act. 4.4. Data Usage Staff will have signed standard confidentiality agreements / Non-disclosure agreements wherever sensitive or critical information is handled. Data will only be used in accordance with the instructions of the owner and in relation to the specific task for which it has been provided. The data remains under the ownership of the sending party and will not be changed or updated in any way without express permission to do so. A Tidy and Secure Desk Policy & Guidance should be in operation wherever sensitive or critical data is in use. 4.5. Data Retention All data exchanged for a specific task will be disposed of or returned once the task has been completed, in accordance with prior agreement. 5
Data must only be retained by the receiving party if specifically agreed with the originator and in accordance with documented terms and conditions. Disposal of physical information resources will only take place after explicit sign-off from the originator. Where required, secure disposal methods will be employed, including shredding of paper and secure wiping or destruction of electronic media. 4.6. Legal Requirements All data will be exchanged in strict accordance with any relevant statutory and regulatory requirements in particular but not limited to The Data Protection Act 1998. 4.7. Reporting of Security Incidents All actual or potential breaches involving Crown Estate or third party data being held by The Crown Estate on trust should be reported immediately to the ISMS Manager or ISMS Manager. Reports must be recorded in accordance with The Crown Estate s Security Breach and Weakness Policy & Guidance. These incidents include occasions when: An unauthorised disclosure of personal data has been made however this has occurred Personal data has been lost or stolen Any other Crown Estate or third party data has been lost 5. Disciplinary Process The Crown Estate reserves the right to audit compliance with the policy from time to time. Any disciplinary action against The Crown Estate s staff, arising from breach of this policy, shall be taken in accordance with The Crown Estate s Rules and Disciplinary Code as amended from time to time. Disciplinary action may ultimately lead to dismissal. 6. Deviations from Policy Unless specifically approved, any deviation from this policy is strictly prohibited. Any deviation from or non-compliance with this policy shall be reported to the ISMS Manager and the Information Services Manager. 7. Glossary of Terms The terms used in this policy document are to be found in the ISMS Glossary of Terms. In particular, data exchange control is defined as the means of ensuring that The Crown Estate s electronic and physical information resources are protected to the highest possible standards by third parties with whom they are exchanged. Equally, data exchange control ensures that The Crown Estate also treats electronic and physical information resources owned by third parties with a level of care equivalent to that accorded to its own information. For the purpose of this Policy, data and information can be regarded as interchangeable terms, referring to both electronic and physical formats. 6
Appendix A - List of related documents, procedures and processes Data Protection Act Policy & Guidance Confidentiality agreements / Non-disclosure Tidy and Secure Desk Policy & Guidance The Crown Estate s Rules and Disciplinary Code ISMS Glossary of Terms 7