COMMERCIALISM INTEGRITY STEWARDSHIP. Data Exchange Policy & Guidance


Data Exchange Policy & Guidance

Document Control

Document Details
Author: Adrian Last
Company Name: The Crown Estate
Division Name: Information Services
Document Name: Data Exchange Policy
Version Date: 14/12/2012
Effective Date: 01/12/2012
Version: 1.6
Issue: THREE

Change Record
Modified Date | Author | Version | Description of Changes
02/06/2010 | Clare Kelly | 1.1 | Incorporates changes made by TB, ZH, CS, CK and NS
04/05/2011 | R McCaughan | 1.2 | Re format RM
09/05/11 | S Smith | 1.2 | Checked document before sending to Adrian Last.
18/05/11 | A R Last | 1.3 | Reviewed
08/08/2011 | S Smith | 1.4 | Checked RB's formatting, for AL.
10/08/11 | AR Last | 1.5 | Final amendments as discussed with NS
14/12/2012 | James Dillon | 1.6 | Reviewed

Stakeholder Sign off
Name | Position | Signature | Date
Nigel Spencer | Information Services Manager | | July 2011
Martin Brazier | Knowledge Manager | | July 2011

Security Sign-off
Name | Position | Signature | Date
Adrian Last | Business Support Manager | | August 2011

Table of Contents
1. Purpose
2. Scope
3. Policy
   3.1. Policy Statement
   3.2. Policy Objectives
   3.3. Policy Overview
   3.4. Policy Maintenance
4. Policy Requirements
   4.1. General
   4.2. Data Transfer
   4.3. Data Storage
   4.4. Data Usage
   4.5. Data Retention
   4.6. Legal Requirements
   4.7. Reporting of Security Incidents
5. Disciplinary Process
6. Deviations from Policy
7. Glossary of Terms
Appendix A - List of related documents, procedures and processes

1. Purpose

The purpose of this Policy is to protect the confidentiality and integrity of The Crown Estate's information when temporarily under the control of third parties. The Policy also seeks to ensure the protection of the confidentiality and integrity of information owned by third parties when temporarily under the control of The Crown Estate.

2. Scope

The scope of this policy applies to:
- Any of The Crown Estate's premises where electronic or paper-based information is stored and Crown Estate personnel work;
- The Crown Estate personnel, temporary staff, contractors and service providers utilising The Crown Estate's information resources;
- Any premises occupied by third parties with whom information belonging to The Crown Estate has been exchanged;
- Information in transit between The Crown Estate and third parties;
- Paper records; and
- Electronic records of any kind, regardless of the mode of storage.

3. Policy

3.1. Policy Statement

The Crown Estate's information resources are important to The Crown Estate's business and stakeholders, and its dependency on these resources demands that appropriate levels of information security be instituted and maintained. It is The Crown Estate's policy that appropriate measures are implemented to protect its information resources when temporarily under the control of third parties against accidental or malicious destruction, damage, modification or disclosure, and to maintain appropriate levels of confidentiality, integrity and availability of such information resources. It is also The Crown Estate's policy that equivalent measures are undertaken to protect information owned by third parties when temporarily under the control of The Crown Estate.

3.2. Policy Objectives

The objectives of this policy with regard to the protection of information resources are:
- Minimise the threat of accidental damage to, or disclosure of, either electronic or paper-based information owned by The Crown Estate and temporarily entrusted to a third party, or owned by a third party and temporarily entrusted to The Crown Estate.
- Minimise reputation exposure, which may result from loss, disclosure or corruption of sensitive information and breach of confidentiality.

3.3. Policy Overview

The Crown Estate's information resources are important business assets that are vulnerable to access by unauthorised individuals or unauthorised remote electronic processes. The Crown Estate exercises great care in handling its information and requires that third parties to whom information is temporarily entrusted will apply equivalent standards of care. The Crown Estate will also treat information temporarily entrusted to it by third parties with the same level of care as would be accorded to its own information.

3.4. Policy Maintenance

Supporting standards, guidelines and procedures will be issued on an ongoing basis by The Crown Estate. Relevant third parties will be informed of any subsequent changes or updated versions of such standards, guidelines and procedures by way of e-mail or other relevant communication media. Contracts with third parties provide for them to follow such guidelines, policies, procedures and standards as The Crown Estate may require.

4. Policy Requirements

4.1. General

Third parties with whom The Crown Estate's information is exchanged may be required to be certified to ISO 27001 or an equivalent standard, at the discretion of the Information Services Manager. Consideration must always be given to data exchange issues whenever third parties are engaged to carry out work on behalf of The Crown Estate. This is mandatory when personal data, or sensitive, critical or valuable information, will be exchanged, regardless of which party owns the information. The third party's competence in dealing with data should be assessed as part of the tender process.

Depending on the nature of the work the third party is being engaged to do and the sensitivity of the information involved, some or all of the following issues should be considered (in accordance with BS ISO/IEC 27002:2005):
- Management responsibilities for controlling and notifying transmission, dispatch and receipt;
- Procedures for notifying the sender of transmission, dispatch and receipt;
- Procedures to ensure traceability and non-repudiation;
- Minimum technical standards for packaging and transmission;
- Escrow agreements;
- Courier identification standards;
- Responsibilities and liabilities in the event of information security incidents, such as loss of data;
- Use of an agreed labelling system;
- Ownership and responsibilities for data protection, copyright, software licence compliance and similar considerations;
- Technical standards for recording and reading information and software;
- Any special controls that may be required to protect sensitive items, such as cryptographic keys;
- If the third party is a Data Processor, the responsibilities expected of a Data Processor by The Crown Estate as Data Controller;

- Notification that anyone holding Crown Estate information may have to release it under FOI;
- That any information belonging to someone else (such as the third party) that The Crown Estate holds may be released under FOI/EIR.

Once a contractor has been selected, Legal Services and Procurement should be used to advise on the appropriate form of contract.

4.2. Data Transfer

The mechanism for all data transfers will be agreed between The Crown Estate and the third party before transfer begins. Physical packaging (e.g. sealed boxes) and electronic packaging (e.g. encryption) will be agreed prior to data transfer taking place. The sending party will notify the receiving party of the contents of any physical or electronic data which has been sent, and the receiving party will check the contents and confirm receipt to the sender. Any discrepancy between data sent and data received will be immediately notified to the sender. Confidentiality / non-disclosure agreements should be in place with any couriers used for the transfer of sensitive or critical information.

4.3. Data Storage

All data will be stored in a manner appropriate to its classification, taking into account both its physical security and electronic security:
- All electronic information will be protected by correctly-configured firewalls and anti-virus software. The physical medium holding the electronic information will be subject to the rule below for physical data.
- All physical data will be stored in appropriately-secured rooms and buildings.
- Data should not normally be transferred to local media, but, where absolutely necessary for onward processing, disposal or retention of the local media will be in accordance with Section 4.5 below.
- Personal data will be stored and used at all times in accordance with the principles of the Data Protection Act.

4.4. Data Usage

- Staff will have signed standard confidentiality agreements / non-disclosure agreements wherever sensitive or critical information is handled.
- Data will only be used in accordance with the instructions of the owner and in relation to the specific task for which it has been provided.
- The data remains under the ownership of the sending party and will not be changed or updated in any way without express permission to do so.
- A Tidy and Secure Desk Policy & Guidance should be in operation wherever sensitive or critical data is in use.

4.5. Data Retention

All data exchanged for a specific task will be disposed of or returned once the task has been completed, in accordance with prior agreement.

Data must only be retained by the receiving party if specifically agreed with the originator and in accordance with documented terms and conditions. Disposal of physical information resources will only take place after explicit sign-off from the originator. Where required, secure disposal methods will be employed, including shredding of paper and secure wiping or destruction of electronic media.

4.6. Legal Requirements

All data will be exchanged in strict accordance with any relevant statutory and regulatory requirements, in particular, but not limited to, the Data Protection Act 1998.

4.7. Reporting of Security Incidents

All actual or potential breaches involving Crown Estate or third party data being held by The Crown Estate on trust should be reported immediately to the ISMS Manager. Reports must be recorded in accordance with The Crown Estate's Security Breach and Weakness Policy & Guidance. These incidents include occasions when:
- An unauthorised disclosure of personal data has been made, however this has occurred;
- Personal data has been lost or stolen;
- Any other Crown Estate or third party data has been lost.

5. Disciplinary Process

The Crown Estate reserves the right to audit compliance with the policy from time to time. Any disciplinary action against The Crown Estate's staff, arising from breach of this policy, shall be taken in accordance with The Crown Estate's Rules and Disciplinary Code as amended from time to time. Disciplinary action may ultimately lead to dismissal.

6. Deviations from Policy

Unless specifically approved, any deviation from this policy is strictly prohibited. Any deviation from or non-compliance with this policy shall be reported to the ISMS Manager and the Information Services Manager.

7. Glossary of Terms

The terms used in this policy document are to be found in the ISMS Glossary of Terms.

In particular, data exchange control is defined as the means of ensuring that The Crown Estate's electronic and physical information resources are protected to the highest possible standards by third parties with whom they are exchanged. Equally, data exchange control ensures that The Crown Estate also treats electronic and physical information resources owned by third parties with a level of care equivalent to that accorded to its own information. For the purpose of this Policy, data and information can be regarded as interchangeable terms, referring to both electronic and physical formats.

Appendix A - List of related documents, procedures and processes
- Data Protection Act Policy & Guidance
- Confidentiality agreements / Non-disclosure
- Tidy and Secure Desk Policy & Guidance
- The Crown Estate's Rules and Disciplinary Code
- ISMS Glossary of Terms