Data Security and Privacy Protection
Dateva holds and processes confidential and personal information that includes information relating to Dateva’s own operations, personal health information on private individuals and data provided by partners including their employees. The information and data stored with Dateva is an asset that Dateva has a duty and responsibility to protect.
Dateva’s Data Governance Policy:
- protects Dateva held information from all threats – whether internal or external, deliberate or accidental
- dictates consistent and professional use of information that ensures that everyone is clear about their roles in using and protecting information
- ensures business continuity and minimizes business damage
- protects Dateva from legal liability and the inappropriate use of information
Dateva’s Data Governance Policy is a high-level document, and adopts a number of controls to protect information. The controls are delivered by policies, standards, processes, procedures, and are supported by training and tools.
1. Scope
1.1 Dateva’s Data Governance Policy outlines the framework for management of Information Security within Dateva.
1.2 Dateva’s Data Governance Policy (all standards, processes and procedures) apply to all staff and employees of Dateva, contractual third parties and agents of Dateva who have access to the Dateva information systems or information.
1.3 Dateva’s Data Governance Policy applies to all forms of information including but not limited to:
Speech:
– Spoken, face to face, or communicated by phone or radio or any other electronic means of conveyance
Copy Data:
– Printed or written on paper
Information Storage:
– Held in manual filing systems, stored and processed via servers, computers, laptops, mobile phones, Personal Digital Assistant (PDAs), iPads, stored on any type of removable media, CD, DVD, tape, USB memory sticks, digital cameras, shared drives, cloud storage, sent by post, courier, fax, electronic mail or text messaging
2. Terms and Definitions
For the purpose of this document the following terms and definitions apply.
Asset:
– Anything that has value to Dateva.
Control:
– Means of managing risk, including policies, procedures, guidelines, practices.
Guideline:
– A description that clarifies what should be done and how.
Information Security:
– Preservation of confidentiality, integrity and availability of information.
Policy:
– Overall intention and direction as formally expressed by management.
Risk:
– Combination of the probability of an event and its consequence.
Third Party:
– Person or body that is recognized as being independent.
Threat:
– Potential cause of an unwanted incident, which may result in harm to a system.
Vulnerability:
– Weakness of an asset that can be exploited by one or more threats.
3. Structure of this Policy
3.1 This policy is based upon ISO 27002 and is structured to include the 11 main security category areas within the standard.
4. Risks
4.1 Data and information which is collected, analyzed, stored, communicated and reported upon may be subject to theft, misuse, loss and corruption.
4.2 Data and information may be put at risk by poor education and training, misuse, and the breach of security controls.
4.3 Information security incidents can give rise to embarrassment, financial loss, non-compliance with standards and legislation as well as possible judgements being made against Dateva.
5. Security Policy
5.1 Data Governance Policy
5.1.1 The Data Governance Policy sets out the approach to managing information security.
5.1.2 The Data Governance Policy is approved by management and is communicated to all staff and employees of Dateva, contractual third parties and agents of the Dateva.
5.2 Review
5.2.1 The security requirements for Dateva will be reviewed at least annually by the Dateva Directors and approved by Dateva. Formal requests for changes will be raised for incorporation into the Data Governance Policy – processes, and procedures.
6. Organization of Information Security
6.1 Statement of Management Intent
6.1.1 It is the policy of Dateva to ensure that Information will be protected from a loss of:
Confidentiality:
– So that information is accessible only to authorized individuals.
Integrity:
– So that accuracy and completeness of information and processing methods are safeguarded.
Availability:
– So that authorized users have access to relevant information when required.
6.1.2 Dateva will review and make recommendations on Information Security including standards, directives, procedures, incident management and security awareness education.
6.1.3 Dateva will work towards implementing the ISO 27000 standards: the international standard for Information Security.
6.1.4 Guidance will be provided on what constitutes an “Information Security Incident”.
6.1.5 All breaches of information security, actual or suspected, must be reported and will be investigated.
6.1.6 Information security education and training will be made available to all staff and employees.
6.1.7 Information stored by Dateva will be appropriate to the purposes of Dateva, defined as “Purposes” in the Data Governance Policy.
6.2 Information Security Coordination
6.2.1 The security of information will be managed within an approved framework through assigning roles and coordinating implementation of this security policy across Dateva and in its dealings with third parties.
7. Asset Management
7.1 Dateva’s assets will be appropriately protected.
7.2 All assets including data, information, software, computer and communications equipment, service utilities and people will be accounted for and have an owner.
7.3 Owners will be identified for all assets and will be responsible for the maintenance and protection of their assets.
8. Human Resources Security
8.1 Dateva security policies will be communicated to all employees, contractors and third parties to ensure that they understand their responsibilities.
8.2 Security responsibilities will be included in job descriptions and in terms and conditions of employment.
8.3 Verification checks will be carried out on all new employees, contractors and third parties.
9. Physical and Environment Security
9.1 Critical or sensitive information processing facilities will be housed in secure areas.
9.2 The secure areas will be protected by security perimeters with appropriate security barriers and entry controls.
9.3 Critical and sensitive information will be physically protected from unauthorized access, damage and interference.
10. Communications and Operations Management
10.1 Dateva will operate its information processing facilities securely.
10.2 Responsibilities and procedures for the management, operation and ongoing security and availability of all data and information processing facilities will be established.
10.3 Appropriate operating procedures will be put in place.
10.4 Segregation of duties will be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse.
11. Access Control
11.1 Access to all information will be controlled.
11.2 Access to information and information systems will be driven by business requirements.
11.3 Access to information and information systems will be granted, or arrangements made for employees, partners, suppliers according to their role, only to a level that will allow them to carry out their duties.
11.4 A formal user registration and deregistration procedure will be implemented for access to all information systems and services.
12. Information Systems Acquisition, Development, Maintenance
12.1 The information security requirements will be defined during the development of business requirements for new information systems or changes to existing information systems.
12.2 Controls to mitigate any risks identified will be implemented where appropriate.
13. Information Security Incident Management
13.1 Information security incidents and vulnerabilities associated with information systems will be communicated in a timely manner. Appropriate corrective action will be taken.
13.2 Formal incident reporting and escalation will be implemented.
13.3 All employees, contractors and third party users will be made aware of the procedures for reporting the different types of security incident, or vulnerability that might have an impact on the security of Dateva’s assets.
13.4 Information security incidents and vulnerabilities will be reported as quickly as possible to Dateva Management.
14. Business Continuity Management
14.1 Dateva will put in place arrangements to protect critical business processes from the effects of major failures of information systems or disasters and to ensure their timely resumption.
15. Compliance
15.1 Dateva will abide by any law, statutory, regulatory or contractual obligations affecting its information systems.
15.2 The design, operation, use and management of information systems will comply with all statutory, regulatory and contractual security requirements.
16. Subject privacy
16.1 Where Dateva receives only de-identified Data, Dateva will not use Data to identify or attempt to identify any individuals.
16.2 Dateva may use Data for the purposes of operating, maintaining, upgrading, troubleshooting, or generally managing Dateva’s products, provided that Dateva will not use any Data for unauthorized purposes, nor disclose such Data to third parties other than as authorized by Dateva.
17. Permitted Disclosure
17.1 Notwithstanding anything to the contrary in this Agreement, Dateva may disclose Data in order to comply with Applicable Law or judicial process, or with a court or regulatory order, provided that Dateva takes all lawful actions that are reasonable in the circumstances to minimize the extent of such disclosure and obtain confidential treatment for such disclosure; and any data that is released by Dateva will have identifying information removed to the extent possible using tools designed to assess the risk posed to a subject’s privacy.