Privacy statement & Legal Notices
- Privacy notice and
consent - Internet email and
communications policy - GDPR information
security policy - GDPR data
protection policy - GDPR access
request policy - Fair Processing
Notice
GDPR information security policy
1 Introduction
1.1 Naigai Nitto Logistics (Europe) Ltd. (the ‘Company’) is committed to the highest standards of information security and treats confidentiality and data security extremely seriously.
1.2 This purpose of this policy is to:
1.2.1 protect against potential breaches of confidentiality;
1.2.2 ensure all our information assets and IT facilities are protected against damage, loss or misuse;
1.2.3 support our Data Protection Policy in ensuring all staff are aware of and comply with UK law and our own procedures applying to the processing of data; and
1.2.4 increase awareness and understanding in the Company of the requirements of information security and the responsibility of staff to protect the confidentiality and integrity of the information that they themselves handle.
1.3 The Data Protection Manager is Keigo Kato and is responsible for all data protection matters.
1.4 The Data Protection Manager is responsible for the monitoring and implementation of this policy. If you have any questions about the content of this policy or other comments you should contact the Data Protection Manager.
1.2 This purpose of this policy is to:
1.2.1 protect against potential breaches of confidentiality;
1.2.2 ensure all our information assets and IT facilities are protected against damage, loss or misuse;
1.2.3 support our Data Protection Policy in ensuring all staff are aware of and comply with UK law and our own procedures applying to the processing of data; and
1.2.4 increase awareness and understanding in the Company of the requirements of information security and the responsibility of staff to protect the confidentiality and integrity of the information that they themselves handle.
1.3 The Data Protection Manager is Keigo Kato and is responsible for all data protection matters.
1.4 The Data Protection Manager is responsible for the monitoring and implementation of this policy. If you have any questions about the content of this policy or other comments you should contact the Data Protection Manager.
2 Scope
2.1 The information covered by the policy includes all written, spoken and electronic information held, used or transmitted by or on behalf of the Company, in whatever media. This includes information held on computer systems, hand-held devices, phones, paper records, and information transmitted orally.
2.2 This policy applies to all staff, which for these purposes includes employees, temporary and agency workers, other contractors, interns and volunteers.
2.3 All staff must be familiar with this policy and comply with its terms.
2.4 This policy supplements the Company’s other policies relating to data protection, internet, email and communications, and document retention.
2.5 This policy does not form part of any employee’s contract of employment and the Company may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff before being adopted.
2.2 This policy applies to all staff, which for these purposes includes employees, temporary and agency workers, other contractors, interns and volunteers.
2.3 All staff must be familiar with this policy and comply with its terms.
2.4 This policy supplements the Company’s other policies relating to data protection, internet, email and communications, and document retention.
2.5 This policy does not form part of any employee’s contract of employment and the Company may supplement or amend this policy by additional policies and guidelines from time to time. Any new or modified policy will be circulated to staff before being adopted.
3 General principles
3.1 All Company information must be treated as commercially valuable and be protected from loss, theft, misuse or inappropriate access or disclosure.
3.2 Staff should discuss with line managers the appropriate security arrangements which are appropriate and in place for the type of information they access in the course of their work.
3.3 Staff should ensure they attend any information security training they are invited to unless otherwise agreed by line managers.
3.4 Information is owned by the Company and not by any individual or team.
3.5 Company information must only be used in connection with work being carried out for the Company and not for other commercial or personal purposes.
3.2 Staff should discuss with line managers the appropriate security arrangements which are appropriate and in place for the type of information they access in the course of their work.
3.3 Staff should ensure they attend any information security training they are invited to unless otherwise agreed by line managers.
3.4 Information is owned by the Company and not by any individual or team.
3.5 Company information must only be used in connection with work being carried out for the Company and not for other commercial or personal purposes.
4 Information management
4.1 Information gathered should not be excessive and should be adequate relevant, accurate and up to date for the purposes for which it is to be used by the Company.
4.2 Information will be kept for no longer than is necessary in accordance with the Company’s data retention guidelines. All confidential material that requires disposal must be shredded or, in the case of electronic material, securely destroyed, as soon as the need for its retention has passed.
4.2 Information will be kept for no longer than is necessary in accordance with the Company’s data retention guidelines. All confidential material that requires disposal must be shredded or, in the case of electronic material, securely destroyed, as soon as the need for its retention has passed.
5 Human resources information
5.1 Given the internal confidentiality of personnel files, access to such information is limited the HR Department. Except as provided in individual roles, other staff are not authorised to access that information.
5.2 Any staff member in a management or supervisory role must keep personnel information confidential.
5.3 Staff may ask to see their personnel files in accordance with the relevant provisions of the GDPR. Fur further details please see the Company’s Data Subject Access Request Policy and privacy notice.
5.2 Any staff member in a management or supervisory role must keep personnel information confidential.
5.3 Staff may ask to see their personnel files in accordance with the relevant provisions of the GDPR. Fur further details please see the Company’s Data Subject Access Request Policy and privacy notice.
6 Access to offices and information
6.1 Office doors must be kept secure at all times and visitors must not be given keys or access codes.
6.2 Documents containing confidential information and equipment displaying confidential information should be positioned in a way to avoid them being viewed by people passing by, e.g. through office windows.
6.3 Visitors should be required to sign in at reception, accompanied at all times and never be left alone in areas where they could have access to confidential information.
6.4 Wherever possible, visitors should be seen in meeting rooms. If it is necessary for a member of staff to meet with visitors in an office or other room which contains Company information, then steps should be taken to ensure that no confidential information is visible.
6.5 At the end of each day, or when desks are unoccupied, all paper documents, backup systems and devices containing confidential information must be securely locked away.
6.2 Documents containing confidential information and equipment displaying confidential information should be positioned in a way to avoid them being viewed by people passing by, e.g. through office windows.
6.3 Visitors should be required to sign in at reception, accompanied at all times and never be left alone in areas where they could have access to confidential information.
6.4 Wherever possible, visitors should be seen in meeting rooms. If it is necessary for a member of staff to meet with visitors in an office or other room which contains Company information, then steps should be taken to ensure that no confidential information is visible.
6.5 At the end of each day, or when desks are unoccupied, all paper documents, backup systems and devices containing confidential information must be securely locked away.
7 Computers and IT
7.1 Use password protection and encryption where available on Company systems to maintain confidentiality.
7.2 Computers and other electronic devices must be password protected and those passwords must be changed on a regular basis. Passwords should not be written down or given to others.
7.3 Computers and other electronic devices should be locked when not in use to minimise the risk of accidental loss or disclosure.
7.4 Confidential information must not be copied onto floppy disk, removable hard drive, CD or DVD or memory stick/thumb drive without the express permission of the Data Protection Manager and even then, it must be encrypted. Data copied onto any of these devices should be deleted as soon as possible and stored on the Company’s computer network in order for it to be backed up.
7.5 All electronic data must be securely backed up at the end of each working day.
7.6 Staff should ensure they do not introduce viruses or malicious code on to Company systems. Software should not be installed or downloaded from the internet without it first being virus checked. Staff should contact IT department for guidance on appropriate steps to be taken to ensure compliance.
7.2 Computers and other electronic devices must be password protected and those passwords must be changed on a regular basis. Passwords should not be written down or given to others.
7.3 Computers and other electronic devices should be locked when not in use to minimise the risk of accidental loss or disclosure.
7.4 Confidential information must not be copied onto floppy disk, removable hard drive, CD or DVD or memory stick/thumb drive without the express permission of the Data Protection Manager and even then, it must be encrypted. Data copied onto any of these devices should be deleted as soon as possible and stored on the Company’s computer network in order for it to be backed up.
7.5 All electronic data must be securely backed up at the end of each working day.
7.6 Staff should ensure they do not introduce viruses or malicious code on to Company systems. Software should not be installed or downloaded from the internet without it first being virus checked. Staff should contact IT department for guidance on appropriate steps to be taken to ensure compliance.
8 Communications and transfer
8.1 Staff should be careful about maintaining confidentiality when speaking in public places.
8.2 Confidential information should be marked ‘confidential’ and circulated only to those who need to know the information in the course of their work for the Company.
8.3 Confidential information must not be removed from the Company’s offices without permission from the Data Protection Manager except where that removal is temporary and necessary.
8.4 In the limited circumstances when confidential information is permitted to be removed from the Company’s offices, all reasonable steps must be taken to ensure that the integrity of the information and confidentiality are maintained. Staff must ensure that confidential information is:
8.4.1 not transported in see-through or other un-secured bags or cases;
8.4.2 not read in public places (e.g. waiting rooms, cafes, trains); and
8.4.3 not left unattended or in any place where it is at risk (e.g. in conference rooms, car boots, cafes).
8.5 Postal, document exchange (DX), fax and email addresses and numbers should be checked and verified before information is sent to them. Particular care should be taken with email addresses where auto-complete features may have inserted incorrect addresses.
8.6 All sensitive or particularly confidential information should be encrypted before being sent by email or be sent by tracked DX or recorded delivery.
8.7 Sensitive or particularly confidential information should not be sent by fax unless you can be sure that it will not be inappropriately intercepted at the recipient fax machine.
8.2 Confidential information should be marked ‘confidential’ and circulated only to those who need to know the information in the course of their work for the Company.
8.3 Confidential information must not be removed from the Company’s offices without permission from the Data Protection Manager except where that removal is temporary and necessary.
8.4 In the limited circumstances when confidential information is permitted to be removed from the Company’s offices, all reasonable steps must be taken to ensure that the integrity of the information and confidentiality are maintained. Staff must ensure that confidential information is:
8.4.1 not transported in see-through or other un-secured bags or cases;
8.4.2 not read in public places (e.g. waiting rooms, cafes, trains); and
8.4.3 not left unattended or in any place where it is at risk (e.g. in conference rooms, car boots, cafes).
8.5 Postal, document exchange (DX), fax and email addresses and numbers should be checked and verified before information is sent to them. Particular care should be taken with email addresses where auto-complete features may have inserted incorrect addresses.
8.6 All sensitive or particularly confidential information should be encrypted before being sent by email or be sent by tracked DX or recorded delivery.
8.7 Sensitive or particularly confidential information should not be sent by fax unless you can be sure that it will not be inappropriately intercepted at the recipient fax machine.
9 Home working
9.1 Staff should not take confidential or other information home without the permission of the Data Protection Manager and only do so where satisfied appropriate technical and practical measures are in place within the home to maintain the continued security and confidentiality of that information.
9.2 In the limited circumstances in which staff are permitted to take Company information home, staff must ensure that:
9.2.1 confidential information must be kept in a secure and locked environment where it cannot be accessed by family members or visitors; and
9.2.2 all confidential material that requires disposal must be shredded or, in the case of electronic material, securely destroyed, as soon as any need for its retention has passed.
9.3 Staff should not store confidential information on home computers (PCs, laptops or tablets).
9.2 In the limited circumstances in which staff are permitted to take Company information home, staff must ensure that:
9.2.1 confidential information must be kept in a secure and locked environment where it cannot be accessed by family members or visitors; and
9.2.2 all confidential material that requires disposal must be shredded or, in the case of electronic material, securely destroyed, as soon as any need for its retention has passed.
9.3 Staff should not store confidential information on home computers (PCs, laptops or tablets).
10 Transfer to third parties
10.1 Third parties should only be used to process Company information in circumstances where written agreements are in place ensuring that those service providers offer appropriate confidentiality, information security and data protection undertakings.
10.2 Staff involved in setting up new arrangements with third parties or altering existing arrangements should consult the Data Protection Manager for more information.
10.2 Staff involved in setting up new arrangements with third parties or altering existing arrangements should consult the Data Protection Manager for more information.
11 Overseas transfer
11.1 There are restrictions on international transfers of personal data. Staff must not transfer personal data outside the EEA (which includes the EU, Iceland, Liechtenstein and Norway) without first consulting the Data Protection Manager.
12 Data breaches
12.1 A data breach may take many different forms, for example:
12.1.1 loss or theft of data or equipment on which personal information is stored;
12.1.2 unauthorised access to or use of personal information either by a member of staff or third party;
12.1.3 loss of data resulting from an equipment or systems (including hardware and software) failure;
12.1.4 human error, such as accidental deletion or alteration of data;
12.1.5 unforeseen circumstances, such as a fire or flood;
12.1.6 deliberate attacks on IT systems, such as hacking, viruses or phishing scams; and
12.1.7 ‘blagging’ offences, where information is obtained by deceiving the organisation which holds it.
12.2 The Company will:
12.2.1 make the required report of a data breach to the Information Commissioner’s Office without undue delay and, where possible within 72 hours of becoming aware of it, if it is likely to result in a risk to the rights and freedoms of individuals; and
12.2.2 notify the affected individuals if a data breach is likely to result in a high risk to their rights and freedoms and notification is required by law.
12.3 To allow the Company to comply with its obligations under clause 12.2, if you become aware of any actual or potential data protection breach, you must notify your line manager and the Data Protection Manager immediately.
12.1.1 loss or theft of data or equipment on which personal information is stored;
12.1.2 unauthorised access to or use of personal information either by a member of staff or third party;
12.1.3 loss of data resulting from an equipment or systems (including hardware and software) failure;
12.1.4 human error, such as accidental deletion or alteration of data;
12.1.5 unforeseen circumstances, such as a fire or flood;
12.1.6 deliberate attacks on IT systems, such as hacking, viruses or phishing scams; and
12.1.7 ‘blagging’ offences, where information is obtained by deceiving the organisation which holds it.
12.2 The Company will:
12.2.1 make the required report of a data breach to the Information Commissioner’s Office without undue delay and, where possible within 72 hours of becoming aware of it, if it is likely to result in a risk to the rights and freedoms of individuals; and
12.2.2 notify the affected individuals if a data breach is likely to result in a high risk to their rights and freedoms and notification is required by law.
12.3 To allow the Company to comply with its obligations under clause 12.2, if you become aware of any actual or potential data protection breach, you must notify your line manager and the Data Protection Manager immediately.
13 Consequences of failing to comply
13.1 The Company takes compliance with this policy very seriously. Failure to comply puts both staff and the Company at risk. The importance of this policy means that failure to comply with any requirement may lead to disciplinary action, which may result in dismissal.
13.2 Staff with any questions or concerns about anything in this policy should not hesitate to contact the Data Protection Manager.
13.2 Staff with any questions or concerns about anything in this policy should not hesitate to contact the Data Protection Manager.