When you trust us with your personal data, you expect us to keep it safe. We know that we have an obligation to you, and in law, to ensure the confidentiality, integrity and availability of our systems and the data within them. We take this very seriously indeed.
We have a number of technical and organisational measures in place that are designed to guarantee the security of the data that we hold. We carry out regular information risk assessments to ensure that they remain appropriate, effective and up-to-date. This page gives some examples of measures we currently take and explains a little bit about them.
At Key, data protection is everyone’s responsibility. We cultivate a working environment where privacy and security are central to decision-making, and issues are never overlooked. Here’s how we do this:
- We choose our data processors carefully. We only work with trusted partners who have appropriate security credentials. We include GDPR clauses in our contracts with suppliers.
- Staff are expected to report any data breaches they become aware of, no matter how minor, so that we can respond appropriately.
- When we begin any new project we take a ‘privacy by design’ approach, meaning we make data protection a key consideration right from the start.
- We carry out data protection impact assessments whenever they’re needed.
- Our teams are encouraged to question why we do things, which helps us to identify when we no longer need to do a certain type of data processing.
- We employ a fulltime on-site IT Manager, who has the appropriate resources and authority to implement all necessary data security measures.
- We have appointed someone in our business to take overall responsibility for data protection and privacy.
It’s important that we prevent unauthorised access to our building and the data stored within it. We take a wide variety of measures in this area, from our alarm system to the way we dispose of hard copy files. Here are some examples:
- Our office has a secure entry system. Everyone signs in and out, and all entries and exits are logged.
- Visitors must have a pre-arranged appointment with a named member of staff before they will be permitted entry to the building.
- We have on-site CCTV cameras and a 24/7 security presence.
- Access to our in-house datacentre is strictly controlled.
- We have a policy of not printing personal data without a very good reason. Printouts must never be left unsecured.
- We store a very limited amount of data in hard copy. When it is no longer needed, paper containing personal data is shredded on-site by a professional shredding company.
We protect our hardware with appropriate security measures, so that no one can access any data on them without authorisation. These measures include:
- We use encryption on all devices that are used outside the office, e.g. mobile phones and laptops. We restrict the personal data that it’s possible to store on these devices.
- We don’t allow staff to use their own devices for work.
- Anyone working from home or outside the office must use an encrypted business laptop and connect via a secure and encrypted Virtual Private Network (VPN).
- Old hardware is securely destroyed.
Systems and software
We have security measures in place to protect the data in our systems. We regularly review them to ensure they remain at an appropriate level for the types of processing that we do and the risks involved. Here are some of the steps we take:
- We use internal Data Loss Prevention (DLP) modules to monitor all systems that contain personal data.
- We house our customer facing websites within a demilitarised zone (DMZ) and segregate the network from internal systems.
- Our websites are secured with SSL, which provides an extra layer of security for anyone who transmits data to us via our website.
- We use appropriate permission levels to ensure that datasets can only be accessed by staff members who need it for their job.
- We follow strict procedures to identify all incoming phone callers before discussing their account with them. Our customer service team are trained on how to recognise ‘phishing’ attempts.
- We restrict internet usage for staff and block access to webmail and online storage sites.
- We use a password management tool. Staff do not know the passwords needed to log into systems and can only access them from our office.
- We meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS), which is an information security standard.
- We regularly test our systems to identify potential risks and areas for improvement. An external company conducts regular penetration testing and all recommendations resulting from those are followed up. Our last penetration test confirmed that our security provision was solid.
- We have our own firewall which is constantly monitored for suspicious activity.
- We have deployed corporate level Anti-Virus and Anti-Malware detection.
- The passwords that employees use to log into their accounts are stored and encrypted using one-way encryption, meaning they can’t be decrypted.
We have a responsibility to ensure that the data we hold about a person is accurate and complete. Since most of the data we collect about an individual comes directly from them, our risk in this area is minimised. We routinely encourage people to review their data for accuracy and make it as easy as possible for them to correct or update it.
We have a robust plan in place for restoring access to data in the event of a physical or technical incident that interrupts availability. We regularly test our disaster recovery plan.
If personal data were to be accidentally lost, altered or destroyed, we would do everything in our power to recover it as quickly as we could. To facilitate this, we take backups of all internal systems every night of the week. We also replicate our critical business systems to the Microsoft Azure Cloud, allowing data restoration up to 60 seconds previous to any outages. All backups are fully encrypted and stored off-site at regular intervals.