Data Security & IT Policy

Social Value Consultancy Ltd (registered in England & Wales, Company No. 11325322) 
Policy owner: Data Protection Lead (with IT Lead) 
Approved by: Managing Director 
Version: 1.0 
Last updated: 16 September 2025 
Next review: 16 September 2026 
Contact: info@socialvalueconsultancy.co.uk 

1) Purpose 

To protect our information, systems, clients, and people by setting minimum security controls and acceptable IT use. 

2) Scope 

Applies to all employees, contractors, and third parties who access our information or systems, whether on-site or remote, using company-owned or approved personal devices (BYOD). 

3) Roles & responsibilities 

  • Managing Director: overall accountability. 
  • Data Protection Lead (DPL): privacy compliance, incident oversight, DPIAs. 
  • IT Lead: implements and maintains technical controls. 
  • All users: follow this policy, complete training, report incidents promptly. 
  • Third-party suppliers: must meet contractual security and privacy requirements. 

4) Security principles 

  • Confidentiality, integrity, availability of information. 
  • Least privilege & need-to-know access. 
  • Data minimisation and secure-by-design. 
  • Proportionate risk management informed by threat and impact. 

5) Data classification 

  • Public: approved for public release. 
  • Internal: everyday business information not for public release. 
  • Confidential: client data, personal data, financials. 
  • Restricted: highly sensitive (e.g., credentials, encryption keys). 
    Handling rules strengthen from Public Restricted (e.g., encryption and strict access for Confidential/Restricted). 

6) Access control & authentication 

  • User access is approved by managers, provisioned by IT, and reviewed at least quarterly. 
  • Joiner–Mover–Leaver process: prompt updates; accounts removed within 24 hours of departure. 
  • Multi-factor authentication (MFA) is required on email, cloud platforms, admin panels, and remote access. 
  • Passwords: passphrases of 12+ characters, no reuse, store in an approved password manager. 
  • Privileged accounts: separate admin identities; no day-to-day work on admin accounts. 

7) Devices, BYOD & encryption 

  • Company devices are full-disk encrypted, auto-lock in 10 minutes, and run approved EDR/anti-malware. 
  • BYOD is permitted only if enrolled in our mobile/device management, with remote-wipe enabled for business data. 
  • Do not store Restricted data locally on personal devices or removable media. 

8) Remote & hybrid working 

  • Use only trusted networks; if in doubt, use company VPN. 
  • Be mindful of shoulder surfing and conversations in public spaces. 
  • Keep paperwork and devices secure; avoid printing Confidential/Restricted data off-site. 

9) Data handling & transfer 

  • Store business data only in approved systems (no shadow IT). 
  • Use encryption for Confidential/Restricted data at rest and in transit. 
  • Use approved secure file-sharing; avoid sending sensitive data unencrypted by email. 
  • Disposal: securely wipe or shred when no longer needed, per the Data Retention Schedule. 
  • International transfers follow our Privacy Policy (UK IDTA/SCCs and transfer risk assessments). 

10) Network & cloud security 

  • Firewalls enabled; unnecessary ports/services disabled. 
  • Cloud services are hosted with providers that hold ISO 27001 or equivalent certifications; this does not imply our own certification. 
  • Separate production and non-production environments where applicable. 

11) Logging & monitoring 

  • Security and access logs are retained for at least 12 months. 
  • Privileged access, MFA events, and anomalous activity are monitored; alerts are investigated promptly. 

12) Patch & vulnerability management 

  • Critical security patches: 14 days; High: 30 days; others on a monthly cycle. 
  • Quarterly vulnerability scans of internet-facing assets; annual independent penetration test (or after major changes). 
  • Track remediation to closure. 

13) Backup & recovery 

  • Critical data is backed up daily, encrypted in transit and at rest. 
  • Backups are tested quarterly for restore integrity. 
  • RPO/RTO targets are defined in the Disaster Recovery Plan (typical targets: RPO 24 hours; RTO 2 business days). 

 

14) Secure development (where applicable) 

  • Source control with branch protection and mandatory peer review. 
  • Dependency and secret scanning; vulnerabilities triaged per §12. 
  • Separate dev/test/prod environments; no live secrets in code. 

15) Supplier & third-party management 

  • Pre-contract due diligence (security, privacy, resilience). 
  • Contracts include data processing agreements, confidentiality, breach notification, and right to audit where appropriate. 
  • Annual review of critical suppliers; prompt off-boarding when services end. 

16) Incident management & reporting 

  • Report suspected incidents within 24 hours to the DPL/IT Lead via info@socialvalueconsultancy.co.uk. 
  • Triage, contain, eradicate, and recover; preserve evidence and logs. 
  • Personal data breaches are assessed without delay; if reportable, the ICO is notified within 72 hours and affected individuals are informed when required. 
  • Conduct post-incident reviews and implement lessons learned. 

17) Training & awareness 

  • Mandatory induction and annual refresher training on security, phishing, and privacy. 
  • Targeted training for privileged users and developers. 

18) Acceptable use rules (summary) 

  • Use company systems primarily for business; limited personal use is permitted if lawful and low-risk. 
  • Do not share credentials, install unauthorised software, bypass security controls, or use unapproved cloud tools. 
  • Do not upload client confidential data or personal data to public generative AI tools without written approval. 
  • Report lost/stolen devices or suspected phishing immediately. 

 

19) Compliance & enforcement 

Breaches of this policy may lead to disciplinary action or contract termination. Suppliers must meet equivalent standards. 

20) Review & related documents 

This policy is reviewed annually or after significant changes. 
Related document: Privacy & UK GDPR Policy