The confidentiality, integrity and availability of information, in all its forms, are critical to the ongoing functioning and good governance of RMDM® Limited, RMDM® Pharma Limited, RMDM® Sugars Limited, and RMDM® Diagnostics Limited (together, “The RMDM® Group”). Failure to adequately secure information increases the risk of financial and reputational losses from which it may be difficult for RMDM® Group to recover.
This Information Security Policy (“Policy”) outlines RMDM® Group’s approach to information security management. It provides the guiding principles and responsibilities necessary to safeguard the security of RMDM® Group’s information systems.
RMDM® Group is involved in the medical diagnostics and nutraceuticals healthcare sector. It is committed to a robust implementation of information security management. The principles defined in this Policy will be applied to all of the physical and electronic information assets for which RMDM® Group is responsible.
The objectives of this Policy are to:
- Provide a framework for establishing suitable levels of information security for all RMDM® Group information systems (including but not limited to all Cloud environments commissioned or run by RMDM® Group, computers, storage, mobile devices, networking equipment, software and data) and to mitigate the risks associated with the theft, loss, misuse, damage or abuse of these systems.
- Make certain that users are aware of and comply with all current and relevant UK and EU legislation.
- Provide the principles by which a safe and secure information systems working environment can be established for staff and any other authorised users, including third party providers.
- Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the personal data that they handle.
- Protect RMDM® Group from liability or damage through the misuse of its IT facilities.
- Maintain personal data and other confidential information provided by suppliers at a level of security commensurate with its classification, including upholding any legal and contractual requirements around information security.
- Respond to changes in the context of the organisation as appropriate, initiating a cycle of continuous improvement.
This Policy is applicable to, and will be communicated to, all staff of RMDM® Group and third parties (including third party providers) who interact with information held by RMDM® Group and the information systems used to store and process it.
This includes, but is not limited to:
- Cloud systems developed or commissioned by RMDM® Group.
- any systems or data attached to RMDM® Group data or telephone networks, or to systems managed by RMDM® Group.
- mobile devices used to connect to RMDM® Group networks or hold RMDM® Group
- data over which RMDM® Group holds the intellectual property rights.
- data over which RMDM® Group is the data controller or data processor.
- electronic communications sent from RMDM® Group.
The following information security principles provide overarching governance for the security and management of information at RMDM® Group:
- Information should be classified according to an appropriate level of confidentiality, integrity and availability (see Information Classification below) and in accordance with relevant legislative, regulatory and contractual requirements.
- Staff with particular responsibilities for information (see Responsibilities below) must ensure the classification of that information; must handle that information in accordance with its classification level; and must abide by any contractual requirements, policies, procedures or systems for meeting those responsibilities.
- All users covered by the scope of this Policy must handle information appropriately and in accordance with its classification level.
- Information should be both secure and available to those with a legitimate need for access in accordance with its classification level.
- Accordingly, access to information will be granted on the basis of least privilege and need to know.
- Information will be protected against unauthorised access and processing in accordance with its classification level.
- Breaches of this Policy must be reported to RMDM® Group’s Chief Executive Officer.
- Information security provision and the policies that guide it will be regularly reviewed, including through the use of annual internal audits and penetration testing.
Under the GDPR, a personal data breach can lead to a fine of up to 4% of global annual turnover (or €20 million, whichever is higher). Where RMDM® Group uses Cloud services, RMDM® Group retains responsibility as the data controller for any data it puts into the service, and can consequently be fined for a data breach even where the breach is the fault of the Cloud service provider. RMDM® Group will also bear the responsibility for notifying the Information Commissioner’s Office of the breach (without undue delay and, where feasible, within 72 hours of becoming aware of it) and for notifying any affected individuals. It will also be exposed to any claims for damages arising from the breach. It is therefore essential that RMDM® Group is able to judge the adequacy of a Cloud service provider’s information security provision. This leads to the following stipulations:
- Cloud services used to process personal data are expected to hold ISO/IEC 27001 certification. Adherence to the standard is considered the best way for a supplier to demonstrate that it has met the GDPR principle of data protection by design and by default, and that it has considered information security throughout its service model. The certificate should be checked to confirm that its scope actually covers the service RMDM® Group will use and that it is current.
- Any request for an exception will be considered by the Chief Executive Officer.
The following table summarises the information classification levels adopted by RMDM® Group, which underpin the eight principles of information security defined in this Policy.
| Security Level | Definition | Examples | Freedom of Information Act 2000 status |
|---|---|---|---|
| 1. Confidential | Normally accessible only to specified members of RMDM® Group staff. Should be held in an encrypted state outside RMDM® Group’s systems; may have encryption-at-rest requirements from providers. | GDPR-defined Special Categories of personal data (racial/ethnic origin, political opinion, religious beliefs, trade union membership, physical/mental health condition, sexual life, criminal record), including as used as part of primary or secondary research data; large aggregates of personally identifying data (>1000 records) including elements such as name, address and telephone number. | Subject to significant scrutiny in relation to appropriate exemptions, public interest and legal considerations. |
| 2. Restricted | Normally accessible only to specified members of RMDM® Group staff. | GDPR-defined Personal Data (information that identifies living individuals, including home/work address, age, telephone number, schools attended, photographs); reserved Board business. | Subject to significant scrutiny in relation to appropriate exemptions, public interest and legal considerations. |
| 3. Internal Use | Normally accessible only to members of RMDM® Group staff. | Internal correspondence; information held under licence. | Subject to scrutiny in relation to appropriate exemptions, public interest and legal considerations. |
| 4. Public | Accessible to all members of the public. | Annual accounts; minutes of statutory and other formal committees; pay scales etc.; information available on the RMDM® Group website. | Freely available on the website. |
Responsibilities of RMDM® Group Staff and Authorised Users
In the following, “you” refers to any RMDM® Group member of staff or authorised user (including third party providers):
a) Equipment Security and Passwords
You, as a member of staff of RMDM® Group or authorised user (including third party providers) are responsible for the security of the equipment allocated to or used by you, and must not allow it to be used by anyone other than in accordance with this Policy. You should use passwords on all IT equipment, particularly items that you take out of the office. You should keep your passwords confidential and change them regularly.
You must only log on to RMDM® Group systems using your own username and password. You must not use another person’s username and password or allow anyone within RMDM® Group to log on using your username and password.
If you are away from your desk for longer than a few minutes, you should log out or lock your computer. You must log out and shut down your computer at the end of each working day.
b) Systems and Data Security
You should not delete, destroy or modify existing systems, programs, information or data (except as authorised in the proper performance of your duties).
You must not download or install software from external sources without authorisation from senior management. Downloading unauthorised software may interfere with RMDM® Group systems and may introduce viruses or other malware.
Be aware that emails can be used in legal proceedings and that even deleted emails may remain on the system and be capable of being retrieved. You must not send abusive, obscene, discriminatory, racist, harassing, derogatory, defamatory, pornographic or otherwise inappropriate emails.
You should not:
- Send or forward private emails at work which you would not want a third party to read;
- Send or forward chain mail, junk mail, or gossip;
- Contribute to system congestion by sending trivial messages or unnecessarily copying or forwarding emails to others who do not have a real need to receive them; or
- Send messages from another person’s email address (unless authorised) or under an assumed name.
Do not use your own personal email account to send or receive email for the purposes of our business. Only use the email account we have provided for you.
Internet access is provided primarily for business purposes. Occasional personal use may be permitted.
RMDM® Group permits the incidental use of our systems to send personal email, browse the internet and make personal telephone calls subject to certain conditions. Personal use is a privilege and not a right. It must not be overused or abused. We may withdraw permission for it at any time or restrict access at our discretion.
Personal use must meet the following conditions:
- Personal emails should be labelled “personal” in the subject header;
- It must not affect your work or interfere with the business;
- It must not commit us to any marginal costs; and
- It must comply with our policies.
You should not access any web page or download any image or other file from the internet which could be regarded as illegal, offensive, in bad taste or immoral. Even web content that is legal in the UK may be in sufficient bad taste to fall within this prohibition. As a general rule, if any person (whether intended to view the page or not) might be offended by the contents of a page, or if the fact that our software has accessed the page or file might be a source of embarrassment if made public, then viewing it will be a breach of this Policy.
Creating, viewing, accessing, transmitting or downloading any of the following material will usually amount to gross misconduct (this list is not exhaustive):
- Pornographic material (that is, writing, pictures, films and video clips of a sexually explicit or arousing nature);
- Offensive, obscene, or criminal material or material which is liable to cause embarrassment to us or to our clients;
- A false and defamatory statement about any person or organisation;
- Confidential information about us or any of our staff or clients (except as authorised in the proper performance of your duties);
- Unauthorised software;
- Any other statement which is likely to create any criminal or civil liability (for you or us); or
- Music or video files or other material in breach of copyright.
We may block or restrict access to some websites at our discretion.
RMDM® Group monitors all emails passing through our system for viruses. You should exercise particular caution when opening unsolicited emails from unknown sources. If an email looks suspicious do not reply to it, open any attachments or click any links in it.
RMDM® Group’s systems enable us to monitor telephone, email, voicemail, internet and other communications. For business reasons, and in order to carry out legal obligations in our role as an employer, your use of our systems including the telephone and computer systems (including any personal use) may be monitored by automated software.
RMDM® Group reserves the right to retrieve the contents of email messages or check internet usage (including pages visited and searches made) as reasonably necessary in the interests of the business, including for the following purposes (this list is not exhaustive):
- To monitor whether the use of the email system or the internet is legitimate and in accordance with this policy;
- To find lost messages or to retrieve messages lost due to computer failure;
- To assist in the investigation of alleged wrongdoing; or
- To comply with any legal obligation.
e) Technical and Security Measures
Some of the security procedures we use to protect your and customers’ privacy are:
- We require both a personal Username (log-in name) and a Password in order for users to access their personal data.
- We use firewalls to protect information held in our servers.
- We back up our systems so that personal data can be restored intact if it is lost or corrupted.
Compliance, Policy Awareness and Disciplinary Procedures
The loss or breach of confidentiality of contractually assured information may result in the loss of business, financial penalties or criminal or civil action against RMDM® Group. Therefore, it is crucial that all users of RMDM® Group’s information systems adhere to this Information Security Policy and its supporting policies.
All current staff and other authorised users (including providers) will be informed of the existence of this Policy and the availability of supporting policies, codes of practice and guidelines.
Any security breach will be handled in accordance with all relevant RMDM® Group policies.
If a member of staff of RMDM® Group or an authorised user (including providers) becomes aware of an information security incident, they must report it to the Chief Executive Officer at: firstname.lastname@example.org.
Breaches of personal data will be reported to the Information Commissioner’s Office by the Chief Executive Officer.
This security policy was last modified on 18 Jan 2019.