HDS Policies
Information & Data Security Policy Statement
Last Updated: 03/01/2022
Objective
Highway Data Systems Ltd.’s (the Company) objective in managing information security is to ensure that its core and supporting business operations continue to operate with minimal disruption. The Company shall ensure that all information that is disbursed or produced by the Company has absolute integrity.
The Company shall guarantee that all relevant information is managed and stored with appropriate confidentiality procedures in line with the requirements of the General Data Protection Regulations and BS EN 27001:2013.
Policy
- The purpose of the Policy is to protect the organisation’s information assets from all threats, whether internal or external, deliberate or accidental.
- The Managing Director has approved the Information Security Policy.
It is the Policy of the organisation to ensure that:
- Information should be made available with minimal disruption to staff and the public as required by this policy;
- Information will be stored within the UK or EEA;
- The integrity of this information will be maintained;
- Confidentiality of information, including but not limited to research, third parties, personal and electronic communications data, will be assured;
- Regulatory and legislative requirements will be met;
- All personal information will be identified, risk assessed, controlled and deleted according to established arrangements;
- The minimum personal information will be stored in order to achieve the business outcome;
- Personal information will only be stored in compliance with the legitimate processing basis;
- A Business Continuity Management Framework shall be made available and Business Continuity plans will be produced to counteract interruptions to business activities and to protect critical business processes from the effects of major failures or disasters. Business continuity plans should be maintained and tested;
- Information security education, awareness and training will be made available to staff;
- All breaches of information security, actual or suspected, will be reported to, and investigated by, the relevant authorities, both internal and, if required, statutory.
- Appropriate access control will be maintained, and information will be protected against unauthorised access.
- Policies, Procedures and Guidelines not limited to Information Security will be made available in an online format through an intranet system to support the ISMS Policy.
- An identified person or team has direct responsibility for maintaining the ISMS Policy and is involved with writing and/or managing the development of relevant policies, procedures and guidelines not limited to information security.
- Those charged with responsibility for Information Security will continually develop and improve the systems to meet the different challenges and requirements faced by the Company.
- All managers and supervisors are directly responsible for implementing the ISMS Policy within their teams, and for adherence by their staff.
- It is the responsibility of each member of staff to adhere to the ISMS Policy.
- Information security is managed through the Company’s Risk Management framework.
- The availability of information and information systems will be met as required by the core and supporting business operations.
Information takes many forms and includes data stored on computers, transmitted across networks, printed out or written on paper, sent by fax, stored on tapes and diskettes, or spoken in conversation and over the telephone.
This will ensure that information and vital services are available to users when and where they need them.
Safeguarding the accuracy and completeness of information by protecting against unauthorised modification.
The protection of valuable or sensitive information from unauthorised disclosure or unavoidable interruptions. This will ensure that the organisation remains compliant with relevant business, national and international laws, and it includes meeting the requirements stated in legislation.
Data Rights
- The data held by Highway Data Systems can only be as accurate as the information supplied to the Company. It is the responsibility of the individual to ensure their data is accurate.
- Once an individual’s relationship with the Company has become inactive, their personal data will be retained electronically for 2 years before deletion, unless a longer duration is specified by legislation or contract.
- An individual may at any time request the removal of their personal data. It should be noted that the removal of all personal data (including email contact details) will result in Highway Data Systems no longer being able to carry out the processing of deliverables.
Business Continuity Management should be implemented effectively to ensure continuity of business operations in the event of a crisis or disaster.
Ensure that relevant and effective training is provided to personnel.
Ensure that the staff understand their roles and responsibilities in handling incidents and have a comprehensive response plan ready.
The policy will be reviewed by the Management Team at least annually.
Joe Charlesworth
Director - Highway Data Systems Ltd
Stephen Mogford
Director - Highway Data Systems Ltd