Data Protection and Information Security
Data protection refers to BRE's obligation to use information fairly and lawfully; maintaining confidentiality is a key aspect of this. As part of your job you may have access to information on BRE and its employees, customers, suppliers and contractors, some of which may be confidential. It is important that you have a clear understanding of what types of information are confidential.
For both commercial and personal confidential information, BRE has established procedures for retaining, disposing of and restricting access to information and records (refer to our Control of Records Procedure in the BRE staff area of this site for further details).
Anyone using BRE digital assets must know how to keep them secure by following BRE's information security rules (refer to the Information Security Management Policy in the BRE staff area of this site for further details). The data storage and backup options in place provide a flexible and reliable means of storing, backing up and retrieving information (refer to the Data Storage and Backup Policy in the BRE staff area of this site for further details).
Information security is not just an IT issue: it also involves physical security, both in the office and on the road. Observing established rules prevents visitors and staff from being exposed to confidential information and activities that they are not authorised to view.
Commercially sensitive information
Commercially sensitive information may relate to:
- BRE's intellectual property (see below)
- BRE's business plans
- Project ideas/strategies
- Internal documentation such as BRE policies or procedures
- Data collected or held by BRE
- Marketing portfolio
- Information relating to third parties that we are legally obliged to protect (contractually or otherwise).
Protecting the confidentiality of information belonging to BRE's customers, associates, partners and contractors is essential to preserving our reputation and meeting our contractual obligations.
Under BRE's Standard Confidentiality Agreement, the company must apply the same security and degree of care to third party confidential information as to its own. We keep a written record of any documents, records or other confidential information received and ensure these are kept at our premises at all times.
Client Confidentiality Agreements should be reviewed by the Legal team for any different, additional or onerous obligations.
Refer to our Confidentiality Procedure in the BRE staff area of this site for further details.
Safeguarding BRE's intellectual property, which refers to creations of the mind, is of crucial importance to our continued success.
Intellectual property includes:
- trade secrets
- copyright materials
- certification marks
- patented inventions.
Different types of intellectual property need to be protected in different ways. For example trade secrets should not be disclosed, copyright should be retained where possible in contracts, and trademarks and certification marks should only be used by others with appropriate permission.
BRE pays annual copyright licence fees for internal distribution of printed journal, newspaper and other media outputs. These licences do not allow us to distribute materials outside the organisation. Most photographs, unless taken officially by BRE photographers, are subject to copyright and therefore cannot be used without written permission from the originators.
BRE respects the privacy and confidentiality of people's personal information, and will only obtain the information needed to operate BRE effectively and ensure legislative and regulatory compliance. The same fundamental principles apply to maintaining confidentiality of both commercial and personal information, but there are a few additional requirements under the Data Protection Act relating exclusively to personal information.
Personal information that must be kept confidential covers identifiable details such as:
- home address
- health record
- payroll information
- performance appraisal data.
WHAT CONSTITUTES PERSONAL DATA?
Under the Data Protection Act 1998, the term 'personal data' refers to data relating to an identifiable, living individual and covers both factual information and expressions of opinion about the individual.
WHAT CONSTITUTES SENSITIVE PERSONAL DATA?
Under the Data Protection Act 1998, the term 'sensitive personal data' refers to personal data consisting of information that relates to the individual's racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life or criminal history.
If you are processing sensitive personal data, you must satisfy additional requirements because of its private nature and potential to be used in a discriminatory way. If you have any questions or concerns, please consult with a representative of the HR and/or Legal teams.
If you have records containing an individual's personal data (e.g. home address, age or medical conditions), you should seek advice from a member of the HR team on the mechanisms in place to ensure the adequate processing and retention of such information.
Q: A member of your team is consistently taking one or two sick days here and there and you wish to establish if there is an underlying health reason for these absences. You believe that asking the employee directly would not be effective, as you have tried this in the past and he has been reluctant to discuss the issue. How can you establish whether that person has a health issue?
A: Health records are sensitive personal data under the Data Protection Act 1998, so there are restrictions on the way they can be processed that do not apply to less sensitive information such as simple absence records. In principle, an employee's health record may be accessed to protect his or her health and wellbeing. To do this, ask HR to check whether the health record of the employee in question indicates a medical condition that could affect their performance at work; do not attempt to access it yourself. BRE cannot access health records held by the employee's GP without that employee's explicit consent.
Disclosing confidential information
In all cases where someone asks for information we would otherwise not disclose, the request should be passed to the Legal team or, if it is a media request, to the Marketing and Communications team.
Similarly, if there is a request for information in relation to an official government-led enquiry or investigation, you should contact the Legal team to make sure that we respond in the most appropriate way.
It is also critical to protect any classified information you may obtain in connection with your work. Such information must only be shared on a need-to-know basis with BRE employees who have the relevant security clearance. There are three levels of government security classification: Official, Secret and Top Secret. If in doubt, please contact the Legal team.
Accidental breaches of confidentiality
While we must all take precautions to prevent breaches of confidentiality, accidents can still happen despite our best efforts. Such accidental breaches will not be penalised as long as they are reported in a timely manner, and appropriate action is taken to avoid or minimise negative repercussions.
Deliberate disclosures of confidential information are not permitted, and will result in disciplinary procedures or immediate termination of employment.
Incidents may involve paper records, electronic records or the spoken word, and are therefore not limited to IT systems.
Examples of information security incidents include:
- Unauthorised access to information or IT systems
- Inappropriate use of information
- Unauthorised disclosure of information
- Malicious modification, corruption or deletion of information
- Introduction of viruses, Trojan horses or other malicious software on IT systems
- Unauthorised use of IT systems.
Reporting an information security incident
If you know or suspect that an information security breach may have occurred (for instance, an unauthorised disclosure of confidential information), you should report it to your Line Manager and a member of the Legal team immediately. Remember, you will not be penalised for reporting such an incident.
Q: You take your work laptop and a memory stick containing customer information home to finish some work. You accidentally leave the memory stick on the train and are worried because it holds sensitive data relating to a BRE customer. What do you do?
A: As a general rule, information stored on memory sticks or other portable media used outside BRE should be encrypted; note that a password on the stick or on individual files does not by itself mean the data is encrypted. In any case, you should report the incident to the Legal team right away, regardless of whether the stick was password protected or encrypted, specifying the type of information it contained. Given the nature of the incident, you should also notify the IT helpdesk.
Do's and Don'ts
Do:
- Handle information with due care.
- Use, hold and dispose of information appropriately and responsibly in accordance with the BRE data protection and storage rules.
- Protect BRE's intellectual property.
- Consult with the Legal team if you receive a request to supply information you would not otherwise disclose.
- Follow all applicable BRE policies and procedures.
- Take adequate precautions to avoid security incidents.
- Report discovered security weaknesses or information security incidents immediately.
Don't:
- Disclose confidential and proprietary information belonging to BRE, BRE's customers or associates unless properly authorised to do so.
- Intentionally provide information that is untrue, inaccurate or misleading.
- Use confidential information you may come across to collude with a competitor in a way that could restrict competition.