Data Protection and Information Security

Data protection refers to BRE’s obligation to use information fairly and lawfully – maintaining confidentiality is a key aspect of this. As part of your job you may have access to information on BRE and its employees, customers, suppliers and contractors, some of which may be confidential. It is important that you have a clear understanding of what types of information are confidential.

For both commercial and personal confidential information, BRE has established procedures for retaining, disposing of and restricting access to information and records (refer to our Control of Records Procedure in the BRE staff area of this site for further details).

Anyone using BRE digital assets must know how to keep them secure by following BRE’s information security rules (refer to the Information Security Management Policy in the BRE staff area of this site for further details). The data storage and backup options in place provide a flexible and reliable means of storing, backing up and retrieving information (refer to the Data Storage and Backup Policy in the BRE staff area of this site for further details).

Information security is not just an IT issue as it also involves physical security, both in the office and on the road. Observing established rules will prevent visitors and staff from being exposed to confidential information and activities that they are not authorised to view.

Commercially sensitive information

Commercially sensitive information may relate to:

  • BRE’s intellectual property (see below)
  • BRE’s business plans
  • Project ideas/strategies
  • Internal documentation such as BRE policies or procedures
  • Data collected or held by BRE
  • Marketing portfolio
  • Information relating to third parties that we are legally obliged to protect (contractually or otherwise).

Protecting the confidentiality of information belonging to BRE’s customers, associates, partners and contractors is essential to preserving our reputation and meeting our contractual obligations.

Under BRE’s Standard Confidentiality Agreement, the company must apply the same security and degree of care to third party confidential Information as to its own. We keep a written record of any documents, records or other confidential Information received and ensure these are kept at our premises at all times.

Client Confidentiality Agreements should be reviewed by the Legal team for any different, additional or onerous obligations.

Refer to our Confidentiality Procedure in the BRE staff area of this site for further details.

Intellectual property

Safeguarding BRE’s intellectual property, which refers to creations of the mind, is of crucial importance to our continued success.

Intellectual property includes:

  • trade secrets
  • copyright materials
  • trademarks
  • certification marks
  • designs
  • patented inventions.

Different types of intellectual property need to be protected in different ways. For example, trade secrets should not be disclosed, copyright should be retained where possible in contracts, and trademarks and certification marks should only be used by others with appropriate permission.

BRE pays annual copyright license fees for internal distribution of printed journal, newspaper and other media outputs. These licenses do not allow us to distribute materials outside the organisation. Most photographs, unless taken officially by BRE photographers, are subject to copyright and therefore cannot be used without written permission from the originators.

Personal information

BRE respects the privacy and confidentiality of people’s personal information, and will only obtain the information needed to operate BRE effectively and ensure legislative and regulatory compliance. The same fundamental principles apply to maintaining confidentiality of both commercial and personal information, but there are a few additional requirements under the Data Protection Act relating exclusively to personal information.

Personal information that must be kept confidential covers identifiable details such as:

  • home address
  • health record
  • payroll information
  • performance appraisal data.


Under the Data Protection Act 1998, the term ‘personal data’ refers to data relating to an identifiable, living individual and covers both factual information and expressions of opinion about the individual.


Under the Data Protection Act 1998, the term ‘sensitive personal data’ refers to personal data consisting of information that relates to the individual’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life or criminal history.

If you are processing sensitive personal data, you must satisfy additional requirements because of its private nature and potential to be used in a discriminatory way. If you have any questions or concerns, please consult with a representative of the HR and/or Legal teams.

If you have records containing an individual’s personal data – e.g. home address, age or medical conditions – you should seek advice from a member of the HR team on the mechanisms in place to ensure the adequate processing and retention of such information.

Q: A member of your team is consistently taking one or two sick days here and there and you wish to establish if there is an underlying health reason for these absences. You believe that asking the employee directly would not be effective as you have tried this in the past and he has been reluctant to discuss this issue.

How can you establish whether that person has a health issue?

A: Medical health records are sensitive personal data under the Data Protection Act. There are restrictions on the way they can be processed, unlike less sensitive information such as simple absence records. In principle, you can access an employee’s health record to protect his or her health and wellbeing. To do this, ask HR to check whether the health record of the employee in question indicates a medical condition that could affect their performance at work. BRE cannot access health records held by the employee’s GP without that employee’s explicit consent.

Disclosing confidential information

In all cases where someone asks for information we would otherwise not disclose, the request should be passed to the Legal team or, if it is a media request, to the Marketing and Communications team.

Similarly, if there is a request for information in relation to an official government-led enquiry or investigation, you should contact the Legal team to make sure that we respond in the most appropriate way.

It is also critical to protect any classified information you may obtain in connection with your work. Such information must only be shared on a need-to-know basis with BRE employees who have the relevant security clearance. There are three levels of government security classification: Official, Secret and Top Secret. If in doubt, please contact the Legal team.

Accidental breaches of confidentiality

While we must all take precautions to prevent breaches of confidentiality, accidents can still happen despite our best efforts. Such accidental breaches will not be penalised as long as they are reported in a timely manner, and appropriate action is taken to avoid or minimise negative repercussions.

Deliberate disclosures of confidential information are not permitted, and will result in disciplinary procedures or immediate termination of employment.

Incidents may involve paper, electronic or the spoken word and are not therefore limited to IT systems.

Examples of information security incidents include:

  • Unauthorised access to information or IT systems
  • Inappropriate use of information
  • Unauthorised disclosure of information
  • Malicious modification, corruption or deletion of information
  • Introduction of viruses, Trojan horses, or other malicious software on IT systems
  • Unauthorised use of IT systems.

Reporting an information security incident

If you know or suspect that an information security breach may have occurred (for instance, an unauthorised disclosure of confidential information), you should report it to your Line Manager and a member of the Legal team immediately. Remember, you will not be penalised for reporting such an incident.


For example:

Q: You take your work laptop and a memory stick containing customer information home to finish some work. You accidentally forget the memory stick on the train and are worried because it has sensitive data relating to a BRE customer.

What do you do?

A: As a general rule, information stored on memory sticks, or other portable media used outside BRE, should be encrypted. In any case, you should report the incident to the Legal team right away, regardless of whether the stick was password protected, specifying the type of information it contained. Given the nature of the incident, you should also notify the IT helpdesk.

Do’s and Don’ts

Do:

  • Handle information with due care.
  • Use, hold and dispose of information appropriately and responsibly in accordance with the BRE data protection and storage rules.
  • Protect BRE’s intellectual property.
  • Consult with the Legal team if you receive a request to supply information you would not otherwise disclose.
  • Follow all applicable BRE policies and procedures.
  • Take adequate precautions to avoid security incidents.
  • Report discovered security weaknesses or information security incidents immediately.

Don’t:

  • Disclose confidential and proprietary information belonging to BRE, BRE’s customers or associates unless properly authorised to do so.
  • Intentionally provide information that is untrue, inaccurate or misleading.
  • Use confidential information you may come across to collude with a competitor in a way that could restrict competition.