Professional Language Solutions Ltd
Data Security and Retention Policy - August 2019
This policy applies to:
(1) all data of PLS or our customers which can reasonably be considered to be “confidential”
(2) personal and private data which is collected by PLS, and which is governed by GDPR
All such data is hereafter referred to as “affected data”.
Definition of Our Network
1/ The PLS local domain server (including virtual servers)
2/ Cloud-based file-storage applications approved by PLS, which have their own User Credentials. At the time of writing, these include:
- Google Drive
- Dropbox
- Microsoft OneDrive
- HR Bright
- Microsoft Teams
- Microsoft Office 365 (including Microsoft Exchange)
- Jotform
- Cardstream
- Tawk.to
Secure Storage
Affected data must always be stored on our network.
Provided the affected data is held on our network, there is no further requirement to password-protect individual files, unless the file is being shared outside that environment (e.g. emailed to an external third party).
No affected data is permitted to be stored by PLS employees anywhere outside our network, defined above, unless it is on an approved device which is listed on the IT Register of Approved Devices.
Affected data may be accessed from any device using approved User Credentials, provided it is not downloaded and stored.
Transmission/sharing of affected data
If affected data held within our network needs to be sent by Microsoft Exchange email, it must always be password-protected, in accordance with our password-authentication processes.
Alternatively, affected data can be shared with other users through the file-sharing systems included above in the definition of our network.
Physical files
Where affected data is printed and results in a hard copy, or where PLS receives confidential or GDPR data in the form of a hard copy, the following security protocols concerning the safeguarding of this data apply:
- No hard copies of affected data to be taken outside PLS head office without permission and without being recorded on the data register by the Data Controller (CT) or designated delegate
- Hard copies of affected data always to be stored in lockable cupboards/cabinets, with the key held by the staff member designated to be responsible
- No hard copies of affected data to be left on desks or in any shared work areas without appropriate supervision
Data Retention Policy
Affected data will be kept “live” for a maximum of 5 years (see note below).
All data older than 5 years will be archived with encryption and stored in a protected area on our network.
All data older than 10 years will be destroyed, unless PLS is required by either customer contract or legal obligations to retain it.
Maintenance and Updating Policy
In December each year, IT is to oversee a company-wide update to archive/delete data in accordance with the Data Retention Policy above.