ACCOUNTSCO’S INFORMATION SECURITY POLICY
This Policy sets out our policies regarding keeping personal data that we collect, hold, and process secure. This policy should be read in conjunction with our:
All of these can be found on the footer of our UK website www.accountsco.co.uk.
2. Information about us
AccountsCo is the trading name of PG&E Professional Services Ltd (the “Company”, “we”, “us” or “AccountsCo”). Details about AccountsCo can be found here.
3. Information about our Data Protection Officer
The Data Protection Officer shall be responsible for overseeing the implementation and compliance of this Policy. Any questions regarding this Policy, or any other aspect of Data Protection Legislation compliance should be referred to the Data Protection Officer. Details of AccountsCo’s Data Protection Officer can be found here.
In this Policy the following words and expressions have the meaning given to them below:
|AccountsCo’s ICT||means data systems information and communication technology systems (including software, hardware, data networks and digital content) made available by the AccountsCo for use by staff, contractors, consultants, service providers others; and|
|User||means any person or persons granted authority to use a AccountsCo’s ICT, including AccountsCo’s staff, contractors, consultants, service providers others.|
5. Who does this policy apply to?
This policy applies to all Users, including AccountsCo’s staff, contractors, consultants, service providers others.
6. Acceptable use
Use AccountsCo’s ICT for business purposes
AccountsCo’s ICT is provided for bona fide AccountsCo business, research and study purposes. Incidental personal use of the ICT is permitted only so long as it is reasonable and in full compliance with these Regulations. Permission to access and use AccountsCo’s ICT is given on the understanding that it is used only for approved purposes and only by the person or persons authorised to use them. Access to or publication of material of a criminal, offensive or pornographic nature is not permitted. Users may not conduct any work of any kind, including voluntary work, for third parties using AccountsCo’s ICT.
Act with due skill and care
Users must, at all times, ensure that they
- comply with relevant legislative, regulatory and contractual requirements;
- apply protection measures to Confidential Information throughout its lifecycle; and
- act always with due skill and care whilst maintaining information security.
Follow AccountsCo’s policies
All use of AccountsCo’s ICT must be consistent with all terms and conditions contained in contracts of employment, staff handbooks and with AccountsCo’s policies. Use of AccountsCo’s ICT should not involve access to or publication of material of a nature which might bring discredit to the User or to AccountsCo. It is the Users responsibility to ensure that he / (she) has read and understood this policy.
Be a registered user
Before a User can have access to and any of AccountsCo’s ICT the User must be registered with the Data Protection Officer. All Users are required to adhere to AccountsCo’s policies, guidelines and procedures. Copies of these are available on the links above or from the Data Protection Officer.
Monitoring and discipline
AccountsCo may monitor communications, files and emails. Whilst AccountsCo operates on the basis of trust, if there are reasonable grounds for suspecting that an individual is engaging in activities which are in breach of this or other policies, regulations or guidelines, AccountsCo reserves the right to investigate fully. If misuse is established, disciplinary action will be taken, including referring the matter to the Police should AccountsCo consider that an offence may have been, or may be, committed.
7. Users obligation to safeguard information
AccountsCo holds a wide range of personal data about our clients, staff, contacts and suppliers. Much of the information that we hold is very sensitive. For example, we often hold:
- copies of passports, bank statements and payslips;
- details of finances;
- contact information; and
- records of financial transactions.
Users must properly safeguard all of this data. Users must assume that all information that they come into contact with, create or come into possession of through AccountsCo’s ICT or through work at AccountsCo is strictly confidential. Users have a legal obligation to safeguard and protect all this information.
AccountsCo also holds a lot of confidential information that is not of a personal nature. For example, details of our clients (and our own) business plans, finances and strategy. Although this information is not of a personal nature Users still need to safeguard and protect it. Users need to treat all information that they come into contact with through use of AccountsCo’s ICT or through their work as Confidential Information and properly protect and safeguard it.
8. Other policies to be followed by all Users
Tell the Data Protection officer about the machines that you use
Users must give the Data Protection Officer details of all of the machines and hand held devices that the User wishes to use for work purposes, including emails. Users must tell the Data Protection Officer about any changes to this information.
Third party authentication
AccountsCo uses third party authentication procedures to protect its Microsoft 365 programmes. This means that Users should not be able to access any Microsoft 365 programme without authenticating the log on via the Users mobile phone, authentication app or e-mail. If a User finds that he / (she) can use these programmes without authentication, the User must notify the Data Protection Officer immediately.
Only use AccountsCo authorised software
Users may only use software that has been specifically authorised for use. A list of authorised software is available here Other software can only be used if it is authorised in writing by the Data Protection Officer.
Users must make sure laptops and any other mobile devices are properly secured. Laptops should not be left unattended in public places or open areas, even for a very short period. Laptops must not be left in a vehicle, even in a locked boot. Laptops should be secured safely over-night. Laptops must never be left unattended.
When travelling by air, subject to the airline’s regulations and other laws, laptops must always be carried in the cabin and not placed with checked-in items.
Only use secure Wi-Fi Connections. Public or free Wi-Fi should not be used when remote working or accessing Confidential Information. If Users use their own mobile hotspot or Wi-Fi connection, the User must ensure that it is properly password protected and that no other people have access to it. The only exception to this is if a User has a home Wi-Fi network, in which case it is understood that the Users other family members may have access to the network.
Confidential data (including login details and other business sensitive information) must never be transmitted or accessed on a non-secure Wi-Fi (e.g. over the unencrypted http web protocol) as it is possible that the information could be viewed by unauthorised individuals.
Caution when opening e-mails
Exercise extreme caution when opening e-mails. Email links and attachments should be accessed with care as they may contain malware or viruses that could infect laptops or mobile devices. Users must not open any e-mails that contain attachments or links unless the User is certain that the email is legitimate. The User should ask the Data Protection Officer if he / (she) is not sure. Any suspected malware or virus infection must be reported to Data Protection Officer.
Pin protected laptops
All AccountsCo’s laptops are pin protected, which should mean that Users need a pin to start their laptop. No one else must have access to the password or pin code. Passwords or pin codes that access software must be kept private. This includes family members. If a User ever finds that he / (she) does not need a pin to log into your computer, the User must notify the Data Protection Officer immediately.
Use of personal mobile phones, tablets & other devices
Users may use their personal mobile phone, tablet or other device to access outlook, provided that the device
- is registered with the Data Protection Officer;
- is password protected; and
- is not shared with anyone else, including family members.
Users must not use personal phones, tablets or other devices to store or work on Confidential Information, even for a short period.
Don’t make unauthorised changes to AccountsCo’s devices
Do not remove or alter software restrictions on your devices. This includes disabling passwords, pin codes or any installed security programs (e.g. AntiVirus, AktivTrak or remote management applications).
Do not store Confidential Information on your laptop
Users must not store Confidential Information on their laptops. Remember that Confidential Information means all information that Users come into contact with or create through your work at AccountsCo. Confidential Information is not just personal information. The only exceptions to this rule are:
- Working with pdfs – When working with pdfs a User will usually need to save them to the laptop. In this case, once the User has finished working on the pdf he / (she) should save it to the appropriate Microsoft 365 programme and delete it from the laptop.
- Travelling or working with very large documents – Users may temporarily save documents on laptops if the User needs to work on them and anticipates that he / (she) won’t have access to Wi-Fi. For example, if a User needs to work on a document or spreadsheet when travelling. Likewise, if a User is working on a very large document that requires excessive bandwidth the User may temporarily save it on a laptop.
Users should create excel and word documents from Teams so that they are saved in the correct place. If a User finds that he / (she) has inadvertently saved a document to the laptop, the User should save it on to the appropriate Office 365 programme and delete it from the laptop.
Regularly check your laptop for saved files
Users should regularly check their laptops to ensure that they have not inadvertently downloaded or saved files. If a User finds that he/ (she) has, upload the to Teams and delete the version on the laptop.
Do not save Confidential Information to external storage devices.
Users must not save information to storage devices, such as external drives. Laptops should be set up to prevent this. If a User finds that he / (she) can save data to an external device, tell the Data Protection Officer.
Do not save Confidential Information to the cloud
Users must not save Confidential Information to the cloud, other than AccountsCo’s Microsoft 365 programmes. The only exception to this is if the User has written authorisation from the Data Protection Officer. For example, if a client asks a User to save documents to their DropBox account, the User should first get the written authorisation from the Data Protection Officer.
Only use AccountsCo’s software and cloud-based applications
Only use software and cloud-based applications that are paid for by AccountsCo. Do not use or store information in software or cloud-based applications that have been paid for personally, or are free, or are the clients. The only exception to this is if the User has written authorisation from the Data Protection Officer.
Only use AccountsCo’s e-mail and cloud storage facilities
Only use AccountsCo provided email and cloud storage facilities. AccountsCo currently has a Microsoft Office 365 subscription for each of its employees and significant sub-contractors. Personal email and cloud solutions (including other Microsoft 365 accounts, Gmail, DropBox etc) must not be used for AccountsCo’s business or accessed via a laptop provided to you by AccountsCo. The only exception to this is if the User has written authorisation from the Data Protection Officer.
Do not save passwords on your browser
Do not save passwords on your browser. Only save passwords on Dashlane.
Use Dashlane to properly store passwords. Do not share passwords on Dashlane. The only exception to this is if the User has written authorisation from the Data Protection Officer.
Do not use USB Dongle’s or other external data storage accounts
Do not use USB Drives, Dongle’s or other storage devices without the written authorisation of the data Protection Officer.
Do not print Confidential Information
Users must not print Confidential Information when working remotely. Users must not print documents that contain Confidential Information unless he / (she) is in the office, and it is necessary. Printed documents must be shredded promptly. Remember that Confidential Information means all information that a User comes into contact with or creates through his / (her) use of AccountsCo’s ICT or work at AccountsCo. Confidential Information is not just personal information.
Make sure that the office is locked and alarmed
The last person out of our office must ensure that the office door is locked and the building alarmed. This includes if the office is left even for a short period of time, such as lunch.
Keep desks clear
We operate a clear desk policy. Users must completely clear their desks before they leave their desk over-night. Do not leave Confidential Information or any other information on a desk over-night. When in the office make sure that Confidential Information is either shredded or put in the Confidential Information Draw.
Keep the Confidential Information Draw locked
If a User puts something in or take something out of the Confidential Information Draw, make sure that it is locked.
Do not provide information to third parties unless you have written authorisation
Users must not provide information about clients, contacts or staff to third parties. This includes to family and friends. Treat all requests for information with care. For example, do not provide information to people who claim to be reference agents or new accountants. The only exception to this is if you have written authorisation from the Data Protection Officer.
Report lost laptops, devices and information
If an AccountsCo laptop used by you is lost or stolen, you must notify the Data Protection Officer as soon as possible. The same applies to any personal devices which have AccountsCo’s ICT installed on them.
Users are responsible for reporting data loss and security incidents to the Data Protection Officer.
Procedures to be followed if you leave or move to another role
In addition to the procedures described above, which should always be followed, there are additional procedures that should be followed when a User leaves AccountsCo or moves to a different role within AccountsCo. These are listed below.
- Information Handover: All AccountsCo’s information should be returned to AccountsCo’s Data Protection Officer when you leave or move to another role.
- End of Use of equipment: All AccountsCo’s equipment should be returned to AccountsCo’s Data Protection Officer when you leave or move to another role.
- End of use of software: Cloud and other software should not be accessed by you once you have left or moved to another role. You should delete any login credentials or passwords that allow you access.
Ownership of laptop mobile devices and Confidential Information
Any laptop or mobile device issued to you and the data it holds remain the property of AccountsCo. The device may not be retained. There are no exceptions to the policy requirement for you to return AccountsCo owned devices when departing from AccountsCo.
9. Procedures to be followed by the Data Protection Officer
- Ensure compliance with this policy
- The Data Protection Officer has the other duties described below.
- Maintain a log of hardware
- Maintain a log of all devices that are used by the team for business purposes.
- Dispose of hardware securely: The Data Protection Officer should ensure that secure disposal arrangements for data bearing IT equipment and sensitive paper waste are followed.
- Ensure that programmes can’t be accessed once staff leave: The Data Protection Officer should ensure that programmes can’t be accessed once staff leave and that password access is deleted.
- Ensure that systems and passwords work in the way envisaged
10. Use of ActivTrak
To help us to work more productively as a team and to ensure compliance with company policies we use software called ActivTrak. ActivTrak is installed on all AccountsCo’s computers. ActivTrak monitors what the computer is used for and sends alerts if company policies are breached. You can read about AvtivTrak software here www.activtrak.com. Please take a few minutes to read about ActivTrak in the above link. Feel free to call Simon Edrich if there is any aspect of this software or its use that you would like to discuss.
11. Use of Microsoft Azzure
To help us to ensure compliance with company policies we use software called Microsoft Azure Your computer is domain registered, which means that certain activities on your laptop can be controlled remotely. For example, if the computer is lost the data on the computer can be wiped. Please call the Data Protection Officer if you would like more information on Azure.
12. Changes to this policy
This policy was last updated 16/4/23. AccountsCo may change this policy from time to time.