Information Security Policy

Last updated: 11 October 2022

1. Definitions

“Audiem”, “Company”, “we”, “us”, or “our” means Workplace Advantage Ltd. (trading as Audiem), with its registered office at White House Farm, West Rounton, Northallerton, DL6 2LW, with company number 10976073 and VAT number 412702635.

“Audiem Users” refers to employees, contractors and sub-contractors of Audiem.

“Author” means a person that provides textual (Viewpoint) and numerical or categorical (metadata) content data from, or relating to, a Client organisation.

“Client” means the managing organisation commissioning Audiem to either gather data on their behalf and/or generate insights from Author content.

“Client Data” means any data generated by the Client and/or their Authors that is provided to us for processing using our tools, or that we collect using our tools on their behalf.

“Client User” means anyone authorised by the Client (or their nominated parties) to access and administer the Audiem software platform, or otherwise use our Services.

“Controller” and “Processor” have the meanings set forth in the UK Data Protection Act 2018 and the UK General Data Protection Regulation (“UK GDPR”) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

“IT Systems” refers to computer systems, devices, infrastructure, computing environments and any other relevant equipment managed by Audiem.

“UK GDPR” refers to the retained EU Law version of General Data Protection Regulation ((EU) 2016/679) as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 as amended.

2. The purpose of this policy

This document sets out the measures to be taken by all employees of Workplace Advantage Ltd. (trading as Audiem) and by Audiem as a whole in order to protect Audiem’s computer systems, devices, infrastructure, computing environment and any and all other relevant equipment (collectively, “IT Systems”) from damage and threats whether internal, external, deliberate, or accidental.

This document is a public-facing version of our wider Information Security Policy, which contains some confidential security information. The wider policy is accessible only to Audiem employees.

This policy, and any policy mentioned within this document, applies to all members of staff, who complete training on the relevant policies and on information security best practice as part of their induction.

3. Responsibilities

“Data Protection Officer” – Ian Ellison, Director, Co-Founder

“IT Systems Manager” – James Pinder, Director, Co-Founder

4. Data protection

All personal data (as defined in the Data Protection Legislation) collected, held, and processed by Audiem will be collected, held, and processed strictly in accordance with the principles of the Data Protection Legislation, the provisions of the Data Protection Legislation, and Audiem’s Data Protection & Privacy Policy.

All Audiem Users handling data for and on behalf of Audiem shall be subject to, and must comply with, the provisions of Audiem’s Data Protection & Privacy Policy at all times.

5. Data classification

All data stored on IT Systems are to be classified appropriately (including, but not limited to, personal data, sensitive personal data, and confidential information) with reference to:

  • Authors – e.g. content information in relation to employees of the Client
  • Client Data – e.g. contractual arrangements between the Client and Audiem
  • Client Users – e.g. employees of the Client that have access to Audiem’s platform

All data so classified is handled appropriately in accordance with its classification and shall be available only to those Users with a legitimate need for access.

6. Access control

Where possible, Audiem aims to create an environment of open knowledge exchange and so endeavours to avoid creating unnecessary barriers around access to data; however, for the classifications listed above, the appropriate level of access is set in the context of serving the Client.

As an example, an account manager will have access to all data classifications in order to help deliver workplace insights, but members of the finance team would only have access to Client Data unless specifically required; this is assessed on a case-by-case basis.

7. Security software

Audiem’s policy is to have no corporate information held outside of Audiem’s password protected IT Systems. The following tools are used to protect Audiem’s IT Systems:

  • Bitdefender – laptop/desktop malware and antivirus
  • Microsoft 365 – secure cloud storage and email systems
  • LastPass – password storage and secure password sharing

8. Password policy

All employees of Audiem must, where software/computer/device allows, create access passwords that are:

  • at least 8 characters long;
  • a combination of upper and lower case letters, numbers and symbols;
  • different from the previous password;
  • not obvious or easily guessed (birthdays, memorable names etc.); and
  • created and securely stored by individual Audiem Users using LastPass or iCloud Keychain.

9. Employee data practice

All Audiem Users handling data for and on behalf of Audiem shall be subject to, and must comply with, the provisions of Audiem’s Data Protection & Privacy Policy at all times. In particular, the following shall apply:

  • all emails containing personal data must be marked ‘confidential’;
  • personal data may be transmitted over secure networks only; transmission over unsecured networks is not permitted under any circumstances;
  • personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;
  • personal data contained in the body of an email, whether sent or received, should be copied directly from the body of that email, and stored securely. The email itself should be deleted;
  • all personal data to be transferred physically, including that on removable electronic media, shall be transferred in a suitable container marked ‘confidential’;
  • where any confidential or personal data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the Audiem User must lock the computer and screen before leaving it; and
  • Audiem Users should ensure that the hard drives on their computers are encrypted.

10. Subject access requests (SARs)

When a Subject Access Request (SAR) is made there are different actions Audiem must take depending on who receives the request. If a SAR is made to a member of staff, their only action is to let the Data Protection Officer know. It will then be the responsibility of the DPO to ensure that Audiem meets requirements under any legislation, along with Client agreements.

11. Reporting data breaches

Upon receiving a question or notification of a breach, the IT Systems Manager shall, within 24 hours, assess the issue including, but not limited to, the level of risk associated therewith, and shall take any and all such steps as the IT Systems Manager deems necessary to respond to the issue.

Under UK GDPR, where a data breach is likely to result in a ‘risk for the rights and freedoms of individuals’, the Data Protection Officer will notify Clients and Data Controllers ‘without undue delay’ and ensure that this happens within 72 hours.

12. Data erasure and sanitisation

When deleting data or disposing of devices and removable media (e.g. laptops, printers), Audiem will follow government guidelines:

https://www.ncsc.gov.uk/guidance/secure-sanitisation-storage-media

13. Policy review

Audiem shall review this Policy every 12 months and otherwise as required in order to ensure that it remains up-to-date and fit for purpose.