Company information

Registered company name

Agenda Consulting Limited

Registered company number

04509427

Head office address

The Jam Factory, 27 Park End Street, Oxford OX1 1HU

Contact information

Data Protection Officer

Clare Harris

Telephone number

+44 (0)1865 263720

Email address

Clare.harris@agendaconsulting.co.uk

Website

agendaconsult.wpengine.com

Length of establishment

15 years

Number of employees

8

Director’s name

Roger Parry

Financial information

Bank account details

  • Bank: HSBC, 65 Cornmarket Street, Oxford, OX1 3HY
  • Account name: Agenda Consulting
  • Account number: 80129976
  • Sort code: 40-11-58

Turnover

  • Annual turnover: £0.7m
  • Time Period: March 2017 – February 2018

Financial performance

Request annual accounts from info@agendaconsulting.co.uk

Insurance information

Agenda’s Insurance Policies

Insurance Type            Amount insured
Public Liability          £5m
Employer’s Liability      £10m
Professional Indemnity    £1m

Security Information

Governance

Information Security Policy

Agenda has an Information Security Policy, which includes risk assessments for threats to information security.  The policy covers:

  • Staff awareness, including web and email threats
  • The need to retain data within the network
  • Confidential information remaining in an encrypted format during transit

The Policy is referenced in the Agenda staff handbook.  All employees receive a copy of the policy and it is discussed in detail as part of the staff induction process.  The Policy is reviewed at least every 6 months and any changes are made known to staff.


Data Protection

ICO Registration number

ZA232518

How does Agenda meet GDPR requirements?

Due to the nature of Agenda’s business (conducting employee and volunteer surveys on behalf of our clients), we have developed privacy policies to protect the data of our clients and of those who respond to a survey.

Agenda has developed processes for handling personal data requests as defined in the Agenda Data Requests Policy (ADRP) document.  The ADRP covers:

  • correcting inaccurate personal data
  • restricting personal data
  • deleting personal data
  • handling a data breach

Data Protection and Information Security awareness staff training

All staff are reminded of our individual and collective responsibilities regarding how Agenda manages data, both to fulfil the services we provide to our clients and to maintain the standards required by the ICO. The content of the Information Security Policy is discussed with staff during the 6-monthly review of the policy itself, and it also forms a detailed part of the discussion during staff appraisals.


Incident Management

Agenda has not had any reported incidents of data breach.  However, a process has been established to document, address and track any incident.  The Data Protection Incident Log also records new policies which may develop as a result of corrective action taken to address an incident.


Outsourcing

Agenda outsources its IT Hosting to the following third parties:

  • Memset: Server host. See written contract outlining obligations.
  • Alberon: Server manager. See written contract outlining obligations.
  • Jungle Disk: Provide the website backup service and use Rackspace Cloud for storage.

Backups are encrypted with AES-256 and the key is known only to Agenda, so the backup storage provider has no meaningful access to the data.

Memset:

Alberon:

Jungle Disk:

On a quarterly basis we review the published security policies in place with relevant third parties, as well as liaising with relevant account managers with regards to any policy change.

Redundant Hardware – Data Wiping

Data on redundant hardware is removed using a multi-pass secure erase. Data destruction is completed by VCI Systems Ltd, 22C Horseshoe Park, Pangbourne, Berkshire, RG8 7JW (on hardware removed from the client site). The multi-pass secure erase used by VCI Systems Ltd is the DoD 5220.22-M data wipe method.

VCI Systems Ltd then recycle units through their preferred recycling partner, PCD, who perform an additional data destruction process before ethical recycling of all hardware. PCD comply with the UK Government standard (CESG HMG Infosec Standard 5).

VCI Systems Ltd maintains documentation on all devices processed for data wiping, and retains certificates of data destruction from the recycling partner (single certificate covers the data destruction of multiple units processed in a single batch).

Computer Room / Data Centre

Client data is stored electronically in the computing environment, which is outsourced to Memset (the data centre address is given under Site Security below). Access to the computer room is restricted to named authorised personnel and access is logged. Access privileges are reviewed and checked periodically.

Computer Room/Data Centre environmental controls

Computer room equipment is protected by UPS devices, which are subject to regular testing and maintenance.  Generators are used and are also subject to regular testing and maintenance.

The computer room also has:

  • Dedicated temperature control and air cooling
  • Fire detection and suppression system installed
  • Gas suppression installed
  • Leak detection installed
  • Power, HVAC and network connectivity with at least N+1 redundancy

The power, environmental controls, fire detection and leak detection systems are all monitored.

Firewalls

Agenda has a firewall in place, a DrayTek Vigor firewall router, whose firmware is kept up to date. The configuration is checked to ensure that no inbound ports are open and that no access from the internet is enabled.

Information transfer

  • Electronic data containing personal or other confidential information is transmitted only over HTTPS and SSH connections.
  • Hard copy information (rarely sent) is sent via courier, with recorded despatch and signed-for delivery.

Stored data

Agenda processes the data. Alberon and Memset can access the data because they maintain the servers. Each provider has stated in writing that access to the server necessarily gives access to the data, but that the access is used only for support issues and that they make no alterations to the data.

Analysis of the data may be used for benchmarking for other clients where an aggregated analysis is agreed in the contract.

Access to client data is restricted to authorised individuals with a specific requirement to access the data.

Administrative access to the data environment is restricted and controlled, with an audit trail of any access by Memset for the purpose of support.

The data on the Cloud VPS is not encrypted at rest; however, the backups are protected by AES-256 encryption.

Back-ups

Daily backups are performed and stored in the Rackspace Cloud for the web-hosted platforms and in an Acronis data centre in the UK for Agenda Oxford office data. All backups are encrypted. Oxford office data is test-restored a minimum of twice a month, and backups are checked daily to confirm that they passed validation.

IT disaster recovery capabilities

Memset offer a 99.95% up-time guarantee and can provide geographically redundant services on request.  Their network has multiple redundancies and no single point of failure.

Agenda have almost immediate access to the locally stored Agenda office data in the event of a hardware failure and can recover all data from the off-site backups within 48 hours (subject to internet access).


Site Security – Agenda Office and Data Hosts

Agenda outsources the hosting of its IT services to Memset. The details below cover the security measures in place at both Agenda and Memset and reflect their respective roles and responsibilities in relation to the protection of data.

Address
  • Agenda: The Jam Factory, 27 Park End Street, Oxford
  • Memset: Memset Data Centre, Dunsfold Park, Cranleigh, Surrey

Ownership of premises
  • Agenda: Agenda are a tenant in a building which also has other tenants.
  • Memset: Memset wholly owns/occupies their HQ and Dunsfold data centre. The Reading data centre is a colocation facility.

Physical protection of information
  • Agenda: Information is only available through PCs which are password controlled. Laptops are encrypted.
  • Memset: All Memset data centres have physical protection applied in line with industry good practice and PCI-DSS requirements.

Physical security of building
  • Agenda: There are locks on all exterior doors to the building.
  • Memset: The building has standoff protection, 2-factor biometric entry controls, perimeter and internal CCTV, and intruder detection measures.

Controls to avoid unauthorised access inside the building
  • Agenda: There are locks on internal doors to all offices.
  • Memset: See above.

Controls to avoid unauthorised access to main building
  • Agenda: Access to the main building requires a passcode available only to tenants; visitors phone the relevant office to be collected (they cannot be buzzed through into the building).
  • Memset: See above.

Visitors
  • Agenda: Visitors are accompanied at all times.
  • Memset: Visitors are accompanied at all times.

Secure destruction of confidential waste
  • Agenda: Confidential waste on paper is shredded. Client hosted data is retained as per our Client Contract, for the purposes of benchmarking.
  • Memset: Processes are in place for the secure destruction of confidential waste, both for paper waste and customer hosted data at end of contract. All drives are shredded onsite by a CAS(T) provider at end of life.

Security of documentation
  • Agenda: Documents containing client, personal or other confidential information are locked away when unattended.
  • Memset: No client data is printed to paper.


HR recruitment and vetting

  • Agenda follows a formal vetting and recruitment process for all applicants. This includes verification of employee qualifications, and the taking up of previous employment references.
  • Employees sign an employment acceptance letter, which includes a clause for Confidentiality of Information.
  • Agenda has an Information Security Policy, which is reviewed every 6 months and staff are refreshed on the policy as it stands. Particular attention is drawn to any changes to the policy, and it is discussed in group sessions which focus on the requirement for data security. All users must understand the requirement and have the opportunity to question any area of which he or she is unsure.

Device security, servers, hardware

  • Procedures are in place for handling the loss or theft of equipment, as follows:
    • Devices are protected by passwords and, where possible, encrypted, which renders the data on a stolen or lost laptop inaccessible.
    • Regardless, all associated user passwords and access codes are changed as a priority and/or access is rescinded, whichever is faster to implement.
    • Line managers are made aware of the loss or theft as a matter of urgency.
    • Relevant providers (VCI Systems in the case of a laptop, the phone company in the case of a mobile) are contacted as a matter of urgency and any cessation of services is implemented at that time.
  • Other areas of security
    • The Ubuntu web servers update automatically on a daily basis.
    • All Windows devices have automatic updates enabled.
    • Office devices have the Windows firewall enabled and run ESET NOD32 Antivirus, which receives pushed signature updates, often several times in a single day, as released by the vendor.
    • Internet access is not monitored, though browsing history and associated DAT files are available for analysis if required. The ability to download from the internet is an integral requirement for Agenda staff. The Agenda structure allows for direct management of staff, which ensures that the internet policy is being followed.
    • Windows 10 Pro laptops are all encrypted using whole-disk encryption via BitLocker. Pre-Windows 10 devices, or devices running Home editions of the operating system, are encrypted via DESlock+.
    • Use of portable media is blocked through ESET device control, which removes the need for any further control over portable storage or its encryption.
    • All desktops time out to a screen saver after 5 minutes and require a password to unlock. Users are required to lock workstations when leaving them, and the 5-minute screensaver timeout helps enforce this.

User IDs and passwords

  • Each user has his or her own username and password to access the systems. These are not shared between colleagues and are not written down and stored on site.
  • Passwords must meet a minimum complexity requirement: at least 8 characters, with a mix of upper- and lower-case letters and numbers. The use of special characters is also recommended on platforms that allow them. Single-word passwords vulnerable to a dictionary attack are not allowed.
  • The IT systems and network are audited on an annual basis, although any required changes are made between audits.
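As an added illustration of the password rules above (example code written for this page, not Agenda's own tooling), the following Python check enforces the stated length and character-class requirements and rejects single dictionary words. It goes slightly beyond the policy text in one respect: before the dictionary lookup it strips leading and trailing digits or symbols and undoes common letter-for-symbol substitutions, because "Password1" or "P@ssw0rd" is no more resistant to a dictionary attack than "password". The word list and substitution map are constructed stand-ins; a real deployment would load a full dictionary or breached-password list.

```python
"""Password policy check modelled on the rules stated in the page above.

Added example, not Agenda's tooling. DICTIONARY and LEET are constructed
stand-ins: a real check would load /usr/share/dict/words or a breached-
password list, and a fuller substitution table.
"""
import re

MIN_LENGTH = 8

# Constructed mini-dictionary of words an attacker's list would certainly contain.
DICTIONARY = {"password", "welcome", "agenda", "oxford", "summer", "letmein", "qwerty"}

# Symbol/digit-for-letter substitutions a dictionary attacker tries as a matter of
# course; undoing them lets "P@ssw0rd" be recognised as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise(candidate):
    """Reduce a candidate to the bare word an attacker would have in a wordlist.

    Leading/trailing non-letters ("Password1", "!Welcome") are stripped first,
    then in-word substitutions are reversed and the result lower-cased.
    """
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", candidate)
    return core.translate(LEET).lower()


def check_password(candidate, dictionary=DICTIONARY):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if normalise(candidate) in dictionary:
        problems.append("single dictionary word (vulnerable to a dictionary attack)")
    return problems


def has_special(candidate):
    """True if the candidate contains a character outside [A-Za-z0-9] (recommended, not required)."""
    return bool(re.search(r"[^A-Za-z0-9]", candidate))


if __name__ == "__main__":
    for pw in ["Password1", "P@ssw0rd1", "correct", "agenda2018", "Tr0ub4dor&3"]:
        verdict = check_password(pw) or ["OK"]
        note = "" if has_special(pw) else " (consider adding a special character)"
        print(f"{pw!r}: {'; '.join(verdict)}{note}")
```

The character-class checks alone would accept "Password1"; it is the normalise-then-lookup step that gives the "no dictionary words" rule teeth.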

Website security

  • Application firewall technology has been installed and the web site and associated services are monitored for availability
  • Fail2ban monitoring is in place
  • Access to source code is restricted
  • Documented change-control procedures are in place
  • The site is served over HTTPS using TLS (SSL) certificates
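The page states that Fail2ban monitoring is in place without describing what it does. As an added example (not Agenda's configuration or Fail2ban's own code), the Python below reproduces the sliding-window logic Fail2ban's sshd jail applies, replayed over a constructed auth.log excerpt. The thresholds are assumptions: maxretry 5 and findtime 10 minutes match Fail2ban's shipped defaults, and bantime is set to one hour so that ban expiry is visible. The sample also shows the limit of the technique: a source that spaces its attempts further apart than findtime is never banned, which is why this control complements, rather than replaces, key-based SSH authentication and a closed firewall.

```python
"""Sliding-window brute-force detection in the style of fail2ban's sshd jail.

Added example for this page; not Agenda's configuration. Thresholds, the log
excerpt and the year are all constructed/assumed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds. maxretry and findtime match fail2ban's defaults; bantime is
# raised from the default 10 minutes to one hour so expiry is visible in demo().
MAXRETRY = 5
FINDTIME = timedelta(minutes=10)
BANTIME = timedelta(hours=1)

# OpenSSH password-failure line as written to auth.log. Syslog timestamps carry
# no year, so the caller supplies one, exactly as fail2ban has to.
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failure(line, year):
    """Return (timestamp, source_ip) for a failed-login line, or None for anything else."""
    m = FAIL_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"]


def scan(lines, year=2018, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay log lines in order and return {ip: ban_start} for every source that
    reached maxretry failures inside a findtime window. Failures arriving while a
    ban is active are ignored, as they would be once the firewall rule is in place."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    bans = {}
    for line in lines:
        parsed = parse_failure(line, year)
        if parsed is None:
            continue
        ts, ip = parsed
        if ip in bans and ts < bans[ip] + bantime:
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:   # drop attempts that have aged out
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts
            window.clear()
    return bans


def active_bans(bans, at, bantime=BANTIME):
    """IPs whose ban is still in force at time `at`."""
    return {ip for ip, start in bans.items() if start <= at < start + bantime}


# Constructed auth.log excerpt: a fast brute force from 203.0.113.5, one typo from a
# legitimate user at 198.51.100.7, and a slow attacker at 192.0.2.9 spacing attempts
# 15 minutes apart, i.e. wider than findtime.
SAMPLE_LOG = """\
Mar 12 10:00:01 web1 sshd[2201]: Invalid user admin from 203.0.113.5 port 40122
Mar 12 10:00:01 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Mar 12 10:00:04 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 40130 ssh2
Mar 12 10:00:06 web1 sshd[2205]: Failed password for root from 203.0.113.5 port 40131 ssh2
Mar 12 10:00:09 web1 sshd[2207]: Failed password for invalid user test from 203.0.113.5 port 40140 ssh2
Mar 12 10:00:15 web1 sshd[2209]: Failed password for root from 203.0.113.5 port 40150 ssh2
Mar 12 10:01:30 web1 sshd[2211]: Failed password for deploy from 198.51.100.7 port 51000 ssh2
Mar 12 10:01:45 web1 sshd[2213]: Accepted publickey for deploy from 198.51.100.7 port 51002 ssh2
Mar 12 10:05:00 web1 sshd[2215]: Failed password for root from 192.0.2.9 port 33000 ssh2
Mar 12 10:20:00 web1 sshd[2217]: Failed password for root from 192.0.2.9 port 33001 ssh2
Mar 12 10:35:00 web1 sshd[2219]: Failed password for root from 192.0.2.9 port 33002 ssh2
Mar 12 10:50:00 web1 sshd[2221]: Failed password for root from 192.0.2.9 port 33003 ssh2
Mar 12 11:05:00 web1 sshd[2223]: Failed password for root from 192.0.2.9 port 33004 ssh2
"""


def demo(log=SAMPLE_LOG):
    """Run the scan over the sample and report bans as plain strings."""
    bans = scan(log.splitlines())
    return {
        "banned": {ip: t.isoformat() for ip, t in bans.items()},
        "active_10_30": sorted(active_bans(bans, datetime(2018, 3, 12, 10, 30))),
        "active_11_30": sorted(active_bans(bans, datetime(2018, 3, 12, 11, 30))),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Only 203.0.113.5 is banned (on its fifth failure at 10:00:15), and the ban has lapsed by 11:30. The five failures from 192.0.2.9 never co-exist inside one ten-minute window, so that source is not banned at all; the same check run with a longer findtime, or a second tier of alerting on total failures per day, is the usual way to catch it.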

Our partners

AHRMIO, Association of Mental Health Providers, AVM, Bond, CDR, Charities HR Network, Charity Comms, CHS Alliance, Heritage Volunteering Group, Hospice UK, Humentum, Hospice Volunteer Managers Network, National Care Forum, NCVO, Voluntary Organisations Disability Group

Get in touch

info@agendaconsulting.co.uk

+44 (0)1865 263720

Follow @AgendaConsult
Find us on LinkedIn

5 Linford Forum
Rockingham Drive
Milton Keynes
MK14 6LY
UK

Company No: 4509427