Data privacy is a critical component of Door operations, as is the protection and management of the various types of customer and staff Personally Identifiable Information (PII). Door computer systems and related devices collect and record data as required for service delivery, management, and reporting purposes. This key information should never be disclosed to unauthorized individuals.
This policy establishes general protection requirements for information captured or generated by Door operations, systems, network devices, or communications. This includes systems and devices involved in the transmission and storage of voice data. The policy further delimits conditions where PII may be disclosed.
This data protection policy ensures Door:
- Complies with Data Protection law and follows good practice,
- Protects the rights of staff, customers, and partners,
- Is open about how it stores and processes individuals’ data, and
- Protects itself from the risks of data breach.
This policy applies to all Door staff that create, deploy, or support Door gathered or processed information.
The Data Protection regulation describes how organisations must collect, handle and store personal information.
These rules apply regardless of whether data is stored electronically, on paper or on other materials.
To comply with the law, personal information must be collected and used fairly, stored safely and not disclosed unlawfully. The Company shall:
- Only carry out processing of any Client Personal Data on the Client’s instructions;
- Implement appropriate technical and organisational measures to protect any Client Personal Data against unauthorised or unlawful processing and accidental loss or damage;
- Not transfer Client Personal Data to any country outside the European Economic Area without written authorisation by the Client which may be granted subject to such conditions as the Client deems necessary;
- Not subcontract any processing of the Client Personal Data without the prior written authorisation of the Client;
- Ensure that access to the Client Personal Data is limited to those employees or authorised subcontractors who need access to the Client Personal Data to meet the Company’s obligations under this Agreement and that all employees and authorised subcontractors are informed of the confidential nature of the Client Personal Data;
- Comply with its obligations under any applicable Data Protection Law, and shall not, by act or omission, put the Client or its affiliates in breach of, or jeopardise any registration under, any such Data Protection Law;
- Promptly and fully notify the Client in writing of any notices in connection with the processing of any Client Personal Data, including subject access requests, and provide such information and assistance as the Client may reasonably require;
- Promptly and fully notify the Client in writing if any Client Personal Data has been disclosed in non-compliance with this Section.
Everyone who works for or with Door has some responsibility for ensuring data is collected, stored and handled appropriately.
Each team that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, the following people have key areas of responsibility:
The Board of Directors is ultimately responsible for ensuring that Door meets its legal obligations.
- Keeping the board updated about data protection responsibilities, risks and issues.
- Reviewing all data protection procedures and related policies, in line with an agreed schedule.
- Arranging data protection training and advice for the people covered by this policy.
- Handling data protection questions from staff and anyone else covered by this policy.
- Dealing with requests from individuals to see the data Door holds about them (also called ‘subject access requests’).
- Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
- Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
- Performing regular checks and scans to ensure security hardware and software is functioning properly.
- Evaluating any third-party services the company is considering using to store or process data, such as cloud computing services.
- Approving any data protection statements attached to communications such as emails and letters.
- Addressing any data protection queries from journalists or media outlets like newspapers.
- Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
- The only people able to access data covered by this policy should be those who need it for their work.
- Data should not be shared informally. When access to confidential information is required, employees can request it from their line managers.
- Door will provide training to all employees to help them understand their responsibilities when handling data.
- Employees should keep all data secure, by taking sensible precautions and following the guidelines below.
- In particular, strong passwords must be used and they should never be shared.
- Personal data should not be disclosed to unauthorised people, either within the company or externally.
- Data should be regularly reviewed and updated if it is found to be out of date. If no longer required, it should be deleted or disposed of.
- Employees should request help from their line manager or the data protection officer if they are unsure about any aspect of data protection.
The organization commits to adhering to the GDPR guidance when processing personal data:
- Lawfulness, fairness, and transparency: The organization will process personal data lawfully, fairly, and transparently, ensuring that data subjects are informed of the purpose and legal basis for processing their personal data.
- Purpose limitation: The organization will collect personal data for specified, explicit, and legitimate purposes only and will not process the data in a manner that is incompatible with those purposes.
- Data minimization: The organization will only collect and process personal data that is adequate, relevant, and limited to what is necessary for the purposes for which it is being processed.
- Accuracy: The organization will take reasonable steps to ensure that personal data is accurate and, where necessary, kept up to date. Inaccurate personal data will be rectified or deleted without delay.
- Storage limitation: The organization will retain personal data for no longer than is necessary for the purposes for which it was collected and processed, taking into account legal and regulatory requirements.
- Integrity and confidentiality: The organization will implement appropriate technical and organizational measures to ensure the security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
- The right to be informed: Data subjects have the right to be provided with clear and transparent information about how their personal data is processed.
- The right of access: Data subjects have the right to access their personal data and receive confirmation that their data is being processed.
- The right to rectification: Data subjects have the right to have inaccurate or incomplete personal data rectified without undue delay.
- The right to erasure (‘right to be forgotten’): Data subjects have the right to request the deletion of their personal data under certain conditions.
- The right to restrict processing: Data subjects have the right to restrict the processing of their personal data under certain circumstances.
- The right to data portability: Data subjects have the right to receive their personal data in a structured, commonly used, and machine-readable format and have the right to transmit that data to another controller.
- The right to object: Data subjects have the right to object to the processing of their personal data for direct marketing purposes, or when processing is based on legitimate interests or the performance of a task in the public interest.
- Rights in relation to automated decision-making and profiling: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or significantly affects them.
Door policy surrounding data privacy falls into three broad classifications protecting information gathered to manage and deliver services to employees and clients. This policy is broken into three separate sections: general network data, PII, and employee information.
Door uses additional guidelines and strict processes to protect the privacy of every employee and ensure the confidentiality and security of all PII collected and managed.
In the course of normal network operations, computer systems, voice systems, access control systems, and network devices generate and track logging data, source and destination internet protocol (IP) addresses, session times, port numbers, file sizes, etc. (referenced as Network Data).
Network Data Policy - Door treats all network data as confidential information. This information may be obtained, stored, and reported for legitimate business, compliance and audit purposes but shall not be exposed to unauthorized individuals except as specifically discussed in this policy.
Network data may be disclosed under the following conditions. Requests shall be authorized by the Door CTO or their designee:
- Network Operational Viability - Network data may be released under the following situations:
  - Network performance monitoring or troubleshooting
  - Security incident analysis and remediation
  - Audit, group policy, and security log management and analysis
  - Litigation holds and requests
  - Copying, archiving, or otherwise preserving portions of any messages transmitted over the network in the course of business or maintenance
- Legal or Door Policy Analysis – Network data may be released to appropriate authorities to indicate the presence of activities that violate internal policies, federal or state law. These requests shall be in response to legal discovery or court requests.
- Network Security Threats – All relevant data, protocol, logs, and user information may be released as part of incident and breach analysis and remediation. Door shall investigate and remediate possible network security threats by means of capture, logging, and examination of files, communications, and other traffic and transmissions over or on the network.
- Network Data Requests - All requests to retrieve and share network data must be submitted to the Information Security Manager or their designee. Any litigation and legal requests require confirmation from Door’s Head of Legal. Such requests shall include:
  - Name and role of the requestor.
  - Reason for the request, in accordance with the principles set forth in this policy.
  - Intended use of the requested data.
Any network data intentionally shared with third parties must be sanitized and redacted to preserve the anonymity of network users unless that data is used directly in legal discovery or authorized by general counsel. Requests shall be documented and stored as part of the implementation of this policy.
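The sanitization and redaction step above is where network data most often leaks identity by accident: a shared log that still carries raw IP addresses or usernames defeats the purpose of the review. The script below is an added example, not part of Door's policy or tooling, showing one way to redact network data of the kind described in this section (source and destination IP addresses, usernames) before it leaves the organization. It replaces each identifier with a keyed pseudonym so that a recipient can still correlate events from the same host or account without learning who they were, keeps non-identifying fields (timestamps, ports, byte counts) intact, and re-scans the output to confirm nothing slipped through. The log format, field names and the HMAC key are constructed assumptions for illustration; the key would be held by the data owner and never shared with the recipient.

```python
import hashlib
import hmac
import re

# Constructed sample log lines in an assumed key=value format; not real traffic.
SAMPLE_LOGS = [
    "2024-03-01T10:15:02Z src=10.20.30.40 dst=203.0.113.7 sport=51234 dport=443 user=jdoe bytes=8421",
    "2024-03-01T10:15:09Z src=10.20.30.40 dst=198.51.100.23 sport=51235 dport=22 user=asmith bytes=1290",
    "2024-03-01T10:16:44Z src=192.168.1.77 dst=203.0.113.7 sport=40022 dport=443 user=jdoe bytes=512",
]

# Identifiers that must not leave the organization in the clear.
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
USER_RE = re.compile(r"\buser=(\S+)")


def pseudonym(value: str, key: bytes, prefix: str) -> str:
    """Keyed HMAC token for one identifier.

    The same input under the same key always yields the same token, so the
    recipient can still see 'the same host/account appeared three times',
    but without the key the token cannot be reversed or cross-referenced
    with another release that used a different key.
    """
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]
    return f"{prefix}_{digest}"


def redact_line(line: str, key: bytes) -> str:
    """Replace every IP address and username in one log line with a pseudonym."""
    line = IP_RE.sub(lambda m: pseudonym(m.group(0), key, "ip"), line)
    line = USER_RE.sub(lambda m: "user=" + pseudonym(m.group(1), key, "u"), line)
    return line


def redact_logs(lines, key: bytes):
    """Redact a batch of log lines; ports, timestamps and sizes are left as-is."""
    return [redact_line(line, key) for line in lines]


def verify_redaction(lines):
    """Independent check run on the output before release.

    Returns a list of (line_index, leaked_value) for any raw IP address or any
    user= value that is not one of our 'u_' tokens. An empty list means clean.
    """
    leaks = []
    for i, line in enumerate(lines):
        leaks.extend((i, ip) for ip in IP_RE.findall(line))
        leaks.extend((i, u) for u in USER_RE.findall(line) if not u.startswith("u_"))
    return leaks


if __name__ == "__main__":
    # Constructed key for the demonstration; a real release key is generated
    # per request and retained only by the data owner.
    release_key = b"constructed-demo-key-do-not-reuse"
    redacted = redact_logs(SAMPLE_LOGS, release_key)
    for line in redacted:
        print(line)
    print("leaks:", verify_redaction(redacted))
```

Running the script prints the three lines with `src=ip_...`, `dst=ip_...` and `user=u_...` tokens in place of the originals and an empty `leaks` list. Using a fresh key for each request keeps separate releases unlinkable, which matters when the same recipient is given data more than once; the request record described in this section is a natural place to note which key identifier was used.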
All employee data is treated as confidential and private. No employee related information shall be released or disclosed without the express approval of Door’s Human Resources.
Employee Data Policy - Door treats all employee data as private and confidential information. This information may be obtained, stored, and reviewed for legitimate business purposes related to personnel employment, compliance, and audit purposes but shall not be exposed to unauthorized individuals, agencies, or external sources except as specifically discussed in this policy.
Data shall be disclosed only under the following conditions and employees shall be informed of such activity prior to release:
- Employee Performance – Employee work data may be released under the following situations:
  - Security incident analysis and remediation
  - Litigation holds and requests
  - Restoration or otherwise preserving portions of messages transmitted over the network in the course of business.
- Legal or Agency Disciplinary Analysis – Employee data may be released to appropriate authorities to indicate the presence of activities that violate internal policies, federal or state law. These requests shall be in response to internal policy incidents, personnel management, legal discovery, or court requests.
- Network or Agency Security Threats – All relevant data, protocol, logs and user information may be released as part of incident and breach analysis and remediation. Door shall investigate and remediate possible network security threats by means of capture, logging, and examination of files, communications, and other traffic and transmissions over or on the network including all employee communications and component activities relevant to the incident or breach.
- Employee Data Requests - All requests to retrieve and share employee data must be submitted through Door’s Human Resources department. Any litigation and legal requests require confirmation by executive management including at a minimum the Head of Operations. Such requests shall include:
  - Name and role of the requestor.
  - Reason for the request, in accordance with the principles set forth in this policy.
  - Intended use of the requested data and whether this information will be used as part of a personnel action.
  - Employee notification of the event unless barred due to a legal or disciplinary investigation. In all circumstances, employees shall be notified if information is placed in their permanent files related to an incident or discovery request.
Any employee network data intentionally shared with third parties shall be sanitized and redacted to preserve the anonymity of the employee unless that data is used directly in legal discovery or authorized by Door General Counsel and the Head of Operations. Requests shall be documented and stored as part of the implementation of this policy.
All client PII is confidential and private. Door client data privacy procedures adhere to the guidelines set forth in applicable federal and state laws, GDPR and/or locally relevant regulations and include additional safeguards as follows:
- Formal information security policy
- Security and privacy policies
- Policy review and revision by national experts and advisors
- Institutional Review Board (IRB) or a formal process to review and approve research requests to ensure appropriateness and confidentiality of the research
- Specific liability language and support in vendor contracts/agreements around data privacy, data breaches, appropriate uses and disclosure of data, and termination/penalties for non-compliance.
- Annual independent security audits
No client data shall be intentionally shared with third parties outside of legally compliant (e.g. research, compliant third party provider operational contracts, federal and state reporting etc.) activities unless that data is authorized by the client. All client data requests shall be documented and stored as part of this policy.
6.4 Audit Controls and Management
On-demand documented procedures and evidence of practice should be in place for this operational policy as part of Door operations. Examples of audit control and evidence include:
- Process, authorizations, and documentation for PII requests
- Historical evidence of organizational compliance
- Functioning IRB and research authorization process and regular evidence of board activity
- Procedures for executing legal holds, chain of command, and discovery requests
Door shall set records retention schedules to address legal, statutory, and compliance requirements as well as litigation needs, business processes, and data privacy concerns. Storage requirements shall be coordinated with the Door Head of Operations to comply with their requirements for record storage.
Door retention periods are generally determined by evaluating:
- Applicable regulatory, statutory, legal, or general state and federal compliance requirements
- Determining electronic data components collected, their purpose, and applying the appropriate retention procedure to each class of data asset
- Identifying other internal or external entities that collect, store, archive, or use Door information and records
Door departments shall develop procedures and documentation that implement and maintain the retention requirements as outlined in this policy. Specific procedures shall specify the retention time, archival rules, data formats, and the permissible means of storage, access, and encryption (if any).
The Door Head of Operations or their designee shall:
- Implement data retention and disposal guidelines limiting data storage and retention times to those that are required for legal, regulatory, and business requirements
- Ensure automatic or manual processes exist for the secure destruction of paper and electronic records when no longer needed
- Follow specific retention requirements for sensitive data as set forth by this policy
- Identify retention periods for log files and audit trails
- Define and enforce email retention requirements
- Determine procedures and personnel to handle litigation, public and individual records requests
Different types of records require varying retention periods. In addition to describing how long various types of information must be maintained, retention procedures shall specify:
- Steps used to archive information and locations where this information is stored
- The appropriate destruction of electronically stored information after the identified retention period. Such steps shall adhere to the requirements outlined in this policy
- Procedures for chain of custody and handling of electronically stored information when under litigation.
In certain instances, individual departments may have unique record retention requirements outside of documented groups. These shall be documented as part of internal processes and procedures and communicated to the Door Head of Operations. Such requirements may include contractual obligations with customers or business contacts or data retention requirements to maintain business operations. In some instances, departments may need to retain electronically stored information for a historical archive.
During the appropriate retention period for electronic records, archived data must be retrievable. Doing so shall require the following protocols to be in place:
- As new software and/or hardware is implemented, support staff shall ensure new systems and file formats can read legacy data. This may require that older data be converted to newer formats.
- Data that is encrypted must be retrievable. Door shall implement key management procedures that ensure encrypted data can be decrypted when needed.
When establishing record retention periods, Door shall rely on (in order of precedence):
- Federal guidelines, laws, regulations and statutes
- State guidelines, recommendations, rules, and statutory requirements
- Any Door policy and procedure enhancing existing federal and state retention periods
7.3 Audit Controls and Management
On-demand documented procedures and evidence of practice should be in place for this operational policy. Examples of effective organizational management, audit controls, and employee practices include:
- Documented record retention schedules and archival information of Door enforcement
- Procedures and anecdotal evidence of data migrations to manage electronic record compatibility with newer systems
- Documented encryption and decryption strategies that allow for retrieval of archival electronic records
- Regular employee procedures and anecdotal documentation of records management and archival processes
- Direct observation of archival records organization and storage
8. Data Destruction and Sanitization
Door regularly stores sensitive information on computer hard drives and other forms of electronic media. As new equipment is obtained and older equipment and media reach end of life, sensitive information on surplus equipment and media must be properly destroyed and otherwise made unreadable to protect Confidential Information or Personally Identifiable Information (PII).
The transfer or disposition of data processing equipment, such as computers and related media, shall be controlled and managed according to ISO-27001 guidelines. Data remains present on any type of storage device (whether fixed or removable) even after a disc is “formatted”, power is removed, and the device is decommissioned. Simply deleting the data and formatting the disk does not prevent individuals from restoring data. Sanitization of the media removes information in such a way that data recovery using common techniques or analysis is greatly reduced or prevented.
All computer desktops, laptops, hard drives, and portable media must be processed through Operations for proper disposal. Paper and hard copy records shall be disposed of in a secure manner. The Door Head of Operations shall ensure procedures exist and are followed that:
- Address the evaluation and final disposition of sensitive information, hardware, or electronic media regardless of media format or type.
- Specify a process for making sensitive information unusable and inaccessible. These procedures should specify the use of technology (e.g. software, special hardware, etc.) or physical destruction mechanisms to ensure sensitive information is unusable, inaccessible, and unable to be reconstructed.
- Authorize personnel to dispose of sensitive information or equipment. Such procedures may include shredding, incinerating, or pulping of hard copy materials so that sensitive information cannot be reconstructed. Approved disposal methods include:
  - Physical Print Media shall be disposed of by one (or a combination) of the following methods:
    - Shredding - Media shall be shredded using Door issued cross-cut shredders
    - Shredding Bins - Disposal shall be performed using locked bins located on-site using a licensed and bonded information disposal contractor
    - Incineration – Materials are physically destroyed using a licensed and bonded information disposal contractor
  - Electronic Media (physical disks, tape cartridges, CDs, printer ribbons, flash drives, printer and copier hard drives, etc.) shall be disposed of by one of the following methods:
    - Overwriting Magnetic Media - Overwriting uses a program to write binary data sector by sector onto the media that requires sanitization
    - Degaussing - Degaussing consists of using strong magnets or electric degaussing equipment to magnetically scramble the data on a hard drive into an unrecoverable state
    - Physical Destruction – implies complete destruction of media by means of crushing or disassembling the asset and ensuring no data can be extracted or recreated
IT documentation, hardware, and storage that have been used to process, store, or transmit Confidential Information or PII shall not be released into general surplus until it has been sanitized and all stored information has been cleared using one of the above methods.
8.3 Audit Controls and Management
On-demand documented procedures and evidence of practice should be in place for this operational policy as part of the Door internal application development and release methodology. Examples of control documentation includes:
- On-demand documented procedures related to surplus disposal of hardware and software
- Data destruction and surplus logs of equipment identified for disposal
- Physical evidence of sanitized assets and/or data destruction/cleansing devices
These rules describe how and where data should be safely stored. Questions about storing data safely can be directed to the Technical Manager or Operations Manager.
When data is stored on paper, it should be kept in a secure place where unauthorised people cannot see it.
These guidelines also apply to data that is usually stored electronically but has been printed out for some reason:
- When not required, the paper or files should be kept in a locked drawer or filing cabinet.
- Employees should make sure paper and printouts are not left where unauthorised people can see them, like on a printer.
- Data printouts should be shredded and disposed of securely when no longer required.
When data is stored electronically, it must be protected from unauthorised access, accidental deletion and malicious hacking attempts:
- Data should be protected by strong passwords that are changed regularly and never shared between employees.
- If data is stored on removable media (like a memory stick drive), these should be kept locked away securely when not being used.
- Data should only be stored on designated drives and servers and should only be uploaded to approved cloud computing services.
- Servers containing personal data should be sited in a secure location, away from general office space.
- Data should be backed up frequently. Those backups should be tested regularly, in line with the company’s standard backup procedures.
- Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
- All servers and computers containing data should be protected by approved security software and a firewall.
Personal data is of no value to Door unless the business can make use of it.
However, it is when personal data is accessed and used that it can be at the greatest risk of loss, corruption or theft:
- When working with personal data, employees should ensure the screens of their computers are always locked when left unattended.
- Personal data should not be shared informally. It should never be sent by email, as this form of communication is not secure.
- Data must be encrypted before being transferred electronically. The CTO can explain how to send data to authorised external contacts.
- Personal data should never be transferred outside of the European Economic Area.
- Employees should not save copies of personal data to their own computers. Always access and update the central copy of any data.
The law requires Door to take reasonable steps to ensure data is kept accurate and up to date.
The more important it is that the personal data is accurate, the greater the effort Door should put into ensuring its accuracy.
It is the responsibility of all employees who work with data to take reasonable steps to ensure it is kept as accurate and up to date as possible.
- Data will be held in as few places as necessary. Staff should not create any unnecessary additional data sets.
- Staff should take every opportunity to ensure data is updated. For instance, by confirming a customer’s details when they call.
- Door will make it easy for data subjects to update the information Door holds about them. For instance, via the company website.
- Data should be updated as inaccuracies are discovered. For instance, if a customer can no longer be reached on their stored telephone number, it should be removed from the database.
- It is the Operations Manager’s responsibility to ensure the marketing database is checked against relevant suppression files every six months.
All individuals who are the subject of personal data held by Door are entitled to:
- Ask what information the company holds about them and why
- Ask how to gain access to it.
- Be informed how to keep it up to date.
- Be informed how the company is meeting its data protection obligations.
Subject access requests from individuals should be made by email, addressed to the Operations Manager at ebichell@doorfunds.com. The Operations Manager can supply a standard request form, although individuals do not have to use this.
The data officer will aim to provide the relevant data within 14 days.
The data officer will always verify the identity of anyone making a subject access request before handing over any information.
In certain circumstances, the Data Protection Act allows personal data to be disclosed to law enforcement agencies without the consent of the data subject.
Under these circumstances, Door will disclose requested data. However, the data controller will ensure the request is legitimate, seeking assistance from the board and from the company’s legal advisers where necessary.
Door aims to ensure that individuals are aware that their data is being processed, and that they understand:
- How the data is being used
- How to exercise their rights
To these ends, the company has a privacy statement, setting out how data relating to individuals is used by the company. This is available on request. A version of this statement is also available on the company’s website.
Staff members found to be in violation of this policy may be subject to disciplinary action, up to and including termination.
This policy is to be distributed to all Door staff.