SECURITY ASSURANCES

General Controls

Yes, we were certified in October 2017; here is our certificate.

Yes, we understand that we can operate as a data controller, joint data controller and/or data processor. However, as we do not have our own in-house panel, all our recruitment of, or contact with, respondents is on an individual consent basis. The scope of the project and how their data will be used is clearly explained prior to gaining their consent. This is supported by our Privacy Policy.

Data Controls & Policies

Access to the building is via locked front or rear doors with PIN code access for staff; all access points are covered by CCTV. A buzzer system is in place for non-staff entry. Internal corridors are covered by CCTV. The internal office door has a combination lock. The communications room (containing switches, routers and firewall) is controlled by a combination lock which is accessible only by the Senior Management Team / Information Security Manager.

Various policies cover the control measures that are implemented within Face Facts to control and protect data; the policies are detailed below:

Access Control Policy – Contains all the Information Security Policies
Information Classification Policy – Describes the methods of appropriate information classification and handling which apply to information in both electronic and physical forms received by Face Facts
Information Security Policy – The procedures followed to ensure that information assets at Face Facts are protected against unauthorised access, disclosure or modification.
Information Transfer Policy – This policy details the secure file transfer facilities adopted and ensures that information, of any type or classification can safely and securely be transferred as and when required from or to Face Facts.
Password Policy – Details the criteria for the provision of passwords and conditions relating to their use.
Information Backup and Restore Policy – This policy details how and when information and data which Face Facts is responsible for is securely and routinely backed up.
Retention Policy – Covers guidance on the retention of the distinct types of data Face Facts hold. This policy strives to balance the need to store information with legal obligations to destroy the data safely when it is no longer required.
Business As Usual (BAU) Policy – In the event of a service disruption this policy looks at all functions and minimum staffing levels so Face Facts can continue to provide critical services.  It covers procedures for all services provided from our main office.
Subject Access Policy – Covers requests from data subjects to access information that Face Facts hold on them.

We do not store our own internal panel. Data is collected via qualitative recruitment, face-to-face (F2F) interviewing, or by using panel samples for online studies. Any personal data gathered from such studies is stored in accordance with our Retention Policy and the MRS Code of Conduct. All client electronic files are version controlled and access is managed via the Access Control Policy.

We have an Access Control Policy which covers in detail the procedures that Face Facts follow when handling physical and electronic data, from receipt / collection to destruction. This documents the procedures that staff must follow to:
– Securely receive information & log the receipt of data
– Classify information correctly
– Apply accurate access rights to the information
– Store the information securely
– Dispose of the data

Face Facts information system resources are appropriately protected to prevent unauthorised access by applying a level of encryption to sensitive or critical information which is proportionate to the business risk.
All critical or sensitive data transferred outside Face Facts is encrypted and sent via SFTP. Portable electronic devices such as iPads are protected by passwords/PIN numbers and can be remotely wiped / locked. Use of removable media is strictly prohibited, and this is enforced by Kaspersky Endpoint Protection installed on all devices.

We have a BAU (Business As Usual) Policy which details the Business Continuity Plan (BCP). The BCP provides a strategic framework for how staff can work to enable critical functions to be maintained, or quickly restored, to minimise any effect on service delivery to our clients. The aim of the plan is to anticipate risks, mitigate where possible, and have flexible and tested plans in place to minimise disruption when unplanned events significantly interrupt normal business. This includes short or long-term disasters or other disruptions, such as fires, floods, earthquakes, explosions, terrorism, tornadoes, extended power interruptions, hazardous chemical spills, and other natural or man-made disasters. The Information Backup and Restore Policy ensures that all information and data which Face Facts is responsible for is securely and routinely backed up. The controls on encrypted SFTP transfer, portable devices and removable media described above also apply.

Staff Awareness & Training

All current and new staff undergo compulsory training on ISO 27001 (covering all internal policies for information security and HR). We hold internal training sessions which are compulsory for all staff to attend; Data Privacy and Information Classification are part of this.

We have an Access Control Policy which includes all elements of acceptable use. Alongside this, all current and new staff undergo compulsory training on ISO 27001 (covering all internal policies for information security and HR). We hold internal training sessions which are compulsory for all staff to attend; Acceptable Use, and signing an Acceptable Use Agreement, is part of this.

Data Retention & Deletion

Face Facts have a Retention Policy which governs the length of time all classifications of data should be retained for and how information, in whatever form, should be securely disposed of.

We have a Data Breach Policy which sets out the procedure to be followed to ensure a consistent and effective approach is in place for managing data breaches and information security incidents across Face Facts. The policy relates to all personal and sensitive data held by Face Facts, regardless of format, and applies to all staff in the company.