Edit page Add new page

Data protection and confidentiality

At dxw we have an information security management system that helps us to look after all the information we control. It instructs and guides us all in how we keep data safe for ourselves and our clients.

Though dxw doesn’t control much personal data, our clients generally do. And some of it may be held on sites that we host. Everyone at dxw has a responsibility to keep that data safe, and process it in accordance with the data protection principles.

In particular, we:

If you have any questions about data protection, talk to the Data Protection Officer, Gurps.

Information security at dxw #

Our information security management system (ISMS) is what we use to ensure we look after the data we have access to. We structure and run this system to be compliant with the ISO 27001 standard, to which we are externally assessed. Our ISMS team has the responsibility of owning our ISMS and is always evolving and improving it. They do this with the help of our senior leadership team and specialists at URM consulting. Together they help us manage risks to the security of our data. 

If you have any questions about either our ISMS or the safety of our data, talk to the ISMS team.

You can find our Information security policy in the ISMS manual. (we have two version of this, this one that is suitable for sharing outside dxw as it has some contact details redacted) 

Document labelling #

This guidance is supported by the Documents policy, which is available to be viewed by dxw staff.

Some information that we have is confidential. We use a protective marking scheme so that everyone understands how to handle this material, and who they’re allowed to disclose it to. All of the documents and data we hold will fall into one of the categories below.

Some of our clients also have protective marking schemes. For example, all central government bodies will apply the Government Protective Marking System (GPMS). If you are in possession of materials that are protectively marked using other schemes, treat them as company confidential.

We take care to handle all data carefully, but when information is protectively marked, extra requirements apply.

Because we value openness highly, we take care not to over-classify information. We don’t protectively mark information unless there is a good reason to keep it confidential.

Management-in-confidence #

This category is used only for dxw’s most confidential information. For example, employment records, salary details and company strategy documents.

Do not share any information with this marking with any person, whether internal or external to dxw.

This information:

Company Confidential #

This category is used for information which should not be communicated outside dxw. For example, details about how we operate security controls or internal discussions about client work.

Exactly the same controls apply to this information as detailed under Management-in-confidence, with the exception that Company Confidential information can be shared within dxw as required.

Client Confidential or Commercial in Confidence #

This category is used for information which is disclosed to a limited group of people external to dxw, or which is unclassified information we have received from clients. For example, dxw proposals, presentations for pitches or planning documents.

Unless otherwise specified, all unclassified information we receive from clients falls into this category.

This information:

As a rule of thumb, label a document as Client Confidential if it mostly contains the client’s confidential information, or Commercial in Confidence if it mostly contains dxw’s.

Unclassified #

Anything not captured by the sections above is unclassified. Examples are external marketing material, general emails and letters.

Beyond a general duty to treat information carefully, unclassified information is not subject to any specific restrictions.


Last updated: 30 October 2023 (history)