Data protection and confidentiality
At dxw we have an information security management system that helps us to look after all the information we control. It instructs and guides us all in how we keep data safe for ourselves and our clients.
Though dxw doesn’t control much personal data, our clients generally do. And some of it may be held on sites that we host. Everyone at dxw has a responsibility to keep that data safe, and process it in accordance with the data protection principles.
In particular, we:
- only process personal data as part of work on the service that we’re contracted to provide to a client
- don’t access personal data unless we need to in order to do our jobs: don’t read people’s personal data or private communications without good reason
- we do not ever disclose people’s personal data to anyone outside dxw unless specifically instructed, and are satisfied that it is legal to do so
If you have any questions about data protection, talk to the Data Protection Officer, Gurps.
Information security at dxw #
Our information security management system (ISMS) is what we use to ensure we look after the data we have access to. We structure and run this system to be compliant with the ISO 27001 standard, to which we are externally assessed. Our ISMS team has the responsibility of owning our ISMS and is always evolving and improving it. They do this with the help of our senior leadership team and specialists at URM consulting. Together they help us manage risks to the security of our data.
If you have any questions about either our ISMS or the safety of our data, talk to the ISMS team.
You can find our Information security policy in the ISMS manual. (we have two version of this, this one that is suitable for sharing outside dxw as it has some contact details redacted)
Document labelling #
This guidance is supported by the Documents policy, which is available to be viewed by dxw staff.
Some information that we have is confidential. We use a protective marking scheme so that everyone understands how to handle this material, and who they’re allowed to disclose it to. All of the documents and data we hold will fall into one of the categories below.
- Management-in-Confidence: internal documents whose circulation within dxw needs to be restricted.
- Company Confidential: information owned by dxw which would be of value to those outside the company, such as competitors, and whose loss or theft would potentially damage the company.
- Client Confidential or Commercial in Confidence: information owned by dxw or its clients, which needs to remain confidential between dxw and the client.
- Unclassified: information, which would not be of significant commercial value to those outside dxw.
Some of our clients also have protective marking schemes. For example, all central government bodies will apply the Government Protective Marking System (GPMS). If you are in possession of materials that are protectively marked using other schemes, treat them as company confidential.
We take care to handle all data carefully, but when information is protectively marked, extra requirements apply.
Because we value openness highly, we take care not to over-classify information. We don’t protectively mark information unless there is a good reason to keep it confidential.
Management-in-confidence #
This category is used only for dxw’s most confidential information. For example, employment records, salary details and company strategy documents.
Do not share any information with this marking with any person, whether internal or external to dxw.
This information:
- must be clearly labelled or described as “Management-in-confidence”
-
when printed
- stored only in a locked container
- transported only via courier, recorded delivery or personally by dxw staff
- destroyed by cross-cut shredding when no longer required
-
when digital
- stored in an encrypted format
- communicated only when encrypted or via an encrypted connection, unless emailed from one dxw.com address to another
Company Confidential #
This category is used for information which should not be communicated outside dxw. For example, details about how we operate security controls or internal discussions about client work.
Exactly the same controls apply to this information as detailed under Management-in-confidence, with the exception that Company Confidential information can be shared within dxw as required.
Client Confidential or Commercial in Confidence #
This category is used for information which is disclosed to a limited group of people external to dxw, or which is unclassified information we have received from clients. For example, dxw proposals, presentations for pitches or planning documents.
Unless otherwise specified, all unclassified information we receive from clients falls into this category.
This information:
- must be clearly labelled or described as “Client Confidential” or “Commercial in Confidence”
-
when printed:
- stored out of sight
- destroyed by cross-cut shredding when no longer required
-
when digital:
- stored in an encrypted format when on exchangeable media or a mobile device
As a rule of thumb, label a document as Client Confidential if it mostly contains the client’s confidential information, or Commercial in Confidence if it mostly contains dxw’s.
Unclassified #
Anything not captured by the sections above is unclassified. Examples are external marketing material, general emails and letters.
Beyond a general duty to treat information carefully, unclassified information is not subject to any specific restrictions.
Last updated: 30 October 2023 (history)