Information Security Policy

The confidentiality, integrity and availability of information, in all its forms, are critical to the on-going functioning and good governance of Nutritelligence® Limited. Failure to adequately secure information increases the risk of financial and reputational losses from which it may be difficult for Nutritelligence® Group to recover.

This Information Security Policy (“Policy”) outlines the Nutritelligence® approach to information security management. It provides the guiding principles and responsibilities necessary to safeguard the security of Nutritelligence® information systems.

Nutritelligence® is involved in the medical diagnostics and nutraceuticals healthcare sector. It is committed to a robust implementation of information security management. The principles defined in this Policy will be applied to all of the physical and electronic information assets for which Nutritelligence® is responsible.

Objectives

The objectives of this Policy are to:

  1. Provide a framework for establishing suitable levels of information security for all Nutritelligence® information systems (including but not limited to all Cloud environments commissioned or run by Nutritelligence®, computers, storage, mobile devices, networking equipment, software and data) and to mitigate the risks associated with the theft, loss, misuse, damage or abuse of these systems.
  2. Make certain that users are aware of and comply with all current and relevant UK and EU legislation.
  3. Provide the principles by which a safe and secure information systems working environment can be established for staff and any other authorised users, including third party providers.
  4. Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the personal data that they handle.
  5. Protect Nutritelligence® from liability or damage through the misuse of its IT facilities.
  6. Maintain personal data and other confidential information provided by suppliers at a level of security commensurate with its classification, including upholding any legal and contractual requirements around information security.
  7. Respond to changes in the context of the organisation as appropriate, initiating a cycle of continuous improvement.

Scope

This Policy is applicable to, and will be communicated to, all staff of Nutritelligence® and third parties (including third party providers) who interact with information held by Nutritelligence® and the information systems used to store and process it.

This includes, but is not limited to:

  • Cloud systems developed or commissioned by Nutritelligence®.
  • any systems or data attached to Nutritelligence® data or telephone networks, or systems managed by Nutritelligence®.
  • mobile devices used to connect to Nutritelligence® networks or to hold Nutritelligence® data.
  • data over which Nutritelligence® holds the intellectual property rights.
  • data over which Nutritelligence® is the data controller or data processor.
  • electronic communications sent from Nutritelligence®.

The following information security principles provide overarching governance for the security and management of information at Nutritelligence®:

  1. Information should be classified according to an appropriate level of confidentiality, integrity and availability (see Information Classification below) and in accordance with relevant legislative, regulatory and contractual requirements.
  2. Staff with particular responsibilities for information (see Responsibilities below) must ensure the classification of that information; must handle that information in accordance with its classification level; and must abide by any contractual requirements, policies, procedures or systems for meeting those responsibilities.
  3. All users covered by the scope of this Policy must handle information appropriately and in accordance with its classification level.
  4. Information should be both secure and available to those with a legitimate need for access in accordance with its classification level.
  5. Accordingly, access to information will be granted on the basis of least privilege and need to know.
  6. Information will be protected against unauthorised access and processing in accordance with its classification level.
  7. Breaches of this Policy must be reported to the Nutritelligence® Chief Executive Officer.
  8. Information security provision and the policies that guide it will be regularly reviewed, including through the use of annual internal audits and penetration testing.

Cloud Providers

Under the GDPR, a breach of personal data can lead to a fine of up to 4% of global turnover. Where Nutritelligence® uses Cloud services, Nutritelligence® retains responsibility as the data controller for any data it puts into the service, and can consequently be fined for any data breach, even if this is the fault of the Cloud service provider. Nutritelligence® will also bear the responsibility for contacting the Information Commissioner’s Office concerning the breach, as well as any affected individual. It will also be exposed to any lawsuits for damages as a result of the breach. It is extremely important, as a consequence, that Nutritelligence® is able to judge the appropriateness of a Cloud service provider’s information security provision. This leads to the following stipulations:

  1. Cloud services used to process personal data will be expected to have ISO27001 certification, with adherence to the standard considered the best way of a supplier proving that it has met the GDPR principle of privacy by design, and that it has considered information security throughout its service model.
  2. Any request for exceptions will be considered by the Chief Executive.

Information Classification

The following table provides a summary of the information classification levels that have been adopted by Nutritelligence® and which underpin the 8 principles of information security defined in this Policy.

These classification levels explicitly incorporate the GDPR’s definitions of Personal Data and Special Categories of Personal Data, as laid out in the Nutritelligence® Privacy Policy and in the table below.

1. Confidential
   Definition: Normally accessible only to specified members of Nutritelligence® staff. Should be held in an encrypted state outside Nutritelligence® systems; may have encryption at rest requirements from providers.
   Examples:
     · GDPR-defined Special Categories of personal data (racial/ethnic origin, political opinion, religious beliefs, trade union membership, physical/mental health condition, sexual life, criminal record), including as used as part of primary or secondary research data;
     · patient-level observations;
     · passwords;
     · large aggregates of personally identifying data (>1000 records) including elements such as name, address, telephone number.
   Freedom of Information Act 2000 status: Subject to significant scrutiny in relation to appropriate exemptions/public interest and legal considerations.

2. Restricted
   Definition: Normally accessible only to specified members of Nutritelligence® staff.
   Examples:
     · GDPR-defined Personal Data (information that identifies living individuals, including home/work address, age, telephone number, schools attended, photographs);
     · reserved Board business;
     · draft reports, papers, minutes, systems.
   Freedom of Information Act 2000 status: Subject to significant scrutiny in relation to appropriate exemptions/public interest and legal considerations.

3. Internal Use
   Definition: Normally accessible only to members of Nutritelligence® staff.
   Examples:
     · internal correspondence;
     · information held under licence.
   Freedom of Information Act 2000 status: Subject to scrutiny in relation to appropriate exemptions/public interest and legal considerations.

4. Public
   Definition: Accessible to all members of the public.
   Examples:
     · annual accounts;
     · minutes of statutory and other formal committees;
     · pay scales etc.;
     · information available on the Nutritelligence® website.
   Freedom of Information Act 2000 status: Freely available on the website.

Responsibilities of Nutritelligence® Staff and Authorised Users

In the below, “you” refers to any Nutritelligence® member of staff or authorised user (including third party providers):

a) Equipment Security and Passwords

You, as a member of staff of Nutritelligence® or authorised user (including third party providers), are responsible for the security of the equipment allocated to or used by you, and must not allow it to be used by anyone other than in accordance with this Policy. You should use passwords on all IT equipment, particularly items that you take out of the office. You should keep your passwords confidential and change them regularly.

You must only log on to Nutritelligence® systems using your own username and password. You must not use another person’s username and password or allow anyone within Nutritelligence® to log on using your username and password.

If you are away from your desk for longer than a few minutes, you should log out or lock your computer. You must log out and shut down your computer at the end of each working day.

b) Systems and Data Security

You should not delete, destroy or modify existing systems, programs, information or data (except as authorised in the proper performance of your duties).

You must not download or install software from external sources without authorisation from senior management. Downloading unauthorised software may interfere with Nutritelligence® systems and may introduce viruses or other malware.

c) Email

Be aware that emails can be used in legal proceedings and that even deleted emails may remain on the system and be capable of being retrieved. You must not send abusive, obscene, discriminatory, racist, harassing, derogatory, defamatory, pornographic or otherwise inappropriate emails.

You should not:

  1. Send or forward private emails at work which you would not want a third party to read;
  2. Send or forward chain mail, junk mail, or gossip;
  3. Contribute to system congestion by sending trivial messages or unnecessarily copying or forwarding emails to others who do not have a real need to receive them; or
  4. Send messages from another person’s email address (unless authorised) or under an assumed name.

Do not use your own personal email account to send or receive email for the purposes of our business. Only use the email account we have provided for you.

Internet access is provided primarily for business purposes. Occasional personal use may be permitted.

Nutritelligence® permits the incidental use of our systems to send personal email, browse the internet and make personal telephone calls subject to certain conditions. Personal use is a privilege and not a right. It must not be overused or abused. We may withdraw permission for it at any time or restrict access at our discretion.

Personal use must meet the following conditions:

  1. Personal emails should be labelled “personal” in the subject header;
  2. It must not affect your work or interfere with the business;
  3. It must not commit us to any marginal costs; and
  4. It must comply with our policies.

You should not access any web page or download any image or other file from the internet which could be regarded as illegal, offensive, in bad taste or immoral. Even web content that is legal in the UK may be in sufficient bad taste to fall within this prohibition. As a general rule, if any person (whether intended to view the page or not) might be offended by the contents of a page, or if the fact that our software has accessed the page or file might be a source of embarrassment if made public, then viewing it will be a breach of this Policy.

Creating, viewing, accessing, transmitting or downloading any of the following material will usually amount to gross misconduct (this list is not exhaustive):

  1. Pornographic material (that is, writing, pictures, films and video clips of a sexually explicit or arousing nature);
  2. Offensive, obscene, or criminal material or material which is liable to cause embarrassment to us or to our clients;
  3. A false and defamatory statement about any person or organisation;
  4. Material which is discriminatory, offensive, derogatory or may cause embarrassment to others (including material which breaches Nutritelligence® Privacy Policy);
  5. Confidential information about us or any of our staff or clients (except as authorised in the proper performance of your duties);
  6. Unauthorised software;
  7. Any other statement which is likely to create any criminal or civil liability (for you or us); or
  8. Music or video files or other material in breach of copyright.

We may block or restrict access to some websites at our discretion.

d) Monitoring

Nutritelligence® monitors all emails passing through our system for viruses. You should exercise particular caution when opening unsolicited emails from unknown sources. If an email looks suspicious, do not reply to it, open any attachments or click any links in it.

Nutritelligence® systems enable us to monitor telephone, email, voicemail, internet and other communications. For business reasons, and in order to carry out legal obligations in our role as an employer, your use of our systems including the telephone and computer systems (including any personal use) may be monitored by automated software.

Nutritelligence® reserves the right to retrieve the contents of email messages or check internet usage (including pages visited and searches made) as reasonably necessary in the interests of the business, including for the following purposes (this list is not exhaustive):

  1. To monitor whether the use of the email system or the internet is legitimate and in accordance with this Policy;
  2. To find lost messages or to retrieve messages lost due to computer failure;
  3. To assist in the investigation of alleged wrongdoing; or
  4. To comply with any legal obligation.

e) Technical and Security Measures

Some of the security procedures we use to protect your and customers’ privacy are:

  • We require both a personal Username (log-in name) and a Password in order for users to access their personal data.
  • We use firewalls to protect information held in our servers.
  • We back-up our systems to protect the integrity of personal data. 

Compliance, Policy Awareness and Disciplinary Procedures

Any security breach of Nutritelligence® information systems could lead to the possible loss of confidentiality, integrity and availability of personal or other confidential data stored on these information systems. The loss or breach of confidentiality of personal data is an infringement of the GDPR, contravenes Nutritelligence® Privacy Policy and may result in criminal or civil action against Nutritelligence®.

The loss or breach of confidentiality of contractually assured information may result in the loss of business, financial penalties or criminal or civil action against Nutritelligence®. Therefore, it is crucial that all users of Nutritelligence® information systems adhere to this Information Security Policy and its supporting policies.

All current staff and other authorised users (including providers) will be informed of the existence of this Policy and the availability of supporting policies, codes of practice and guidelines.

Any security breach will be handled in accordance with all relevant Nutritelligence® policies.

Incident Handling

If a member of staff of Nutritelligence® or an authorised user (including providers) becomes aware of an information security incident, they must report it to the Chief Executive Officer at: [email protected].

Breaches of personal data will be reported to the Information Commissioner’s Office by the Chief Executive Officer.


 This security policy was last modified on the 14 Aug 2023