NEWS Information Security Policy

Title: Compliance

Reference: ISP1.1

Status: Final

Version: 1.0

Date: May 2018

Contents

  • Introduction
  • Definitions
  • Compliance with legislation
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Software licence management
  • Third party terms and conditions
  • Compliance with NEWS’s Information Security Policy
  • Collection of evidence
  • Records management

 

Introduction

This Compliance Policy is a sub-policy of the Information Security Policy (ISP1) and outlines NEWS’s requirement to comply with certain legal and regulatory frameworks.

 

Definitions

For the purposes of this document, the term “personnel” will include staff, contractors and agents of NEWS together with any others who may have been granted permission to use NEWS information and communication technology facilities.

 

Compliance with legislation

NEWS provides policy statements and guidance for personnel in relation to compliance with relevant legislation to help prevent breaches of NEWS’s legal obligations. However, individuals are ultimately responsible for ensuring that they do not breach legal requirements during the course of their work.

Users of NEWS’s online or network services are individually responsible for their activity and must be aware of the relevant legal requirements when using such services.

NEWS must comply with all relevant legal requirements whether such requirements are detailed in internal policies or not. Any suspected breach of NEWS’s legal requirements must be reported to the management team.

 

Payment Card Industry Data Security Standard (PCI DSS)

NEWS must comply with the Payment Card Industry Data Security Standard (PCI DSS) when processing payment (credit/debit) cards.

 

Software licence management

All software used for NEWS business must be appropriately licensed. NEWS must comply with the software and data licensing agreements it has entered into. During the negotiation process of such agreements, full consideration must be given to how compliance with the agreement can practically be achieved. Agreements may need to be specifically negotiated to enable NEWS to comply.

 

Third party terms and conditions

Where NEWS uses the services of a third-party provider, personnel will also be subject to that provider’s terms and conditions in so far as they relate to information security.

 

Compliance with NEWS’s Information Security Policy

NEWS’s own information security policies must be adhered to at all times when handling NEWS information, and NEWS must ensure it is acting legally when operating such policies.

All personnel who may handle NEWS information must be made aware of NEWS’s information security policies and of any amendments made to them. Individuals must also confirm that they have read and understood these policies and how they apply to the information they handle.

 

Collection of evidence

At times, it may be necessary for NEWS to collect evidence in relation to a potential legal claim or internal investigation.

Where there is suspicion of a criminal offence involving NEWS’s information or systems, NEWS will cooperate with the relevant agency to assist in the preservation and gathering of evidence on the basis of appropriate internal authorisation and compliance with relevant statutory requirements.

 

Records management

NEWS is required to retain certain information, whether held in hard copy or electronically, for legally defined periods. Such information must be appropriately safeguarded and not destroyed prior to the defined minimum retention period, while remaining accessible to those who require access and are authorised to access that information.

In accordance with regulatory and legal requirements, personal data should not be retained for longer than is required for the purposes for which it was collected.
