Leisure Pursuits Ltd T/A ‘Savernake Knives’ Data Security Policy

1. Introduction
This document sets out the measures to be taken by all employees of Leisure Pursuits Ltd (the “Company”) and by the Company as a whole in order to protect data (electronic and otherwise) collected, held, and processed by the Company, and to protect the Company’s computer systems, devices, infrastructure, computing environment, and any and all other relevant equipment (collectively, “IT Systems”) from damage and threats whether internal, external, deliberate, or accidental.

For the purposes of this Policy, “data” shall refer to all information held on 3rd parties, mainly customers or potential customers. This shall include (but not be exclusive to) name, address, date of birth, order or enquiry details and other associated information.

For the purposes of this Policy, “personal data” shall carry the meaning defined in Article 4 of EU Regulation 2016/679 General Data Protection Regulation (“GDPR”): any information relating to an identified or identifiable natural person (a “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

2. Key Principles

2.1 All IT Systems and data are to be protected against unauthorised access.

2.2 All IT Systems and data are to be used only in compliance with relevant

Company Policies

2.3 All personal data must be used only in compliance with the GDPR and the Company’s Data Protection Policy.

2.4 All employees of the Company and any and all third parties authorised to use the IT Systems and data collected, held, and processed by the Company including, but not limited to, contractors and sub-contractors (collectively, “Users”), must ensure that they are familiar with this Policy and must adhere to and comply with it at all times.

2.5 All line managers must ensure that all Users under their control and direction must adhere to and comply with this Policy at all times as required under paragraph 2.4.

2.6 All data must be managed securely in compliance with all relevant parts of the GDPR and all other laws governing data protection whether now or in the future in force.

2.7 All data, whether stored on IT Systems or in hardcopy format, shall be available only to those Users with a legitimate need for access.

2.8 All data, whether stored on IT Systems or in hardcopy format, shall be protected against unauthorised access and/or processing.

2.9 All data, whether stored on IT Systems or in hardcopy format, shall be protected against loss and/or corruption.

SK Data Security Policy 2

2.10 All IT Systems are to be installed, maintained, serviced, repaired, and upgraded by persons or companies authorised by the Managing Director (MD) only.

2.11 The responsibility for the security and integrity of all IT Systems and the data stored thereon (including, but not limited to, the security, integrity, and confidentiality of that data) lies with the MD unless expressly stated otherwise.

2.12 The responsibility for the security and integrity of data that is not stored on the IT Systems lies with the MD.

2.13 All breaches of security pertaining to the IT Systems or any data stored thereon shall be reported and subsequently investigated by the MD.

2.14 All breaches of security pertaining to data that is not stored on the IT Systems shall be reported to and subsequently investigated by the MD.

2.15 All Users must report any and all security concerns relating to the IT Systems or to the data stored thereon immediately to the MD.

2.16 All Users must report any and all security concerns relating to data that is not stored on the IT Systems immediately to the MD.

3. Further Responsibilities

3.1 The MD shall have responsibility for all data systems,
a) ensuring that all IT Systems are assessed and deemed suitable for compliance with the Company’s security requirements;

b) ensuring that IT security standards within the Company are effectively implemented and regularly reviewed.

c) ensuring that all Users are kept aware of the IT-related requirements of this Policy and of all related legislation, regulations, and other relevant rules whether now or in the future in force including, but not limited to, the GDPR and the Computer Misuse Act 1990.

d) ensuring that all other data processing systems and methods are assessed and deemed suitable for compliance with the Company’s security requirements;

e) ensuring that data security standards within the Company are effectively implemented and regularly reviewed.

f) ensuring that all Users are kept aware of the non-IT-related requirements of this Policy and of all related legislation, regulations, and other relevant rules whether now or in the future in force including, but not limited to, the GDPR.

g) assisting all Users in understanding and complying with the IT-related aspects of this Policy;

h) providing all Users with appropriate support and training in IT security matters and use of IT Systems where possible, or sourcing external support where required;

i) ensuring that all Users are granted levels of access to IT Systems that are appropriate for each User, taking into account their job role, responsibilities, and any special security requirements;

j) receiving and handling all reports relating to IT security matters and taking appropriate action in response.

k) taking proactive action, where possible, to establish and implement IT security procedures and raise User awareness;

SK Data Security Policy 3

l) assisting all Users in understanding and complying with the non-ITrelated aspects of this Policy;

m) providing all Users with appropriate support and training in data security matters where possible, or sourcing external support where required;

n) ensuring that all Users are granted levels of access to data that are appropriate for each User, taking into account their job role, responsibilities, and any special security requirements;

o) receiving and handling reports concerning non-IT-related data security matters and taking appropriate action in response.

p) taking proactive action, where possible, to establish and implement security procedures and raise User awareness; and

q) monitoring data security within the Company and taking all necessary action to implement this Policy and any changes made to this Policy in the future.

4. Users’ Responsibilities

4.1 All Users must comply with all relevant parts of this Policy at all times whenm using the IT Systems and data.

4.2 All Users must use the IT Systems and data only within the bounds of UK law and must not use the IT Systems or data for any purpose or activity which is likely to contravene any UK law whether now or in the future in force.

4.3 Users must immediately inform the MD of any and all security concerns relating to the IT Systems or data.

4.4 Users must immediately inform the MD of any other technical problems (including, but not limited to, hardware failures and software errors) which may occur on the IT Systems.

4.5 Any and all deliberate or negligent breaches of this Policy by Users will be handled as appropriate under the Company’s disciplinary procedures.

5. Software Security Measures

5.1 All software in use on the IT Systems (including, but not limited to, operating systems, individual software applications, and firmware) will be kept up-to-date and any and all relevant software updates, patches, fixes, and other intermediate releases will be applied at the sole discretion of the IT Department.

This provision does not extend to upgrading software to new ‘major releases’ (e.g. from version 1.0 to version 2.0), only to updates within a particular major release (e.g. from version 1.0 to version 1.0.1 etc.). Unless a software update is available free of charge it will be classed as a major release, falling within the remit of new software procurement and outside the scope of this provision.

5.2 Where any security flaw is identified in any software that flaw will be either fixed immediately or the software may be withdrawn from the IT Systems until such time as the security flaw can be effectively remedied.

5.3 No Users may install any software of their own, whether that software is supplied on physical media or whether it is downloaded, without the approval of the MD. Any software belonging to Users must be approved by the MD and may only be installed where that installation poses no security risk to the IT Systems and SK Data Security Policy 4 where the installation would not breach any licence agreements to which that software may be subject.

6. Anti-Virus Security Measures

6.1 Most IT Systems (including all computers and servers) will be protected with suitable anti-virus, firewall, and other suitable internet security software. All such software will be kept up-to-date with the latest software updates and definitions.

6.2 All IT Systems protected by anti-virus software will be subject to a full system scan as recommended by the relevant software.

6.3 Where any virus is detected by a User this must be reported immediately to the MD (this rule shall apply even where the anti-virus software automatically fixes the problem).

6.4 Where any User deliberately introduces any malicious software or virus to the IT Systems this will constitute a criminal offence under the Computer Misuse Act 1990 and will be handled as appropriate under the Company’s disciplinary procedures.

7. Hardware Security Measures

7.1 No Users shall have access to any IT Systems or computers not intended for normal use by them (including such devices mentioned above) without the express permission of the normal user or MD.

7.2 All IT systems and hardware will be kept in a locked and secure environment when the workplace is unattended.

8. Organisational Security

8.1 All Users handling data (and in particular, personal data) personal data will be appropriately trained to do so.

8.2 All Users handling data (and in particular, personal data) will be appropriately supervised.

8.3 All Users handling data (and in particular, personal data) shall be required and encouraged to exercise care, caution, and discretion when discussing workrelated matters that relate to such data, whether in the workplace or otherwise.

8.4 Methods of collecting, holding, and processing data (and in particular, personal data) shall be regularly evaluated and reviewed.

8.5 All personal data held by the Company shall be reviewed periodically.

8.6 All Users handling personal data will be bound to do so in accordance with the principles of the GDPR.

8.7 No data, personal or otherwise, may be shared informally and if a User requires access to any data, personal or otherwise, that they do not already have access to, such access should be formally requested from the MD.

8.8 No data, personal or otherwise, may be transferred to any unauthorised User.

8.9 All data must be handled with care at all times and should not be left unattended or on view to unauthorised Users or other parties at any time.

9. Access Security

9.1 Access privileges for all IT Systems and data shall be determined on the basis SK Data Security Policy 5 of Users’ levels of authority within the Company and the requirements of their job roles. Users shall not be granted access to any IT Systems or data which
are not reasonably required for the fulfilment of their job roles.

9.2 All IT Systems (and in particular mobile devices including, but not limited to, laptops, tablets, and smartphones) shall be protected with a secure password or passcode, or such other form of secure log-in system as the MD may deem appropriate and approve.

9.3 Passwords should be kept secret by each User. Under no circumstances should a User share their password with anyone.

9.4 Users should not write down passwords.

9.5 Users may not use any software which may allow outside parties to access the IT Systems without the express consent of the MD. Any such software must be reasonably required by the User for the performance of their job role.

9.6 Users may connect their own devices (including, but not limited to, laptops, tablets, and smartphones) to the Company Wi-Fi. Guest may connect to the Guest Wi-Fi

10. Data Storage Security

10.1 All data stored in electronic form, and in particular personal data, should be stored securely using passwords.

10.2 No data shall be stored in hard-copy format.

11. Data Protection

11.1 All personal data (as defined in the GDPR) collected, held, and processed by the Company will be collected, held, and processed strictly in accordance with the principles of the GDPR, the provisions of the GDPR and the Company’s Data Protection Policy.

11.2 All Users handling data for and on behalf of the Company shall be subject to, and must comply with, the provisions of the Company’s Data Protection Policy at all times. In particular, the following shall apply:

a) Personal data and/or other data covered by this Policy may be transmitted over secure networks only; transmission over unsecured networks is not permitted under any circumstances;

b) All personal data and/or other data covered by this Policy to be transferred physically, including that on removable electronic media, shall be transferred in a suitable container marked “confidential”.

c) Where any personal data and/or other data covered by this Policy is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the User must lock the computer and screen before leaving it.

12. Deletion and Disposal of Data

12.1 When any data, and in particular personal data, is to be erased or otherwise disposed of for any reason (including where copies have been made and are no longer needed), it must be securely deleted and/or disposed of using the most appropriate method.

SK Data Security Policy 6

13. Reporting Security Breaches

13.1 All concerns, questions, suspected breaches, or known breaches that relate to the IT Systems shall be referred immediately to the MD.

14. Implementation of Policy

This Policy shall be deemed effective as of the date at the head of the policy. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.

This Policy has been approved and authorised by:

Name: Lawrence Timpson
Position: Managing Director
Date: 02 Dec 2019