Information Management and Security Policy (Sept25)

Purpose

This policy aims to ensure that we all understand how information should be managed and are aware of the procedures in place to protect the information that we rely on in order to operate. The policy also aims to reduce the risk of information security incidents or breaches occurring.

This policy seeks to avoid or reduce the risk of:

  • Breaches and proceedings under the Data Protection Act 2018 (DPA) and UK General Data Protection Regulation (UK GDPR);
  • The inability of our firm to provide services;
  • Reputational and/or financial damage;
  • Negligence claims;
  • Breaches of confidentiality;
  • Breaches of the SRA Standards and Regulations.

The firm holds Cyber Essentials certification.

Scope

This policy applies to us all, including managers, consultants and any third party to whom this policy has been communicated, and covers information that is held both electronically and physically.

Responsibility

Nicola Robinson (Director) is responsible for this policy, overseeing our compliance with it and ensuring that it remains effective for our needs. However, day-to-day monitoring of policy compliance is the responsibility of line managers.

We are all (and any third party to whom this policy applies) responsible for ensuring that we comply with this policy and co-operate fully with our information management procedures. Failure to do so may result in disciplinary action.

Information Asset Register

Information assets comprise both personal and non-personal data. Personal data is defined in data protection legislation and must be processed accordingly. Non-personal data is not subject to data protection legislation but may be subject to a duty of confidentiality and to other rights, including intellectual property rights.

We carry out an audit of the information assets which we hold on a regular basis. This information is held within an Information Asset Register spreadsheet maintained by Nicola Robinson and broadly includes the main categories of information that we hold in relation to our firm and our clients.

Information system risk management

We have identified the following critical risks to our information management systems:

  • Malware (computer virus) attack;
  • Malicious action by staff or third parties;
  • Theft;
  • Fire;
  • Human error or incompetence.

We have the following processes, procedures and technology in place to eliminate, minimise or transfer the critical risks identified above:

  • Anti-virus (malware) protection;
  • A router firewall on our internet connection;
  • User passwords changed at regular intervals;
  • Restrictions on computer systems to prevent data being added or removed without authorisation;
  • Fire drills;
  • Continual training on IT systems; and
  • Business continuity planning.

Protection and security of the information assets

Nicola Robinson has overall responsibility for the management of our IT system, and is supported by Colin Bailey of CB IT Support.

The great majority of our information assets are confidential. Accordingly, information will not be passed to anyone outside the firm except with the consent of the client (where appropriate) or, where client confidentiality does not apply, when disclosure is reasonably necessary for normal business purposes.

In publications and publicity material all client identification information will be removed unless clients have otherwise consented.

System access restrictions

We ensure the appropriate management and safe storage of electronic documents by restricting the access permissions to certain electronic folders as appropriate.

Permissions are also set on individual documents as appropriate to safeguard the integrity of those documents.

If you anticipate that a colleague may need access to confidential files in your absence, arrangements must be made for the files to be copied to an appropriate location so that they can access them. Alternatively, temporary access should be granted to the colleague's own account for the period of your absence and removed on your return to the office. Your own password must never be shared for this purpose (see 'Keep IT secure' below).

We use Microsoft 365 security features to automatically block access to certain websites and to help prevent security breaches.

Computer backup

All data is backed up daily to one of three portable hard disk drives, which are used in rotation. In addition, all data is backed up daily to CB IT Support's systems. The backup data is checked periodically to ensure that the backup has been effective.

If the backups fail for any reason, this must be reported to Nicola Robinson without delay who will then seek assistance from CB IT Support.

We will test our entire backup and restoration process regularly as part of our business continuity planning.

Retention and disposal of information

We retain information for the periods set out in the Information Asset Register. These periods reflect our data protection obligation not to keep personal data for longer than is necessary, and also our statutory, regulatory and business needs to keep records.

Thereafter information is disposed of securely via the confidential waste bins, electronic deletion or otherwise as appropriate.

Please refer to our Retention and Disposal Policy for additional details regarding our retention and disposal procedures.

Firewalls

The firm maintains a firewall to prevent unauthorised access to our network and data. All network traffic entering or leaving the firm's network passes through the firewall, which blocks traffic that does not meet specified security criteria. It does this by applying a rule set that establishes a barrier between the trusted internal network and the internet or other networks that are not assumed to be secure or trusted.

Procedures to manage user accounts

User accounts and individual permissions for access to information systems must be authorised by Nicola Robinson.

User accounts will be set up as part of our induction process and are managed by Nicola Robinson. User accounts can be disabled at any time, for example, on discovering a breach of security.

Staff responsible for the management of payments (including fee earners and finance staff) are only recruited or assigned to that function after passing suitable background checks, including taking references and the verification of claimed qualifications.

Periodic reviews of user accounts and associated access permissions will be undertaken by Nicola Robinson who will liaise with the relevant heads of departments to ensure that user accounts and access permissions granted remain accurate.

Accounts are disabled when a member of staff leaves the firm.

Procedures to detect and remove malicious software

If, despite the precautions described elsewhere, malicious software (malware) is present on the system, it should be detected by the firm's anti-virus software. It is then the responsibility of Nicola Robinson, with the assistance of CB IT Support, to have the malware removed according to the nature of the threat and industry-standard procedures at the relevant time.

Register of software used by the practice

The firm currently uses the following software:

PC Software

  • Windows 10 and 11 (note: Microsoft's support for Windows 10 ends on 14 October 2025; see 'Updating and monitoring of software' below)
  • Cloud Bitdefender Anti-Virus
  • Office 365
  • Outlook as mail client
  • Philips Speech-Exec Dictation & Transcribe
  • Dragon Speech Dictation
  • ALB Practice Management
  • ALB Accounts
  • Laser Forms
  • 3CX Phone client

Server Software

  • Office 365 business essentials (Mail & Skype)
  • Mimecast email and URL protection
  • Windows Server 2012 R2 (Hyper-V) (note: Microsoft's extended support for this version ended in October 2023; see 'Updating and monitoring of software' below)
  • Backup Assist
  • SQL for ALB
  • ALB full environment
  • Laser Forms
  • 3CX Phone system software and OS

Training for personnel on information security

The firm provides all staff with its information security requirements, which they must comply with (the current version of which is set out below in the section headed 'Information security – staff responsibilities').

In addition, the firm trains staff about information security and cybercrime risks and precautions, that are appropriate and relevant to their role, on induction, and thereafter at least annually through online courses.

If employees move role or department, they will receive training on the information management processes and procedures relevant to their new role.

Furthermore, the COLP periodically circulates emails reminding staff of recent developments in cybercrime and how they may affect the firm, as well as necessary precautions that must be taken in response.

Updating and monitoring of software

All software used by the firm is supported by external software suppliers who issue routine updates from time to time. It is the responsibility of Nicola Robinson, after obtaining guidance from CB IT Support, to decide whether and when updated versions are to be installed or new or better software should be obtained. Security updates fix known weaknesses and must be applied promptly; software that is no longer supported by its supplier does not receive them and must be replaced or upgraded.

Secure receipt of banking information from clients

To reduce the risk of cybercrime, file handlers are required to encourage clients to provide their bank account information in a hard copy document in person or in the post. Where a client prefers to provide this information in an email, they must be reminded of the risk of fraudsters intercepting the email and requesting that funds are paid to a different bank account. A follow-on telephone call must be made to verify the information provided by the client.

Verifying banking details of other conveyancers and third parties

A telephone call must always be made to other conveyancers or third parties to verify the banking details provided before any sums are transferred. Where the other party is a business, the call must be made to the telephone number stated on their website and in their previous correspondence, cross-checked against each other, and never to a number supplied only in the message containing the bank details.

Communication with the firm’s bankers

Communications with the firm's bank are restricted to designated authorised individuals within the firm. Any calls or emails from third parties claiming to be from our bank to anyone other than those authorised individuals must be treated with extreme caution, which includes not disclosing confidential banking information. Any concerns in this regard must be reported to your supervisor or the COFA immediately. See the 'Information security – staff responsibilities – online payments' section below for more information on the risk of funds being diverted.

Shadow IT

The use of shadow IT, namely information technology systems, devices, software, applications and services that have not received explicit prior approval from Nicola Robinson (with guidance from CB IT Support), is strictly forbidden because of the information security risk that it poses.

Information security when instructing Counsel

File handlers are required to ensure that an up-to-date response (checked within the last six months) to the standardised cyber questionnaire tool developed by the Bar Council and the Law Society is in place with the chambers where the barrister they intend to instruct is based before sending out the Instructions to Counsel.

The purpose of the tool is to enable law firms to check that the IT systems maintained by chambers are information security compliant, which in turn should reassure clients that their data will be kept as secure as possible.

Information security – staff responsibilities

The firm holds a huge amount of confidential information which we must keep secure. Moreover, like all law firms, we may be targeted by criminals who seek to obtain information, either as an end in itself or so that they can steal funds from the firm or its clients.

Accordingly, all staff must study and observe the precautions set out below.

Keep IT secure

  • Take care with any email you receive from an unknown source. Bear in mind that opening attachments or clicking on links may result in malware being downloaded. If you have any concerns about an email you receive, you should refrain from opening it and seek advice from a director or CB IT Support. See the Email Policy for more information.
  • Follow the firm’s policy on the use of passwords, including the level of complexity, the frequency with which they should be changed, and other precautions such as not writing them down in any form which might be intelligible to a third party. Do not disclose your password to anybody else and do not ask for another person’s password. Secure passwords are particularly important with mobile devices, or with logins that would enable people to access the firm’s systems remotely.
  • PCs and laptops must be locked (Windows key + L, or Ctrl-Alt-Delete then Lock) when not in use or when you are away from your desk for any period of time. Log off from your computer before leaving the office each day.
  • Be aware of your desk's positioning and ensure that your computer screen does not show confidential information to those who are not authorised to see it, e.g. to passers-by through a window. This is particularly important when using a laptop or other device in public places, when a privacy screen should be used to protect your screen from prying eyes.
  • Update the software on your computer whenever required to do so. Updates frequently fix security weaknesses.
  • Even if data has been deleted from electronic media, it may be possible for others to recover it. Hence computer hard drives, USB sticks, floppy disks, CD-ROMs, etc. should either be securely wiped by an expert or physically destroyed when no longer required.
  • If you take our firm laptops outside of our office, you must take care with such property. Laptops must never be left unattended and must not be left in cars.
  • Our information systems can be remotely accessed meaning that you can access the systems using external computer equipment from home or another location. When outside the office, you should use remote access to work on files on our information systems rather than uploading files to your home computer by emailing them to yourself or using portable storage.
  • Loss or theft of a firm laptop or smartphone must be immediately reported to Nicola Robinson.

Downloading data and software

  • We must prevent malicious content from appearing on our information systems and therefore you are not permitted to upload any data from any kind of storage device onto the system without first obtaining consent from your line manager and checking for malware. Examples of storage devices include: portable external hard drives; media player hard drives; USB memory sticks; DVD-RW drives; CD and DVD discs; and memory cards from cameras.
  • Data storage devices must be formatted before any data is copied to the information systems and authorisation must be sought from your line manager before any information from the system is transferred to a data storage device.
  • No electronic data, however stored, should be taken offsite without authority from your line manager. If such authority is given and confidential data is removed from our office, it should be held securely and returned to our office as soon as possible then immediately erased from the data storage device it has been temporarily saved to.
  • No software should be uploaded to the information systems without express permission from your line manager. Software includes business applications, entertainment software, games, photographs and demonstration software.

Online payments

  • The firm has policies in place to protect itself from the risk of funds being diverted. Those responsible for making payments from our bank account receive separate guidance, which includes a strict prohibition on ever divulging account credentials or security information (including usernames, passwords, PINs and other security codes) to anyone.
  • All staff should be aware of the risk of criminals seeking to divert funds, e.g., by phone calls or emails to the firm purporting to be from clients, our bank or senior staff, or to clients purporting to be from the firm, asking for payments to be made to inappropriate accounts. Staff must report to their supervisor or the COLP/COFA immediately any request they receive for information which might be used to facilitate fraudulent payments.

Keep papers secure

  • Keep confidential papers in locked cabinets when they are not in use. Bear in mind that cleaning personnel, temporary staff and others may be present in the building, and that leaving papers where they can be seen risks a breach of security.
  • Report any stranger you see in an entry-controlled area.
  • Minimise the amount of data taken out of the office – only take client files (or other confidential information) out of the office when it is necessary to do so. Take precautions to ensure that such items are not stolen or lost. For example, do not leave files in an unattended car.
  • Be aware that taking paper files out of the office is especially risky. Where possible take information in encrypted digital form, e.g., on a laptop.
  • Also bear in mind that laptops and other electronic devices may be stolen if taken out of the office. Hence confidential files taken out of the office in electronic form must be encrypted. It is not enough that the machine on which they are stored is password protected. Where possible if you are working out of the office, access documents over the internet.
  • Ensure confidential papers that are no longer required are disposed of in a confidential waste bin in the office (see the Retention and Disposal Policy for requirements for disposing of confidential waste for those working in a remote/hybrid working arrangement).
  • If working remotely, bear in mind the additional confidentiality and security risks when discussing confidential matters during virtual meetings or on the telephone and use headphones for privacy whenever possible.
  • Take particular care with sensitive papers, such as medical reports or documents including price sensitive information or personally sensitive material.

Take care when dealing with enquiries

Beware of “blaggers” (people who attempt to obtain confidential information by deception). This is most commonly done by phone but may also be by email or in person. The following are examples of the precautions you should take when dealing with enquiries.

  • Check the identity of the person making the enquiry to ensure information is only given to a person who is entitled to it.
  • Ask callers to put their request in writing if you are not sure about the caller’s identity and their identity cannot be checked.
  • Refer to your supervisor for assistance in difficult situations.
  • Take particular care with callers who claim to be from our bank. A number of firms have had money stolen from their bank accounts after staff gave confidential banking information out over the phone.
  • Under data protection law we may receive a written request from someone (known as a "data subject") for the information that we hold about them, known as a Data Subject Access Request (DSAR). If you receive such a written request, you should forward it immediately to the firm's Data Protection Manager, Timothy Halliday, who will take responsibility for ensuring that the request is actioned within the required timescales. For more information, see the Data Subject Access Request Policy.

Reporting information security incidents

You and any other party to whom this policy has been communicated are responsible for reporting any information security incidents to Nicola Robinson as soon as you become aware of them. They will then advise you if further information is required or if you are required to take any action to help resolve the incident.

Internet usage

Improper use of the internet may be inconsistent with the firm’s objectives, threaten the security of our information management systems, and damage our reputation.

When accessing the firm internet, you should use your judgment to assess what is and is not acceptable usage. If you are unsure about what constitutes acceptable internet usage, ask your line manager for guidance before you take any further action. Examples of actions you must not do include:

  • Use the internet to send, receive, browse, download or store material which may be illegal, offensive or cause embarrassment to others. This includes (without limitation) the use of the internet to send, receive, obtain, access, download or store pornographic material, material which is racially or sexually offensive or material which could be deemed sexist, blasphemous, defamatory or abusive.
  • Copy and paste or otherwise use material from the internet in a way which may infringe copyright or other intellectual property rights.
  • Download material or access services that could pose a threat to the security of the firm’s systems, e.g., malware, viruses, phishing emails, etc.
  • Steal, use or disclose a colleague’s password to a work-related website or system without authorisation.
  • Pass off personal views as representing those of the firm in an online setting without proper authorisation.
  • Breach data privacy laws and regulations.
  • Use the firm’s internet for online gambling, or to perpetrate any form of illegal activity such as hacking, fraud or software, film or music piracy.

Personal use of the firm internet is acceptable provided:

  • The use is minimal and mainly outside of working hours (e.g., during lunch breaks).
  • The use does not interfere with client or other firm commitments.
  • Usage complies with all other firm policies.

Monitoring internet access

The firm may monitor your internet access and usage from time to time to monitor compliance with this policy and other firm policies.

Monitoring may include tracking the volume and time of internet and network usage and the internet sites visited.

Review of this policy

This policy will be reviewed at least annually by Nicola Robinson (Finance Director).

September 2025
