TFI Group Data Management & Protection Policy

Security Clearance

Security is of the utmost importance to us and to all those we act on behalf of. Prior to appointment, TFI Group will take appropriate steps to check that all new recruits are appropriately security cleared. This process will also cover any agency or temporary staff contracted to work on behalf of TFI Group and will periodically be used to review current employee profiles. Our vetting process will typically include:

  • Previous employment references
  • Verification of home address
  • Checks for County Court Judgements, Insolvency Voluntary Arrangements and Bankruptcy
  • Checks for Directorships on the Companies House Register
  • Work permit status as required, together with copies of passports and work visas.
  • Checks with the Criminal Records Bureau

Enhanced Security Checks

Personnel allocated to work on projects for clients requiring enhanced security clearance will be required to undergo an enhanced security clearance check. Such staff will be notified in advance of enhanced security checks and will be trained to have a more detailed and in-depth knowledge and understanding of the procedures for protecting client data: its management on the TFI hard drive systems, its transfer and its destruction post event.

Data Management

TFI fosters a culture amongst its staff of the importance of taking appropriate steps to manage data on behalf of clients to an appropriate level of security. In advance of the commencement of a project, event managers must ascertain from their clients the level of security to be adopted in connection with data management, using one of the following levels:

  • Unclassified data or ‘Not Protectively Marked’, covering non-sensitive data.
  • Classified data or ‘Protect Personal’, where data goes beyond individuals’ names and addresses and/or includes the management of sensitive data which may include knowledge of an individual’s work specification.

All employees, temporary staff and subcontractors are to use the above terminology when working on projects for TFI Group.

Data management training

On appointment, employees, temporary staff and TFI subcontractors will be trained in the management of data and its security. This will form part of the induction programme for new recruits.

Registration Systems and Users

TFI Group manages data on behalf of its clients through a number of online data management, registration and online payment systems. As of April 2017 TFI Group are using Key4Events, Etouches and Starcite as well as a number of bespoke systems specifically for clients. TFI Group also uses Axcess payment services for online card transactions.

The following procedures are implemented across all systems managing the data of its clients:

  • Only certain representatives of the organisation (‘users’) are permitted encrypted login/password access to our systems and authorised to handle data.
  • ‘Users’ are trained on specific key data protection issues relevant to these systems prior to commencement of any data management role.
  • Users are aware of the login and password protocols – that they should keep these details secure and not divulge these details to other staff members or external stakeholders unless specifically authorised by the head of department.
  • Any data exported for transportation purposes in any media format is appropriately encrypted.
  • Users have the correct access privileges in accordance with their job roles.

Data Security within systems:

Each system used for data management has been tested to ensure that data is stored securely and the appropriate steps have been taken to avoid disclosure of sensitive data.

For the Key4Events data security policy please click here

For the Etouches data security policy please click here

For the Starcite data protection statement please click here

Management of all payment data outside of registration systems

TFI Group would normally expect all payments from delegates attending their events to be made through the appropriate payment portal. However, it recognises that this is not always possible (for example, the registration system may be closed to general use). Where delegates need to provide credit card details the following procedure is adhered to:

  • Delegates are asked to provide card details over the phone and the payment is taken at the same time by a TFI user in the back end of the system. The data is never written down by the TFI user.
  • If this is not possible, delegates can email card details in exceptional circumstances. Where this is necessary, users must provide card details in two separate emails:
    • First email – card number, address, cardholder and expiry date
    • Second email – CVV number
  • The delegate must let the TFI user know that the card details are being sent.
  • The TFI user must aim to have taken payment within 2 working hours of receipt of the email.
  • Once payment has been taken successfully the email(s) must be deleted from the relevant inbox and deleted items folder immediately.
  • TFI users will ensure that all details are removed from any responses to emails containing sensitive data.

Transfer of data

In most cases, access to data on site at events will be via TFI’s encrypted remote access with time-out facility. In the case of certain clients’ data, it may only be accessed via secure hard wired systems. If in doubt, checks are to be made with clients’ protocols for the secure transfer of data before action is taken.

Where it becomes necessary to transfer or access data other than via TFI’s remote access system please note the following mandatory requirements:

  • By Post: Please use Royal Mail Registered Post only
  • Courier: Via DHL Courier Services with signatory required at dispatch and receipt
  • Memory stick suitably encrypted, noting memory sticks are not to be used for sensitive projects
  • Excel spreadsheet email attachments, appropriately encrypted
  • Fax: AVOID

Storage of data

TFI Group operates a clear desk policy and all employees, temporary staff and contractors are required to ensure that all documents including data in hard copy format or on USB memory stick are cleared and locked away at the close of business each day.

In sensitive cases all hard copy data in any media must be locked away in a combination-lock in the safe at the Office.

When working away on site at an event, hard copy, magnetic, and memory stick data must be stored in a safety deposit box in staff bedrooms overnight or kept on the person of identified key staff on events taking place within the timescales of a day.

Loss of data

If, for any reason, data is lost, whether from office based systems, in transit or on site at an event, this loss must be reported immediately to the Client and TFI’s Head Office.

Destruction of data

Employees should ascertain in advance with a client what is to be done with data at the end of each and every project. If data is to be stored for accounting or similar purposes for an agreed period of time over the longer term, such data must be saved with appropriate encryption protocols via the in-house FIPS or similar standard data management system in an appropriate archive folder within the project folder.

In the case of projects containing sensitive data, unless otherwise instructed by the client, all data held must be destroyed after the agreed timescales by appropriate mechanisms such as:

  • Use of shredders conforming to at least DIN 32757 Level 3, through a recognised subcontractor.
  • USB, CD and magnetic tape media should be pulverised and disposed of by way of a professional and recognised subcontractor.
