Privacy and Data handling policies

Privacy and Data handling policies

Policy scope

This policy applies to:

It applies to all data that the company holds relating to identifiable individuals. This can include:

Responsibilities

Everyone who works for or with VR Assets LLC is responsible that all data collected is stored and handled appropriately.

People that have key areas of responsibility:

The CEO is ultimately responsible for ensuring that VR Assets LLC meets its legal obligations.
The system administrator is responsible for:
Keeping the CEO updated about data protection responsibilities, risks and issues.
Reviewing all data protection procedures and related policies
Arranging data protection training for the people covered by this policy.
Handling data protection questions from staff and anyone else covered by this policy.
Assigning level of access in accordance with least user access principles.
The IT developer is responsible for:
Ensuring all systems, services and equipment used for storing data meet security standards.
Performing regular checks and scans to ensure security hardware and software is functioning properly.

The security is responsible for monitoring all entrances to the building as well as inside surveillance system.

General staff guidelines

Each employee only has access to the part of the system required to perform their daily tasks.
Data must not be shared informally. When access to extra information is required, employees must request it from their managers.
VR Assets LLC will provide training to all employees to help them understand their responsibilities when handling data.
Employees should keep all data secure by taking precautions and following the guidelines described here.
All passwords must contain at least 8 characters, a mixture of upper and lower cases, a mixture of numbers and letters and at least one special symbol.
No passwords may be shared with anybody.
Personal data should not be disclosed to unauthorized people, either within the company or outside.

Data storage

No hard copies of any documents are to be stored. If data is ever printed, all copies are to be shredded.

When data is stored electronically it must be protected from unauthorized access, accidental deletion and malicious hacking attempts:

Data should be protected by strong passwords that are changed regularly and never shared between employees.
When data is stored in "cold storage", it should be kept locked away securely when not being used.
Data should only be stored on designated drives and servers, and should only be uploaded to an approved location.
Servers containing personal data should be located in a secure location, away from general office space.
Data should never be saved directly to laptops or other mobile devices like tablets or smart phones.
All servers and computers containing data should be protected by approved security software and a firewall.

Data use

All computers should be locked when leave unattended.
Personal data should not be shared informally. It should never be sent by email.
Data must be encrypted before being transferred electronically.
Personal data should never be transferred outside of the company.
Employees may not have access to personal data on their own computers.

Disclosing data for other reasons

Data may not be inappropriately disclosed in any situation.

Some data used by VR Assets LLC is a property of third-party business.

In a case of a law enforcement agency request to disclose any personal information th following steps shall be taken:

VR Assets LLC will ensure the request is legitimate, seeking assistance from the company’s legal advisers where necessary.
The company owning the data shall be notified.
Decision to release the data shall be made in conjunction with the company owning the data