Data Storage Protection & Encryption Measures
1. Introduction
1.1 The information held by durhamlane represents one of its most valuable assets. It is therefore essential that all information for which it has responsibility is used, communicated, transferred, stored, and disposed of in a manner that complies with legal and regulatory requirements, and within the broader information management and security framework.
1.2 durhamlane is committed to properly protecting and processing the data that it holds. This document provides the technical specifications and solutions implemented by durhamlane to ensure compliance with Data Protection legislation.
1.3 This document supplements durhamlane’s top level Information Security Policy and should be read in conjunction with it and all of the supporting sub-policies and documents listed within it.
2. Responsibility
2.1 Responsibility for the production, maintenance and communication of this document lies with the Information Security Manager. It is also the responsibility of the Information Security Manager to ensure that annual reviews of this document take place to ensure that it remains internally consistent and that the document is version controlled.
2.2 Any substantive changes made to any of the documents in the set will be communicated to all relevant personnel.
3. Purpose and Objectives
3.1 The level of security required in a particular system will be dependent upon the risks associated with the system, the data held on the system and the physical working environment of the system. The objective of this document is to provide stakeholders with an understanding of the technical security provisions that durhamlane have put in place to ensure the protection and safe processing of all personal data that we hold.
4. IT Support and Expertise
4.1 durhamlane employs the following specialist consultant organisations to assist in IT support, protection and development. All companies have been screened to BS7858 – Security screening of individuals employed in a security environment – code of practice and are also subject to both non-disclosure and data processing agreements with durhamlane.
4.2 Aspire Technology Solutions are durhamlane’s managed IT service partner. They provide durhamlane with a working week IT service desk and support to our directors and employees. They are responsible for the 24-hour monitoring and protection of our data through firewalls and managed anti-virus/anti-malware, the full backup and restoration of our data, email filtering and other IT support, connectivity and consultancy.
4.3 durhamlane manages and develops our website. Client contact data and other data collected through our website is processed compliantly.
5. Network Protection
5.1 durhamlane’s entire network and systems are protected by local firewalls onsite and in Azure, which are IP restricted, and by a fully managed suite of security software including Webroot endpoint protection. The internal network is segmented by firewalls and requires a VPN connection to the Azure network. This stateful inspection firewall has advanced security that monitors on-wire communications for live threats. durhamlane also have managed AV solutions on all PCs.
5.2 durhamlane’s security-related devices, such as our Firewall/IDS/IPS, are continually updated with patches. A managed patch delivery system is employed to continuously monitor for relevant security patches and automatically install white-listed patches on a schedule.
5.3 Intrusion protection and detection is fully enabled on the firewall. When the firewall detects numerous or multiple intrusion attempts, an alert is activated to our systems administrators for review and action. Firewall logs are not monitored on our systems; however, durhamlane do have active alerting of incidents and faults, which are triggered by the firewall’s intrusion prevention/detection system directly into the 24-hour monitoring solution provided by Aspire. The firewall is currently not subject to regular penetration testing, but this is something that durhamlane shall be working towards in the future.
6. Internal Data Storage
6.1 The primary use of durhamlane storage infrastructure is to store, retain and secure company data.
6.2 Personal folders on workstations are used only for the storage of work-related documents and templates which are specific to the users’ post or job function. No data classified ‘Sensitive Data’ is saved within personal folders on workstations.
6.3 The ‘Company Shared’ folder is designed to be used by employees to share document templates, reference documents, spreadsheets, databases, photographs and all data classified ‘Sensitive Data’. Sharing also helps to eliminate duplication of files across the infrastructure. Access is restricted to specific groups of employees thus maintaining security and privacy of any confidential data.
6.4 All users are authorised company employees who have been security screened to BS7858 – Security screening of individuals employed in a security environment – code of practice and have signed non-disclosure clauses as part of their employment contracts.
6.5 durhamlane’s IT equipment is located and housed in a locked server cabinet in a dedicated server room within our head office. The server room remains locked at all times. Authorised staff may only access the room via a numeric code security lock on the door and always ensure that the door closes and locks behind them when they leave. Please see the Office Security Policy for more information.
6.6 The data stored on our Azure servers is encrypted and backed up daily to a different data centre within the Microsoft Azure network.
6.7 The use of external storage devices (USB sticks and portable hard drives) is strictly prohibited and is blocked on all employee workstations via Aspire network group policy.
7. Back up and Data Recovery
7.1 durhamlane utilise Azure Backup for secure backup solutions. Azure Backup provides durhamlane with a simple, secure, and automatic method for both on-site and off-site data storage in one simple and easy-to-use device. This allows for our business to recover multiple terabytes of information in 24 hours, which would be nearly impossible through Internet transfer.
7.2 Data in motion is encrypted via TLS 1.2; once on offsite UK-based servers, the data at rest is encrypted and stored via AES 256. Mirror images of the servers are also transmitted and stored in the same way.
7.3 Azure Backup creates an encrypted copy of all files stored at the on-site location off-site within the UK. In the event of accidental deletion, files can quickly be restored to the device to ensure that downtime is kept to an absolute minimum.
7.4 The datacentres employed are UK based and are SAS 70/SSAE 16-certified and HIPAA Compliant. The backup data does not leave the EU.
8. Sensitive Data Destruction
8.1 All client ‘Sensitive Data’ is securely held via individual electronic case files, within our case management system which is stored on our internal servers.
8.2 durhamlane operates with a Record Retention and Data Destruction policy. This stipulates that all case files should be retained for seven years post closure, unless the ‘Data Subject’ requests immediate deletion before this period.
8.3 All case files are given a closure date within our case management system upon their conclusion. Our case management system is set to automatically delete all sensitive data contained (on a monthly batch run) when a case reaches the seventh anniversary of its closure. The following non-identifying data is retained to assist Aspire in meeting its data processing obligations in respect of any future ‘subject access requests’ that may be received:
i. durhamlane reference number;
ii. instructing client name;
iii. client’s reference number;
iv. matter description (i.e. process serve);
v. date file closed and archived; and
vi. date of file destruction.
8.4 durhamlane also have a “delete now” facility for use to immediately delete all sensitive data within a case file upon receipt of a valid data subject request.
8.5 Upon deletion of a case file, a data destruction certificate is produced and held on file.
9. Email Encryption and Data File Transfer
9.1 Data is transferred off site during the instruction of any sub-contractors and the provision of reports to our clients. Where ‘Sensitive Data’ is to be transferred, it will be sent via encrypted email using Microsoft365 email encryption. Microsoft365 email encryption provides government and industry-certified security and authentication, including email and file encryption at rest and in transit, multi-factor authentication, and customisable policy control. The solution integrates with Microsoft Outlook and Office 365 for easy-to-use one-click encryption, while mobile apps help secure data on other device types.
9.2 Detailed audit logs enable users to track information even after it has been shared, with the ability to revoke access in real time should recipients no longer be authorised to access information. Additionally, policy control can prevent actions such as downloading data locally, copy and pasting information, and using print screen functionality. When implemented at the gateway, outgoing emails can be encrypted based on key terms for GDPR compliance. End-to-end security is ensured by recipients being able to reply and initiate secure emails and file transfers for anyone with a Microsoft account.
9.3 Larger files may also be transferred using a secure encrypted file transfer service provided by www.wetransfer.com. The privacy and security standards of wetransfer.com are compliant with the high level of personal data protection required by the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens), based on the E.U. Privacy Directive (95/46/EC). Files are encrypted when they are being transferred (TLS) and when they are stored (AES256). Once files are safely stored, they can only be accessed using the unique links sent to the sender and recipient.
10. Use of Cloud Based Storage
10.1 The phrase “cloud storage” can be defined as any third-party solution which stores information to an online storage facility such as Google Drive, Dropbox and OneDrive. Files stored on these services can usually be accessed via any web browser and have the facility to share files with other people. Whilst being attractive, offering excellent features that are easy to use, they bring with them a series of risks. durhamlane employees are instructed that they must not use cloud services to store files containing personal, sensitive or confidential information because of these risks. durhamlane have therefore blocked access to known cloud-based storage sites for unauthorised employees via Firewall group policy.
10.2 For collaboration purposes, the Aspire directors and senior management have access to an online ‘SharePoint’ storage facility via Microsoft Office 365 in which data and documents may be stored. Access may only be granted by the Head of Operations.
10.3 Office 365 encrypts all data content at rest and in motion using multiple encryption technologies. For data at rest, Office 365 uses BitLocker, Azure Storage Service Encryption, and Office 365 Service Encryption. For data in transit, Office 365 uses multiple encryption technologies, including Transport Layer Security (TLS) and Internet Protocol Security (IPsec). Data is stored on Office 365 Secure Servers within the UK. No data leaves the E.U.