Thomas Johnstone Ltd requires all users to exercise a duty of care in relation to the operation and use of its information systems.
- Authorised users of information systems
With the exception of information published for public consumption, all users of Thomas Johnstone Ltd information systems must be formally authorised by appointment as a member of staff, or by specifically authorised 3rd party working on behalf of Thomas Johnstone Ltd. Authorised users will be in possession of a unique user identity. Any password associated with a user identity must not be disclosed to any other person.
Authorised users will pay due care and attention to protect Thomas Johnstone Ltd information in their personal possession. Confidential, personal or private information must not be copied or transported without consideration of:
- permission of the information owner
- the risks associated with loss or falling into the wrong hands
- how the information will be secured during transport and at it’s destination.
2.2 Acceptable use of information systems
Use of the Thomas Johnstone Ltd information systems by authorised users will be lawful, and shall have regard to the rights and sensitivities of data subjects.
2.3 Information System Owners
Thomas Johnstone Ltd are responsible for information systems and are required to ensure that:
- Systems are adequately protected from unauthorised access.
- Systems are secured against theft and damage to a level that is cost-effective.
- Adequate steps are taken to ensure the availability of the information system, commensurate with it’s importance (Business Continuity).
- Electronic data can be recovered in the event of loss of the primary source. i.e. failure or loss of a computer system, as it is incumbent on all system owners to backup data and to be able to restore data to a level commensurate with its importance (Disaster Recovery).
- Data is maintained with a high degree of accuracy.
- Systems are used for their intended purpose and that procedures are in place to rectify discovered or notified misuse.
- Any electronic access logs are only retained for a justifiable period to ensure compliance with the data protection and ICO, investigatory powers.
- Any third parties entrusted with Thomas Johnstone Ltd data understand their responsibilities with respect to maintaining it’s security.
2.4 Personal Information
Authorised users of information systems are not given rights of privacy in relation to their use of Thomas Johnstone Ltd information systems. Duly authorised officers of Thomas Johnstone Ltd may access or monitor personal data contained in any Thomas Johnstone Ltd information system (mailboxes, web access logs, file-store, phones etc).
2.5 Individuals in breach of this policy are subject to disciplinary procedures at the instigation of the DPO and/or Directors with responsibility for the relevant information system, including referral to the Police where appropriate.
Thomas Johnstone Ltd will take legal action to ensure that its information systems are not used by unauthorised persons.