Data Protection and Cyber Security Policy
In this Data Protection Policy references to “we”, “us” and “our” are to Jasper Global Corporation. References to “our Website” or “the Website” are to www.jasperglobal.com which is operated by Jasper Global Corporation.
This document sets out our obligations with regard to data protection and the rights of people with whom we work in respect of their personal data, and our compliance with The General Data Protection Regulation (GDPR).
This Policy shall set out procedures which are to be followed when dealing with personal data. The procedures set out herein must be followed by us, our employees, contractors, agents, consultants, partners or other parties working on behalf of Us.
We view the correct and lawful handling of personal data as key to our success and dealings with third parties. We shall ensure that we handle all personal data correctly and lawfully.
Data Protection Principles
We aim to ensure compliance with GDPR and the principles with which any party handling personal data must comply. All personal data must be:
- Processed lawfully, fairly and transparently.
- Collected only for specific legitimate purposes.
- Adequate, relevant and limited to what is necessary.
- Accurate and kept up to date.
- Stored only as long as is necessary.
- Handled in a way that ensures appropriate security, integrity and confidentiality.
Rights of Data Subjects
Data subjects have the following rights:
- to be informed that their personal data is being processed;
- to access any of their personal data held by the Company within 40 days of making a request;
- to prevent the processing of their personal data in limited circumstances; and
- to rectify, block, erase or destroy incorrect personal data.
Personal data is defined as data which relates to a living individual who can be identified from that data or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.
We only hold personal data which is directly relevant to our dealings with a given data subject. That data will be held and processed in accordance with the data protection principles and with this Policy. The following data may be collected, held and processed by Us from time to time:
- Name, address, contact information, passport details, next of kin details
- Date of birth, gender, nationality
- Qualifications and employment history, CV, details of trade memberships/professional affiliations
Processing Personal Data
Any and all personal data collected by Us (including that detailed above) is collected in order to ensure that we can facilitate efficient transactions with third parties including, but not limited to, our customers, partners, associates and affiliates and efficiently manage our employees, contractors, agents and consultants. Personal data shall also be used by Us in meeting any and all relevant obligations imposed by law.
Personal data may be disclosed within our company. Personal data may be passed from one department to another in accordance with GDPR and this Policy. Under no circumstances will personal data be passed to any department or any individual that does not reasonably require access to that personal data with respect to the purpose(s) for which it was collected and is being processed.
Data Protection Procedures
We shall ensure that all of our employees, contractors, agents, consultants, partners or other parties working on our behalf comply with the following when processing and / or transmitting personal data:
- All emails containing personal data must be encrypted;
- Personal data may be transmitted over secure networks only – transmission over unsecured networks is not permitted in any circumstances;
- Personal data may not be transmitted over a wireless network if there is a wired alternative that is reasonably practicable;
- Personal data contained in the body of an email, whether sent or received, should be copied from the body of that email and stored securely. The email itself should be deleted. All temporary files associated therewith should also be deleted;
- Where Personal data is to be sent by facsimile transmission the recipient should be informed in advance of the transmission and should be waiting by the fax machine to receive the data;
- Where Personal data is to be transferred in hard-copy form it should be passed directly to the recipient. Using an intermediary is not permitted;
- All hard-copies of personal data should be stored securely in a locked box, drawer, cabinet or similar;
- All electronic copies of personal data should be stored securely using passwords and suitable data encryption, where possible on a drive or server which cannot be accessed via the internet; and
- All passwords used to protect personal data should be changed regularly and should not use words or phrases which can be easily guessed or otherwise compromised.
We shall ensure that the following measures are taken with respect to the collection, holding and processing of personal data:
- A designated data protection officer (“the Data Protection Officer”) has the specific responsibility of overseeing data protection and ensuring compliance with GDPR.
- All employees, contractors, agents, consultants, partners or other parties working on our behalf are made fully aware of both their individual responsibilities and our responsibilities in order to comply with GDPR and they shall be furnished with a copy of this Policy.
- All employees, contractors, agents, consultants, partners or other parties working on our behalf, handling personal data will be appropriately trained to do so.
- All employees, contractors, agents, consultants, partners or other parties working on our behalf, handling personal data will be appropriately supervised.
- Methods of collecting, holding and processing personal data shall be regularly evaluated and reviewed.
- The performance of those employees, contractors, agents, consultants, partners or other parties working on our behalf, handling personal data shall be regularly evaluated and reviewed.
- All employees, contractors, agents, consultants, partners or other parties working on our behalf, handling personal data will be bound to do so in accordance with GDPR and this Policy by contract. Failure by any employee to comply with GDPR or this Policy shall constitute a disciplinary offence. Failure by any contractor, agent, consultant, partner or other party to comply with GDPR or this Policy shall constitute a breach of contract. In all cases, failure to comply with GDPR or this Policy may also constitute a criminal offence.
- All contractors, agents, consultants, partners or other parties working on our behalf, handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as our own employees arising out of this Policy and in relation to GDPR.
- Where any contractor, agent, consultant, partner or other party working on our behalf, handling personal data fails in their obligations under this Policy that party shall indemnify and hold Us harmless against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.
Access by Data Subjects
A data subject may make a subject access request (“SAR”) at any time to see the information which we hold about them.
Upon receipt of an SAR, we shall have a maximum period of 40 days within which to respond. The following information will be provided to the data subject:
- Whether or not we hold any personal data on the data subject;
- A description of any personal data held on the data subject;
- Details of what that personal data is used for;
- Details of any third-party organisations that personal data is passed to; and
- Details of any technical terminology or codes.
Notification to the Information Commissioner’s Office
As a data controller, the Company is required to notify the Information Commissioner’s Office that it is processing personal data. The Company is registered in the register of data controllers.
Data controllers must renew their notification with the Information Commissioner’s Office on an annual basis. Failure to notify constitutes a criminal offense.
Any changes to the register must be notified to the Information Commissioner’s Office within 28 days of taking place.
The Designated Officer shall be responsible for notifying and updating the Information Commissioner’s Office.
Implementation of Policy
This Policy shall be deemed effective as of 25th May 2018. No part of this Policy shall have retroactive effect and shall thus apply only to matters occurring on or after this date.
Jasper Global Corporation, Company Registration Number 17670 (Dominica).
Registered office: 8 Copthall, PO Box 2331, Roseau (Commonwealth of) Dominica, 00152
Cyber Security Policy
Policy brief & purpose
Our Cyber Security policy outlines our guidelines and provisions for preserving the security and privacy of our data and technology infrastructure.
The more we rely on technology to collect, store and manage information, the more vulnerable we become to severe security breaches. Human errors, hacker attacks and system malfunctions could cause great financial damage and may jeopardize our Company’s reputation.
For this reason, we have implemented a number of security measures. We have also prepared instructions that may help mitigate security risks. We have outlined both provisions in this policy.
This policy applies to all our employees, contractors, volunteers and anyone who has permanent or temporary access to our systems and hardware.
Confidential and private data is secret and valuable. Common examples are:
- Unpublished financial information
- Data of customers/partners/vendors
- Patents, formulas or new technologies
- Customer lists (existing and prospective)
All employees are obliged to protect this data. In this policy, we will give our employees instructions on how to avoid security breaches.
Protect personal and company devices
When employees use their digital devices to access company emails or accounts, they introduce security risk to our data. We advise our employees to keep both their personal and company-issued computer, tablet and cell phone secure. They can do this if they:
- Keep all devices password protected.
- Choose and upgrade complete antivirus software.
- Ensure they do not leave their devices exposed or unattended.
- Install security updates of browsers and systems monthly or as soon as updates are available.
- Log into company accounts and systems through secure and private networks only.
We also advise our employees to avoid accessing internal systems and accounts from other people’s devices or lending their own devices to others.
When new hires receive company-issued equipment they will receive instructions for:
- [Disk encryption setup]
- [Password management tool setup]
- [Installation of antivirus/ anti-malware software]
They should follow instructions to protect their devices and refer to our [Security Specialists/ Network Engineers] if they have any questions.
Keep emails safe
Emails often host scams and malicious software (e.g. worms.) To avoid virus infection or data theft, we instruct employees to:
- Avoid opening attachments and clicking on links when the content is not adequately explained (e.g. “watch this video, it’s amazing.”)
- Be suspicious of clickbait titles (e.g. offering prizes, advice.)
- Check the email addresses and names of the people they received a message from to ensure they are legitimate.
- Look for inconsistencies or give-aways (e.g. grammar mistakes, capital letters, excessive number of exclamation marks.)
If an employee isn’t sure that an email they received is safe, they can refer to our [IT Specialist.]
Manage passwords properly
Password leaks are dangerous since they can compromise our entire infrastructure. Not only should passwords be secure so they won’t be easily hacked, but they should also remain secret. For this reason, we advise our employees to:
- Choose passwords with at least eight characters (including capital and lower-case letters, numbers and symbols) and avoid information that can be easily guessed (e.g. birthdays.)
- Remember passwords instead of writing them down. If employees need to write their passwords, they are obliged to keep the paper or digital document confidential and destroy it when their work is done.
- Exchange credentials only when absolutely necessary. When exchanging them in-person isn’t possible, employees should prefer the phone instead of email, and only if they personally recognize the person they are talking to.
- Change their passwords every two months.
Remembering a large number of passwords can be daunting. We will purchase the services of a password management tool which generates and stores passwords. Employees are obliged to create a secure password for the tool itself, following the above-mentioned advice.
Transfer data securely
Transferring data introduces security risk. Employees must:
- Avoid transferring sensitive data (e.g. customer information, employee records) to other devices or accounts unless absolutely necessary. When mass transfer of such data is needed, we request employees to ask our [Security Specialists] for help.
- Share confidential data over the company network/ system and not over public Wi-Fi or a private connection.
- Ensure that the recipients of the data are properly authorized people or organizations and have adequate security policies.
Report scams, privacy breaches and hacking attempts
Our [IT Specialists/ Network Engineers] need to know about scams, breaches and malware so they can better protect our infrastructure. For this reason, we advise our employees to report perceived attacks, suspicious emails or phishing attempts as soon as possible to our specialists. Our [IT Specialists/ Network Engineers] must investigate promptly, resolve the issue and send a companywide alert when necessary.
Our Security Specialists are responsible for advising employees on how to detect scam emails. We encourage our employees to reach out to them with any questions or concerns.
To reduce the likelihood of security breaches, we also instruct our employees to:
- Turn off their screens and lock their devices when leaving their desks.
- Report stolen or damaged equipment as soon as possible to [HR/ IT Department].
- Change all account passwords at once when a device is stolen.
- Report a perceived threat or possible security weakness in company systems.
- Refrain from downloading suspicious, unauthorized or illegal software on their company equipment.
- Avoid accessing suspicious websites.
We also expect our employees to comply with our social media and internet usage policy.
Our [Security Specialists/ Network Administrators] should:
- Install firewalls, anti-malware software and access authentication systems.
- Arrange for security training to all employees.
- Inform employees regularly about new scam emails or viruses and ways to combat them.
- Investigate security breaches thoroughly.
- Follow this policy’s provisions as other employees do.
Our company will have all physical and digital shields to protect information.
Remote employees must follow this policy’s instructions too. Since they will be accessing our company’s accounts and systems from a distance, they are obliged to follow all data encryption, protection standards and settings, and ensure their private network is secure.
We encourage them to seek advice from our [Security Specialists/ IT Administrators.]
We expect all our employees to always follow this policy, and those who cause security breaches may face disciplinary action:
- First-time, unintentional, small-scale security breach: We may issue a verbal warning and train the employee on security.
- Intentional, repeated or large-scale breaches (which cause severe financial or other damage): We will invoke more severe disciplinary action up to and including termination.
We will examine each incident on a case-by-case basis.
Additionally, employees who are observed to disregard our security instructions will face progressive discipline, even if their behaviour hasn’t resulted in a security breach.
Take security seriously
Everyone, from our customers and partners to our employees and contractors, should feel that their data is safe. The only way to gain their trust is to proactively protect our systems and databases. We can all contribute to this by being vigilant and keeping cyber security top of mind.