1. Purpose and Scope
The purpose of this policy is to ensure that all data held by the All3Media Group is dealt with securely no matter what form such data is held in, whether it is in hard copy or digital format and type or form of device it is held on. This policy applies to all Operating Companies and all Staff and Freelancers.
2. Company Devices
Where you have been provided with a work device by your Operating Company, you must use this device for your work (and not an equivalent personal device) and comply with this policy.
When using a company device to process and store Personal Data or Company Information, you should only access and use the Company Information that you are authorised to and you must not:
a. copy such Personal Data or Company Information to any personal accounts, including cloud services. All files should be saved in the location as directed by your line manager;
b.make any changes to any IT system, information and/or equipment not authorised by your line manager and/or your IT support team;
c. store (large) personal files on company devices and systems. Your Operating Company reserves the right to delete any or all such files without notice;
d. remove or disable any software that has been installed by your IT support team;
e. install or use non-authorised software except commercially available software such as music or video streaming apps provided in each case that you pay all applicable fees and comply with the terms and conditions of such apps. You must never download or store any software intended for piracy or other illegal practices.
All company devices (including laptops, mobile phones, portable storage devices) must be returned at the end of your engagement with your Operating Company.
3. Personal Devices
Where you have not been provided with a company device, you may use an equivalent personal device for your work provided that your use of such device has been authorised by your Operating Company and you comply with this policy including in respect of passwords and passcodes.
When using a personal laptop/computer, you must ensure that the laptop/computer has up to date anti-virus and anti-malware software installed, it is encrypted (where technologically possible), has appropriately licensed software and the most recent operating system patches installed. When using a personal laptop to store Company Information and/or Personal Data, you must not copy such data to any personal accounts (including cloud services).
If you are required to save any Company Information (such as production budgets) to your personal laptop for the purposes of your engagement with your Operating Company, you must delete that information immediately following the end of your engagement.
When using a personal mobile or tablet device to access Company Information, you must not download that information to your personal device and you may never copy such information to any personal account.
4. Passcodes and Passwords
All devices (whether work or personal) must be passcode or password protected. Passwords and passcodes satisfying the criteria below will not need to be changed unless they have been compromised or where your IT support team has requested that they be changed.
You should never share a passcode or password with any other person. If you share your password or passcode or if you suspect that it has been compromised, you must immediately: (i) change the password and/or passcode that has been comprised; and (ii) inform your IT support team and follow any instructions they give to you.
You must either set or, where you have been provided a device with a pre-existing password, change your password so that it strings together three unrelated words or four letters or more with each word separated with a symbol. An example password is: table&hull%peaches Passwords meeting the criteria above will not need to be changed unless the password has been compromised.
Mobile devices must be protected using a minimum six non-consecutive digit code and/or letters. You may also use biometrics to protect your phone, such as finger prints.
5. Locking of Devices
All devices (whether company devices or personal devices) must be locked when not in use or if left unattended. All devices must auto-lock after five minutes of inactivity.
6. Transportation and Storage of Devices and Company Information
All devices must be transported safely and stored securely when not in use. Company Information should only be sent using special delivery, a reputable courier or an equivalent tracked mail service. Where confidential information is particularly sensitive, you should only use a reputable courier.
7. Personal Emails
The security measures in a corporate email account (being an email account provided to you by your operating company in the firstname.lastname@example.org (or co.uk or .tv or similar format) are far more rigorous than a personal email account. For these reasons the use of personal email accounts for operating company duties is strictly limited.Staff - all Staff must use their work email addresses when carrying out their duties on behalf of their Operating Company and must not use personal email addresses for work purposes for any reason.
Freelancers- the following Freelancers must be given corporate/work email addresses by their Operating Company. These email addresses must be used during their engagement for the purposes of the work they undertake on behalf of that Operating Company:
(i). Producer, Line Producer, Production Manager, Production Co-ordinator andProduction Accountant and Production Secretary; and
(ii). anyone else who the Operating Company deems it necessary to have a corporate email address as they will have access to and be required to send significant amounts of Personal Data.
All other Freelancers may use their personal email addresses for the purposes of their engagement where they are not provided with corporate email addresses, however care must be taken when dealing with personal data. Any documents should be password protected with the password sent separately and the recipient of any email should be double checked before sending.
8. Cloud Based Storage Systems
Use of cloud based storage systems (such as dropbox) is only permitted through a business/corporate account (and not a personal account in the name of your Operating Company). If you require the use of a corporate account/service, please contact your IT support team to discuss requirements.
9. VPNs (Virtual Private Networks)
Access to your Operating Company’s network may be provided to you through a VPN using devices provided by your Operating Company. Personal devices are not permitted to access any Operating Company’s network through a VPN.
10. Mobile Apps
Mobile communication apps, such as WhatsApp and Viber, may be used for making calls. Such apps may also be used for sending messages however they should never be used to send Confidential Information or Personal Data. Your Operating Company may make mobile apps available to you. Where instructed by your Operating Company, you must use the mobile app made available to you in accordance with any instructions from your Operating Company. You must also comply with all instructions given by your Operating Company in respect of the deletion of any mobile app or other software provided or made available to you during the course of your engagement.
11. Portable Storage Devices
Portable storage devices, such as USB sticks, SD cards, may be used to store Company information and must be encrypted, where technologically possible, if used to store and/or transport Personal Data or any sensitive or confidential company information. Only devices provided by your Operating Company may be used to store and/or transport Personal Data. You must ensure that any devices are stored securely when not in used and that all data is deleted from that device as soon as practicable.
12. Third Party Software or Services
Where third party software or service, such as Set Keeper or Yamdu, is used by your Operating Company, an appropriate person within your Operating Company must be responsible for ensuring that such software meets the requirements of the purpose for which it is used, including ensuring that any data uploaded to such software/service is secure and available only to those working on the relevant production as and when
required. You should inform your IT support team before acquiring or using such software/service to ensure that appropriate technological measures are in place.
13. Downloading and Storage of Company Information
From time to time, you may need to download company information to a personal device. Where this is the case the device must be password protected, encrypted and have up to date anti-virus software installed and active, such information must only be used for legitimate business purposes and must be deleted as soon as it is no longer required for that business purpose.
14. Compromise of Passwords, Passcodes, Devices, Loss of Devices and Viruses
You must immediately inform your IT support team if you suspect or become aware of:
a. any loss of company information;
b. any loss of any devices (whether company devices or personal devices) storing company information;
c. any personal device holding company information or any company device is infected with a virus;
d. any of your passwords or passcodes being compromised;
e. any unauthorised access to confidential information,
and comply with both the Data Breach Protocol and any instructions given to you by your IT support team.
Policy Version: v.1
Last Updated: March 2018