General Controls

Are Face Facts ISO 27001:2013 certified? 

Yes, we were certified in October 2017, here is our certificate

Are Face Facts currently registered with the data Commissioners Office?

Yes, our registration number ZA039478

Are the Senior Management team/MD/Director/s at Face Facts fully aware of their responsibilities required by the Data Protection Act 1998?

Yes, we understand that we can operate as a data controller, joint data controller &/or data processor.  However, as we do not have our own in-house panel, all our recruitment or contact with respondents is on an individual consent basis.  The scope of the project and how their data will be used is clearly explained prior to gaining their consent. This is supported by our Privacy Policy.

Data Controls & Policies

What physical controls are in place to protect any data at Face Facts?

Access to the building is via locked front or rear doors with pin code access for staff, all access points are covered by CCTV. A buzzer system is in place for non staff entry. Internal corridors are covered by CCTV. The internal office door has a combination lock.  The communications room (containing switches, routers and firewall) is controlled by a combination lock which is accessible only by the Senior Management Team / Information Security Manager. 

What logical controls do Face Facts have in place to protect any data?

Various Policies cover the control measures that are implemented within Face Facts to control and protect data, the polices are detailed below:

Access Control Policy - Contains all the Information Security Policies
Information Classification Policy - Describes the methods of appropriate information classification and handling which apply to information in both electronic and physical forms received by Face Facts
Information Security Policy - The procedures followed to ensure that information assets at Face Facts are protected against unauthorised access, disclosure or modification.  
Information Transfer Policy - This policy details the secure file transfer facilities adopted and ensures that information, of any type or classification can safely and securely be transferred as and when required from or to Face Facts.
Password Policy - Details the criteria for the provision of passwords and conditions relating to their use.
Information Backup and Restore Policy - This policy details how / when information and data which Face Facts is responsible for is securely and routinely backed up. 
Retention Policy - Covers guidance on the retention of the distinct types of data Face Facts hold. This policy strives to balance the need to store information with legal obligations to destroy the data safely when it is no longer required.
Business As Usual (BAU) Policy - In the event of a service disruption this policy looks at all functions and minimum staffing levels so Face Facts can continue to provide critical services.  It covers procedures for all services provided from our main office.
Subject Access Policy - Covers requests from data subjects to access information that Face Facts hold on them.

What controls do Face Facts have in place to ensure information is accurate, up to date and has not been modified?

We do not store our own internal panel.  Data collected is via qual recruitment, F2F interviewing or by using panel sample for online studies. Any personal data gathered from such studies is  stored within our Retention Policy and abiding by the MRS Code of Conduct. All client electronic files are version controlled and access is managed via the Access Control Policy.

Do Face Facts have a policy for managing customer data in both physical and electronic form where applicable?

We have an Access Control Policy which covers in detail the procedures that Face Facts follow when handling physical and electronic data, from receipt / collection to destruction. This documents the procedures that staff must follow to, 
- Securely receive information & log the receipt of data
- Classify information correctly
- Apply accurate access rights to the information
- Store the information securely
- Dispose of the data

Are Face Facts systems which store customer data encrypted to protect confidentiality?

Face Facts information system resources are appropriately protected to prevent unauthorised access by applying a level of encryption to sensitive or critical information which is proportionate to the business risk. 
All critical or sensitive data transferred outside Face Facts is encrypted and sent via Exavault SFTP. Portable electronic devices such as iPads are protected by passwords/PIN numbers and can be remotely wiped / locked. All removable media is strictly prohibited and controlled by Symantec Endpoint protection installed on all devices.

Are Face Facts relevant systems covered by documented disaster recovery plans and business continuity plans?

We have a BAU (Business As Usual) Policy which details the Business Continuity Plan (BCP) which provides a strategic framework of how staff can work to enable critical functions to be maintained, or quickly restored to minimise any effect on service delivery to our clients. The aim of the plan is to anticipate risks, mitigate where possible and to have flexible and tested plans in place to minimise disruption when unplanned events significantly interrupt normal business.  This includes short or long-term disasters or other disruptions, such as fires, floods, earthquakes, explosions, terrorism, tornadoes, extended power interruptions, hazardous chemical spills, and other natural or man-made disasters. The Information Backup and Restore Policy ensures that all information and data which it is responsible for is securely and routinely backed up.  

Staff Awareness & Training

Are new staff at Face Facts made aware of their data privacy responsibilities when joining the company? Do all new & existing staff at Face Facts understand the data classification marking scheme and how to protect customer data?

All current & new staff undergo compulsory staff training on the following areas:  ISO27001 (covering all internal policies for Information security and HR).  We hold internal training sessions which are compulsory for all staff to attend, Data Privacy and Information Classification are part of this.

Have all staff at Face Facts signed an Acceptable Use Agreement and are aware of their responsibilities regarding customer data protection?

We have an Access Control Policy which includes all elements of acceptable use. Alongside this all current & new staff undergo compulsory staff training on the following areas:  ISO27001 (covering all internal policies for Information security and HR).  We hold internal training sessions which are compulsory for all staff to attend, Acceptable Use and an Acceptable Use Agreement is part of this.

Data Retention & Deletion

How do Face Facts ensure customer paper records, physical media and computer equipment are destroyed securely or archived when they are no longer needed?

Face Facts have a Retention Policy which governs the length of time all classifications of data should be retained for and
how information in whatever form should be securely disposed of.

Are there procedures in place within your organisation detailing any data problems and / or breaches?

We have a Data Breach Policy which sets out the procedure to be followed to ensure a consistent and effective approach is in place for managing data breach and information security incidents across Face Facts. The Policy relates to all personal and sensitive data held by Face Facts regardless of the format and applies to all staff in the company.