Information Security Policy
1. Introduction
This information security policy is a key component of Songstall’s overall information security management. It incorporates Songstall’s handling of personal data, protection of that data, security of the systems and staff procedures.
Songstall is committed to safeguarding your personal information. Whenever you provide such information, we are legally obliged to use your information in line with all laws concerning the protection of personal information, including the Data Protection Act 1998.
Some areas of the Songstall System may contain hyperlinks to websites owned and operated by third parties. These third party websites have their own privacy policies, including cookies, and we urge you to review them. They will govern the use of personal information you submit or are collected by cookies whilst visiting these websites. We do not accept any responsibility or liability for the privacy practices of such third party websites and your use of such websites is at your own risk.
2. Objectives, Aim and Scope
2.1. Objectives
The objectives of Songstall’s Information Security Policy are to preserve:
•Confidentiality - Access to Data shall be confined to those with appropriate authority.
•Integrity – Information shall be complete and accurate. All systems, assets and networks shall operate correctly, according to specification.
•Availability - Information shall be available and delivered to the right person, at the time when it is needed.
2.2. Policy aim
The aim of this policy is to establish and maintain the security and confidentiality of information, information systems, applications and networks owned or held by Songstall by:
•Ensuring that all members of staff are aware of and fully comply with the relevant legislation as described in this policy.
•Describing the principals of security and explaining how they shall be implemented in the organisation.
•Introducing a consistent approach to security, ensuring that all members of staff fully understand their own responsibilities.
•Protecting information assets under the control of the organisation.
2.3. Scope
This policy applies to all information, information systems, networks, applications, locations and employees of Songstall or supplied under contract to it.
2.4. Responsibilities for Information Security
2.5. Ultimate responsibility for information security rests with the Directors of Songstall, and, as Songstall is a small company, on a day-to-day basis the Directors shall be responsible for managing and implementing the policy and related procedures.
2.6. All staff shall comply with information security procedures including the maintenance of data confidentiality and data integrity.
2.7. Each member of staff shall be responsible for the operational security of the information systems they use.
3. Legislation
3.1. Songstall is obliged to abide by all relevant UK and European Union legislation. The requirement to comply with this legislation shall be devolved to employees and agents of the Songstall, who may be held personally accountable for any breaches of information security for which they may be held responsible. Songstall shall comply with the following legislation and other legislation as appropriate:
•The Data Protection Act (1998)
•The Data Protection (Processing of Sensitive Personal Data) Order 2000.
•The Copyright, Designs and Patents Act (1988)
•The Computer Misuse Act (1990)
•The Health and Safety at Work Act (1974)
•Human Rights Act (1998)
•Regulation of Investigatory Powers Act 2000
•Freedom of Information Act 2000
4. Policy Framework
4.1. Access Controls
Only authorised personnel who have a justified and approved business need shall be given access to restricted areas containing information systems or stored data.
4.2. Equipment Security
In order to minimise loss of, or damage to, all assets, equipment shall be physically protected from threats and environmental hazards.
4.3. Information security events and weaknesses .
All information security events and suspected weaknesses are to be noted. All information security events shall be investigated to establish their cause and impacts with a view to avoiding similar events.
4.4. Protection from Malicious Software
The organisation shall use software countermeasures and management procedures to protect itself against the threat of malicious software. All staff shall be expected to co-operate fully with this policy.
4.5. Monitoring System Access and Use
An audit trail of system access and data use by staff shall be maintained.
4.6. Business Continuity and Disaster Recovery Plans
The organisation shall ensure that business continuity and disaster recovery plans are produced for all mission critical information, applications, systems and networks.
5. Privacy
Songstall will only collect information necessary to provide the Songstall service. This includes name and contact information for both artists and customers. Songstall does not collect financial information from Customers, as Paypal operates the payment collection aspects of the Songstall system.
Songstall will not pass any personal information to any third party at any time without prior permission.
Songstall may contact you for the following reasons:
•in relation to the functioning of any service you have signed up for in order to ensure that Songstall can deliver the services to you;
•where you have opted to receive further correspondence;
•in relation to any content you have uploaded to an Artist profile;
•for marketing purposes where you have specifically agreed to this
We will keep your information confidential except where disclosure is required by law (for example to government bodies and law enforcement agencies) .
We will hold your personal information on our systems for as long as is necessary for the service you have signed up for. After this period, we will continue to hold data for as long as it is required for tax and records purposes. After the cancellation of any account, we will not use the data for any business or marketing purpose other than for tax and records purposes.
October 2009