
    Data Protection Policy and IT Best Practices.

    Native is a trading name of Go Native Ltd. This policy is effective from 24th May 2018.

    Native makes IT systems and internet access available to its employees where relevant and useful for their jobs, and staff frequently need to process personal data of stakeholders such as customers, suppliers and staff. This data protection and IT best practices policy describes the rules governing data management and IT use at the company, including acceptable, unacceptable and best practices for a variety of processing methods.

    This policy:

    – Reduces the IT security risks faced by Native
    – Lets staff know what they can and can’t do online or using systems
    – Ensures employees do not view inappropriate content at work
    – Helps the company satisfy its legal obligations regarding personal data management and internet use

     

    Policy scope

    This policy applies to all staff, contractors and volunteers at Native who use the company’s systems or internet for work or personal use. It applies no matter whether that access takes place on company premises, while travelling for business or while working from home. It applies to use of any device that is owned by the company, or that is connected to any company networks or systems. For example, it applies both to an employee using a computer and the internet at their desk, and to employees who connect their own smart devices to the company wireless network.

    The structure of this policy is as follows:
    1. Internet use policy
    2. Email use policy
    3. Telephony & fax policy
    4. Mobile device policy
    5. Password policy
    6. Data retention policy
    7. Personal and sensitive information policy
    8. Potential sanctions for not complying with this policy

     

    Your Responsibility

    It is the responsibility of Native staff members and contractors to ensure they comply with our IT policies and GDPR regulations. By following these best practices in relation to management of personal data and the other policies in this document, you will be fulfilling your obligation in this regard. By reading and accepting this policy on Octopus, you are acknowledging this policy and your obligation to abide by these guidelines.

    1. Internet use policy

    Native recognises that the internet is an integral part of carrying out tasks relevant to business needs. We therefore encourage employees to use the internet whenever such use supports the company’s goals and objectives and it is necessary for their role.

    1.1 Authorised users

    Only people who have been authorised to use the internet at Native may do so. It will typically be made clear when a new employee joins the company whether internet access will be required to carry out their role. Unauthorised use of the company’s internet connection is prohibited. Employees who use the internet without authorisation — or who provide access to unauthorised people — may have disciplinary action taken against them.

    1.2 Internet security

    Used unwisely, the internet can be a source of security problems that can do significant damage to the company’s data and reputation.
    – Users must not knowingly introduce any form of computer virus, Trojan, spyware or other malware into the company.
    – Employees must not gain access to websites or systems for which they do not have authorisation, either within the business or outside it.
    – Company data should only be uploaded to and shared via approved services. The IT department can advise on appropriate tools for sending and sharing large amounts of data.
    – Files should not be downloaded over the internet to the network unless from a secure and verified source.
    – Employees must not steal, use, or disclose someone else’s login or password without authorisation. Employees should not share login information for personal accounts under any circumstances.

    Staff members must always consider the security of the company’s systems and data when using the internet. If required, help and guidance is available from line managers and the company IT department.

    1.3 Inappropriate content and uses

    There are many sources of inappropriate content and materials available online. It is important for employees to understand that viewing or distributing inappropriate content is not acceptable under any circumstances.

    Users must not:

    – Take part in any activities on the internet that could bring the company into disrepute.
    – Create or transmit material that might be defamatory or incur liability for the company.
    – View, download, create or distribute any inappropriate content or material.
    – Use the internet for any illegal or criminal activities.
    – Send offensive or harassing material to others.
    – Broadcast unsolicited personal views on social, political, religious or other non-business related matters.
    – Send or post messages or material that could damage Native’s image or reputation.

    Inappropriate content includes: pornography, racial or religious slurs, gender-specific comments, information encouraging criminal skills or terrorism, or materials relating to cults, gambling and illegal drugs.

    This definition of inappropriate content or material also covers any text, images or other media that could reasonably offend someone on the basis of race, age, sex, religious or political beliefs, national origin, disability, sexual orientation, or any other characteristic protected by law.

    1.4 Copyright

    Native respects and operates within copyright laws. Users may not use the internet to:

    – Publish or share any copyrighted software, media or materials owned by third parties, unless permitted by that third party.
    – Download illegal copies of music, films, games or other software, whether via file sharing services or other technologies.

    Employees must not use the company’s equipment, software or internet connection to perform any tasks which may involve breach of copyright law.

    1.5 Personal internet use

    Native allows employees to use the internet for personal reasons, with the following stipulations:
    – Personal internet use should be of a reasonable level and restricted to non-work times, such as breaks and during lunch.
    – All rules described in this policy apply equally to personal internet use. For instance, inappropriate content is always inappropriate, no matter whether it is being accessed for business or personal reasons.
    – Personal internet use must not affect the internet service available to other people in the company. For instance, downloading large files or streaming media services over wifi could slow access for other employees and should be minimised.
    – Employees are responsible for any personal devices they wish to connect to the internet using Native’s systems and will need to ensure they are kept up to date and regularly scanned with anti-virus software to minimise the threat to business critical systems.

    1.6 Monitoring internet use

    Company IT and internet resources — including computers, smart phones and internet connections — are provided for legitimate business use. The company therefore reserves the right to monitor use of the internet, to examine systems and review the data stored in those systems. Any such examinations or monitoring will only be carried out by authorised staff. Additionally, all internet data written, sent or received through the company’s computer systems is part of official Native records. The company can be legally compelled to show that information to law enforcement agencies or other parties. Users should always ensure that the business information sent over or uploaded to the internet is accurate, appropriate, ethical, and legal.

     

    2. Email use policy

    Native recognises that email is a key communication tool for business. It encourages its employees to use email whenever appropriate. However, like any technology, email can cause difficulties if used incorrectly or inappropriately. This policy applies to all staff, contractors and volunteers at Native who use the company email system. It applies no matter where that email use takes place: on company premises, while travelling for business or while working from home. It applies to use of company email on any device, no matter whether owned by the company or employee. This policy also applies to other instant messaging and chat based systems that fulfil a similar function to email.

    2.1 Email security

    Users of the company email system must not:
    – Open any unexpected email attachments or links from any source, including both internal and frequent external business contacts, in case they contain malicious software.
    – Disable or try to work around security or email scanning software. These tools are essential to protect the business from security problems.
    – Send any confidential data via email. The IT department can advise on secure tools to use instead.
    – Access another user’s company email account. If they require access to a specific message (for instance, while an employee is off sick), they should approach their line manager or the IT department.

    Staff members must always consider the security of the company’s systems and data when using email. If required, help and guidance is available from line managers and the IT department. If an unexpected link or attachment is received, the sender should be contacted in the first instance (not by email, as this could be breached) to verify they were the source. The message should then be forwarded to the IT team to verify its legitimacy and scan for any potential malicious software.

    Users should also note that email is not inherently secure. Most emails transmitted over the internet are sent in plain text. This means they are vulnerable to interception. Although such interceptions are rare, it’s best to regard email as an open communication system, not suitable for confidential messages and sensitive personal information under any circumstances.

    2.2 Inappropriate email content and use

    The company email system must not be used to send or store inappropriate content or materials. It is important employees understand that viewing or distributing inappropriate content via email is not acceptable under any circumstances.

    Users must not:
    – Write or send emails that might be defamatory or incur liability for the company.
    – Create or distribute any inappropriate content or material via email.
    – Use email for any illegal or criminal activities.
    – Send offensive or harassing emails to others.
    – Send messages or material that could damage Native’s image or reputation.

    Any user who receives an email they consider to be inappropriate should report this to their line manager or supervisor.

    2.3 Personal use of email

    The company also recognises that email is an important tool in many people’s daily lives. As such, it allows employees to use their company email account for personal reasons, with the following stipulations:
    – Personal email use should be of a reasonable level and restricted to non-work times, such as breaks and during lunch.
    – All rules described in this policy apply equally to personal email use. For instance, inappropriate content is always inappropriate, no matter whether it is being sent or received for business or personal reasons.
    – Personal email use must not affect the email service available to other users. For instance, sending exceptionally large files by email could slow access for other employees.
    – Users may access their own personal email accounts at work, if they can do so via our internet connection. For instance, a staff member may check their Yahoo or Google Mail during their lunch break, but should not have it open during normal working hours unless for a valid reason.

    2.4 Email marketing and bulk email

    Native may use email to market to existing and potential customers. There is significant legislation covering bulk email and use of email for marketing, and GDPR regulations from May 2018 make the rules more stringent. All email campaigns must be authorised by the Marketing Director and implemented using the company’s email marketing tool. Users must not send bulk emails using the standard business email system. All questions about email marketing should be directed to the Marketing Director.

    2.5 Monitoring email use

    The company email system and software are provided for legitimate business use. The company therefore reserves the right to monitor employee use of email. Any such examinations or monitoring will only be carried out by authorised staff. Additionally, all emails sent or received through the company’s email system are part of official Native records. The company can be legally compelled to show that information to law enforcement agencies or other parties. Users should always ensure that the business information sent via email is accurate, appropriate, ethical, and legal.

     

    3. Telephony & Fax Policy

    Native recognises that telephone or fax use is a key communication tool for business. It encourages its employees to use telephony and fax whenever appropriate. However, like any technology, telephony or fax can cause difficulties if used incorrectly or inappropriately. This policy applies to all staff, contractors and volunteers at Native who use the company telephone, mobile or fax systems. It applies no matter where that telephone or fax use takes place: on company premises, while travelling for business or while working from home. It applies to use of company telephones or fax machines on any device, no matter whether owned by the company or employee. Extra security guidelines related specifically to mobile use can be seen in the Mobile device policy below.

    3.1 Telephone and fax security

    Users of the company telephone or fax system must not:
    – Send or convey any confidential data via telephone calls or fax. The IT department can advise on secure tools to use instead.
    – Access another user’s company telephone account. If they require access to a specific mailbox (for instance, while an employee is off sick), they should approach their line manager or the IT department.

    Staff members must always consider the security of the company’s systems and data when using telephony and fax. If required, help and guidance is available from line managers and the IT department.

    Users should also note that telephony and fax services are not inherently secure. They are vulnerable to interception. Although such interceptions are rare, it’s best to regard telephony and fax services as an open communication system, not suitable for confidential messages and sensitive personal information under any circumstances.

    3.2 Inappropriate telephone and fax content and use

    The company telephony and fax systems must not be used to send or store inappropriate content or materials. It is important employees understand that viewing or distributing inappropriate content via telephony or fax is not acceptable under any circumstances.

    Users must not:
    – Make phone calls or send faxes that might be defamatory or incur liability for the company.
    – Create or distribute any inappropriate content or material via telephone or fax.
    – Use telephone or fax for any illegal or criminal activities.
    – Make or send offensive or harassing telephone calls or faxes to others.
    – Send messages or material that could damage Native’s image or reputation.
    – Make premium rate or international calls unless for legitimate business purposes and pre-authorised by their line manager.
    – Incur data charges for anything other than legitimate business use where it is absolutely necessary to do so and when there is no wifi network available.

    Any user who receives a telephone call or fax they consider to be inappropriate should report this to their line manager or supervisor.

    3.3 Personal use of fax and telephones

    The company recognises that telephone calls and (occasionally!) fax transmissions are an important tool in many people’s lives. As such, it allows employees to use their company telephone and fax account for personal reasons, with the following stipulations:
    – Personal telephone or fax use should be kept to a bare minimum and should not impact the ability of stakeholders to make incoming calls to a user or team. By default, any personal calls should be carried out on the user’s personal mobile telephone during breaks or lunchtime.
    – All rules described in this policy apply equally to personal telephone and fax use. For instance, inappropriate content is always inappropriate, no matter whether it is being sent or received for business or personal reasons.
    – Personal telephone or fax use must not affect the telephone or fax service available to other users. For instance, using an incoming or outgoing line for personal reasons could prevent use of a line for business purposes, so should not be done unless absolutely necessary.

    3.4 Monitoring telephone and fax use

    The company telephone and fax systems and software are provided for legitimate business use. The company therefore reserves the right to monitor employee use of telephones and faxes. Any such examinations or monitoring will only be carried out by authorised staff. Additionally, all telephone calls and faxes sent or received through the company’s systems are part of official Native records. The company can be legally compelled to show that information to law enforcement agencies or other parties. Users should always ensure that the business information sent via telephone or fax services is accurate, appropriate, ethical, and legal.

     

    4. Mobile device policy

    All Native supplied mobile devices and their contents remain the property of the organisation and are subject to regular audit and monitoring. These devices should only be connected to a laptop or desktop that has been approved for use at Native.

    Users must be aware that the device contains Native data, and take appropriate action to protect the device from being lost or stolen.

    Only devices which have been built to Native standards and/or from approved suppliers should be attached to the Native data network, either directly or through a Native (owned or leased) PC or laptop. This should ensure that appropriate security controls have been built into the implementation. Once received, the user is not authorised to change any security device settings without reference to the IT Support team, as they may affect the security of the device, or stop it functioning with the supplied service (this does not apply to resetting the PIN).

    In certain business situations there is a need to attach non-Native owned devices. Approved devices will only connect to the Native network once the user has sought approval from IT Support and they have been issued with the instructions and necessary setup credentials. Devices eligible for this dispensation are limited to smartphones or PDAs that are currently on the Native authorised hardware list. The Business Systems Director must have pre-agreed that personal equipment attachment is appropriate for the area concerned. These devices must have their security settings (passwords etc.) configured as per the requirements detailed in this document.

    If a Native owned device is lost or stolen, then the IT Support team should be contacted as a matter of urgency, so that the Native data network can be protected from the device. You must also inform IT Support immediately in the event that a personal device is lost/stolen which has the Native email account set up or any access to the Remote Desktop. Only applications provided with the device, or provided/approved by the Business Systems Director can be run. For further information on permitted applications please speak to the IT Support team.

    If the information you carry has been classified as confidential, then this information should not be carried on mobile devices unless it is encrypted (where this facility is available on the device; where it is not, the user must consider carefully before allowing it to be stored on the device). Blackberries will potentially receive confidential information via e-mail; this is recognised and permitted by dispensation until an encrypted solution is available.

    4.1 Authorised Device and controls table

    Please ensure that your devices are configured as per below:
    Approved Device & Security Requirement

    – Blackberry – The security settings will be configured prior to you being issued with the Blackberry. This will be undertaken by the IT Support Team.
    You are required to set an Alphanumeric password and to keep the device locked when not in use.

    – Mobile phone – The security settings will be configured prior to you being issued with the Phone, for all Native-issued devices. For both Native-issued and Native-approved devices a PIN must be in place on the phone and the phone kept locked when not in use.

    – PDA/Tablet – The security settings will be configured prior to you being issued with the Phone, for all Native-issued devices. For both Native-issued and Native-approved devices a PIN must be in place on the PDA/Tablet and the device kept locked when not in use.

    For advice on any devices not listed here, please speak to the IT Support Team.

    4.2 What you can’t do

    No changes to the security settings or configuration of any approved device can be made without prior authorisation from IT Support.

    Never attempt to use an unapproved device, via any method of communication, with any IT equipment that belongs to Native.

    Personal mobile phones with cameras and personal digital cameras are permitted in the office but must not be used to collect and store data that belongs to Native.

    4.3 Specific Rules

    4.3.1 Specific points on the use of Blackberry devices.
    – The pin-2-pin option is not permitted from or to Native owned or operated devices.
    – The Blackberry web client is configured to use the Native internet provision, so is permitted.
    – Native Blackberry devices should not be attached to non-Native owned laptops or desktop PCs.

    4.3.2 Specific points on the use of Camera Phones.
    – Phones enabled with cameras should primarily be used for taking business related pictures.
    – However, some limited personal use is allowed, but storage must not interfere with Native Business use.
    – Inappropriate content prohibition applies to mobile phones as it does other forms of communication.
    – Information should be downloaded to a secure device (Native Laptop for example) and removed from the phone at the user’s earliest opportunity.
    – Privacy: only take pictures of individuals with their permission to do so, or follow current policy where this is impractical.

    4.3.3 Specific points on the use of Bluetooth enabled devices.
    – Bluetooth must only be used for accessing passive devices, such as hands free kits.
    – Bluetooth cannot be used to communicate with a device directly connected to the Native data network (unless through a Native owned or leased PC).
    – Bluetooth connections must be accepted from other devices with care. Ensure the recipient is known and agree connection security criteria in advance.
    – Never run a Native device in broadcast mode; various viruses and other schemes are prevalent whilst in this mode.

    4.3.4 Specific points on the use of Infrared enabled devices.
    – Infrared must only be used for accessing passive devices; no sync should be performed using the interface (unless through a Native owned or leased PC).
    – Infrared cannot be used to communicate with other devices, and should be turned off.
    – No Native data can be sent to other devices (including Native owned ones) using the Infrared protocol.

    4.3.5 Specific points on the use of non-Native devices.
    – Only devices currently supported as purchased Native devices are supported. If the device requires special software to be incorporated onto the desktop, this is not allowed.
    – Permission to attach non-Native devices is arranged in advance by job function and division through the Business Systems Director.

     

    5. Password policy

    Passwords should never be stored, shared or communicated in plain text (Excel spreadsheets, text documents (whether in electronic or paper format), email messages etc.) or shared via the telephone.

    Whenever a default password is issued to a user to gain initial access to a system, this password must be updated to a new, private password by the user as soon as possible.

    Native IT will be encouraging all members of staff to familiarise themselves with and start utilising KeePass (a password management software available on our network). This can be used by both teams and individuals to safely store multiple different complex passwords without having to remember them.
    Similarly, Native are also rolling out the use of Duo 2 Factor authentication to protect sign ins to terminal servers by requiring mobile devices to be used as an additional method to verify the identity of the user.

    When a member of staff leaves Native with or without notice, the IT Support team must be notified as soon as possible so that access to our network and wider systems is prevented. It is the line manager’s responsibility to ensure this process is adhered to.

    Native recommend the utilisation of strong passwords, along with not repeating the same password with small/incremental variations across systems or upon passwords expiring. The mandatory Password policy states that the same password cannot be repeated (the system remembers previous passwords used), the minimum length must be 7 characters, and the password must not contain part of the user’s name (no more than 2 consecutive characters) and must contain three of the following four categories: English upper case characters, English lower case characters, digits between 0 – 9 and non-alphabetic characters such as “!, $, #, %”. Passwords should be changed at least every 3 months. This will be enforced for your terminal server account after 90 days, but you should endeavour to update your iGNite password and any other systems you have access to with the same regularity.

    A tip for thinking up a strong password is to choose 3 random and non-related words and swap some of the letters with other characters, such as M3chan1cPurp!eEnvel0pe!. It is estimated it would take someone with malicious tools 19 septillion years to crack, whereas JzA30kT?! using the same technology would take an estimated 53 years. This still seems a long time, but taking into account advances in technology this is likely to be much less in the near future. You can check the integrity of your own password by visiting https://howsecureismypassword.net/. It’s important to note that, while not relevant in this case (as the website does not transmit information and is recommended by information security researchers), you should never enter your password or other personal information into a website unless 100% certain you’re accessing the company’s legitimate sign-in form.

     

    6. Data Retention policy

    It is a user’s responsibility to ensure that they comply with Native’s Data Retention policy, which can be viewed here: https://www.nativeplaces.com/data-retention-policy/. This policy is important to ensure data levels are controlled and files or emails for which there is no business reason to maintain are disposed of or archived within appropriate timeframes.

     

    7. Personal and sensitive information policy

    In May 2018 the GDPR (General Data Protection Regulation) came into force across the EU to govern the rules surrounding businesses collecting, storing and processing personal data such as the below:
    Person’s Name, Gender, Occupation, Visa, Race & Ethnicity, Child Status, Title, Age, Personnel ID, Bank Account Details, Religious Beliefs, Credit Scores, Home Address, Date of Birth, Salary, Payment Card Details, Political Opinions, Account Debt, Work Address, Place of Birth, Employment History, National Insurance No, Biometric Data, IP Address, Personal Email Address, Nationality, References, CV, Contract, Cookies (online identifiers), Personal Tel No, Country of Origin, Passport, Health Conditions, Physical Characteristics, Social Media Posts, Work Tel No, Employer ID, Sexual Orientation, Marital Status, Photos or documents that relate to any of the points.

    The regulations sought to safeguard personal data to ensure it was processed only when a business had legitimate business reasons to do so, was securely stored, was kept accurate and up to date, was disposed of when no longer required, was only shared when the data subject had given permission to do so, was transparent to the data subject so they knew what data was held, and to ensure marketing activities only took place when the data subject had given consent to be marketed to.
    Further details of what data Native processes and the obligations we have as a data processor can be viewed in the Native Privacy Policy which is available here: https://www.nativeplaces.com/privacy-policy/
    Due to the nature of our business some Native staff will have to process personal or sensitive information at times, so you should carefully read the below guidelines so you understand your obligations in this regard.

    7.1 Processing personal and sensitive data guidelines
    – Do not store personal information in files (whether electronic or paper form) or emails unless there is a legitimate and documented business reason to do so.

    – Access to any file or email containing personal information must be restricted to only personnel whose role requires them to have access. Secure folders restricted to certain users or groups of users can be set up by IT upon request.

    – Personal information should be entered directly into a secure password protected system such as iGNite or Sun and any file containing the same information deleted or securely filed.

    – Teams who work with verified third party suppliers who have confirmed their GDPR compliance are permitted to pass personal information to those companies providing there is a valid business reason to do so, the recipient business are GDPR compliant and the means of transport are in line with Native’s privacy and data protection policies.

    – Any credit card or payment information received should only be kept long enough to enter into a secure password protected system such as iGNite or Sun and then any unsecured physical or digital copies such as email attachments should be disposed of in line with the data retention policy and this policy.

    – Scans of identification documents such as passports, driving licences or ID cards must be stored in a secure password protected location restricted to only those users who need access.

    – If there is no legitimate and documented reason to share data with a third party, it is strictly forbidden to make any copies of or transfer any kind of information identifiable as being related to a customer, employee, contractor or supplier outside of Native without the consent of the data subject in writing or by contract.

    – Do not give out confidential personal information except to the data subject themselves and only if it has been verified it is them you are communicating with.

    – Be aware that those seeking information sometimes use deception in order to gain access to it. Always verify the identity of the data subject and the legitimacy of the request, particularly before releasing personal information by telephone or email.

    – Where possible, only transmit personal information between locations by fax or e-mail if a secure network is in place, for example, a confidential fax machine, or encryption is used for e-mail.

    – Do not print a hard copy of a file or image containing personal information unless there is a legitimate business reason to do so. Never leave printed documents containing personal information unattended on a printer.

    – Whenever possible, do not share or issue personal data by post, fax, email or telephone as these are not secure mediums; password protected systems with security certificates and policies in place to control data transfers are the preferred medium.

    – Ensure you comply with the Native password policy.

    – If you receive a request for personal information about another employee, you should forward this to The Data Protection Officer dataprotection@nativeplaces.com who will be responsible for dealing with such requests.

    – Ensure any personal data you hold is kept securely, either in a locked filing cabinet or, if computerised, it is password protected.

    – Transfer of personal or sensitive data outside the EU is forbidden unless approval has first been granted by The Data Protection Officer dataprotection@nativeplaces.com who will be responsible for dealing with such requests. It will be necessary for checks to be done to verify the third party can be compliant with the principles of the GDPR regulations despite not being based in the EU before permission is given to use the supplier for data processing activities.

    – Ensure documents are disposed of in line with the Native data retention policy.

    – Compliance with the Act is your responsibility. If you have any questions or concerns about the interpretation of these rules, take this up with the Data Protection Officer.

     

    8. Potential sanctions for not complying with this policy

    Knowingly breaching any of these policies is a serious matter. Users who do so could be subject to disciplinary action, up to and including termination of employment. Employees, contractors and other users may also be held personally liable for violating this policy. Where appropriate, the company will involve the police or other law enforcement agencies in relation to breaches of this policy.

     

    9. Data or policy breach declaration

    If you become aware of a data breach where personal data has been processed in a manner in contravention of this policy (either because it is you that has been involved with the breach directly or because you have become aware of it by another means), please send details by email to dataprotection@nativeplaces.com with date, time, user, data subject and description of the breach. Native has an obligation to report data breaches to the data subject and the Information Commissioner’s Office (https://ico.org.uk), so it’s important that we are aware of breaches and can put training or further guidance in place to prevent them reoccurring.
