Bribery Act 2010 Anti-bribery policy
Top Level Commitment
The Managing Director is committed to ensuring that the business of TDL-Creative is conducted without bribery and will not tolerate active, passive, or any other form of bribery by any employee in carrying out activities on behalf of the Company. TDL-Creative has appointed the Managing Director to be responsible for overseeing the anti-bribery policy and actions.
The Company has proportionate procedures in place to reduce the risk of bribery through existing controls over company expenditure and accounting. A system of authorised signatories and expenditure limits is in place, and constantly reviewed by the Managing Director.
The Company understands the risks of it’s clients asking for confidential information on work carried out for competitive businesses.
Due diligence will be undertaken on persons who will perform services for the Company or on its behalf, for example a freelancer. It is considered the risk of bribery being committed by such person is low and that such persons are likely to be genuine and can be trusted to do the Company’s business without bribing.
The Company’s Anti-Bribery Policy will be communicated to all employees and to those who perform services for the Company. Members of staff with purchasing authority will be given additional information regarding anti-bribery measures that are proportionate to their seniority, level of purchasing authority, and role within the Company.
Genuine hospitality or similar business expenditure that is reasonable and proportionate is acceptable. Invitations and/or acceptances to attend sporting events or other hospitality, may be extended or accepted as a reflection of good relations, provided such activity is demonstrably reasonable and proportionate to support the activities of the Company.
Monitoring and Review
The anti-bribery policy will be reviewed by the Managing Director at regular intervals to ensure the risks faced and the effectiveness of the anti-bribery policy and procedures keep pace with any changes in the bribery risks faced by the Company.
Cyber Security Policy
The impact of a cyber breach or attack can be huge; vast amounts of time could be lost through having to fix IT systems, the potential loss of customers as a direct result of the inevitable downtime, damage to your reputation and all the other potential consequences of a hacker getting their hands on the company’s data.
The threat is very real with one in four businesses having detected a cyber breach in 2016 (Cyber Security Breaches Survey 2016, Department for Culture, Media and Sports).
This policy details the steps that TDL-Creative has taken to protect itself from cyber attacks and we need your co-operation in order to maintain this protection.
This policy interlinks with the following sections in the Employee Handbook; Computers and Electronic Communications, Data Protection and Mobile and Office Telephones.
The purpose and objective of this policy is to therefore protect the company’s information assets from all cyber threats whether deliberate or accidental to ensure business continuity and minimise any potential disruption caused.
The directors have approved this policy and it should be adhered to by all staff.
The policy covers all laptops, computers, mobile phones, and all other hardware/software which is used by TDL-Creative and its staff in the course of its business. Failure to adhere to this policy will result in disciplinary action.
This policy includes detail on each of the following points from page 2 onwards.
- All passwords used should be ‘strong’ passwords
- Hardware & software must be approved for use by the directors with TDL’s systems and applications before use
- Administrative access to the company hardware, software and IT infrastructure is restricted
- All firewalls (both hardware and software) are to remain switched on at all times
- Cloud-based Data Storage
- User account creation/deletion procedure
- Following initial training during staff induction, the policy will be reviewed with staff every 6 months at the company meetings and a refresh of the current risks presented by a potential cyber attack
This policy has been issued and is maintained by Sarah Mason, Design Project Manager. If you have any issues or queries in relation to this policy, please let her know immediately.
Never write down passwords or store them on or near devices with labels or sticky notes. They should also never be sent over email as this is not secure.
The passwords used and created should be ‘strong’ passwords. This is particularly important for laptop passwords. All passwords will be stored securely and accessed by management only. A ‘strong’ password should meet or exceed the following:
- Contain at least 12 alphanumeric characters.
- Contain both upper and lower case letters.
- Contain at least one number (for example, 0-9).
- Contain at least one special character (for example,!$%^&*()_+|~).
You will be provided with passwords that have been generated by management, but if you need to update your passwords quickly in case of a breach of security, you should try to create ‘strong’ passwords that you can remember easily. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase, “This May Be One Way To Remember” could become the password TmB1w2R! or another variation.
The above applies to your machine passwords along with your email (office365) passwords.
Any passwords you set should also be changed every 12 months.
An automatic reminder will be set to ensure you are prompted to make this change. Passwords should also be changed if a member of staff leaves or promptly changed if the team member knows or suspects they have been compromised.
Passwords which are ‘weak’ should not be used. These would have the following characteristics:
- Contain less than eight characters.
- Can be found in a dictionary, including foreign language, or exist in a language slang, dialect, or jargon.
- Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, and fantasy characters.
- Contain work-related information such as building names, system commands, sites, companies, hardware, or software.
- Contain number patterns such as aaabbb, qwerty, zyxwvuts, or 123321.
- Contain common words spelled backward, or preceded or followed by a number (for example, terces, secret1 or 1secret).
- Are some version of “Welcome123” “Password123” “Changeme123”.
- Or if the password has been used for another login either at home or at work
2. IT Hardware & Software
Only IT hardware/software authorised by use by the director may be used in conjunction with TDL Creative’s business activities. This includes the use of any personal laptops, desktops, tablets and mobile phones unless express authority has been granted.
Software or firmware updates are installed promptly by administrators with high-risk or critical security updates for operating systems and firmware installed within 14 days of release. This policy applies to the company’s Mac and Windows systems. All software currently in use is in support with the suppliers providing regular fixes and high-risk or critical security updates for applications (including any associated files and any plugins such as Adobe Flash). Before new software is commissioned for use, an assessment is carried out to ensure that they will not pose any cyber risks to the company.
Applications can only be purchased and installed by an administrator following approval by the directors.
A list of the current authorised and used software (and versions) is maintained by Sarah Mason, Design Project Manager. This list is attached at Appendix A. If software is required for TDL-Creative related work permission must be granted by Oliver Tomlinson. Any applications not available through the Apple App Store are unlikely to be approved unless there is a strong business case to do so and security checks have been completed.
In an emergency situation, if software is required to open a client document whilst working out of hours, and it has not been possible to contact Oliver Tomlinson to seek permission for the install you MUST ensure contact is made immediately the next day so any risk of security breach can be assessed. The machine shouldn’t be plugged or connected to the office network until an assessment has been made of the software that was used in an emergency.
Software accounts used by TDL-Creative must NOT be installed on personal laptops or mobile phones.
3. Administrative Access
Administrative access for all equipment and software is controlled by the directors.
It is not acceptable to work in admin mode day-to-day so separate administrator logins have been created. The administrator accounts should only be used when installing software or making configuration changes. Use of the internet or emails is not allowed whilst in an administration account apart from downloading hardware or software updates for approved software.
A register of administrators is held and attached at Appendix B. This is reviewed annually. If new administrator accounts are required these can only be set up by the director.
All computers and laptops have software firewalls installed and enabled. These should not be disabled by staff under any circumstances.
All routers with direct internet access have firewalls enabled and the login details have been changed from their default settings. A list of staff who have access to these logins is maintained and the passwords changed in the event of any staff leaving or a breach detected.
Whilst working remotely free wifi is NOT to be used, this includes in hotel and coffee shop wifi. Access to secured wifi networks provided by clients on their sites is acceptable.
Mobile internet dongles or similar hardware can be provided for remote working.
5. Cloud-based Data Storage
TDL-Creative currently uses and has approved for use ‘Dropbox for Business’. All files on DropBox are encrypted and kept on secure storage servers in the USA. Dropbox complies with the EU-U.S. and Swiss–U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the European Economic Area, and Switzerland to the United States. Adhering to the Privacy Shield Principles ensures that an organization provides adequate privacy protection under the EU data protection directive.
A list of individuals which have sole and exclusive access to the administrator accounts for Dropbox are held by the directors and reviewed regularly.
No other cloud-based storage offerings should be used without a request in writing from the client and prior approval from the director.
6. User Account Creation/Deletion procedure
All new team/user accounts are created by an administrator. Accounts will be set up providing access rights that match the job role. Overall access to all systems, software and applications is not acceptable.
When a member of the team leaves their account (both local Dropbox for Business and Office 365) will be disabled that day to prevent any unauthorised access.
7. Team Training
After initial training during induction, the team will receive a refresher session every 6 months at the company meeting to ensure they are aware of the risks of a cyber attack and the precautions we expect them to take when using systems, software and applications.
Modern slavery and Human trafficking Policy
Slavery and human trafficking are significant human rights issues. TDL-Creative are committed to taking appropriate steps to mitigate against the risk of these occurring both within our business and our supply chain. As such, we require that all of our partners, employees and associates hold a similar ethos. The objective of this policy is to outline how we will address this risk.
The directors have approved this policy and it should be adhered to by all staff.
The areas in which our business could be affected by slavery and human trafficking are our directly hired employees and our partners working on our behalf or with us. To mitigate these risks the following steps in each of the areas should be undertaken:
- We verify that all employees have the right to work in the UK upon commencement of their employment.
- We make all employees aware of their working hours, leave and absence entitlements and other employment benefits via the Employee Handbook.
- We prohibit the use of forced labour in our Code of Conduct, as part of our employee handbook, and training on modern slavery is made available to employees.
- We aim to only engage Partners that are listed on our Preferred Partners List.
- We require all Partners to a) ensure their workers have the right to work in the UK b) confirm that they do not charge workers a work finding fee and c) to have procedures in place to minimise the risk of recruiting forced or compulsory labour.
Our whistleblowing procedure (defined as Public Interest Disclosure within the Staff Handbook) allows any employee or third party to confidentially raise a concern.
This statement will be reviewed and updated as necessary. Accountability for compliance with this statement rests with the Directors.
TDL-Creative cares about your privacy. For this reason, we collect and use personal data only as it might be needed for us to deliver to you our services. Your personal data includes information such as:
- Telephone number
- Date of birth
- Email address
- Other data collected that could directly or indirectly identify you.
This document refers to personal data, which is defined as information concerning any living person (a natural person who hereafter will be called the Data Subject) that is not already in the public domain.
The General Data Protection Regulation (GDPR) seeks to protect and enhance the rights of data subjects. These rights cover the safeguarding of personal data, protection against the unlawful processing of personal data and the unrestricted movement of personal data within the EU. It should be noted that GDPR does not apply to information already in the public domain.
Tomlinson Designs Limited (t/a TDL-Creative) uses the information collected from you to provide quotations, make telephone contact and to email you marketing information which TDL-Creative believes may be of interest to you and your business. In you making initial contact you consent to TDL-Creative maintaining a marketing dialogue with you until you either opt out (which you can do at any stage) or we decide to desist in promoting our services. TDL-Creative also acts on behalf of its clients in the capacity of data processor. When working exclusively as a data processor, TDL-Creative will be acting on the instruction of its client and will take the reasonable necessary steps to ensure that the client is fully GDPR compliant.
Some personal data may be collected about you from the forms and surveys you complete, from records of our correspondence and phone calls and details of your visits to our website, including but not limited to personally identifying information like Internet Protocol (IP) addresses. TDL-Creative may from time to time use such information to identify its visitors. TDL-Creative may also collect statistics about the behavior of visitors to its website.
Any information TDL-Creative holds about you and your business encompasses all the details we hold about you and any sales transactions including any third-party information we have obtained about you from public sources and our own suppliers such as credit referencing agencies.
TDL-Creative will only collect the information needed so that it can provide you with marketing and consulting services, we will not sell or broker your data.
Legal basis for processing any personal data
To meet TDL-Creative’s contractual obligations to clients and to also respond to marketing enquiries.
Legitimate interests pursued by TDL-Creative and/or its clients.
To promote the marketing and consulting services offered by TDL-Creative and/or to market the services and/or products offered by TDL-Creative’s existing clients.
Through agreeing to this privacy notice you are consenting to TDL-Creative processing your personal data for the purposes outlined. You can withdraw consent at any time by emailing firstname.lastname@example.org or writing to us, see last section for full contact details.
TDL-Creative may on occasions pass your Personal Information to third parties exclusively to process work on its behalf. TDL-Creative requires these parties to agree to process this information based on our instructions and requirements consistent with this Privacy Notice and the GDPR.
TDL-Creative do not broker or pass on information gained from your engagement with the agency without your consent. However, TDL-Creative may disclose your Personal Information to meet legal obligations, regulations or valid governmental request. We may also enforce its Terms and Conditions, including investigating potential violations of its Terms and Conditions to detect, prevent or mitigate fraud or security or technical issues; or to protect against imminent harm to the rights, property or safety of TDL-Creative, its clients and/or the wider community.
TDL-Creative will process personal data during the duration of any contract and will continue to store only the personal data needed for [five years] after the contract has expired to meet any legal obligations. After five years any personal data not needed will be deleted.
All the personal data we process is processed by our staff in the UK however for the purposes of IT hosting and maintenance this information is located on servers within the EEA. Unless required by law, we will not disclose your data to third parties.
Your rights as a data subject
At any point whilst TDL-Creative is in possession of or processing your personal data, all data subjects have the following rights:
- Right of access – you have the right to request a copy of the information that we hold about you.
- Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
- Right to be forgotten – in certain circumstances you can ask for the data we hold about you to be erased from our records.
- Right to restriction of processing – where certain conditions apply you have a right to restrict the processing.
- Right of portability – you have the right to have the data we hold about you transferred to another organisation.
- Right to object – you have the right to object to certain types of processing such as direct marketing.
- Right to object to automated processing, including profiling – you also have the right not to be subject to the legal effects of automated processing or profiling.
In the event that TDL-Creative refuses your request under rights of access, we will provide you with a reason as to why, which you have the right to legally challenge.
TDL-Creative at your request can confirm what information it holds about you and how it is processed
You can request the following information:
- Identity and the contact details of the person or organisation (TDL-Creative) that has determined how and why to process your data.
- Contact details of the data protection officer, where applicable.
- The purpose of the processing as well as the legal basis for processing.
- If the processing is based on the legitimate interests of TDL-Creative or a third party such as one of its clients, information about those interests.
- The categories of personal data collected, stored and processed.
- Recipient(s) or categories of recipients that the data is/will be disclosed to.
- How long the data will be stored.
- Details of your rights to correct, erase, restrict or object to such processing.
- Information about your right to withdraw consent at any time.
- How to lodge a complaint with the supervisory authority (Data Protection Regulator).
- Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
- The source of personal data if it wasn’t collected directly from you.
- Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.
To access what personal data is held, identification will be required
TDL-Creative will accept the following forms of ID when information on your personal data is requested: a copy of your national ID card, driving license, passport, birth certificate and a utility bill not older than three months. A minimum of one piece of photographic ID listed above and a supporting document is required. If TDL-Creative is dissatisfied with the quality, further information may be sought before personal data can be released.
All requests should be made to email@example.com or by phoning 020 3637 9961 or writing to us at the address further below.
In the event that you wish to make a compliant about how your personal data is being processed by TDL-Creative or its partners, you have the right to complain to TDL-Creative’s [CEO]. If you do not get a response within 30 days, you can complain to the Data Protection Regulator.
The details for each of these contacts are:
Tomlinson Designs Limited (t/a TDL-Creative), for the attention of Oliver Tomlinson
St John’s Studios
32A Larkfield Road
Telephone 020 3637 9961 or email firstname.lastname@example.org
Data Protection Regulator:
Information Commissioner’s Office
Telephone 0303 123 1113 or complete a form at: