GHE Solar Ltd have created this document to ensure the security, confidentiality,
integrity and the protection of all data internal or external related to GHE Solar Ltd.

1 Relevant Parties

• Employees

• Contractors

• Vendors

• Partner agencies

• Anyone that may come into contact with data

2 Induction and on-boarding

Inductions or on-boarding in the case of sub-contractors will be required for all personnel prior to any work being carried out. The induction will consist of the employee reading all relevant documents, including the employee handbook, the GDPR compliance statement, this document and any other relevant documentation. Data and system access will be strictly forbidden to any personnel until such time of induction. The employee handbook and employee handbook sign off sheet. Where applicable background checks and employee references must be taken. At induction it will be made clear the importance of data protection and the possible repercussions of not abiding by the rules set out in this document. All personnel that will engage in sensitive data will be made to sign confidentially agreements (document CAT/01-v1) and Non-disclosure. On induction personnel will be given the appropriate training and kept up to date with relevant changes via GHE’s intranet Slack.

3 IT equipment All new IT or software must be set up by IT professionals. This will ensure that software is set up in the correct fashion to begin with. i.e. Malware, antivirus

All equipment that is brought and installed must at least have the following where applicable:-

• Malware

• Anti-virus

• Firewalls

• Username and Password protection

• Email security

The software must be from an established vendor with consistent results in recognising and removing all types of malware. All updates must be installed as soon as they are available. To protect systems from malware, users must not: Install software from any external source including the internet, CD / DVD-ROMs, USB memory sticks, etc on their workstation.

All software must be approved and installed by the relevant IT specialist.

Any data sent via database software i.e. excel or CSV files must be encrypted.
Separate emails will be sent with the encryption code.

Independent Passwords will be changed on a periodic basis.

4 Capacity

Quarterly monitoring must take place of the systems to ensure there is adequate power and data storage. This also applies to key system resources such as:- Domain/Network infrastructure devices and equipment E-mail/web servers File/storage servers Printers

5 System Acceptance

Changes must be notified to the correct department immediately and all others
notified at a minimum quarterly meetings.

6 Controls against Mobile Code

Mobile code is often found in web pages including:

• ActiveX

• Java

• JavaScript

Certain websites rely on the use of these scripts which either run automatically or via
user interaction with the site. GHE will do what it can to protect users and
computers by blocking connections and/or scripts to known ‘bad’ or harmful websites.

7 Back-ups

Regular backups of information, data and ICT systems configuration are carried out
on a daily basis, but must be done at least once a week.

To ensure all information and data is backed up, all employees must store their work
on the network drive and not stored locally.

All 3rd party software and servers must also have secure backup routines.

8 Restores

Regular restores of information from backup media must be carried out and tested
to ensure the reliability of the backup media and restore process.

9 Media Handling

GHE Solar has a one administrator social media account holder rule. That person is
the only one allowed to post anything to social media sites. If the administrator
wishes for another member of staff to have access, that member must be inducted
as per social media guidelines below and agree to abide by them but ultimately the
administrator is responsible:-

• Don’t publish anything you know to be confidential

• Do not publish private details

• Be transparent and truthful

• Be relevant

• No profanities

• Do not bad mouth competitors

• Stay within your remit

• Use common sense – if you not sure don’t do it

• Don’t be argumentative

• Run a spell check

• Double check everything before posting

Removable media such as USB data sticks and external hard drives must be
password protected.

Media being transported must be kept safe and where applicable encrypted or
locked.

10 Disposal

Items that should be considered for secure disposal include:

• Paper documents

• Removable disks

• USB Memory sticks

• CD/DVD ROMs

All media for disposal must be completely erased and eliminate the possibility of
data recovery and reconstruction from devices or media.

11 Leaving the company

All company hardware including laptops to be returned and any information not
relevant to the next user to be deleted.

All access passwords to be changed

Where applicable non-disclosure documents to be signed.

12 Other protection measures

Any paper held information will be locked in filing cabinets with keys only accessible
for the accounting team. This must be kept within a single location at each office.

No information is to be sold to any third parties.

At night the offices must be locked and the alarm set before.

13 Accepted Risk

If known exceptions are found during a privacy risk assessment, management must
be informed to determine a course of action. Actions may consist of obtaining
insurance or letting in house or third parties know of the risk. It may also need to be
reported to the ICO.

14 Information requests

The data protection contact must be notified within 7 days of a request. Following
the request the contact will then carryout a Privacy impact assessment or if the
current one is within 3 months old use the existing data to determine what and
where the data is held. Then it must be exported into a useable file, excel for
example, and sent within 30 days. This must be done at no cost to the Customer.

16 Disposal of records

Unless GHE see a good reason for keeping a record of data after the storage period
of 7 years, for example, the warranty period of a product lasts longer, the data must
be destroyed unless consent is sort from the Customer.

The Data protection contact will carry out this exercise with the same process as that
referred to in 13. Information requests.

17 Data breach procedure

Internally the Data Protection Contact as named above will be notified immediately
of any breaches. Where applicable, the contact will then notify 3rd parties, for
example SSE or BG under 30 minute reporting.

The ICO will be informed within 72 hours.

18 Data protection contact

Scott Davis (Finance Director)
Data Protection Contact
Scott Davis
01635 529090
Scott@ghesolar.co.uk