Data Security Manual

Data Security Manual 2025 – Adlinx Ltd
Version: 1.0
Effective Date: January 2025
Next Review: Annually

  1. Introduction
    This manual outlines the data security policies, standards, and procedures followed by
    Adlinx Ltd, a UK-based claims management company. It ensures that personal and financial
    data—often highly sensitive in this industry—is protected against internal and external
    threats.
  2. Legal and Regulatory Framework
    Adlinx Ltd complies with:
  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)
  • Applicable case law and ICO guidance
  3. Roles and Responsibilities
    Data Protection Officer (DPO):
  • Oversees security controls and breach handling.
  • Acts as liaison with the ICO.
    IT Security Lead:
  • Implements security tools and monitors system compliance.
    All Employees:
  • Must comply with security procedures and complete training.
    Claims Handlers:
  • Must verify claimant identity before accessing or sharing case data.
  4. Information Classification
    Data is classified as:
  • Public
  • Internal Use
  • Confidential: Claim files, PII, insurance documents
  • Restricted: Medical records, financial data, case strategies
  5. Access Control
  • Least privilege access enforced for all roles
  • Multi-factor authentication (MFA) for all case management systems
  • Quarterly access reviews
  • Revocation of access upon exit or role change
  6. Data Storage and Handling
  • Secure case management systems hosted in UK data centres
  • Prohibition on local saves or USB use without approval
  • Physical files stored in locked file rooms
  • Sensitive documents must be redacted when shared externally
  7. Encryption and Secure Communication
  • Full-disk encryption on all mobile devices
  • Encrypted email for case-related documents
  • VPN required for all remote workers
  8. Network and Endpoint Security
  • Corporate firewalls and endpoint protection software installed
  • Weekly vulnerability scans
  • Patch management automated for all devices
  9. Backup and Business Continuity
  • Daily encrypted backups of claims data
  • Business Continuity Plan includes provisions for data loss and ransomware
  • RTO and RPO defined per critical system
  10. Incident Response Plan
  • Incidents must be reported within 1 hour
  • DPO will assess breach and notify ICO within 72 hours if applicable
  • Post-incident analysis and root cause tracking required
  11. Physical Security
  • Office access is badge-controlled
  • Document disposal via secure shredding services
  • Visitors must sign in and be supervised
  12. Employee Awareness and Training
  • Induction and annual data security training
  • Scenario-based training for claims handlers (e.g., phishing, misdelivery)
  • Mandatory participation in incident response drills
  13. Third-Party and Vendor Security
  • Security due diligence and DPAs for all partners (e.g., solicitors, insurers)
  • Access limited to case-specific data
  • Regular audits of data processors
  14. Monitoring and Logging
  • Detailed logs of all system access retained for at least 12 months
  • Review of privileged access monthly
  • Use of SIEM tools for automated alerting
  15. Policy Review and Updates
    Manual reviewed annually or following any:
  • Regulatory updates
  • Introduction of new systems
  • Security incidents or audit findings
  16. Contact
    Data Protection Officer (DPO)
    Michele Oldfield
    info@adlinx.co.uk
    0161 519 0454