Skip links

Data Protection Policy

1) Policy Owner

All terms and conditions, along with our policies, are established in accordance with AAH Services Group’s guidelines and regulations.

2) Introduction

Data protection is paramount to ensure the security and confidentiality of personal and sensitive information. This policy outlines the measures that AAH Services Group follows in order to safeguard data in accordance with the standards of the United Kingdom.

3) Scope

This policy applies to all data processed and stored by AAH Services Group, including but not limited to personal identifiable information (PII), financial data, and any other sensitive information.

4) Related Documents

  • Data Retention and Disposal Policy
  • Privacy Policy
  • Physical Access Control Policy
  • System Configuration Documents
  • Roles and Responsibilities
  • Audit Policy
  • Acceptable Use Policy
  • Information Security Policy

5) Policy Statement

a) Protection
  • All data, regardless of format (electronic or physical), containing personal or sensitive information shall be securely protected.
  • Data shall be classified based on its sensitivity to ensure appropriate handling and protection measures.
  • Backup copies of data shall be securely stored in off-site locations to mitigate risks of loss or unauthorized access.
  • A comprehensive inventory of all data media shall be maintained, including their locations, and shall be reviewed periodically.
  • Data shall be securely destroyed when it is no longer required, following the guidelines outlined in the Data Retention and Disposal Policy.
b) Distribution
  • Strict controls shall be maintained over the distribution of data, internally or externally.
  • The use of portable media storage devices for business purposes shall be strictly regulated and approved by higher management.
  • Any movement of data media shall be documented in the inventory, with management authorization required for removal from secure areas.
  • When data is transported to off-site locations, it shall be done through secure courier services or other tracked delivery mechanisms.
  • Data inventory records shall be retained in accordance with the Data Retention and Disposal Policy.
c) Sanctions

Instances of non-compliance with this policy shall be identified, documented, and escalated per the Audit Policy. Any personnel found intentionally violating this policy will be subject to disciplinary action, as outlined in the organization’s disciplinary procedures.

This Data Protection Policy shall be reviewed and updated as necessary to ensure its effectiveness and compliance with relevant laws and regulations in the UK.