Data protection and confidentiality

Though dxw doesn’t control much personal data, our clients generally do, and some of it may be held on sites that we host. Everyone at dxw has a responsibility to keep that data safe, and to process it in accordance with the data protection principles.

In particular, we:

  • only process personal data as part of work on the service that we’re contracted to provide to a client
  • don’t access personal data unless we need to in order to do our jobs: don’t read people’s personal data or private communications without good reason
  • don’t ever disclose people’s personal data to anyone outside dxw unless we are specifically instructed to, and are satisfied that it is legal to do so

If you have any questions about data protection, talk to the Data Protection Officer, Gurps.

Protective marking scheme

Some information that we have is confidential. We use a protective marking scheme so that everyone understands how to handle this material, and who they’re allowed to disclose it to. All of the documents and data we hold will fall into one of the categories below.

  • Management-in-Confidence: internal documents whose circulation within dxw needs to be restricted.
  • Company Confidential: information owned by dxw which would be of value to those outside the company, such as competitors, and whose loss or theft would potentially damage the company.
  • Client Confidential or Commercial in Confidence: information owned by dxw or its clients, which needs to remain confidential between dxw and the client.
  • Unclassified: information which would not be of significant commercial value to those outside dxw.

Some of our clients also have protective marking schemes. For example, all central government bodies will apply the Government Protective Marking System (GPMS). If you are in possession of materials that are protectively marked using other schemes, treat them as company confidential.

We take care to handle all data carefully, but when information is protectively marked, extra requirements apply.

Because we value openness highly, we take care not to over-classify information. We don’t protectively mark information unless there is a good reason to keep it confidential.

Management-in-confidence

This category is used only for dxw’s most confidential information. For example, employment records, salary details and company strategy documents.

Do not share any information with this marking with any person, whether internal or external to dxw.

This information:

  • must be clearly labelled or described as “Management-in-confidence”
  • when printed:

    • stored only in a locked container
    • transported only via courier, recorded delivery or personally by dxw staff
    • destroyed by cross-cut shredding when no longer required
  • when digital:

    • stored in an encrypted format
    • communicated only when encrypted or via an encrypted connection, unless emailed from one address to another

Company Confidential

This category is used for information which should not be communicated outside dxw. For example, details about how we operate security controls or internal discussions about client work.

Exactly the same controls apply to this information as detailed under Management-in-confidence, with the exception that Company Confidential information can be shared within dxw as required.

Client Confidential or Commercial in Confidence

This category is used for information which is disclosed to a limited group of people external to dxw, or which is unclassified information we have received from clients. For example, dxw proposals, presentations for pitches or planning documents.

Unless otherwise specified, all unclassified information we receive from clients falls into this category.

This information:

  • must be clearly labelled or described as “Client Confidential” or “Commercial in Confidence”
  • when printed:

    • stored out of sight
    • destroyed by cross-cut shredding when no longer required
  • when digital:

    • stored in an encrypted format when on exchangeable media or a mobile device

As a rule of thumb, label a document as Client Confidential if it mostly contains the client’s confidential information, or Commercial in Confidence if it mostly contains dxw’s.

Unclassified

Anything not captured by the sections above is unclassified. Examples are external marketing material, general emails and letters.

Beyond a general duty to treat information carefully, unclassified information is not subject to any specific restrictions.

Last updated: 9 May 2023