External Supplier Control Obligations. Records Management

Similar documents
External Supplier Control Obligations. EUDA End User Developed Applications

External Supplier Control Obligations. Information Security

Records Management Plan

Humber Information Sharing Charter

INFORMATION GOVERNANCE STRATEGY AND STRATEGIC VISION

External Supplier Control Obligations

Information Governance and Records Management Policy March 2014

DATA PROTECTION POLICY

TECHNICAL RELEASE TECH 05/14BL. Data Protection Handling information provided by clients

TRANSLINK RECORDS MANAGEMENT POLICY

Date: INFORMATION GOVERNANCE POLICY

Records Management Policy

Auditing of Swedish Enterprises and Organisations

GUIDANCE NOTES DATA PRIVACY IMPACT ASSESSMENT

Policy for Preservation of Documents

COMPUTERISED SYSTEMS

INFORMATION GOVERNANCE POLICY

Records Management Policy

Records Management policy

WILTSHIRE POLICE FORCE POLICY

CLAREMONT HIGH SCHOOL ACADEMY TRUST

Business Continuity Policy

External Supplier Control Obligations. Information Security

Data Protection Act Policy Statement Status/Version: 0.1 Review Information Classification: Unclassified Effective:

DE MONTFORT UNIVERSITY RECORDS MANAGEMENT POLICY

A tool for assessing your agency s information and records management

GUIDELINES FOR IMPLEMENTING A PRIVACY MANAGEMENT PROGRAM For Privacy Accountability in Manitoba s Public Sector

Information Governance Policy

DATA PROCESSING AGREEMENT

General Data Protection Regulation (GDPR) Key considerations and implications for brokers

Information Asset Management Policy

SOLUTION BRIEF EU GENERAL DATA PROTECTION REGULATION COMPLIANCE WITH RSA ARCHER

POLICY. TITLE POLICY Records Management Policy. roxbycouncil POLICY RECORDS MANAGEMENT Policy Date Latest Review Changes

UK Research and Innovation (UKRI) Records Management Policy

Humber Information Sharing Charter

BROOKS PERSONAL TRAINING

Brasenose College Data Protection Policy Statement v1.2

TECHNOLOGY POLICY SUMMARY FOR THIRD PARTY SUPPLIERS

Preparing for the GDPR

General Personal Data Protection Policy

Oracle Tech Cloud GxP Position Paper December, 2016

DePaul University Records Management Manual October 1, 2016

Salesforce s Processor Binding Corporate Rules. for the. Processing of Personal Data

INFORMATION GOVERNANCE POLICY

DATA QUALITY POLICY. Version: 1.2. Management and Caldicott Committee. Date approved: 02 February Governance Lead

Quality Assurance Agreement

General Optical Council. Data Protection Policy

General Retention and Disposal Authority: GA28

Contents. NRTT Proprietary and Confidential - Reproduction and distribution without prior consent is prohibited. 2

ISMS AUDIT CHECKLIST

HSCIC Audit of Data Sharing Activities:

GENERAL TERMS AND CONDITIONS FOR USING THE JUVENTUS eprocurement PORTAL

Protection of Personal Information Policy (POPI)

Mobile Connect Privacy Principles

Computer System Validation Perform a Gap Analysis of your CSV Processes

Getting ready for the new data protection laws A guide for small businesses, charities and voluntary organisations

ONR GUIDE. LC 6 Documents, records, authorities and certificates. Nuclear Safety Technical Inspection Guide. NS-INSP-GD-006 Revision 0

Supplier Security Directives

Approved by Board: 22/06/2016. Records Management Policy

NUS RECORDS MANAGEMENT POLICY. Ver 1.6

KEMBLE PRIMARY & SIDDINGTON CE PRIMARY SCHOOLS DATA PROTECTION & THE GENERAL DATA PROTECTION REGULATION (GDPR) POLICY

COMPLIANCE MANAGEMENT FRAMEWORK FOR VICTORIA UNIVERSITY

Environmental Roles and Responsibilities

SHENLEY BROOK END SCHOOL

Records Management Policy

Sydney Opera House Policy

EUROPEAN COMMISSION HEALTH AND CONSUMERS DIRECTORATE-GENERAL. EudraLex The Rules Governing Medicinal Products in the European Union

PROCEDURE (Essex) / Linked SOP (Kent) Asbestos Management. Number: U 1005 Date Published: 22 July 2015

HSCIC Audit of Data Sharing Activities:

Orbit Recruitment Privacy Policy

Corporate Governance Statement

APES 320 QUALITY CONTROL FOR FIRMS

Records Management Policy and Strategy

IBM SmartCloud Control Desk Software as a Service

Office of the Police and Crime Commissioner Devon & Cornwall

Basic Records Management Practices for Saskatchewan Government*

HSCIC Audit of Data Sharing Activities:

Roche Group Records Management Directive V2.0

RISK MANAGEMENT POLICY AND PROCEDURES AD-P009

PREPARING YOUR ORGANISATION FOR THE GENERAL DATA PROTECTION REGULATION YOUR READINESS CHECKLIST DATA PROTECTION COMMISSIONER

Health and Safety Management Standards

University of Westminster Records Management Policy

CORPORATE GOVERNANCE STATEMENT 30 JUNE 2018

GUIDANCE NOTE FOR DEPOSIT TAKERS (Class 1(1) and Class 1(2))

Sample Data Management Policy Structure

THE ARCG CHARTER. Issued in March 2008

EDRMS and Information Analyst

HEALTH & SAFETY POLICY

Applying Health and Safety legislation and working practices (installing and maintaining electrotechnical systems and equipment) (ELTP01)

Mapping ISO/IEC 27001:2005 -> ISO/IEC 27001:2013

Information Security Policy

ECOSERVICES, LLC BINDING CORPORATE RULES

University College Cork National University of Ireland, Cork Records Management Policy Version 1.0

SME guide to the personal data protection act 2012

219 Make sure your own actions reduce risks to health and safety

OH&S MANAGEMENT SYSTEM CHECKLIST - AS 4801:2001 (STATUS A = Acceptable; N = Not Acceptable; N/A = Not Applicable)

Health, Safety Environmental Advisor (HSEA): This employee oversees the HSE program and reports to the SVP, Global Real Estate Services;

Information governance strategy

Human Resources. Data Protection Policy IMS HRD 012. Version: 1.00

Privacy Management Programs. Ruth Marks and Stacey Pratt April 2018

Transcription:

External Supplier Control Obligations Records Management

Page 1

Governance and Roles and The Supplier must define and communicate roles and responsibilities for Records Records Management requires high-level Assurance Responsibilities Management. These must be reviewed after any material change to the Supplier s sponsorship in order to ensure that operating model or business. Key roles must include a senior executive, accountable for Records Management. controls are designed, implemented, and operated effectively. Ongoing monitoring is necessary to provide senior management with Records Management Documented controls and processes must be in place to ensure Records Management incidents are reported and managed. assurance over the design and operation of Records Management controls. Risk Reporting Records Management Incidents and breaches should be responded to by the Supplier and reported to Barclays immediately. An incident response process for timely handling and reporting of intrusions involving Barclays information and/or services used by Barclays should be established. The Supplier must ensure that identified remedial actions following an incident are addressed with a remediation plan (action, ownership, delivery date) and shared and agreed with Barclays. On-going The Supplier must regularly and in any event not less than once in every calendar year, Monitoring measure, review and document its compliance with this Schedule. Adherence to local legislative The Supplier must ensure that Records Management related legislative and statutory requirements which apply to the jurisdiction in which the Supplier operates are and statutory appropriately documented and complied with. requirements Page 2

Education and Awareness New Joiner education and awareness The Supplier must ensure that all new Supplier Personnel, within a reasonable time period, complete training which ensures they understand their Records Management roles and responsibilities. To ensure that all Supplier Personnel understand their responsibilities in relation to Records Management Records Management Retention On-going education and awareness Legal and regulatory retention requirements Retention schedule The Supplier must ensure that once a year all Supplier Personnel complete mandatory training ensuring that they are aware of their Records Management roles and responsibilities. The Supplier must ensure all Relevant Records are retained and disposed of in line with applicable legal, regulatory or business requirements. The Supplier must ensure all Relevant Records are in line with the retention periods defined in the agreed Barclays Retention Schedule. The Supplier must change the retention periods of Relevant Records, when instructed to do so by Barclays. If these requirements are not implemented then it may result in Barclays information not being retained in line with the applicable legal, regulatory or business requirements, which may result in legal and regulatory sanction, reputational damage, loss / disruption of business. Records Owner The Supplier must nominate a key Supplier contact to be the liaison with the Barclays Relevant Records Owner. Records Storage Protection The Supplier must ensure Relevant Records are protected using physical, environmental and logical controls to prevent unauthorised loss, modification or damage throughout their retention and protected according to their confidentiality classification against the Barclays Information Classification Scheme defined in the Information Security Supplier Control Requirements Schedule and the controls set out in the Physical Security Supplier Control Requirements Schedule. Access The Supplier must have physical / logical controls to ensure access to Relevant Records are restricted to only those Supplier Personnel who are appropriately authorised and need access to perform their duties. If these requirements are not implemented then Relevant Records may be vulnerable to unauthorised modification, disclosure, access, damage, loss or destruction, which may result in legal and regulatory sanction, reputational damage, or loss / disruption of business. Inventory The Supplier must ensure an index / inventory of physical Relevant Records is maintained / be accessible to Barclays and reviewed at least annually. The index / inventory must contain at least the following mandatory information: Box owner Box number Description of contents Destruction date or from date / to date Page 3

Records Retrieval Retrieval The Supplier must ensure Relevant Records can be retrieved within the following required timescales: Electronic Relevant Records retrievable within three (3) working days or within a period required by any applicable legislative or statutory requirements; and Physical Relevant Records / archived electronic records (not instantly accessible on a live system) retrievable within ten (10) working days, or within a period required by any applicable legislative or statutory requirements The Supplier must ensure retrieval processes are documented and the process tested at least annually through a testing regime or through business as usual processes. If these requirements are not implemented then Relevant Records may be vulnerable to unauthorised modification, disclosure, access, damage, loss or destruction, which may result in legal and regulatory sanction, reputational damage, or loss / disruption of business. Records Format Protection Authenticity and integrity The Supplier must protect Relevant Records during transit via appropriate controls (physical, environmental, logical) that are commensurate with the Barclays Information Classification Scheme defined in the Information Security Supplier Control Requirements Schedule. The Supplier must have controls in place to maintain and protect the authenticity and integrity of Relevant Records. The controls must be commensurate with the Barclays Information Classification Scheme, set out in Appendix B - Table 1 of the Information Security Supplier Control Requirements Schedule. The Supplier must maintain records in a specific format required to comply with any applicable country legislation / regulation, such as maintaining relevant records in a nonrewritable, non-erasable format. Records Format Scanned Documents Where scanned documents are used as a Primary Record, the Supplier must ensure the Relevant Records are captured through a scanning process that: Adheres to any applicable legal or regulatory requirements for the capture of scanned documents Ensures quality assurance processes are in place commensurate to the value of the Relevant Records and classification requirements as listed in the Barclays Information Classification Scheme; and Captures scanned documents using a minimum of 200 dpi (dots per inch) scanning resolution Page 4

Records Disposal Disposal Process The Supplier must ensure Relevant Records are securely destroyed within twelve Disposal Authorisation months of the expiry of their retention period (upon notification and authorisation from Barclays), provided a Disposal Hold is not in effect. The Supplier must ensure disposal processes are documented and reviewed at least annually. The Supplier must ensure evidence of the authorisation and destruction of Relevant Records is maintained, using controls such as: If these requirements are not implemented then it may result in records being over-retained past their specified retention period or records being destroyed without authorisation, which may result in legal and regulatory sanction, reputational damage, loss / disruption of business. Physical Relevant Records certificates of destruction; and Electronic Relevant Records audit trail / reports of Relevant Records purged / deleted Records Disposal Area Disposal Methods Title For Suppliers of services to Barclays Corporate / Barclays Capital Inc. and /or Barclays Africa Group Limited only, the Supplier must ensure Barclays Relevant Records are not destroyed without Barclays prior written consent. The Supplier must ensure Relevant Records are disposed of safely and securely, through disposal controls which are: applicable to legislative, statutory and contractual requirements commensurate with the Relevant Records confidentiality classification in the Barclays Information Classification Scheme applicable to the medium on which the Relevant Records are stored Records Disposal Hold Disposal Hold Notification The Supplier must have controls in place to ensure upon notification from Barclays any Relevant Records covered by a Disposal Hold are suspended from destruction within 24 hours and confirm to Barclays that the Disposal Hold requirements have been applied. Disposal Hold Release The Supplier must have controls in place to ensure upon notification from Barclays of a Disposal Hold being lifted; any Relevant Records under the Disposal Hold have their applicable retention period or destruction recommenced within twelve months of the Disposal Hold being lifted (providing the records are not covered by another Disposal Hold). Page 5

US Records Original and Backup The Supplier must have controls in place to ensure an original and a backup copy of each If these principles are not implemented Management Relevant Records - electronic Barclays Relevant Record are maintained and for any and all such electronic then it may lead to Relevant Records not requirements Universal Time Barclays Relevant Record(s) must implement and maintain Universal Time Coordinator being stored and retained in accordance Coordinator ( UTC ) services ( UTC ) services, to ensure that file date/time stamp recordings and parameters are applied consistently. with applicable regulations / legislation, which may result in legal and regulatory Relevant Records - Email The Supplier must have controls in place to ensure emails generated by a Supplier and defined as Barclays Relevant Records are retained for a minimum period of 7 years or sanction, or reputational damage, loss / disruption of business. specific retention period defined in the Barclays Retention Schedule. Letter of Undertaking The Supplier must promptly provide the applicable regulator with a Letter of Undertaking if requested to do so. Page 6

Definitions Disposal Hold Letter of Undertaking Primary Record Relevant Records Relevant Records Owner Retention Schedule A notification to cease destruction of certain information, typically because the information may be required as evidence in a contractual, legal, or regulatory matter. A letter from Supplier to a regulator of a Barclays Entity stating that Supplier will take reasonable steps to fulfil any request by such regulator to download to any acceptable medium Barclays Relevant Records that are maintained in electronic storage media within Supplier s possession or control. Where duplicate copies of a Record exist, the Primary Record is the original version which is chosen to be used as the Relevant Record. Specific information required by Barclays to be retained and disposed of in line with applicable legal, regulatory or business requirements. The owner of the Barclays business process which the relevant records relate to may be the Barclays Relevant Records Owner; or the Relevant Records Owner is assigned to the job role of the Barclays person that created the Relevant Records. A list of the Relevant Records which Barclays are required to maintain and details the applicable country retention periods, any specific format / storage requirements and the confidentiality classification of the Relevant Records. Page 7

2024 © businessdocbox.com Privacy Policy | Terms of Service | Feedback