Data Protection

• Each member of staff is made fully aware by the distribution and signed acknowledgement of this policy document that they are equally responsible for the data security within Indemnity Insurance Brokers LLC.
• Managing Director has overall responsibility for the data security within the Indemnity Insurance Brokers LLC.
• Indemnity Insurance Brokers LLC has an open and honest culture to encourage staff to report any data security concerns.
• If data loss occurs, we will contact our customers within 48 hours (either via letter or phone) and provide free guidance as to what actions they should take.
• Where any issues are identified, these will be considered at Management level for any appropriate action.

We endorse and adhere to the following main principles as part of our Data Protection and client confidentiality policy. This how ever does not constitute to complete statement of this policy.

Data must:

1. Personal Data must be processed fairly and lawfully and shall not be processed unless certain conditions are met.
2. Personal Data must be obtained for a specified and lawful purpose and shall not be processed in any manner incompatible with that purpose.
3. Personal Data must be adequate, relevant and not excessive for those purposes.
4. Personal Data must be accurate and, where necessary, kept up to date.
5. Personal Data must only be kept for as long as is necessary for the purpose for which it was obtained or as required by the Law/Regulatory Authority.
6. Personal Data must be processed in accordance with the data subject’s rights. Data Subjects must be made aware of the purposes for which their information will be processed and any other information necessary to make the processing fair, such as details of third parties to whom Personal Data will be disclosed.
7. Personal Data must be kept secure from unauthorized or unlawful processing and protected against accidental loss, destruction or damage by using the appropriate technical and organizational measure.
8. Personal Data must not be transferred to a country or territory outside the United Arab Emirates (UAE), unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

These principles apply to obtaining, handling, processing, transportation and storage of personal data. Employees and agents of Indemnity Insurance Brokers LLC who obtain, handle, process, transport and store personal data for us must adhere to these principles at all times.

Personal data is defined as data relating to a living individual who can be identified from that data or information regarding an individual’s racial or ethnic origin, political opinion, religious or other beliefs, trade union membership, physical or mental health or condition, sexual life or criminal proceedings or convictions.

Indemnity Insurance Brokers LLC will, through appropriate management and the use of strict criteria and controls will ensure that:

• All staff managing and handling personal information understand that they are contractually responsible for following good data protection practice.
• All staff managing and handling personal information are appropriately trained to do so.
• All staff managing and handling personal information are appropriately supervised
• A clear procedure is in place for anyone wanting to make enquiries about handling personal information
• Methods of handling personal information are regularly assessed and evaluated.
• Any disclosure or sharing of personal data must be in compliance with approved procedures.

• The identity of a client is always confirmed by staff before providing any personal data or taking instruction over the telephone.
• All staff are responsible for ensuring that any personal data which they hold is kept securely and that personal information is not disclosed either orally or in writing or otherwise to any unauthorized third party.
• All staff have access to system and shared drives which contain general documents. Access is restricted for sensitive documents as appropriate and which are password protected.
• Access to IT system of the company is restricted to staff based on their job profile. Staff access is reviewed and amended as and when necessary.
• The use of company laptops is restricted to specific individuals for the purpose of client presentations only. All individuals permitted to use laptops are aware that these must be used and secured appropriately. Following measures must be adhered to ensure safe keeping of laptops and data it contains:
  • Ensure that the most up-to-date virus and malware protection products are installed
  • Always use a strong password to protect your computer
  • Use a password protected screen-saver
  • Avoid leaving your laptop unattended and unsecured
  • If leaving your laptop in a hotel room, use the room safe or lock it securely to an immovable object
  • Do not connect laptops to any public network (public WIFI networks)
  • If your laptop is lost or stolen, contact the IIB office for assistance
• The Insurance application will be accessed through encrypted htttps:// pages. User credentials will be stored in a secure local database and login will be through secure domain authentication.
• Data will be stored at a local server located at IIB office. This will be located in dedicated server room. As part of contingency plan in case of catastrophic event, data will be backed up real-time basis in a separate dedicated server by IIB.
• All servers, desktops, and laptops, would be secured by McAfee anti-virus protection.
• SonicWall Total Secure UTM for Internet Gateway Security to protect the entire network.
• Veeam Backup and Replication for Scheduled backups of all servers and user data.
• Each computer held onsite can only be accessed by a password which is individual for that person.  We do not use a ‘common’ password. Where a member of staff leaves the company, their access is suspended. Employees are encouraged to set up password as per following guidelines:
  • Be at least eight characters long
  • Passwords may not contain words found in a dictionary
  • Must NOT be anything easily associated with you (for instance, information someone could learn about you from Facebook) such as
    • Your user id
    • Your name
    • Your phone number
    • Your address
    • Your pet’s name
    • Your birthday
    • Friends or family member names or birthdays
    • Any other information that can be easily found about you
  • Must include three of the following four elements
    • Upper case letters
    • Lower case letters
    • Digits
    • Punctuation
  • Must not be shared with anyone, including your colleague(s).
• An anti-virus protection package is installed on all computers held onsite, which provides daily protection against viruses.
• Staff are required as best practice to lock their computer when they leave their workstation.

• This policy document is given to all new recruits within the first month of their employment.
• Until a new member of staff has acknowledged and understood this policy, they are not allowed unsupervised access to customer data.
• Annual Data Security refresher training is delivered by Indemnity Insurance Brokers LLC to all existing staff to maintain their awareness.
• Employment references and appropriate vetting are obtained for all new recruits prior to being allowed unsupervised access to any customer data.
• Access into office premises is allowed only through pre-configured access cards, which are allocated specific for each staff. System maintains the log of entry and exit using the access card control points.
• All visitors are attended to in reception area or meeting rooms. No unauthorized personnel are allowed without staff supervision in main work area.
• Staff will follow a clear desk policy and no client related documents or information is left unattended on the desks.
• All confidential paper waste is appropriately disposed using paper shredder.

• We carry out a risk assessment of our data security arrangements every year.
• Any issues identified by a risk assessment are reviewed by the Managing Director and any actions required are addressed.