Keeping personal data secure is both a legal duty and something we take seriously in its own right. We use a combination of technical and organisational measures, designed to protect data against loss, misuse and unauthorised access.
Technical measures
- Encryption of data in transit and, where appropriate, at rest.
- Access controls so staff and providers only see what their role requires.
- Monitoring and logging to detect unusual activity.
- Regular updates and security testing of our systems.
Organisational measures
- Staff training on data protection and security.
- Written contracts requiring our providers to protect data.
- Internal policies covering how data is handled and shared.
Your part in security
You can help by keeping your portal sign-in details private, using a strong unique password, and being alert to phishing. We will never ask for your full password, and we will not ask you to move money to a so-called safe account. If something looks suspicious, contact us through the help centre rather than replying to the message.
If something goes wrong
If a personal data breach is likely to put your rights at risk, we will notify the Information Commissioner's Office and, where required, the people affected.
See also: What happens if there is a data breach?, Who is the data controller for my information?, What is our lawful basis for processing your data?