About this policy
This policy is issued by Bubble Fresh (Bubblefresh Limited, company number 12691029), a specialist cleaning and clearance company based in Rushden, Northamptonshire. We provide services for vulnerable adults, families, and local council partners across Northamptonshire, Milton Keynes, Bedford, and Norfolk. The Director, Lance James, has overall responsibility for information security. This policy sets out how we protect the confidentiality, integrity, and availability of all information we handle, including personal data about our clients, employees, and council partners, as well as business-sensitive information. We implement appropriate technical and organisational measures as required by Article 32 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 to ensure a level of security appropriate to the risk. We base these measures on a documented information security risk assessment that we review at least annually. We regularly test, assess, and evaluate the effectiveness of those measures in accordance with Article 32(1)(d), including through vulnerability scanning and penetration testing where appropriate to our systems and scale. Unauthorised access to computer systems is a criminal offence under the Computer Misuse Act 1990. We take all reasonable steps to prevent unauthorised access and will report suspected offences to the relevant authorities.
Scope
This policy applies to all employees, contractors, volunteers, and anyone who handles information on behalf of Bubble Fresh. It covers all forms of information: digital records, paper documents, verbal communications, photographs, body-worn camera footage (see our Body-Worn Camera Policy for full details), and any cloud services or third-party platforms used to process or store information on our behalf. It applies regardless of where the information is accessed, including when working remotely or using personal devices for work purposes.
Information classification
We classify all information into four categories to make sure we apply the right level of protection. Public information is content we have published or made openly available, such as our website, marketing materials, and published policies. No special handling is needed. Internal information is day-to-day business information not intended for public release, such as staff rotas, internal procedures, and general correspondence. This should be kept within Bubble Fresh systems and not shared outside the company without management approval. Confidential information includes personal data about clients, employees, and council partners, financial records, contract details, pricing, and council referral information. Access is restricted to those who need it for their role. This information must be encrypted when stored digitally and when sent electronically, and paper copies must be kept in locked storage. Restricted information is the most sensitive category and includes safeguarding records (see our Safeguarding Policy), medical or mental health information, body-worn camera footage, DBS results, and any information that could put a vulnerable person at risk if disclosed. Access is strictly limited to named individuals with a specific need. This information requires the highest level of protection, including encryption, access logging, and secure disposal. Where practical, label confidential and restricted documents clearly so that anyone handling them knows the level of care required. All employees must handle information according to its classification. If you are unsure how to classify a piece of information, treat it as confidential and ask your manager.
Access control
We restrict access to information to those who need it for their role, following the principle of least privilege. All employees must protect their accounts with strong passwords: a minimum of 12 characters including a mix of upper and lower case letters, numbers, and special characters. Employees must not reuse passwords across systems and must change passwords immediately if they suspect a compromise. We encourage the use of a reputable password manager to help manage passwords securely. We configure systems to lock accounts after no more than 10 failed login attempts, requiring administrator action or a timed lockout before the account can be used again. We require multi-factor authentication on all systems that hold personal data or confidential information. Where a system does not support multi-factor authentication, we apply compensating controls and document this as a risk acceptance. Administrator-level access to systems containing personal data is restricted to named individuals, requires separate credentials, and is logged. We review all access permissions, including privileged access, quarterly and revoke them promptly when no longer needed. When an employee leaves the company or changes role, we revoke or adjust their access on the same day. We keep a record of all access permissions granted and the business reason for each.
Device security
All employees must protect devices used for work purposes, including computers, tablets, and phones, with a strong password or PIN. Lock devices when unattended and configure them to lock automatically after a maximum of 5 minutes of inactivity. Enable full-disk encryption on all devices that store or access work data. Keep operating systems and applications up to date (see Software updates and patch management below). Install and maintain approved antivirus or endpoint protection software on all devices (see Malware protection below). Do not connect to unsecured public Wi-Fi networks when accessing work systems; use a virtual private network (VPN) if you need to work on a public network. Report lost or stolen devices immediately to the Director so that we can remotely wipe data if necessary. We keep a register of all devices used to access Bubble Fresh systems and data.
Bring your own device (BYOD)
Employees must not use personal devices for work purposes without prior written approval from the Director. Where approval is given, the following rules apply. The device must meet the same security standards as company-owned devices, including strong passwords, automatic locking, full-disk encryption, up-to-date software, and approved antivirus or endpoint protection. Work data must be kept separate from personal data on the device, using a work profile or approved application where available. We reserve the right to remotely wipe work data from a personal device if it is lost, stolen, or if the employee leaves the company. Employees must not store restricted or confidential information on personal devices unless there is no practical alternative and the Director has approved it. Any personal device used for work is subject to the same acceptable use rules as company equipment.
Acceptable use of IT
All IT systems, devices, email accounts, and internet access provided by Bubble Fresh are for business use. Limited personal use is permitted provided it does not interfere with work, breach any policy, or create a security risk. Employees must not use work systems to access, download, or share offensive, illegal, or inappropriate material. Employees must not install software or applications on work devices without approval from management. Employees must not attempt to bypass security controls, access systems or data they are not authorised to use, or share login credentials with anyone else. Be careful when using social media, even on personal accounts, not to share any information about clients, their homes, our work locations, or other confidential business information. We monitor the use of our systems to protect security and may review activity logs where there is a concern. Any breach of acceptable use rules may result in disciplinary action. Unauthorised access to computer systems is a criminal offence under the Computer Misuse Act 1990.
Email and communications
Do not send confidential or restricted personal data by unencrypted email. Where you need to send sensitive information electronically, use an encrypted method or a secure file-sharing platform approved by the company. Always verify recipient email addresses before sending emails containing personal data, particularly when using auto-complete. Do not set up automatic forwarding of work emails to personal email accounts. Be cautious with email attachments and links from unknown senders (see Social engineering and phishing awareness below). Do not discuss confidential or restricted information in public places where it may be overheard, including on phone calls in public areas. When communicating with council partners, follow any specific secure communication requirements set out in our contracts.
Social engineering and phishing awareness
Social engineering is when someone tries to trick you into giving away information, access, or money. Phishing is the most common form, usually through fake emails or messages that look like they come from a trusted source. Be suspicious of unexpected emails asking you to click links, open attachments, or provide login details, even if they appear to come from a known contact. Check the sender's email address carefully for small differences. Never share passwords, login codes, or multi-factor authentication codes with anyone, including people claiming to be from IT support. If you receive a phone call asking for sensitive information, verify the caller's identity by calling them back on a known number. Report any suspicious emails, messages, or calls to management immediately. Do not click links or open attachments if you are unsure. We send simulated phishing tests from time to time to help staff practise spotting these threats. Falling for a simulated test is not a disciplinary matter; it is a learning opportunity.
Clear desk and clear screen
Keep your workspace clear of confidential and restricted documents when you are not actively using them. Lock paper documents containing personal data or sensitive information in a drawer or cabinet when you leave your desk, even for a short break. Do not leave printed documents on shared printers; collect them immediately. Lock your computer screen every time you step away from your desk. Position screens so that they cannot be read by passers-by, particularly in shared or public areas. At the end of the working day, make sure all confidential and restricted documents are locked away and your screen is locked or the device is shut down.
Physical security
We control access to our office and any location where we store physical records or equipment containing personal data. Only authorised individuals may access these areas. We manage keys and access cards carefully; keys are signed out and returned, and lost keys or cards must be reported immediately so that locks or codes can be changed. Visitors to our office must be accompanied at all times and must not be left alone with access to confidential or restricted information. We store server equipment and network hardware in a secure location with restricted access. Paper records containing personal data are kept in locked cabinets. We dispose of confidential paper documents securely by cross-cut shredding. When working in clients' homes, employees must keep all devices and documents secure and never leave them unattended.
Removable media
Removable media includes USB drives, external hard drives, SD cards, CDs, and DVDs. Do not use removable media to store or transfer confidential or restricted information unless there is no practical alternative and the Director has approved it. Where removable media is approved, it must be encrypted. Do not connect removable media from unknown or untrusted sources to any work device. When removable media is no longer needed, securely erase it before disposal or reuse (see Data disposal and sanitisation below). We keep a log of any approved use of removable media for confidential or restricted data.
Cloud services
We only use cloud services that have been approved by the Director and that meet our security and data protection requirements. Before we start using a new cloud service, we carry out a risk assessment covering where data will be stored, the provider's security measures, their compliance with UK GDPR, and our ability to retrieve or delete data. All cloud services that process personal data must store data within the United Kingdom or a country with an adequate level of data protection under UK GDPR. We require a Data Processing Agreement compliant with Article 28(3) of UK GDPR from any cloud provider that processes personal data on our behalf. We review our cloud services at least annually to check that they continue to meet our requirements. Where a council contract specifies particular cloud or hosting requirements, those requirements take priority.
Data storage and backup
We store digital data securely with encryption (AES-256 at rest, TLS 1.2 or above in transit) and access controls appropriate to the information's classification level. We perform regular backups to prevent data loss and store backups in a separate location from the original data to protect against loss from fire, theft, or hardware failure. We test backup restoration periodically to make sure backups are working and that we can recover data within an acceptable timeframe. Backups containing personal data are encrypted and subject to the same access controls as the original data. We store paper records containing personal data in locked cabinets with access limited to authorised personnel.
Data disposal and sanitisation
When information is no longer needed, we dispose of it securely in a way that prevents recovery. Paper documents containing personal or confidential information are destroyed by cross-cut shredding. Digital data is securely erased using software that overwrites the data, or the storage media is physically destroyed where secure erasure is not possible. We follow the National Cyber Security Centre (NCSC) guidance on secure sanitisation of storage media. Before we dispose of, sell, or repurpose any device (including computers, phones, tablets, printers, and external drives), we remove all data using a recognised sanitisation method. We keep a record of data disposal, including what was destroyed, when, and by whom. Where a council contract or the UK GDPR requires us to confirm data destruction, we provide written confirmation. For retention periods before disposal, see our Privacy Policy.
Network security
We protect our network with a properly configured firewall that blocks unauthorised inbound and outbound traffic. We separate guest Wi-Fi from the network used for business operations. We use encryption (WPA3 or WPA2 as a minimum) on all wireless networks. We change default passwords on all network equipment, including routers, firewalls, and access points. We disable unnecessary services and features on network equipment to reduce the attack surface. We monitor network activity for signs of unusual or unauthorised access. Where employees access Bubble Fresh systems remotely, they must use a secure, encrypted connection.
Malware protection
We install approved antivirus or endpoint protection software on all computers and devices that access Bubble Fresh systems or data. We configure this software to update automatically and to scan files on access. We do not allow users to disable or change the settings of antivirus or endpoint protection software. We scan all removable media before use. If antivirus or endpoint protection software detects a threat, report it to the Director immediately. We review our malware protection measures regularly to make sure they remain effective against current threats. This is one of the five core technical controls required for Cyber Essentials certification.
Software updates and patch management
We keep all software, operating systems, and firmware up to date with the latest security patches. We apply critical security patches within 14 days of release, or sooner where a vulnerability is actively being exploited. We enable automatic updates where possible. Where automatic updates are not available or practical, the Director is responsible for checking for and applying updates regularly. We do not use software that is no longer supported by its vendor (end-of-life software), as it no longer receives security updates. If a business-critical application cannot be updated, we document this as a risk acceptance and apply compensating controls.
Supply chain and third-party security
We assess the information security practices of any third party that handles data on our behalf before engaging them. This includes cloud service providers, IT support companies, waste disposal contractors, and any other supplier with access to personal or confidential data. We require appropriate contractual protections, including confidentiality clauses, data protection obligations, and the right to audit. Where a third party processes personal data on our behalf, we require a Data Processing Agreement compliant with Article 28(3) of UK GDPR. We review our third-party arrangements at least annually. If a third party suffers a security incident that affects our data, they must notify us without undue delay. For more detail on how we manage subcontractors, see our Subcontractor Policy. For our data processing arrangements with third parties, see our Privacy Policy.
Incident management
Report any suspected or actual information security incident immediately to the Director. This includes data breaches, lost or stolen devices, unauthorised access, suspicious emails, malware infections, and any other event that may compromise the security of information. Do not try to investigate or fix the issue yourself; report it and wait for instructions. We investigate, contain, and resolve incidents promptly. We keep a log of all security incidents, including what happened, the response taken, and any lessons learned. Where a personal data breach has occurred, we follow our data breach procedure, including notification to the Information Commissioner's Office (ICO) within 72 hours where required under Article 33 of UK GDPR. Our ICO registration number is ZB656998. See our Privacy Policy for full data breach notification procedures. For any security incident or data protection concern, contact our Data Protection Officer (DPO) at pkvhrexniixavehtaahacqgoyjamqz@btsyuwkbbaeababjlmofekvcfxibrrazerhasxaihvom.jpgccsvozeh.egwuxutkkyv or call 01933 213045 (Relay UK: 18001 then 01933 213045). We carry out a post-incident review after every significant security incident to identify improvements. For our wider incident reporting procedures, see our Incident Reporting Policy.
Cyber Essentials alignment
We are working towards Cyber Essentials certification, with a target of achieving certification by the end of 2027. Cyber Essentials is a UK Government-backed scheme that helps organisations protect against the most common cyber threats. The five technical controls covered by Cyber Essentials are firewalls (see Network security), secure configuration (see Device security and Network security), user access control (see Access control), malware protection (see Malware protection), and software updates (see Software updates and patch management). This policy and our day-to-day practices are designed to meet or exceed these requirements. We regularly assess our position against the Cyber Essentials requirements and address any gaps. Once certified, we will maintain certification through annual reassessment.
Training and awareness
All employees receive information security awareness training during induction and through annual refresher sessions. Training covers password security and multi-factor authentication, recognising and reporting phishing and social engineering, safe handling of personal and confidential data, clear desk and clear screen practices, acceptable use of IT, malware awareness and what to do if a threat is detected, incident reporting procedures, and the information classification system. We update training content when threats change or when we introduce new systems. We keep records of all training delivered and attendance. For our wider approach to training, see our Training & Development Policy.
Changes to this policy
We may update this policy from time to time to reflect changes in legislation, technology, threats, or best practice. Any changes will be posted on this page with an updated date. Where we make material changes that affect how we protect information, we will notify all employees directly and brief them on what has changed. Where changes affect our council partners or their data, we will notify them before the changes take effect.
Review
The Director, Lance James, reviews this policy at least annually, when we introduce new systems or technologies, following any significant security incident, or when there are relevant changes to legislation or guidance. Last reviewed: February 2026. Next review due: February 2027.
© 2026 Bubble Fresh. This policy is protected by copyright (Copyright, Designs and Patents Act 1988) and may not be copied, reproduced, or redistributed without our written permission. See our Terms of Use.