logo

Information security Policy


1. Introduction

The confidentiality, integrity and availability of information are critical to the ongoing functioning and good governance of bigspark. Failure to adequately secure information increases the risk of financial and reputational losses from which it may be difficult for bigspark to recover.

This information security policy outlines bigspark’s approach to information security management. It provides the guiding principles and responsibilities necessary to safeguard the security of the company's information systems. Supporting policies, codes of practice, procedures and guidelines provide further details.

Bigspark Limited is committed to a robust implementation of Information Security Management. It aims to ensure the appropriate confidentiality, integrity and availability of its data. The principles defined in this policy will be applied to all the physical and electronic information assets for which bigspark Limited is responsible.

Bigspark Limited is specifically committed to preserving the confidentiality, integrity and availability of documentation and data supplied by, generated by and held on behalf of third parties pursuant to the carrying out of work agreed by contract in accordance with the requirements of data security standard ISO 27001.


1. 1 Objectives

The objectives of this policy are to:

  1. Provide a framework for establishing suitable levels of information security for all bigspark’s information systems (including but not limited to all Cloud environments commissioned or run by bigspark, computers, storage, mobile devices, software and data) and to mitigate the risks associated with the theft, loss, misuse, damage or abuse of these systems. It requires that: The resources required to manage such systems will be made available. Continuous improvement of bigspark’s Information Security Management System will be undertaken in accordance with Plan Do Check Act principles
  2. Make certain that users are aware of and comply with all current and relevant UK and (where appropriate) EU legislation.
  3. Provide the principles by which a safe and secure information systems working environment can be established for staff, students and any other authorised users.
  4. Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data that they handle.
  5. Protect bigspark limited from liability or damage through the misuse of its IT facilities.
  6. Maintain research data and other confidential information provided by suppliers at a level of security commensurate with its classification a. including upholding any legal and contractual requirements around information security.
  7. Respond to changes in the context of the organisation as appropriate, initiating a cycle of continuous improvement.


1.2 Scope

This policy is applicable to, and will be communicated to, all staff and third parties who interact with information held by bigspark and the information systems used to store and process it.

This includes, but is not limited to: Cloud systems developed or commissioned by bigspark, any systems or data attached to the bigspark data or systems managed by bigspark, mobile devices used to hold bigspark data, data over which bigspark holds the intellectual property rights, data over which bigspark is the data controller or data processor, electronic communications sent from bigspark.

 

2. Policy

2.1 Information Security Principles

The following information security principles provide overarching governance for the security and management of information at bigspark.

  1. Information should be classified according to an appropriate level of confidentiality, integrity and availability (see Section 2.3. Information Classification) and in accordance with relevant legislative, regulatory and contractual requirements (see Section 2.2. Legal and Regulatory Obligations).
  2. Staff with particular responsibilities for information (see Section 3. Responsibilities) must: ensure the classification of that information is established; must handle that information in accordance with its classification level; must abide by any contractual requirements, policies, procedures or systems for meeting those responsibilities.
  3. All users covered by the scope of this policy (see Section 1.2. Scope) must handle information appropriately and in accordance with its classification level.
  4. Information should be both secure and available to those with a legitimate need for access in accordance with its classification level. Access to information will be on the basis of least privilege and need to know.
  5. Information will be protected against unauthorized access and processing in accordance with its classification level.
  6. Breaches of this policy must be reported (see Sections 2.6. Compliance and 2.7. Incident Handling).
  7. Information security provisions and the policies that guide them will be regularly reviewed, including through the use of annual internal audits and penetration testing.
  8. Any explicit Information Security Management Systems (ISMSs) run within the organisation will be appraised and adjusted through the principles of continuous improvement, as laid out in ISO27001 clause 10.


2.2 Legal & Regulatory Obligations

  1. Bigspark Limited has a responsibility to abide by and adhere to all current UK and (where appropriate) EU legislation as well as a variety of regulatory and contractual requirements.
  2. A non-exhaustive summary of the legislation and regulatory and contractual obligations that contribute to the form and content of this policy is provided in Appendix A.
  3. Related policies will detail other applicable legislative requirements or provide further detail on the obligations arising from the legislation summarised below.


2.3 Information Classification

  1. The following table provides a summary of the information classification levels that have been adopted by bigspark Limited and which underpin the 8 principles of information security defined in this policy.
  2. These classification levels explicitly incorporate the General Data Protection Regulation’s definitions of Personal Data and Special Categories of Personal Data, as laid out in bigspark’s Data Protection Policy, and are designed to cover both primary and secondary research data.
  3. Detailed information on defining information classification levels and providing appropriate levels of security and access is provided in the Data Classification Standard. Information on appropriate encryption techniques for securing Confidential data can be found here.
  4. Information may change classification levels over its lifetime, or due to its volume

2.4 Suppliers

All bigspark suppliers will abide by bigspark’s Information Security Policy, or otherwise be able to demonstrate corporate security policies providing equivalent assurance. This includes:

  • when accessing or processing bigspark assets, whether on site or remotely
  • when subcontracting to other suppliers.


2.5 Cloud Providers

Under the GDPR, a breach of personal data can lead to a fine of up to 4% of global turnover. Where bigspark uses Cloud services, bigspark retains responsibility as the data controller for any data it puts into the service, and can consequently be fined for any data breach, even if this is the fault of the Cloud service provider. bigspark will also bear the responsibility for contacting Information Commissioner’s Office concerning the breach, as well as any affected individual. It will also be exposed to any lawsuits for damages as a result of the breach. It is extremely important, as a consequence, that bigspark is able to judge the appropriateness of a Cloud service provider’s information security provision. This leads to the following stipulations:

  1. All Cloud services used will be expected to have ISO27001 certification, with adherence to the standard considered the best way of a supplier proving that it has met the GDPR principle of privacy by design, and that it has considered information security throughout its service model.
  2. Any request for exceptions will be considered, email at information-security@bigspark.dev


2.6 Compliance, Policy Awareness and Disciplinary Procedures

  1. Any security breach of bigspark’s information systems could lead to the possible loss of confidentiality, integrity and availability of personal or other confidential data stored on these information systems.
  2. The loss or breach of confidentiality of personal data is an infringement of the General Data Protection Regulation, contravenes bigspark’s Data Protection Policy, and may result in criminal or civil action against bigspark.
  3. The loss or breach of confidentiality of contractually assured information may result in the loss of business, financial penalties or criminal or civil action against bigspark. Therefore it is crucial that all users of the company's information systems adhere to this Information Security Policy and its supporting policies as well as the Information Classification Standards.
  4. All current staff and other authorised users will be informed of the existence of this policy and the availability of supporting policies, codes of practice and guidelines.
  5. Any security breach will be handled in accordance with all relevant policies and the appropriate disciplinary policies.


2.7 Incident Handling

  1. If an employee is aware of an information security incident then they must report it to the information security officer by email to information-security@bigspark.dev
  2. Breaches of personal data will be reported to the Information Commissioner’s Office by Data Protection Officer.
  3. If necessary, employers should use the Matrix manager to report
  4. All members of the bigspark community must report instances of actual or suspected phishing to phishing@bigspark.dev


2.8 Supporting Policies, Codes of Practice, Procedures and Guidelines

  1. Supporting policies are being developed to strengthen and reinforce this policy statement. These, along with procedures and and the employee handbook are published on Confluence
  2. All staff and any third parties authorised to access bigspark systems are required to familiarise themselves with these supporting documents and to adhere to them in the working environment.


2.9 Review and Development

  1. This policy, and its subsidiaries, shall be reviewed annually by the Directors and updated regularly to ensure that they remain appropriate in the light of any relevant changes to the law, organisational policies or contractual obligations.
  2. Additional policy may be created to cover specific areas.
  3. The Information Security Manager will determine the appropriate levels of security measures applied to all new information systems


3. Responsibilities

Members of Bigspark:

All employees of bigspark limited, agency staff working for bigspark, third parties and collaborators on bigspark projects will be users of bigspark information. This carries with it the responsibility to abide by this policy and its principles and relevant legislation, supporting policies, procedures and guidance. No individual should be able to access information to which they do not have a legitimate access right. Notwithstanding systems in place to prevent this, no individual should knowingly contravene this policy, nor allow others to do so. To report policy contraventions, please see Section 2.7: Incident Handling

Data Controllers:

Many members of bigspark will have specific or overarching responsibilities for preserving the confidentiality, integrity and availability of information. These include:

Project leads:

Responsible for the security of information produced, provided or held in the course of carrying out client or bigspark projects. This includes ensuring that data is appropriately stored, that the risks to data are appropriately understood and either mitigated or explicitly accepted, that the correct access rights have been put in place, with data only accessible to the right people, and ensuring there are appropriate backup, retention, disaster recovery and disposal mechanisms in place.

Heads of Practices:

Responsible for the information systems (e.g. HR/ Registry/ Finance) both manual and electronic that support bigspark’s work. Responsibilities as above (for Project leads).

Line managers:

Responsible for specific area of bigspark's work, including all the supporting information and documentation that may include working documents/ contracts/ staff information.

Head of Operations:

Responsible for bigspark’s compliance with the General Data Protection regulation

Data Protection Officer:

Responsible for bigspark’s Data Protection Policy, data protection and records retention issues. Breach reporting to ICO

Information Governance Management Board:

Responsible for approving information security policies.

Caldicott Guardian:

bigspark’s Chief Operating Officer acts as the Caldicott Guardian


Appendix A: Summary of relevant legislation


The Computer Misuse Act 1990

Defines offences in relation to the misuse of computers as:

  1. Unauthorised access to computer material.
  2. Unauthorised access with intent to commit or facilitate commission of further offences.
  3. Unauthorised modification of computer material.


Defamation Act 1996

“Defamation is a false accusation of an offence or a malicious misrepresentation of someone's words or actions. The defamation laws exist to protect a person or an organisation's reputation from harm.1”

The Terrorism Act 2006

The Terrorism Act 2006 makes it an offence to write, publish or circulate any material that could be seen by any one or more of the persons to whom it has or may become available, as a direct or indirect encouragement or other inducement to the commission, preparation or instigation of acts of terrorism. It also prohibits the writing, publication or circulation of information which is likely to be useful to any one or more persons in the commission or preparation of terrorist acts or is in a form or context in which it is likely to be understood by any one or more of those persons as being wholly or mainly for the purpose of being so useful. In addition, it prohibits the glorification of the commission or preparation (whether in the past, in the future or generally) of terrorist acts or such offences; and the suggestion that what is being glorified is being glorified as conduct that should be emulated in existing circumstances.

General Data Protection Regulation and DPA 2018

The GDPR has applied to the UK from 25 May 2018. The GDPR reinforces and extends data subjects’ rights as laid out in the Data Protection Act (1998), and provides additional stipulations around accountability and governance, breach notification and transfer of data. It also extends the maximum penalties liable due to a data breach, from £500,000 to 4% global turnover. The GDPR requires bigspark to maintain an Information Asset Register, to ensure where personal data is voluntarily gathered people are required to explicitly opt in, and can also easily opt out. It requires data breaches to be reported to the Information Commissioner’s Office within 72hrs of bigspark becoming aware of their existence.

logo
About bigspark.aiResponsible AITry AIAI Lab
BlogTerms & ConditionsPrivacy PolicyInformation Security Policy
Contact

bigspark Ltd2 Lace Market SquareNottinghamNG1 1PB England

enquiries@bigspark.ai

responsible ai logo

© 2025 bigspark.ai All Rights Reserved.