Information Classification: Internal Use
Ipsos Book of Policies & Procedures
- Cannot be copied to any storage media (USB hard drives, memory sticks, etc.) or computers
(home PCs, etc.) that are not Ipsos owned.
- Strictly Confidential Information stored on any Ipsos owned laptop, PC (if requested by client
or deemed necessary), CDs, DVDs, portable hard drive, USB key and hard disk must have
whole disk encryption installed. This includes laptops with stored Strictly Confidential
Information as e-mail attachments. Media and computers installed with whole disk encryption
will use 256-bit AES.
- PII and Sensitive Personal Information may only be used for the purposes identified to the
individual when it was collected, and may not be used or disclosed for any other purpose,
unless required by law.
- PII or Sensitive Personal Information cannot be modified or altered for any unlawful purposes.
- All working papers and documents containing Strictly Confidential Information should be
cleared off desks and secured at the end of the day in a locked cabinet.
- All Ipsos staff must deposit unwanted/not needed papers containing Strictly Confidential
Information into the shredder or designated shredding bins.
5.2 Transmission of Internal (Non Public) and Strictly Confidential Information to another organization
- E-mail and FTP (File Transfer Protocol) are not allowed to be used for the purpose of
transmitting PII and Strictly Confidential Information outside of Ipsos. For the transmission of
PII or Strictly Confidential Information, please refer to the Master Service Agreement or NDA
for the client.
- SFTP (Secure File Transfer Protocol) and HTTPS (Secure HTTP) are permitted for
transferring Strictly Confidential Information. TLS 1 and higher are to be used and all versions
of SSL are to be disabled.
- Before transferring PII or projects that involve PII between Ipsos legal entities, ask the legal
department if a Data Processing agreement and/or NDA is required to be signed by the Ipsos
entities involved.
- Encryption of the file may be required depending on client requirements.
- Encryption of files requires a minimum strength of 128-bit AES. It is recommended and
preferred to use 256-bit AES. (Common tools for encrypting files are WinZip, SecureZip,
PGP and WinRAR.)
- An agreement must be in place to ensure the Confidentiality and security of the PII or Strictly
Confidential Information that is being transferred.
- Note that PII and Sensitive Personal Information (SPI) collected by Ipsos may only be shared
with a client in limited circumstances for valid research purposes. Please consult with your
local Privacy Officer and Legal department for guidance in a particular instance.
- It is extremely rare that extensive PII and SPI are provided by a client. Always verify the
sample the client is providing you is not in excess of what we require to complete the study. If
the sample supplied by a client is in excess of what is needed to complete the study, it is the
duty of the Ipsos staff involved to inform the client of this oversight and return the sample.
- In the rare event a client would like to send extensive PII and Sensitive Personal Information
(SPI) and there is a valid business case to do so, the Global Information Security Director
must be notified well in advance so as to implement special measures beyond the scope of
what is listed in this policy.
5.3 Transmission of Public Information
Public Information must be protected from: