1. Purpose

​

The purpose of this policy is to safeguard the information assets, digital infrastructure, and data entrusted to Primefocuz Study Abroad.
This policy ensures that all employees, contractors, and associates use information technology systems responsibly, securely, and in compliance with applicable laws, including:

 

The Information Technology Act, 2000 (India)

The Digital Personal Data Protection (DPDP) Act, 2023

Relevant GDPR provisions for handling international student data

 

The goal is to protect confidentiality, integrity, and availability of all information belonging to the company, its clients, students, and partners.

 

2. Scope and Applicability

This policy applies to:

All employees (full-time, part-time, contractual, and interns)

Consultants, vendors, or third parties who access company data or systems

 

All IT assets owned, leased, or managed by Primefocuz, including:

 

Laptops, desktops, tablets, mobile devices

Email, cloud storage, CRM, and ERP systems

Internet, Wi-Fi, and network infrastructure

Company-managed applications and portals

 

This policy covers data in any form — digital, printed, visual, or verbal.

 

3. Definitions

Information Assets: Any data, document, system, or device containing company or student information.

Confidential Data: Non-public data including student records, financial information, client databases, and business strategies.

Authorized User: An employee or contractor with granted access rights to company systems.

Data Breach: Unauthorized access, loss, or disclosure of sensitive data.

 

4. Objectives

Protect sensitive and personal data from unauthorized access or misuse.

Maintain system reliability and uptime.

Ensure secure access and storage of information.

Promote responsible use of company technology resources.

Comply with applicable laws and contractual obligations.

​

5. Acceptable Use Policy

All employees must use company IT systems solely for official purposes.

 

The following practices are mandatory:

 

Use only authorized software and accounts.

Access systems only with personal credentials (never share passwords).

Protect devices from theft, damage, or unauthorized use.

Regularly lock screens when away from the workstation.

Use company-approved email and communication tools for work.

Save official data only in company-approved storage drives or servers (not personal USBs or cloud).

​

Prohibited activities include:

​

Installing or downloading unlicensed software.

Accessing or sharing adult, offensive, or illegal content.

Using company email for personal, political, or unrelated commercial use.

Copying or transferring company data to personal drives.

Bypassing IT security controls or firewalls.

Sharing internal information with unauthorized individuals.

​

6. Password and Access Control Policy

​

To ensure system security:

Passwords must be at least 8 characters long, containing letters, numbers, and symbols.

Passwords must not be shared or written down in accessible areas.

Multi-factor authentication (MFA) must be used where available.

Access privileges will follow the principle of least privilege — employees receive only the access necessary for their roles.

IT will review and revoke access immediately upon employee exit or transfer.

Account credentials must be updated every 90 days.

​

7. Email, Internet, and Communication Security

Company email is to be used only for official communication.

All external emails should be worded professionally and comply with company confidentiality norms.

Employees must verify links and attachments before opening unknown emails (phishing awareness).

Internet access is monitored to prevent misuse.

​

Confidential files must never be shared over personal or public platforms (e.g., WhatsApp, Gmail, or public Google Drive).

Company social media and online accounts should only be accessed by authorized personnel.

​

8. Data Classification

All data handled by Primefocuz Study Abroad must be categorized as:

Public Data: Information available on the company’s website or marketing material.

Internal Data: Operational documents, internal communications, etc.

Confidential Data: Student applications, financial records, agreements, employee files.

Highly Sensitive Data: Access credentials, bank details, passwords, and student visa or immigration records.

Each level requires proportionate protection measures and limited access.

​

9. Data Storage and Backup

All official data must be stored on company-approved servers or secure cloud systems.

Regular data backups shall be performed weekly (or more frequently for critical systems).

External storage devices (USBs, external HDDs) must be encrypted and approved by IT.

Backups will be encrypted and stored securely to ensure data recovery in case of failure.

​

10. Data Transfer and Sharing

Data may only be shared with authorized individuals, departments, or partners with proper consent and purpose.

Sensitive data sent via email must be encrypted or password-protected.

​

Any third-party vendor handling company data must sign a Data Processing and Confidentiality Agreement.

Transferring data outside India or the UK must comply with data protection laws of both jurisdictions.

​

11. Device and Mobile Security

All laptops and desktops must have antivirus and firewall enabled.

Employees must not disable security updates or install unauthorized apps.

Mobile devices with company data must be password-protected and have remote wipe capability.

Lost or stolen devices must be reported to the IT team immediately.

​

12. Network and Wi-Fi Security

Company Wi-Fi is protected with strong encryption (WPA2/WPA3).

Guest access is provided separately and must not connect to internal systems.

Unauthorized networking devices (routers, hotspots) are prohibited.

IT reserves the right to monitor network activity for suspicious behaviour.

​

13. Data Retention and Disposal

Data shall be retained only as long as necessary for business or legal reasons.

Outdated data and records must be deleted or destroyed securely.

Printed confidential documents must be shredded before disposal.

Electronic data must be deleted permanently from all drives (including backups, where applicable).

​

14. Reporting Security Incidents

​

All employees must immediately report any of the following to the IT Department or Data Protection Officer (DPO):

 

Unauthorized system access

Lost or stolen devices

Phishing or suspicious emails

Data leaks or accidental sharing

Malware, virus, or ransomware alerts

The IT team will investigate, document, and take corrective action. Non-reporting of a known breach may lead to disciplinary action.

​

15. Remote Work and Data Protection

For employees working remotely or during travel:

​

Use only company-authorized VPNs and secure networks.

Avoid using public Wi-Fi without encryption.

Keep devices physically secure at all times.

Do not print or store confidential information in unprotected environments.

​

16. Third-Party and Vendor Access

Vendors or consultants who require access to company systems must:

Sign confidentiality and data handling agreements.

Use only authorized credentials provided by IT.

Have limited, time-bound access that will be revoked after project completion.

Comply with company data protection standards.

​

17. Disciplinary Action for Policy Violation

Any violation of this policy will be treated as misconduct and may result in:

Formal warning or written reprimand

Suspension of IT privileges

Termination of employment or contract

Legal action under the IT Act or other applicable laws

​

18. Training and Awareness

Primefocuz Study Abroad will:

Conduct regular IT security training for all employees.

Share monthly security bulletins to promote cyber safety.

Organize annual compliance refreshers for data handling practices.

​

19. Policy Review and Updates

The IT and HR Departments will review this policy annually or whenever significant technological or legal changes occur.
Any amendments will be communicated via company circular or email to all employees.

​

20. Employee Responsibility and Acknowledgement

Every employee is responsible for safeguarding company information.
Upon joining, all employees must read, understand, and sign the IT and Data Security Declaration Form, confirming their compliance with this policy.

 

Primefocuz Study Abroad values the trust placed by its students, partners, and employees.

Every team member plays a critical role in protecting this trust by maintaining the highest standards of cybersecurity, confidentiality, and data integrity