
IT Helpdesk Privacy and Security Policy

Effective Date: 28/1/2026
Last Updated: 28/1/2026
Policy Owner: Serif Systems Limited


1. Purpose


This IT Helpdesk Privacy and Security Policy (“Policy”) sets out how Serif Systems Limited (the “Organisation”) collects, accesses, processes, stores, transfers, and protects information obtained through its IT Helpdesk service.

The Policy is designed to ensure the confidentiality, integrity, and availability of that information and to comply with applicable UK data protection and privacy law, as it applies in England and Wales, while supporting users globally.

2. Scope


This Policy applies to:

  • All IT Helpdesk staff, contractors, temporary workers, and authorised third parties
  • All systems, networks, applications, and devices supported by the IT Helpdesk
  • All users worldwide who receive IT support services, including employees, contractors, clients, and partners

3. Legal and Regulatory Framework


This Policy is governed by and interpreted in accordance with the laws of England and Wales, including but not limited to:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR), where applicable

Where users are located outside the UK, applicable local data protection laws may also apply. In the event of conflict, the Organisation will take reasonable steps to comply with all applicable legal obligations.

4. Definitions


  • Personal Data: Any information relating to an identified or identifiable individual.
  • Special Category Data: Personal data that receives heightened protection under UK GDPR (Article 9), such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic, biometric, health, sex life, or sexual orientation data.
  • Sensitive Information: Authentication credentials, security keys, confidential business data, and system access information.
  • User: Any individual receiving IT Helpdesk support services.
  • Helpdesk Ticket: A documented request for IT support, which may contain both technical information and personal data.

5. Data Collection


The IT Helpdesk may collect and process information strictly necessary to provide support, including:

  • Name, username, employee or user ID
  • Business contact details (email, phone number)
  • Device and system identifiers (IP address, hostname, operating system)
  • System logs, error reports, and configuration details
  • Communications related to support requests

The Organisation applies the data minimisation principle: it collects only the personal data needed to resolve the request and does not intentionally collect excessive or irrelevant personal data.

6. Lawful Basis for Processing


The Organisation processes personal data through the IT Helpdesk on one or more of the following lawful bases under UK GDPR:

  • Performance of a contract or service obligation
  • Legitimate interests in maintaining secure and functional IT systems
  • Compliance with legal or regulatory obligations
  • Explicit consent, where required

7. Access Controls and Confidentiality


  • Access to information is restricted to authorised personnel on a least-privilege basis.
  • IT Helpdesk staff are subject to confidentiality obligations.
  • Passwords, credentials, and encryption keys must not be recorded in tickets or chat transcripts, stored in plain text, or disclosed to anyone other than the account holder.

8. Use of Information


Information collected by the IT Helpdesk is used only for:

  • Troubleshooting and resolving technical issues
  • Maintaining system security and stability
  • Preventing, detecting, and responding to security incidents
  • Audit, compliance, and service improvement purposes

Unauthorised use, disclosure, or retention of information is strictly prohibited.

9. Remote Access and Support


  • Remote access tools may be used solely for legitimate support purposes.
  • Users will be informed when remote access is initiated, where practicable.
  • Remote sessions must be logged (including the operator, the target device, and the start and end times) and terminated as soon as the support task is complete.
  • Covert monitoring or unauthorised surveillance is prohibited.

10. Information Security Measures


The Organisation applies the following controls to information handled by the IT Helpdesk:

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA), where appropriate, and in particular for privileged and remote-access accounts
  • Encryption of data in transit and at rest
  • Secure logging and monitoring
  • Regular vulnerability management and patching

11. International Data Transfers


Where support delivery requires personal data to be accessed from, or transferred to, a location outside the UK:

  • Transfers are made only in accordance with UK GDPR Chapter V, for example to a country covered by UK adequacy regulations or under the International Data Transfer Agreement (IDTA) or Addendum
  • Appropriate technical and organisational safeguards are implemented
  • Access is limited to what is necessary for support delivery

12. Data Retention and Disposal


  • Helpdesk records are retained only as long as necessary for the purposes in Section 8 and in line with the Organisation's retention schedule
  • Data is securely deleted or anonymised at the end of the retention period

13. Third-Party Service Providers


Where third-party providers process Helpdesk data on the Organisation's behalf:

  • Providers must meet privacy and security standards equivalent to this Policy
  • Written agreements include the data protection obligations required by UK GDPR Article 28
  • Providers are subject to due diligence and review

14. Incident Reporting and Breach Management


  • Actual or suspected security incidents and personal data breaches must be reported immediately
  • Incidents are managed in line with the Organisation's Incident Response Plan
  • Where required by UK GDPR, the ICO is notified within 72 hours of the Organisation becoming aware of a notifiable breach, and affected individuals are notified without undue delay where the breach is likely to result in a high risk to them

15. User Responsibilities


Users of the IT Helpdesk must:

  • Provide accurate information when raising a request
  • Safeguard credentials and devices
  • Report security incidents promptly

16. Compliance and Enforcement


Failure to comply may result in disciplinary action, termination, or legal action. Compliance may be verified through monitoring, audits, and reviews.

17. Policy Review


This Policy will be reviewed periodically and updated to reflect changes in law, technology, or organisational requirements.

18. Governing Law and Jurisdiction


This Policy is governed by the laws of England and Wales, and the courts of England and Wales shall have exclusive jurisdiction.