Physical Security Policy

ETHISYS LTD 

Last Updated: 9 April 2026  ·  England & Wales  ·  UK GDPR / PECR Compliant 

Contact: privacy@ethisys.co.uk  ·  Company No. 11371203  ·  Registered in England and Wales 

This policy applies to all Ethisys Ltd employees, contractors, consultants, and visitors at all Ethisys premises. For queries, contact privacy@ethisys.co.uk. 

  1. Purpose and Scope

This Physical Security Policy establishes the controls Ethisys Ltd uses to protect its people, premises, assets, and information from physical threats including unauthorised access, theft, damage, and environmental hazards. 

This policy applies to all Ethisys Ltd premises, including: 

  • UK Office: 1 Queen Square, Bath, BA1 2HA, United Kingdom 
  • Spain Office: Edificio ULab, Plaza San Cristobal 14, Alicante 03002, España 
  • Client sites, co-working spaces, or temporary premises used by Ethisys Ltd staff 

  2. Policy Statement

Ethisys Ltd is committed to maintaining physical security controls that are proportionate to the risks faced by the business and its clients. Physical security is an essential component of our broader information security programme and supports compliance with UK GDPR, the Data Protection Act 2018, and our obligations under client contracts. 


  3. Site Access Control

  • Access to Ethisys premises is restricted to authorised staff, approved contractors, and escorted visitors. 
  • Where access control systems are in use (key fob, swipe card, PIN), individual credentials must not be shared. 
  • Lost or stolen access credentials must be reported to the Office Manager immediately and deactivated within 2 hours. 
  • Access rights are removed promptly upon an individual’s departure from the company or project. 
  • Tailgating (following someone through a secured door without personal credentials) is prohibited. 
  • Working outside normal business hours must be notified to the Office Manager in advance where required. 

  4. Visitor Management

  • All visitors must be pre-authorised and announced to a named host before arrival where possible. 
  • Visitors must sign in upon arrival, providing name, company, and purpose of visit. 
  • Visitors must wear a visitor badge or be clearly identifiable at all times while on premises. 
  • Visitors must be escorted by an Ethisys staff member at all times. 
  • Visitor logs must be retained for a minimum of 3 months. 
  • Unrecognised individuals found in restricted areas must be politely challenged and the incident reported. 

  5. CCTV and Surveillance

  • Where CCTV is operated, its use will comply with the ICO’s CCTV Code of Practice. 
  • CCTV signage must be prominently displayed at all monitored locations. 
  • CCTV footage will be retained for a maximum of 31 days unless required for an investigation. 
  • Access to CCTV recordings is restricted to authorised personnel only. 

  6. Clean Desk and Clear Screen Policy

6.1 Clean Desk 

  • Sensitive documents, printed materials, and removable media must be secured when not in use. 
  • Physical documents containing personal data must not be left unattended on desks. 
  • Whiteboards containing sensitive information must be erased at the end of each meeting or working day. 
  • Physical records containing credentials or sensitive data must be disposed of securely. 

6.2 Clear Screen 

  • Computers must be locked when leaving a workstation unattended, even briefly. 
  • Screen privacy filters are recommended for staff working in public or shared spaces. 
  • Automatic screen lock must activate after no more than 5 minutes of inactivity. 

  7. Equipment and Device Security

  • All company-owned devices must be physically secured when not in use (e.g., cable locks in shared spaces). 
  • Portable devices must not be left unattended in vehicles or public places. 
  • Company equipment must not be used by non-Ethisys individuals without prior authorisation. 
  • All portable devices containing company or client data must have full-disk encryption enabled. 
  • Devices must be recorded in the company asset register upon deployment and return. 

  8. Secure Disposal of Assets

  • Hard drives, mobile devices, and storage media must be securely wiped or physically destroyed before disposal. A GDPR-compliant third-party service must be used for high-sensitivity assets. 
  • Physical documents containing personal data must be cross-cut shredded or placed in a confidential waste bin. 
  • A certificate of destruction must be obtained and retained for all Restricted-class assets. 
  • No company device may be donated, sold, or discarded without written approval and confirmation of data removal. 

  9. Server Room and Network Infrastructure

  • Where Ethisys premises host networking equipment or servers, access is restricted to named technical personnel only. 
  • Server room and network cabinet access must be logged (entry/exit time and individual name). 
  • No unauthorised equipment may be connected to network infrastructure. 
  • Environmental controls (temperature, humidity, fire suppression) must be maintained and checked periodically. 
  • Remote-hands access by third parties must be pre-authorised in writing and supervised. 

  10. Remote Working and Home Office Security

  • Staff working remotely must ensure their workspace is physically secure and that sensitive information is not visible to others during calls. 
  • Confidential calls must not be taken without headphones in public places where conversations can be overheard. 
  • Printed documents containing personal or client data must be cross-cut shredded or returned to the office. 
  • Staff travelling internationally should consult the Technical Lead if visiting high-risk jurisdictions. 
  • Lost or stolen devices must be reported immediately to enable remote wipe where available. 

  11. Physical Security Incidents

All physical security incidents must be reported promptly. Examples include: 

  • Theft or loss of company equipment or documents 
  • Unauthorised access to premises or restricted areas 
  • Discovery of unknown devices connected to the network 
  • Physical damage to premises, equipment, or security systems 
  • Any situation that could constitute or contribute to a personal data breach 

Report all incidents to the Office Manager and Technical Lead. Where a personal data breach is involved, the Data Protection contact must be notified so ICO reporting obligations under UK GDPR can be assessed. 

  12. Compliance and Enforcement

Failure to comply with this policy may result in disciplinary action up to and including termination of employment or contract. Serious breaches may be reported to law enforcement. Contractors in breach may have their access removed and contracts terminated. 

  13. Roles and Responsibilities

  Role                      Responsibility
  ------------------------  --------------------------------------------------------------------------------
  Office Manager            Day-to-day physical security oversight; visitor logs; credential management; incident coordination
  Technical Lead / CTO      Policy ownership; server room access approval; device loss escalation
  All Employees             Adherence to this policy; reporting incidents; challenging unrecognised visitors
  Contractors               Compliance with applicable sections; escorted by a named Ethisys host at all times
  Data Protection Contact   ICO notification obligations; privacy@ethisys.co.uk

  14. Policy Review

This policy is reviewed annually or following a physical security incident, significant change to Ethisys premises, or relevant legal/regulatory change. The current version is effective from 9 April 2026. 

Questions: privacy@ethisys.co.uk