Information Security Policy

New Left Review Ltd.

Version: 1.1

Effective date: 29 June 2023

Last review: 4 March 2026

Approved by: Rob Lucas, New Left Review Ltd.

1. Purpose

This Information Security Policy sets out how New Left Review Ltd. (“the Organisation”) protects the confidentiality, integrity, and availability of information it processes, in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

The policy supports the Organisation’s obligation under Article 5(1)(f) and Article 32 UK GDPR to implement appropriate technical and organisational measures to secure personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.

2. Scope

This policy applies to:

  • All employees, directors, contractors, and authorised collaborators of the Organisation.
  • All information systems, whether electronic or physical, used in the course of the Organisation’s activities.
  • All personal data and non-personal information processed by the Organisation.

3. Organisational context and data processing

New Left Review Ltd. is a scholarly publisher producing a journal in print and online.

In the course of its activities, the Organisation processes only limited personal data that is necessary for contractual performance under Article 6(1)(b) UK GDPR, namely to:

  • Administer subscriptions to the printed journal.
  • Provide authenticated access to the Organisation’s website.

The categories of personal data processed are limited to:

  • Name
  • Postal and billing addresses
  • Email address
  • Telephone number
  • Website account credentials (stored using secure, industry-standard methods)

The Organisation:

  • Does not process special category data as defined by Article 9 UK GDPR.
  • Does not engage in profiling or automated decision-making.
  • Does not sell, trade, or otherwise monetise personal data.
  • Does not share customer personal data with third parties, except where strictly necessary to provide its services.

Further details on lawful bases, retention, and data subject rights are set out in the Organisation’s Privacy Policy.

4. Information security principles

The Organisation’s information security controls are guided by the following UK GDPR principles:

  • Lawfulness, fairness, and transparency: Personal data is processed only for legitimate, clearly defined purposes.
  • Data minimisation: Only personal data that is adequate, relevant, and necessary is collected and retained.
  • Integrity and confidentiality (Article 5(1)(f)): Information is protected against unauthorised access, alteration, disclosure, or loss.
  • Accountability (Article 5(2)): The Organisation takes responsibility for implementing and maintaining appropriate security measures.
  • Proportionality: Controls are commensurate with the low-volume and low-risk nature of the personal data processed.

5. Access control and user management

Access to systems and personal data is restricted to authorised individuals with a legitimate business need.

User accounts are unique and must not be shared.

Authentication credentials are managed using secure password practices and appropriate technical safeguards.

Access rights are reviewed periodically and revoked promptly when no longer required.

6. Hosting and processors

The Organisation’s website and associated systems are hosted by Brightbox, acting as a data processor.

Brightbox is responsible for infrastructure-level and physical security within the hosting environment.

The Organisation retains responsibility for application-level security, access controls, and data governance.

Air Business mails copies of the journal to customers. To perform this function, the Organisation sends them name and address details. Air Business is responsible for the security of this mailing data.

Processor relationships are governed by appropriate contractual arrangements consistent with Article 28 UK GDPR.

No other processors or third parties receive customer personal data.

7. Data storage, protection, and retention

Personal data is stored in secure digital systems protected by access controls and technical safeguards appropriate to the risk.

Any physical records are kept to an absolute minimum and stored securely.

Regular backups are maintained to ensure data availability and resilience.

Personal data is retained only for as long as necessary for the purposes described in the Privacy Policy and then securely deleted.

8. Incident management and data breaches

All suspected or actual information security incidents must be reported promptly to management.

The Organisation will assess incidents without undue delay and take proportionate remedial action.

Where an incident constitutes a personal data breach under Article 4(12) UK GDPR, the Organisation will:

  • Assess the risk to individuals’ rights and freedoms.
  • Notify the Information Commissioner’s Office (ICO) within 72 hours where required under Article 33.
  • Notify affected individuals where required under Article 34.

9. Training and awareness

Individuals with access to personal data are expected to understand their responsibilities under data protection law.

Guidance and oversight are provided proportionately to the Organisation’s size and structure.

10. Compliance, review, and governance

This policy supports compliance with UK GDPR, the Data Protection Act 2018, and ICO guidance.

New Left Review has also been independently assessed and certified as compliant with the Cyber Essentials security standard.

The policy is reviewed periodically and updated as necessary to reflect changes in legal requirements, risk, or operational practices.

Overall responsibility for information security rests with the Organisation’s management.