Information Transfer Policy¶
| Owner | Classification | Review Date | Status |
|---|---|---|---|
| CDO Office | Internal | April 2027 | Active |
Document Type: Policy | Owner: CISO | Classification: Confidential | Review Cycle: Annual
| Field | Detail |
|---|---|
| Document # | SP-IT-020 |
| Version | V1.3 |
| Issue Date | 04/09/2025 |
| Confidentiality Level | Class 2 (Private Data / Confidential) |
| Document Owner | Chief Technical Officer, Project Management Office, Head of Compliance |
| Authorised By | Yassir Pasha |
Document Creation¶
| Field | Detail |
|---|---|
| Document # | SP-IT-020 |
| Document Title | Information Transfer |
| Version | V1.2 |
| Confidentiality Level | Class 2 (Private Data / Confidential) |
| Date Created | 26/03/2021 |
| Issue Date | 04/09/2025 |
| Document Owner | Chief Technical Officer, Project Management Office, Head of Compliance |
| Author(s) | Simpaisa |
| Purpose | To ensure that Information transfer procedures are implemented |
| Authorised By | Yassir Pasha |
Reviewed By Steering Committee¶
| Name | Role |
|---|---|
| Yassir Pasha | Chief Executive Officer |
| Kamil Shaikh | Chief Operating Officer |
| Osama Hashmi | Chief Financial Officer |
| Bachir Njeim | Chief Strategy and Operations Officer |
| Saqlain Raza | Acting Chief Technology Officer |
| Rizwan Zafar | Chief Product Officer |
| Ahsan Hussain | Payment Channel Partnerships |
| Danish Abdul Hameed | Chief Information Security Officer |
| Shahroze Khan | Head of International Merchant Sales and Strategic Alliances |
| Noor Ali | Country Head Pakistan |
| Shoukat Bizinjo | Global Head of Regulatory Affairs & Regulatory |
Change Control¶
| Version | Date of Issue | Author(s) | Brief Description of Changes | Approved By |
|---|---|---|---|---|
| V1.0 | 08/04/2021 | Rizwan Zafar | Initial release | Salim Karim |
| V1.1 | 07/02/2022 | Rizwan Zafar | Annual review | Salim Karim |
| V1.2 | 02/02/2023 | Rizwan Zafar | Annual review | Salim Karim |
| V1.2 | 27/09/2024 | Syed Zubair Ahmed | Annual review | Yassir Pasha |
| V1.2 | 05/09/2025 | Simpaisa | Annual review | Yassir Pasha |
1 Introduction¶
This policy defines the preferred methods of transferring data. Whilst other methods are available, and customers or suppliers may dictate their preferred method, these are the ones that we deem to be the most appropriate for the types of information held.
This policy applies to the information as specified in the:
- Classification and Labelling of Information Policy.
This policy applies to all Simpaisa C-Suite, Directors, employees, contractors, consultants, temporary workers and other third parties who interact with Simpaisa information.
2 Policy¶
-
Prior to any data being transferred, there must be consideration of the requirement of the project and the data that is required.
-
Only data required for specific business purpose(s) is to be transferred. That is, any data not to be used for the specific project must be removed prior to transfer.
-
We will always use one of our preferred transfer methods unless specifically requested to use another method by a customer or supplier. Customer or supplier requirements for the transfer will generally be complied with unless there is deemed to be a significant risk to us from any requested insecure transfer.
-
Any transfer of personal data must be covered by a third-party connection agreement either as a separate document or as part of contractual documentation.
-
Best practice for file transfer is to ensure that the data to be transferred is compressed within a password encrypted file. This will limit unauthorised access to the file should someone gain access to it.
-
Prior to transferring any data internally and externally, check that the requesting person has an approved data request from the data owner.
2.1 Preferred Transfer Procedure Methods¶
2.1.1 E-mail¶
It is not recommended to supply data via e-mail. However, if there is no other possible transfer method then suitable encryption and/or password protection must be in place.
2.1.2 Web Services¶
Information transferred via this method must be carried out using HTTPS rather than HTTP. HTTPS ensures that information cannot be intercepted or modified during transmission. If using web services like WeTransfer, one should ensure that the attached file has suitable encryption and/or password protection.
2.1.3 Physical Media¶
If physical media is used the following rules apply:
-
Media must be supplied in suitable robust packaging using a delivery method that requires a signature on arrival. A tracking number must be supplied to allow the package to be traced during transit.
-
Data held on the media must be in a compressed, encrypted and/or password protected file.
-
Asset owners approve transfer methods, and senders maintain audit logs for each transport.
-
The recipient must be made aware of the following before sending via an alternative transfer method: the package is being sent, the estimated delivery date and time, the information it contains, the passwords required to access the data.
If the device is to be returned, the data must be securely removed from the device first.
2.1.4 Verbal Transfer¶
-
Avoid discussing confidential information in public places.
-
Use secure communication channels for sensitive conversations.
-
Do not leave voicemails or answering machine messages with confidential information.
-
Utilise secure messaging platforms or encrypted phone lines.
-
Conduct sensitive conversations in designated secure areas.
-
Clearly state information's classification level and handling requirements at the beginning.
Enforcement¶
Any employee found to have violated this policy may be subjected to disciplinary action in line with the HR Policy.