Critical Incident Response Plan (CIRP) Policy

1. Policy Statement

ITOtours is committed to ensuring the safety and well-being of our guests, staff, and operational integrity. Our Critical Incident Response Plan (CIRP) is designed to provide a structured and effective response to incidents that could impact our operations, reputation, or the communities we serve. This policy outlines our approach to preparing for, managing, and recovering from such incidents.

2. Scope

This policy applies to all employees, contractors, and partners involved in the operations of ITOtours, encompassing all services provided, including hotel allocations, transportation, and custom tour programs.

3. Objectives

  • To ensure a swift and effective response to any critical incident.
  • To minimize the impact of incidents on operations and stakeholders.
  • To safeguard the health and safety of guests and staff.
  • To maintain clear and effective communication with all stakeholders.
  • To facilitate a timely recovery and return to normal operations.

4. Identification of Critical Incidents

Critical incidents may include but are not limited to natural disasters, health crises, accidents, security threats, and significant operational failures. Each type of incident requires specific response strategies outlined in our detailed response procedures.

5. Roles and Responsibilities

  • CIRP Coordinator: Oversees the implementation of the CIRP, coordinates the response efforts, and serves as the primary point of contact.
  • Communication Officer: Manages all internal and external communications.
  • Safety Officer: Ensures the implementation of safety protocols and first aid measures.
  • Recovery Officer: Coordinates efforts to return to normal operations post-incident.

6. Communication Plan

The Communication Officer will manage communications, including notifying affected parties, coordinating with external agencies, and handling media inquiries.

7. Response Procedures

Detailed response procedures will be developed for identified critical incidents, including evacuation plans, emergency contact numbers, coordination with local emergency services, and specific action steps for staff.



8. Review and Improvement

The CIRP will be reviewed annually or following a significant incident to incorporate lessons learned and emerging best practices.

9. Policy Approval and Implementation

This policy is approved by the management of ITOtours and is effective immediately. All staff are required to familiarize themselves with the CIRP and participate in related training and drills.

Electronic Data Destruction Policy

1. Purpose and Scope

This policy establishes the guidelines for the secure destruction of electronic data to protect sensitive information from unauthorized access or exposure. It applies to all electronic media and devices owned by the company, including but not limited to computers, laptops, external hard drives, flash drives, and any electronic storage devices that contain or have ever contained company data.

2. Policy Statement

The company is committed to safeguarding personal and sensitive information from potential security threats by ensuring its proper disposal. This involves implementing and maintaining a robust electronic data destruction process that adheres to legal and regulatory requirements and industry best practices.

3. Responsibilities

  • IT Department: To oversee and implement the data destruction process, ensuring all electronic data is irrecoverably erased.
  • Employees: To comply with all procedures related to data handling and destruction and to ensure no unauthorized destruction of data occurs.
  • Data Protection Officer: To ensure the policy complies with legal and regulatory requirements and to conduct regular audits of the data destruction process.

4. Methods of Destruction

The following methods are approved for the destruction of electronic data:

  • Electronic Shredding: Software-based methods to overwrite the data on storage devices multiple times, ensuring the data cannot be recovered.
  • Degaussing: Using a high-powered magnet to destroy the data on magnetic storage devices.
  • Physical Destruction: Physically destroying the storage device, making it impossible to retrieve any data.

5. Procedure

  • Identification: Clearly identify all devices and media that require data destruction.
  • Authorization: Obtain authorization from the Data Protection Officer or a designated authority before proceeding with data destruction.
  • Execution: Carry out the destruction using one of the approved methods, ensuring the process is performed securely and effectively.
  • Documentation: Maintain a log of all data destruction activities, including details of the device/media destroyed, method of destruction, date, and personnel involved.
  • Verification: Conduct random audits to ensure the effectiveness of the destruction methods and compliance with the policy.

6. Training and Awareness

All employees will receive training on this policy and its importance for data security. Regular updates and refresher courses will be provided to ensure ongoing compliance and awareness.

7. Policy Review and Update

This policy will be reviewed annually or more frequently if necessary to reflect changes in legal, regulatory, or business requirements. Any amendments will be communicated to all employees.

8. Compliance

Failure to comply with this policy may result in disciplinary action, up to and including termination of employment, legal action, and financial penalties.

Vendor/Third Party Risk Management Policy

1. Purpose and Scope

This policy aims to establish a standardized framework for managing and mitigating risks associated with third-party vendors and service providers. It applies to all departments and employees involved in the selection, engagement, and management of third-party entities across the organization.

2. Policy Statement

The organization is committed to ensuring that all third-party engagements are conducted in a manner that minimizes risk to our operations, reputation, and compliance obligations. We will systematically assess, monitor, and manage third-party risks through the lifecycle of the vendor relationship.

3. Definitions

  • Third-Party Vendor: Any external organization or individual that provides goods or services to the company.
  • Risk Management: The process of identifying, assessing, and controlling threats to an organization's capital and earnings.

4. Roles and Responsibilities

  • Senior Management: Ensure the policy is aligned with the organization's strategic goals.
  • Procurement Department: Lead the vendor selection process, ensuring all checks and balances are in place.
  • Risk Management Team: Conduct risk assessments, monitor vendor performance, and manage risk mitigation strategies.
  • Legal and Compliance: Ensure vendor agreements comply with applicable laws and regulations.
  • IT Department: Assess and manage technology-related risks from third-party vendors.

5. Vendor Selection Process

  • Pre-Assessment: Initial screening of vendors to ensure they meet the organization's minimum requirements.
  • Risk Assessment: Detailed evaluation of potential risks associated with a vendor, including financial stability, cybersecurity measures, and compliance practices.
  • Selection Criteria: Vendors must meet criteria related to reputation, reliability, cost-effectiveness, and alignment with organizational values.

6. Vendor Risk Assessment and Monitoring

  • Continuous Monitoring: Regular reviews of vendor performance, risk exposure, and compliance with contractual obligations.
  • Risk Mitigation Strategies: Development and implementation of action plans to address identified risks.
  • Reporting and Documentation: Maintaining comprehensive records of risk assessments, monitoring activities, and mitigation measures.

7. Compliance and Legal Considerations

Ensuring all vendor agreements include provisions for compliance with relevant laws, regulations, and standards. This includes data protection, cybersecurity, and industry-specific requirements.

8. Training and Awareness

Providing training for employees involved in the vendor management process to ensure they understand the risks and procedures associated with third-party engagements.

9. Policy Review and Update

Regularly reviewing and updating the policy to reflect changes in the regulatory landscape, industry practices, and organizational priorities.

10. Enforcement

Failure to comply with this policy may result in disciplinary action, up to and including termination of employment for individuals, and termination of contracts for vendors.


Data Protection Policy for ITO Tours UK


ITO Tours UK is committed to protecting the privacy and security of personal data. This Data Protection Policy outlines our practices and procedures for handling personal information in compliance with the UK's Data Protection Act 2018 and the General Data Protection Regulation (GDPR). Our aim is to process personal data respectfully, lawfully, and transparently.


This policy applies to all employees, contractors, and partners of ITO Tours UK who have access to personal data collected by the organization.


ITO Tours UK adheres to the following data protection principles:

  • Lawfulness, fairness, and transparency: Personal data shall be processed lawfully, fairly, and in a transparent manner.
  • Purpose limitation: Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Data minimization: Only data that is necessary for the purposes for which it is processed is collected.
  • Accuracy: Every reasonable step must be taken to ensure that personal data that is inaccurate is erased or rectified without delay.
  • Storage limitation: Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary.
  • Integrity and confidentiality: Personal data shall be processed in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

Data Subject Rights

Individuals have the following rights regarding their personal data:

  • The right to be informed
  • The right of access
  • The right to rectification
  • The right to erasure
  • The right to restrict processing
  • The right to data portability
  • The right to object
  • Rights in relation to automated decision making and profiling


Data Protection Measures

ITO Tours UK implements appropriate technical and organizational measures to ensure and demonstrate that data processing is performed in accordance with this policy. Measures include:

  • Data protection impact assessments
  • Integrating data protection into internal documents
  • Regularly training staff on data protection
  • Regularly testing the effectiveness of security practices

Data Breach Procedure

In the event of a data breach, ITO Tours UK will promptly evaluate the risk to individuals' rights and freedoms and report this breach to the appropriate supervisory authority within 72 hours, where feasible.

Policy Review and Update

This policy will be regularly reviewed and updated as necessary to ensure ongoing compliance with data protection laws and regulations.

Contact Information

For any inquiries regarding this policy or data protection practices, please contact our Data Protection Officer (DPO)

Data Subject Access Request (DSAR) Policy

1. Purpose This policy outlines the process by which [ITOtours] ("we," "us," "our") handles Data Subject Access Requests (DSARs) from individuals ("data subjects") seeking access to their personal data processed by us, in accordance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Scope This policy applies to all personal data processed by [ITOtours], regardless of the format in which it is held. All employees and contractors of [Organization Name] are required to adhere to this policy when handling DSARs.

3. Identifying a DSAR A DSAR may be received by any part of our organization and can be made verbally or in writing. A request does not have to be officially labeled as a DSAR to warrant a response under this policy.

4. Submitting a DSAR Data subjects may submit a DSAR to [Designated Contact Information, e.g., email, postal address]. Requests should include sufficient information to identify the requester (e.g., full name, contact details) and any specific data or processing activities to which the request relates.

5. Verification of Identity Upon receiving a DSAR, we will take reasonable steps to verify the identity of the requester to ensure that personal data is not disclosed to unauthorized individuals. This may involve requesting additional information or documentation.

6. Processing a DSAR

  • Timeline: We aim to respond to DSARs within one month of receipt. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.
  • Fees: Access requests are generally provided free of charge. However, we may charge a reasonable fee for additional copies or if the request is manifestly unfounded or excessive.

7. Responding to a DSAR Our response will include the following information:

  • Confirmation of whether or not personal data concerning the data subject is being processed.
  • A copy of the personal data being processed, along with details of the processing purposes, categories of personal data, and recipients of the data.
  • Information on the data subject's rights, including the rights to rectification, erasure, restriction of processing, and to object to processing.

8. Exemptions and Limitations Certain exemptions and limitations to a DSAR may apply under specific circumstances or legal requirements. If any such exemptions apply, the data subject will be informed accordingly.

9. Training and Awareness All staff handling personal data will receive training on this policy and how to handle DSARs effectively and in compliance with our data protection obligations.

10. Policy Review and Updates This policy will be reviewed regularly and updated as necessary to ensure ongoing compliance with data protection laws and regulations.





Subscribe to our newsletter

This website uses cookies.

We use cookies to personalize content and ads, provide social media features, and analyze our traffic. 

Continuing on our website, we will assume that you comply. Please read our privacy policy for more information. You can return to the privacy policy at the bottom of the website at any time.