Somerset County Council - Data Protection Policy - Final


Organisation: Somerset County Council
Title: Data Protection Policy - Final
Author: Peter Grogan
Owner: Information Governance Manager
Protective Marking: Unclassified

POLICY ON A PAGE

Somerset County Council will ensure all users of personal information are aware of the statutes and guidance that apply to the protection of that information.

This policy provides information on the types of controls that are within scope, the rules and guidance that must be followed, the standards to be maintained, the risk to users, clients and the Council and the potential consequences of misuse.

This document will be distributed to: All Elected Members, Somerset County Council Staff, 3rd Party Contractors, Secondees and Volunteers

Key Messages

- Data Protection is a legal responsibility for all Council Members, Officers, Contractors and Volunteers
- Data Protection applies to all the personal and sensitive data held by, and on behalf of, the Council
- All users must read and understand the policy framework around Data Protection
- There are significant risks in managing personal data both to clients and to the reputation of the Council
- The Council is obliged to fulfil the Data Protection Act in regard to Notification, Fair Processing Notices and Privacy Impact Assessments
- Clients, staff and members of the public have a statutory right to know all the information we hold about them in the Council
- Data Protection covers a broad range of subject matter including data collection, data processing, data sharing, email, fax, phones, SMS messaging and records management
- You must report any suspected data breach of personal or sensitive data

This policy on a page is a summary of the detailed policy document; please ensure you read, understand and comply with the full policy.

Version Final v1.1

Revision History

Revision Date | Editor | Previous Version | Description of Revision
| Peter Grogan | | Initial Draft
| Peter Grogan | v.01 | Comments from R.Allen & D.Littlewood
| Peter Grogan | v.02 | Additions P.Grogan
| Peter Grogan | v.03 | Additions P.Grogan
| Peter Grogan | v.04 | Reformatting
| Peter Grogan | v.05 | Reformatting
| Peter Grogan | v.06 | HR Update & Union Approver
| Peter Grogan | v.07 | Logo & Unison
| Peter Grogan | v.08 | Approval by IM Board
| Peter Grogan | v.09 | HR amendments (Appx 1)

Document Approvals

This document requires the following approvals:

Approval | Name | Date
Information Governance Manager | Peter Grogan |
Information Governance Board | Donna Fitzgerald |
Unions / JNF | Carrie-Anne Hiscock |
SCC HR | Richard Crouch |
Elected Members | David Huxtable |

Document Distribution

This document will be distributed to: All Elected Members, Somerset County Council Staff, 3rd Party Contractors, Secondees and Volunteers

FULL POLICY DOCUMENT

1 Policy Statement

Somerset County Council will ensure every user is aware of, and understands, their responsibilities with regard to the security of data held by, and on behalf of, the Council in respect of:

- their responsibilities with regard to the security and protection of personal data
- the benefits of data sharing
- the necessity for records management
- the technical and administrative controls operating in the Council
- the statutory framework

2 Purpose

Somerset County Council collects, holds and uses data about people and organisations with whom it deals in order to conduct its business. The Council has a statutory duty under the Data Protection Act and related legislation to safeguard this information. This data covers, but is not restricted to, the following:

- Current, past and prospective employees
- Suppliers
- Customers
- School pupils and students
- Others with whom the Council communicates

In addition, the law may occasionally require us to collect and use certain types of personal information to comply with the requirements of government departments, such as the Police, the NHS and other 3rd parties.

This policy outlines every user's responsibilities in respect of Data Protection and allows users to focus on detailed areas by linking them to specific policy documents.

3 Scope

Any information must be dealt with properly however it is collected, recorded and used, whether on paper, in a computer, or recorded on other media.

This document describes the policies for correctly handling personal and sensitive data in order to comply with the Data Protection Act and related legislation.

This policy relates to all data held by Somerset County Council in any form and includes UNCLASSIFIED, PROTECT or RESTRICTED information, as defined by HMG, held or processed by the Council.

This policy is intended for all Somerset County Council Councillors, Committees, Departments, Partners, Employees and Volunteers of the Council, contractual third parties and agents of the Council who have responsibilities for processing data.

4 Definition

This document defines the policy, practice and procedure to ensure the security of personal and sensitive information held by Somerset County Council.

Somerset County Council fully endorses and adheres to the 8 Principles of Data Protection as set out in the Data Protection Act 1998, and other relevant information security legislation and the controls recommended in Government Connect and ISO27000x and the GCSx Code of Connection.

Therefore, the Council will ensure that all Councillors, Committees, Departments, Partners, Employees, contractual third parties and agents of the Council who have access to any information held by or on behalf of the Council are fully aware of, and abide by, their duties and responsibilities under this legislation and guidance.

Guidance on the Data Protection Act

5 Risks

Somerset County Council recognises that there are risks associated with users accessing and handling information in order to conduct official Council business. This policy aims to mitigate the following risks:

- the loss or theft of personal & sensitive data
- lack of effective and safe data sharing
- inadequate records management
- inadequate processing of Data Subject Access Requests (DSARs)
- security breaches of the Data Protection Act
- inadequate destruction of data
- not annually notifying the ICO of SCC intention to process personal data
- not correctly making available privacy notices
- not carrying out privacy impact assessments

Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in reputational damage, financial loss, ICO fines and an inability to provide necessary services to our customers.

6 Applying the Policy

6.1 Notification

The process for Notification to the ICO under the Data Protection Act is carried out every year. The Somerset County Council Notification ref Z can be searched for at this link: SCC Notification

6.2 Privacy Notice

The Somerset County Council privacy notice is published on the internet on this link: Privacy Notice

If you regularly collect information in forms, questionnaires or surveys, ensure your documentation includes the Privacy Notice with provision for ensuring informed consent.

If you regularly collect information over the phone, ensure the script you read to the customer includes the Privacy Notice.

6.3 Privacy Impact assessments

The Council promotes the use of Privacy Impact Assessments in all projects where personal and sensitive data is used. The Council guidance is published on the intranet on this link: SCC Privacy Impact assessments

6.4 Information Control

The methods by which data is managed and controlled within the organisation need to ensure that data is effectively shared and protected whilst at rest and in transit. These issues are comprehensively addressed in the Information Control and Compliance Policy.

6.5 Personal Data Access Requests

The public can request to see all the data that the Council holds about them or someone they have a legal responsibility for. The Council guidance on this can be found on this link: Data Subject Access Request Guidance

6.6 Computers Acceptable Use Policy (AUP)

The Council has to protect personal data across a wide range of technologies and in a variety of environments. The Acceptable Use Policy describes in detail how each aspect of this is managed and your responsibilities for keeping personal and sensitive data secure. It includes specific policy on the following: Physical Security; Incident Management; Access Control; Home Working; Remote Working; Protective Marking; Device Connection; Web Browsing; Removable Media; Social Media; Surveillance and Monitoring; Password Security; Software; IT Procurement; and Smart Office / Clear desk.

6.7 Post

Personal and sensitive data can be sent through the normal postal system; the Royal Mail is a bonded courier and is trusted by the Police, the NHS and the Courts to deliver sensitive documents and correspondence.

The Council must consider the risks of sending out all documents and consider if any additional safeguards are required to protect the information being sent. Documents can be classified according to their sensitivity, the volume of data they contain, the destination or recipient of the data. All these factors will influence a decision on the postal service used, as will the cost of delivery.

RESTRICTED material must always be either hand delivered or sent by SPECIAL DELIVERY, double wrapped. The inner wrapper must be marked RESTRICTED with a return address.

Most information sent out by the Council to individual clients will be classified as PROTECT and can be sent by first or second class post. If there is a significant amount of sensitive material, consult your service guidelines as to whether to double wrap a package or consider SPECIAL DELIVERY.

Each of the Council Services sends out a range of documents and each service has compiled guidelines which will mitigate the risk of items being:

- Sent to the wrong address or a previous address
- Opened by the wrong person
- Ripped open in transit

Service Guidelines

Each service has considered the information to be posted and has applied a risk assessment to the data; their guidelines can be found here: Adult Social Care Children & Young People Environment Resources

6.8 Fax machines

Fax should not be used to transmit personal and sensitive information except as a method of last resort or in an emergency. Fax machines carry greater risk than email with regard to accidental disclosure:

- outside the Council, due to incorrect dialling
- inside the Council, if information is picked up or read by the wrong person

Fax machines catering for personal and sensitive data should not be located in the common way areas or on corridors.

If a fax machine has to be used, the risk of disclosure can be mitigated by:

- ensuring that a trusted recipient is waiting at the other end of the fax line
- sending a preliminary test page to check that the fax number is correct
- on each page, using the page X of Y function to check that the entire document is sent
- checking that any fax auto-dial is correct for the recipient

6.9 Mobile phones and SMS messaging

Personal mobile phones should not be used for Council business. No personal or sensitive information required for Council business should be stored on personal mobiles; this includes texts, emails, photographs and video.

In case your Council phone is lost or stolen, ensure you:

- have a timeout on the screen to lock it out after 5 minutes
- have a password to lock the phone, preferably 8 digits mixed alpha-numeric if possible
- encrypt the data on your phone
- only store essential data on the phone
- only keep data on the phone for a short period

Only Not Protectively Marked (NPM) information can be sent by text. Most mobile phones cannot be encrypted and the data may be stored on servers whose security status is unknown to the Council. On no account should PROTECT or RESTRICTED material be sent by text.

If you use a Council phone on a regular basis and you use it for contacting clients, consider applying to your service for a Blackberry. These devices offer encryption, over the air delivery of email, voice recording and password security.

6.10 Phone calls

When making phone calls of a personal and sensitive nature:

- in the office, ensure you cannot be overheard by anyone not directly concerned with the client on the phone
- outside the office, ensure you cannot be overheard by anyone; where this is not possible, use only first names and try to avoid discussing personal and sensitive issues

6.11 Email

Please refer to the detailed Email Policy for the policy on:

- email as records
- do's and don'ts
- OWA / Personal accounts
- the use of personal accounts
- protective marking RESTRICTED / PROTECT / UNCLASSIFIED
- junk mail - spam
- security
- Sending secure email
- confidentiality
- malware - computer viruses

6.12 Universal Data Sharing Protocol

The Council recognises the need to share personal and sensitive data with other partner organisations in order to safeguard the vulnerable and provide effective and efficient services. The Council has an overarching Universal Data Sharing Protocol to assist in the design of individual agreements with partner agencies. If the agreement is initiated by the other party, please ensure that it contains all the elements contained within this document.

Universal Data Sharing Protocol

6.13 Data Sharing Agreements

If you intend to set up a service or change a service that will necessitate the sharing of personal or sensitive data with another data controller or data processor, such as a partner organisation, you must have a Data Sharing Agreement in place similar to the one below.

Sample Data Sharing Agreement

6.14 Data Processing Agreement

If you intend to set up a service or change a service that will necessitate the processing of personal or sensitive data by another organisation, such as an IT contractor, you must have a Data Processing Agreement in place similar to the one below.

Sample Data Processing Agreement

6.15 Third Party Memorandums of Understanding (MoUs)

If you intend to set up a service or change a service that will necessitate a 3rd party or contractor accessing a database or software application on the SCC network, you must have an MoU in place similar to the one below.

Sample Memorandum of Understanding

6.16 Data Transfers

If you intend to transfer personal or sensitive data to a 3rd party or contractor, you must have the data transfer approved by the IG Manager. Before approving the transfer the IG Manager will consider:

- the sensitivity of the data
- the volume of data to be transmitted
- the security offered by the 3rd party
- the country to which the data is to be sent

6.17 Records Management

The Council's Records Management Policy concerns the lifecycle of the information from creation to destruction. Records should be created, stored, processed, accessed and destroyed in adherence to the Principles of the Data Protection Act and the Code of Practice that regulates the processing of the information. The policy is applicable to all records held by members and officers in computers and offices across the Council, and not only those held in the records stores and archives.

6.18 Data Retention

Data should only be retained as long as it is needed, to comply with the 5th Principle of the Data Protection Act. The Council has a Retention Schedule that takes into account:

- statutory and legal obligations
- universal best practice
- local service guidance

6.19 Data Destruction

Personal data must be destroyed when it is no longer necessary for the purpose for which it was collected. The Council has a Data Destruction Policy to advise on how data should be disposed of when it is no longer required. The Council needs to be aware that it must destroy or erase outdated records on magnetic media, computers, disks, tapes etc, and paper in files, reports and notebooks.

6.20 Data Breaches

If you are aware that you, or someone else, have disclosed personal or sensitive data to someone who did not have permission / authority to receive that information, you must report it immediately to your line manager, who will pass the information to the IG Team.

You must also do the following:

- If any personal information has been sent to the wrong individual, in paper form, attempts must be made to recover the information, ideally in person.
- If any personal information has been sent to the wrong individual, in electronic form, attempts must be made to ensure the recipient has deleted the information from their computer / email.

The process that governs how that data breach is dealt with is covered in detail in the Incident Management Policy.

Appendix 1 Governance Arrangements

Policy Compliance

If any employee is found to have breached this policy, they may be subject to Somerset County Council's disciplinary procedure. Where it is considered that a criminal offence has potentially been committed, the Council will consider the need to refer the matter to the police.

If you do not understand the implications of this policy or how it may apply to you, seek advice from the Information Governance Team.

Policy Governance

The following table identifies who within Somerset County Council is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply:

- Responsible: the person(s) responsible for developing and implementing the policy.
- Accountable: the person who has ultimate accountability and authority for the policy.
- Consulted: the person(s) or groups to be consulted prior to final policy implementation.
- Informed: the person(s) or groups to be informed after policy implementation.

Responsible | Information Governance Manager
Accountable | SIRO Head of Client Services
Consulted | Senior Management Team, HR, Unions
Informed | All Members, employees, contractors, volunteers and 3rd parties

Review and Revision

This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months. Policy review will be undertaken by the Information Governance Manager.

References

The following Somerset County Council policy documents are directly relevant to this policy, and are referenced within this document:

- Corporate Information Security Policy
- Data Protection Policy
- Information Transparency Policy
- Acceptable Use Policy
- Legal Responsibility Policy


More information

Scottish Rowing Data Protection Policy

Scottish Rowing Data Protection Policy Revision Approved by the Board August 2010 1. Introduction As individuals, we want to know that personal information about ourselves is handled properly, and we and others have specific rights in this

More information

Data Protection Policy

Data Protection Policy Data Protection Policy BMBC Data Protection Policy V1 Page 1 of 7 Table of Contents 1 INTRODUCTION... 3 2 POLICY STATEMENT... 3 3. SCOPE... 3 4 DATA PROTECTION PRINCIPLES... 4 5 PREREQUISITE CONDITIONS

More information

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff

DATA PROTECTION IT S EVERYONE S RESPONSIBILITY. An Introductory Guide for Health Service Staff DATA PROTECTION IT S EVERYONE S RESPONSIBILITY An Introductory Guide for Health Service Staff 1 Message from Director General Dear Colleagues The safeguarding of and access to personal information has

More information

IT ACCESS CONTROL POLICY

IT ACCESS CONTROL POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY DATA PROTECTION POLICY DATA PROTECTION POLICY Document Control Information Title Data Protection Policy Version V1.0 Author Diana Watt Date Approved 21 February 2013 Review Date Annually, on the anniversary

More information

Schedule 13 Security Incident and Data Breach Policy. January 2015 v2.1

Schedule 13 Security Incident and Data Breach Policy. January 2015 v2.1 Schedule 13 Security Incident and Data Breach Policy January 2015 v2.1 Document History Purpose Document Purpose Document developed by Document Location To provide a corporate policy for the management

More information

DATA PROTECTION POLICY

DATA PROTECTION POLICY Reference number Approved by Information Management and Technology Board Date approved 14 th May 2012 Version 1.1 Last revised N/A Review date May 2015 Category Information Assurance Owner Data Protection

More information

Data Protection Breach Management Policy

Data Protection Breach Management Policy Data Protection Breach Management Policy Please check the HSE intranet for the most up to date version of this policy http://hsenet.hse.ie/hse_central/commercial_and_support_services/ict/policies_and_procedures/policies/

More information

Data Protection Policy June 2014

Data Protection Policy June 2014 Data Protection Policy June 2014 Approving authority: Consultation via: Court Audit and Risk Committee, University Executive, Secretary's Board, Information Governance and Security Group Approval date:

More information

Data Protection Policy

Data Protection Policy London Borough of Enfield Data Protection Policy Author Mohi Nowaz Classification UNCLASSIFIED Date of First Issue 10/08/2012 Owner IGB Issue Status DRAFT Date of Latest Re-Issue 12/09/2012 Version 0.6

More information

Information Security Policy

Information Security Policy You can learn more about the programme by downloading the information in the related documents at the bottom of this page. Information Security Document Information Security Policy 1 Version History Version

More information

RHONDDA CYNON TAF COUNTY BOROUGH COUNCIL INFORMATION SECURITY INCIDENT MANAGEMENT POLICY Version 2.0.1

RHONDDA CYNON TAF COUNTY BOROUGH COUNCIL INFORMATION SECURITY INCIDENT MANAGEMENT POLICY Version 2.0.1 RHONDDA CYNON TAF COUNTY BOROUGH COUNCIL INFORMATION SECURITY INCIDENT MANAGEMENT POLICY Version 2.0.1 Revised and effective from 1st April 2012 Document Control Organisation Title Author Filename Owner

More information

Information Incident Management Policy

Information Incident Management Policy Information Incident Management Policy Change History Version Date Description 0.1 04/01/2013 Draft 0.2 26/02/2013 Replaced procedure details with broad principles 0.3 27/03/2013 Revised following audit

More information

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom

Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Procedures on Data Security Breach Management Version Control Date Version Reason Owner Author 16/09/2009 Draft 1 Outline Draft Jackie Groom Indirani 02/11/2009 Draft 2 Include JG s comments Jackie Groom

More information

Human Resources Policy documents. Data Protection Policy

Human Resources Policy documents. Data Protection Policy Policy documents Aims of the Policy apetito is committed to meeting its obligations under data protection law. As a business, apetito handles a range of Personal Data relating to its customers, staff and

More information

REMOTE WORKING POLICY

REMOTE WORKING POLICY Reference number Approved by Information Management and Technology Board Date approved 30 April 2013 Version 1.0 Last revised Review date March 2014 Category Owner Target audience Information Assurance

More information

Data Protection Policy

Data Protection Policy Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review

More information

Corporate Information Security Policy

Corporate Information Security Policy Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives

More information

Data Protection Procedure

Data Protection Procedure Data Protection Procedure [QP2.28] Procedure Number: QP2.28 Revision Number: 3 Date of issue: January 2006 Status: Approved Date of approval: May 2006 Responsibility for procedure: Director of Information

More information

INTRODUCTION. For technical guidance on SIM access, your local C2k support manager.

INTRODUCTION. For technical guidance on SIM access, your local C2k support manager. INTRODUCTION Data Protection and Information Security Guidance Schools collect and process personal information to deliver educational services. The school is the Data Controller as it determines the purpose

More information

Senior School 1 PURPOSE 2 SCOPE 3 SCHOOL RESPONSIBILITIES

Senior School 1 PURPOSE 2 SCOPE 3 SCHOOL RESPONSIBILITIES Senior School 1 PURPOSE The policy defines and describes the acceptable use of ICT (Information and Communications Technology) and mobile phones for school-based employees. Its purpose is to minimise the

More information

DATA PROTECTION ACT 1998 COUNCIL POLICY

DATA PROTECTION ACT 1998 COUNCIL POLICY DATA PROTECTION ACT 1998 COUNCIL POLICY Page 1 of 5 POLICY STATEMENT Blackpool Council recognises the need to fully comply with the requirements of the Data Protection Act 1998 (DPA) and the obligations

More information

Data controllers and data processors: what the difference is and what the governance implications are

Data controllers and data processors: what the difference is and what the governance implications are ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a

More information

Data Protection Policy

Data Protection Policy Data Protection Policy CONTENTS Introduction...2 1. Statement of Intent...2 2. Fair Processing or Privacy Statement...3 3. Data Uses and Processes...4 4. Data Quality and Integrity...4 5. Technical and

More information

RECORDS MANAGEMENT POLICY

RECORDS MANAGEMENT POLICY [Type text] RECORDS MANAGEMENT POLICY POLICY TITLE Academic Year: 2013/14 onwards Target Audience: Governing Body All Staff and Students Stakeholders Final approval by: CMT - 1 October 2014 Governing Body

More information

ORBIT POLICY O-DPA01 DATA PROTECTION POLICY V1.1

ORBIT POLICY O-DPA01 DATA PROTECTION POLICY V1.1 ORBIT POLICY O-DPA01 DATA PROTECTION POLICY V1.1 1 Document Control Document Title DATA PROTECTION POLICY References O-DPA01 Version V1.1 Classification Unclassified Status Issued Last Review August 2011

More information

Information Security Policy

Information Security Policy Information Security Policy Version 2 Date Approved by Board 8 March 2016 Date of previous approval 4 February 2014 Date of next Review February 2018 You may also be interested in the following policies:

More information

Information Governance Policy

Information Governance Policy Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its

More information

Data Protection Policy

Data Protection Policy Data Protection Policy 1. Introduction and purpose 1.1 Children s Hearings Scotland (CHS) is required to maintain certain personal data about individuals for the purposes of satisfying our statutory, operational

More information

PERSONAL INFORMATION PRIVACY POLICY FOR EMPLOYEES AND VOLUNTEERS [ABC SCHOOL]

PERSONAL INFORMATION PRIVACY POLICY FOR EMPLOYEES AND VOLUNTEERS [ABC SCHOOL] [Insert Date of Policy] PERSONAL INFORMATION PRIVACY POLICY FOR EMPLOYEES AND VOLUNTEERS of [ABC SCHOOL] Address Independent schools in British Columbia are invited to adopt or adapt some or all of this

More information

www.neelb.org.uk Web Site Download Carol Johnston

www.neelb.org.uk Web Site Download Carol Johnston What I need to know about data protection and information security when purchasing a service that requires access to my information by a third party. www.neelb.org.uk Web Site Download Carol Johnston Corporate

More information

Information Governance

Information Governance CONTROLLED Information Governance Caldicot Version-Workbok Non Caldicott Version - Workbook Version 12 January 2015 40 1 Don t Get Bitten by the Data Demon Notes Using this Workbook The objective of this

More information

Trafford Council. Data Protection. Policy, Statement and Guidance for Employees

Trafford Council. Data Protection. Policy, Statement and Guidance for Employees Trafford Council Data Protection Policy, Statement and Guidance for Employees Author Nick Evans Date August 2009 Status Final Version 1.3 Review Date October 2015 Review By Kathryn Wright Next Review October

More information

IG Toolkit Version 8. Information Security Assurance. Requirement 322. Detailed Guidance on Secure Transfers

IG Toolkit Version 8. Information Security Assurance. Requirement 322. Detailed Guidance on Secure Transfers IG Toolkit Version 8 Information Security Assurance Requirement 322 Detailed Guidance on Secure Transfers IG Toolkit Version 8 Requirement 322: Detailed guidance on secure transfers Page 1 of 7 All transfers

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

Safe Haven Procedure. Final. Date Issued March 2009 Review Date March 2010 NHS East Midland Employees. Safe Haven Procedure: v1.

Safe Haven Procedure. Final. Date Issued March 2009 Review Date March 2010 NHS East Midland Employees. Safe Haven Procedure: v1. Safe Haven Procedure Final Version 1.0 (Final) Ratified By Executive Team Originator/Author Fabian Henderson Date Issued March 2009 Review Date March 2010 Target NHS East Midland Employees Safe Haven Procedure:

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY INFORMATION SECURITY POLICY ISO 27002 5.1 Author: Owner: Organisation: Chris Stone Ruskwig TruePersona Ltd Document No: SP- 5.1 Version No: 1.0 Date: 10 th January 2010 Copyright

More information

IG: Third Party Contracts and Contractors Policy

IG: Third Party Contracts and Contractors Policy IG: Third Party Contracts and Contractors Policy Document Summary This policy provides guidance on the Information Governance arrangements that need to be considered and / or implemented when engaging

More information

DATA AND PAYMENT SECURITY PART 1

DATA AND PAYMENT SECURITY PART 1 STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of

More information

Data Protection. Policy and Application July 2009

Data Protection. Policy and Application July 2009 Data Protection Policy and Application July 2009 Produced for staff of the House of Commons Service by the Department of Resources Information Rights and Information Security (IRIS) Service Data Policy:

More information

Information Security Incident Management Policy

Information Security Incident Management Policy Information Security Incident Management Policy Version: 1.1 Date: September 2012 Unclassified Version Control Date Version Comments November 2011 1.0 First draft for comments to IT Policy & Regulation

More information

Quick Guide To Information Governance Policies

Quick Guide To Information Governance Policies Quick Guide To Information Governance Policies Data Protection The Data Protection Act 1998 established principles and rights in relation to the collection, use and storage of personal information by organisations.

More information

Infrastructure Security Policy

Infrastructure Security Policy Bolsover District Council North East Derbyshire District Council & Rykneld Homes Ltd ICT Infrastructure Security Policy September 2013 Version 1.0 Page 1 of 11 CONTROL SHEET FOR ICT Infrastrutcure Security

More information

Administrative Procedures Memorandum A1452

Administrative Procedures Memorandum A1452 Page 1 of 11 Date of Issue February 2, 2010 Original Date of Issue Subject References February 2, 2010 PRIVACY BREACH PROTOCOL Policy 2197 Management of Personal Information APM 1450 Management of Personal

More information

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE

INITIAL APPROVAL DATE INITIAL EFFECTIVE DATE TITLE AND INFORMATION TECHNOLOGY RESOURCES DOCUMENT # 1107 APPROVAL LEVEL Alberta Health Services Executive Committee SPONSOR Legal & Privacy / Information Technology CATEGORY Information and Technology

More information

Information Security Incident Management Policy and Procedure

Information Security Incident Management Policy and Procedure Information Security Incident Management Policy and Procedure Version Final 1.0 Document Control Organisation Title Author Filename Owner Subject Protective Marking North Dorset District Council IT Infrastructure

More information

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING

ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING Introduction and Policy Aim The Royal Borough of Windsor and Maidenhead (the Council) recognises the need to protect Council

More information

Data and Information Security Policy

Data and Information Security Policy St. Giles School Inspire and achieve through creativity School Policy for: Date: February 2014 Data and Information Security Policy Legislation: Policy lead(s) The Data Protection Act 1998 (with consideration

More information

INFORMATION SECURITY POLICY

INFORMATION SECURITY POLICY Information Security Policy INFORMATION SECURITY POLICY Introduction Norwood UK recognises that information and information systems are valuable assets which play a major role in supporting the companies

More information

Data Protection Policy

Data Protection Policy Data Protection Policy April 2014 Author: Jennifer McLaren, Assistant Principal, Curriculum Support & Finance Impact Assessment Date: 15 February 2010 Date: April 2014 Contents 1 Purpose... 2 2 Policy...

More information

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY

KEELE UNIVERSITY IT INFORMATION SECURITY POLICY Contents 1. Introduction 2. Objectives 3. Scope 4. Policy Statement 5. Legal and Contractual Requirements 6. Responsibilities 7. Policy Awareness and Disciplinary Procedures 8. Maintenance 9. Physical

More information

INFORMATION RISK MANAGEMENT POLICY

INFORMATION RISK MANAGEMENT POLICY INFORMATION RISK MANAGEMENT POLICY DOCUMENT CONTROL: Version: 1 Ratified by: Steering Group / Risk Management Sub Group Date ratified: 21 November 2012 Name of originator/author: Manager Name of responsible

More information

Data Protection in Ireland

Data Protection in Ireland Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair

More information