Information Security Adults Services. Practice guidance. Revised Version: 1.2 Effective from: August 2014 Next review date: August 2015
Information Security Adults Services
Practice guidance
Revised Version: 1.2
Effective from: August 2014
Next review date: August 2015
Sign off: Jenny Daniels
Title: Head of Health and Social Care Practice
Date: 11th August 2011
Information security practice guidance

Status: Revised document
Version number: 1.2
Issue date: 11th August 2014
Author: Greg Slay, lead for Quality Assurance
Owner: Sharon Gogan, Head of Adult Social Care
Signed off by: Jenny Daniels, Head of Health and Social Care Practice
Date: 11th August 2011

Issue number, Date, Author, Principal changes
1, 11th August 2011, Greg Slay: Published version on WSCC intranet
nd April 2012, Greg Slay
1.2, Aug 2014, Greg Slay
Updated to include cross-referencing to the county council's Acceptable Use Policy for IT facilities. Development of a Quick Reference guide. General revisions and reference to the relevant and applicable Management and Professional Instructions. Revised Quick Reference guide.

Feedback: Our customers expect first class service and we aim to provide it. We therefore welcome feedback about our policies and procedures. If you have any comments about this document please email socialcare@westsussex.gov.uk

Copyright West Sussex County Council / Version 1.2 / August 2014
Contents

Policy
1. Why information security is important
2. Information security: the national picture
3. Data Protection Act: access to records
4. Passwords for computers and email

Practice guidance
5. Information security is everybody's responsibility
6. Secure use of faxes
7. Clear desks at work
8. Document management away from the office
9. Case files (paper) retrieved from the File Store
10. Sources of further information
Policy

1. Why information security is important

1.1 The county council, like many other public sector organizations, handles and manages a wide range of information, including personal data, as part of its business. Using that information appropriately can improve public services, as provided both to individual customers and carers and to local communities. But there is no place in our organisation for lax data protection practices: we need to ensure that we always have appropriate levels of security in place for the handling of sensitive information. Information is a critical business asset.

1.2 Across the county council, we are committed to working within the requirements of the Data Protection Act. In particular we want all our staff to comply with the eight principles of the Data Protection Act, to make sure that personal information is:
- Fairly and lawfully processed;
- Processed for limited purposes;
- Adequate, relevant and not excessive;
- Accurate and up to date;
- Not kept for longer than is necessary;
- Processed in line with citizen rights;
- Secure; and
- Not transferred to other organisations and/or countries without adequate protection measures being in place.

1.3 We need information to be handled in a way that protects the public. We would be vulnerable to a legal challenge under the Data Protection Act if, for example, secure arrangements were not in place for the distribution of sensitive customer-related information to our partner organisations and other audiences.

1.4 We understand and respect the need for our customers to have their privacy protected. We therefore have to ensure that only the right people get the information they need about our individual customers, whether on paper or by electronic means. Achieving this is particularly challenging against a background of changing services, expectations and technology developments.

1.5 The introduction of Frameworki, as a bespoke case recording and case management system for Adults Services, meant that we were much better placed than ever before to ensure the safety of personal data concerning our customers. Frameworki does not, however, in itself guarantee information security.
The way in which we manage information is critical to our ability in Adults Services to protect the organisation, and the sensitive information held about customers and carers, from unintended or deliberate security breaches. We therefore expect our staff to understand and embrace the need for information security to be a core part of their daily work and, at the same time, to be focused on learning for themselves from actual security breaches caused by others.

1.7 We are committed to the maintenance of high practice standards for information management and sharing. We support the development of a working culture that properly values, protects and uses data, both in the planning and delivery of public services. We recognise that the task of improving information security will always be a continuing process.

1.8 Work was undertaken in 2011 to provide secure email accounts to all Adults Services Helpdesks as well as key individuals. This was in order that we had robust arrangements in place to be able to respond to the particular need around secure e-communication with Sussex Police on adult safeguarding issues. Work to enhance encryption arrangements, through the introduction and use of the Voltage encryption system on standard emails, will be introduced in autumn

The county council's emailing controlled access information policy confirms that the county council's internal corporate email service is considered a secure service but only as long as mail is sent from one such corporate account to another. Particularly sensitive information should also be encrypted wherever possible.

2. Information security: the national picture

2.1 The public sector in the UK holds vast amounts of sensitive information, something which other, unscrupulous organizations are only too eager to access and exploit. Just one single breach of personal data could affect the lives of millions of people and seriously undermine public confidence. The pressure for public transparency, coupled with the need for online information-sharing efficiencies, therefore exposes public sector organisations, both centrally and locally, to significant risk.

2.2 The Government has introduced a secure computer network to connect all local authorities, called the Government Connect Secure Extranet (GCSx). GCSx is part of the wider Government Secure Intranet (GSi) and provides connectivity to virtually all central government departments. It also allows local authorities to securely exchange data electronically.
We use the GCSx network to securely exchange sensitive information (up to HM Government's classification level of "restricted") with:
- central government departments, for example, the Department for Work and Pensions, the Department of Health (secure or the Home Office;
- the NHS (secure
- Sussex Police and other police authorities (secure pnn.police.uk);
- criminal justice agencies such as Sussex Probation Service and with prisons;
- other local authorities, at county, unitary and borough/district levels.

2.4 The Government defines "restricted" information in a number of ways, including:
- information whose compromise would be likely to cause substantial distress to individuals;
- breaches of statutory restrictions on the disclosure of information; and
- breaches that would impede the effective development or operation of government policies.

Breaches of restricted information: three examples

Example 1: a member of staff working for a local social services authority emailed a file containing sensitive personal information relating to 241 individuals' physical and mental health. The file was sent to the wrong group address and the address that received the file included a large number of transportation companies, including taxi firms, coach and minibus hire services. Attempts to recall the email were not entirely successful. As the information was neither encrypted nor password protected, it had the potential to be viewed by a significant number of unauthorised individuals.

Example 2: confidential personal data relating to a number of individuals was mistakenly emailed to over 100 unintended recipients who had, in fact, registered to receive a council newsletter.

Example 3: a member of staff sent confidential sensitive information, including data relating to an individual's health, to the wrong internal group address. While the data in this breach did not leave the council's internal network, it did lead to sensitive data being circulated to individuals who should not have received it.

These examples are from local authority cases investigated by the Information Commissioner and publicly reported.
Although most people know how to use email appropriately, it is clear from the examples in the text box above that errors can easily be made in an era of "instant communication": as a result emails are often sent to the wrong people. The Information Commissioner (website: ico.gov.uk) has therefore levied significant fines on local authorities for data breaches that have arisen from poor practice.

3. Data Protection Act: access to records

6.1 Health and social care workers working for Adults Services cannot disclose personal or personal sensitive information about customers to third parties unless specific conditions are met. A person (such as a family member or friend) cannot make a subject access request on behalf of a relative or friend unless he/she has the consent of that person, or he/she is already invested with a Power of Attorney authority.

4. Passwords for computers and email

4.1 Passwords are the backbone of information security in the computer age, whether in the context of Chip and Pin technology for debit/credit or P-cards, access to both wired and wireless computer networks, or access to email. Passwords are also often used to protect documents sent in transit electronically.

4.2 Staff in Adults Services already and frequently send documentation attachments with email. These documents often relate to our customers (identifying customers by full name or initials and address, for example) and/or to personnel matters.

4.3 Unless such documents are attached to a secure email and sent to and from a person in an organisation with a secure email system, the documents are themselves not secure and are vulnerable to interception, thus compromising data security.

Practice guidance

5. Information security is everybody's responsibility

5.1 Information security is the responsibility of every single member of staff in Adults Services. This means all permanent, contract and temporary members of staff, such as students on placement.
Management and Professional Instructions 04 and 05 refer to arrangements in place within Adults Services for information security and for Frameworki and information security respectively. These Management and Professional Instructions can be accessed in the Professional Zone on West Sussex Connect to Support (visit: westsussexconnecttosupport.org). Compliance with these Management and Professional Instructions is overseen by the Adults Services Quality Assurance Management Board.

5.3 In the event that any member of our staff becomes aware of any loss or theft of material protectively marked as Restricted, the arrangement we have put in place in West Sussex is that this must be immediately reported to the IT Service Desk, following the normal county council information security reporting procedure. The corporate Security Incident Checklist template can be accessed in the Professional Zone on the West Sussex Connect to Support website.

5.4 Guidance on the use of the Voltage encryption system, used in Microsoft Outlook, will be advised to staff from autumn 2014 onwards.

6. Secure use of faxes

6.1 The introduction of Frameworki has led to a reduction in alternative routes of communication with Adults Services, as most communications are now handled electronically.

6.2 Faxes are not a secure means of transferring information from one person or organisation to another. In order to protect information being transmitted by fax, it is essential that staff check first to see if there is a more secure way to send the information in the first place, such as secure email, encrypted mail, or the use of a courier. Having exhausted other possibilities, it is important to:
- Check that the number is accurate (it is all too easy to get one of the digits wrong);
- Only send the information that actually needs to be sent;
- Confirm with the recipient that he/she is physically available to receive it, so that the fax is not sitting around uncollected;
- Use a cover sheet, identify for whom the fax is intended, and explain whether it is confidential or sensitive; and
- Ask for confirmation by telephone or email that all of the fax has in fact arrived at its destination.

7. Clear desks at work

7.1 Clear desk spot checks are periodically undertaken in county council offices. They take place early in the day, outside of office hours, and the corporate spot check team is instructed to remove items which are left out.

7.2 The majority of teams now ensure their areas are left clear at the end of the day. But there is always room for improvement and staff must ensure all personal data is secured overnight.

7.3 Staff should not leave customer files in trays, and should make sure all cupboards and roller racks are locked and the keys put away. The tops of cupboards are not to be used for storage.

8. Document management away from the office

8.1 Adults Services staff visit customers and/or carers in their own homes and notes are often taken of discussions that have taken place. The need to be vigilant in relation to the management of person-sensitive information remains. Information collected should be transferred into Frameworki as soon as possible. If information needs to be kept for professional reasons over and above what can be inputted to Frameworki or kept otherwise on county council-supplied electronic equipment, it must be stored securely.

9. Case files (paper) retrieved from the File Store

9.1 Adults Services staff who request a customer and/or carer case file from the File Store are expected to return the file within the allotted timeframe. Where a file is subsequently reported as missing or lost, the guidance note on what arrangements need to be instituted in terms of reporting should be read and acted upon. Visit the Professional Zone on West Sussex Connect to Support (westsussexconnecttosupport.org) to access this guidance note.

10. Sources of further information

10.1 The county council's latest guidance on all matters relating to information management and security can be accessed on the county council's intranet, The Point (type information security in the search engine). Other resources available on The Point include information on setting up secure email accounts (type secure in the search engine). A short e-learning course must be completed by the relevant member of staff before any such account can be activated.

Guidance about information sharing in relation to people who lack mental capacity is provided in chapter 16 of the Mental Capacity Act Code of Practice. Visit: gov.uk for further information.
Security Incident Management Policy January 2015 Document Version 2.4 Document Status Owner Name Owner Job Title Published Martyn Ward Head of ICT Business Delivery Document ref. Approval Date 27/01/2015
More informationPlease Note: This guidance is for information only and is not intended to replace legal advice when faced with a risk decision.
May 2013 Bring Your Own Device Policy Template for Further Education Please Note: This guidance is for information only and is not intended to replace legal advice when faced with a risk decision. Table
More informationCollege of DuPage Information Technology. Information Security Plan
College of DuPage Information Technology Information Security Plan April, 2015 TABLE OF CONTENTS Purpose... 3 Information Security Plan (ISP) Coordinator(s)... 4 Identify and assess risks to covered data
More informationSt. Peter s C.E. Primary School Farnworth Email, Internet Security and Facsimile Policy
Learn, sparkle & shine St. Peter s C.E. Primary School Farnworth Email, Internet Security and Facsimile Policy Adopted from the LA Policy April 2015 CONTENTS Page No 1. Introduction 1 2. Guiding Principles
More informationOut of county placement notifications Adults Services. Policy and Procedures
Out of county placement notifications Adults Services Policy and Procedures Version: 1.1 Effective from: August 2012 Next review date: October 2015 Signed off by: Jenny Daniels Title: Head of Health and
More informationLINCOLNSHIRE COUNTY COUNCIL. Information Security Policy Framework. Document No. 8. Email Policy V1.3
LINCOLNSHIRE COUNTY COUNCIL Information Security Policy Framework Document No. 8 Email Policy V1.3 Document Control Reference V1.3 Email Policy Date 17 July 2015 Author Approved by Version History David
More informationName of responsible committee: Information Governance Board Date issued: 15 th April 09 Review date: 14 th April 11 Referenced Documents:
Storage and Transfer of Person Identifiable Information Policy Trust Wide Policy number: ULH-IM&T-AUP03 Version: 1.1 New or Replacement: New Approved by: Executive Board Date approved: 14 th April 09 Name
More informationData Security Breach Management Procedure
Academic Services Data Security Breach Management Procedure Document Reference: Data Breach Procedure 1.1 Document Type: Document Status: Document Owner: Review Period: Procedure v1.0 Approved by ISSG
More informationInformation Governance Policy
Information Governance Policy UNIQUE REF NUMBER: AC/IG/013/V1.2 DOCUMENT STATUS: Approved by Audit Committee 19 June 2013 DATE ISSUED: June 2013 DATE TO BE REVIEWED: June 2014 1 P age AMENDMENT HISTORY
More informationHow To Protect School Data From Harm
43: DATA SECURITY POLICY DATE OF POLICY: FEBRUARY 2013 STAFF RESPONSIBLE: HEAD/DEPUTY HEAD STATUS: STATUTORY LEGISLATION: THE DATA PROTECTION ACT 1998 REVIEWED BY GOVERNING BODY: FEBRUARY 2013 EDITED:
More information1. Introduction... 3. 2. Statement of Policy. 3. 3. The Eight Principles of Data Protection... 4. 4. Scope... 5. 5. Roles and Responsibilities.
Data Protection Policy 2011 Contents Page 1. Introduction... 3 2. Statement of Policy. 3 3. The Eight Principles of Data Protection...... 4 4. Scope.... 5 5. Roles and Responsibilities. 5 6. Development
More informationSmall businesses: What you need to know about cyber security
Small businesses: What you need to know about cyber security Contents Why you need to know about cyber security... 3 Understanding the risks to your business... 4 How you can manage the risks... 5 Planning
More informationDATA AND PAYMENT SECURITY PART 1
STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of
More informationData Protection Policy
Data Protection Policy Document Ref: DPA20100608-001 Version: 1.3 Classification: UNCLASSIFIED (IL 0) Status: ISSUED Prepared By: Ian Mason Effective From: 4 th January 2011 Contact: Governance Team ICT
More informationData and Information Security Policy
St. Giles School Inspire and achieve through creativity School Policy for: Date: February 2014 Data and Information Security Policy Legislation: Policy lead(s) The Data Protection Act 1998 (with consideration
More informationIntroduction to the NHS Information Governance Requirements
Introduction to the NHS Information Governance Requirements 2 Version April 2014 Information Governance ensures necessary safeguards for, and appropriate use of, patient and personal information. The widely
More informationInformation Security Policy
Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Alan Lawrie ehealth Strategy Group Implementation Date: September
More informationData Protection Policy
Data Protection Policy Owner : Head of Information Management Document ID : ICT-PL-0099 Version : 2.0 Date : May 2015 We will on request produce this Policy, or particular parts of it, in other languages
More informationINTERNET, E-MAIL USE AND
INTERNET, E-MAIL AND TELEPHONE USE AND MONITORING POLICY Originated by: Customer Services LJCC: 10 th April 2008 Full Council: June 2008 Implemented: June 2008 1.0 Introduction and Aim 1.1 The aim of this
More informationAcceptable Use Guidelines
Attachment to the Computer and Information Security and Information Management Policies Acceptable Use Guidelines NZQA Quality Management System Supporting Document Purpose These Acceptable Use Guidelines
More informationData Protection Policy
Data Protection Policy Version: V1 Ratified by: Operational Management Executive Committee Date ratified: 26 September 2013 Name and Title of originator/author(s): Chris Brady, FOI, Data Protection and
More informationAnnual Continuing Education (ACE) (Print version) Information Privacy and I.T. Security and Compliance
Annual Continuing Education (ACE) (Print version) Information Privacy and I.T. Security and Compliance Information Privacy and IT Security & Compliance The information in this module in addition to the
More informationDocument Management. Children s Services. Guidance. Partner organisation logo Version: 3
Document Management Children s Services Guidance Partner organisation logo Version: 3 Effective from: 8 Aug 2010 Revised: January 2014 Next review date: January 2016 Signed off by: Stuart Gallimore Title:
More informationBoys and Girls Clubs of Kawartha Lakes B: Administration B4: Information Management & Policy: Privacy & Consent Technology
Effective: Feb 18, 2015 Executive Director Replaces: 2010 Policy Page 1 of 5 REFERENCE: HIGH FIVE 1.4.3, 2.2.4, 2.5.3, PIDEDA POLICY: Our Commitment Boys and Girls Clubs of Kawartha Lakes (BGCKL) and the
More informationData controllers and data processors: what the difference is and what the governance implications are
ICO lo : what the difference is and what the governance implications are Data Protection Act Contents Introduction... 3 Overview... 3 Section 1 - What is the difference between a data controller and a
More informationProtective Marking for UK Government
Protective Marking for UK Government WHITE PAPER Contents Introduction 3 Regulatory Requirements 3 Government Protective Marking System (GPMS) 3 The Value Beyond Regulatory Requirements 4 Leveraging Other
More informationHP Laptop & Apple ipads
Shalom College Student 1:1 Laptop & ipad Program HP Laptop & Apple ipads Policy and Guidelines Booklet TABLE OF CONTENTS 1. Educational Opportunities of A 1 to 1 Laptop & ipad Program... 2 2. Overview
More informationInformation Governance Strategy :
Item 11 Strategy Strategy : Date Issued: Date To Be Reviewed: VOY xx Annually 1 Policy Title: Strategy Supersedes: All previous Strategies 18/12/13: Initial draft Description of Amendments 19/12/13: Update
More informationABERDARE COMMUNITY SCHOOL
ABERDARE COMMUNITY SCHOOL IT Security Policy Drafted June 2014 Revised on....... Mrs. S. Davies (Headteacher) Mr. A. Maddox (Chair of Interim Governing Body) IT SECURITY POLICY Review This policy has been
More informationInformation Governance Framework and Strategy. November 2014
November 2014 Authorship : Committee Approved : Chris Wallace Information Governance Manager CCG Senior Management Team and Joint Trade Union Partnership Forum Approved Date : November 2014 Review Date
More informationINFORMATION GOVERNANCE STAFF HANDBOOK
INFORMATION GOVERNANCE STAFF HANDBOOK Contents Why do YOU need to know about Information Governance (IG)?... 2 Keeping Information Safe... 2 Confidentiality... 2 Deciding to Communicate Important Information...
More informationData Protection Procedures
Data Protection Procedures PROCEDURE OVERVIEW: This Procedure outlines Down District Council s ( the Council ) commitment to the Data Protection Act 1998 ( the Act ) and provides a framework for the Council
More informationRECORDS MANAGEMENT POLICY
[Type text] RECORDS MANAGEMENT POLICY POLICY TITLE Academic Year: 2013/14 onwards Target Audience: Governing Body All Staff and Students Stakeholders Final approval by: CMT - 1 October 2014 Governing Body
More informationINFORMATION GOVERNANCE POLICY & FRAMEWORK
INFORMATION GOVERNANCE POLICY & FRAMEWORK Version 1.2 Committee Approved by Audit Committee Date Approved 5 March 2015 Author: Responsible Lead: Associate IG Specialist, YHCS Corporate & Governance Manger
More information