Somerset County Council - Data Protection Policy - Final
Organisation: Somerset County Council
Title: Data Protection Policy - Final
Author: Peter Grogan
Owner: Information Governance Manager
Protective Marking: Unclassified

POLICY ON A PAGE

Somerset County Council will ensure all users of personal information are aware of the statutes and guidance that apply to the protection of that information. This policy provides information on the types of controls that are within scope, the rules and guidance that must be followed, the standards to be maintained, the risk to users, clients and the Council and the potential consequences of misuse.

This document will be distributed to: All Elected Members, Somerset County Council Staff, 3rd Party Contractors, Secondees and Volunteers

Key Messages

- Data Protection is a legal responsibility for all Council Members, Officers, Contractors and Volunteers
- Data Protection applies to all the personal and sensitive data held by, and on behalf of the Council.
- All users must read and understand the policy framework around Data Protection
- There are significant risks in managing personal data both to clients and to the reputation of the Council
- The Council is obliged to fulfil the Data Protection Act in regard to Notification, Fair Processing Notices and Privacy Impact Assessments
- Clients, staff and members of the public have a statutory right to know all the information we hold about them in the Council
- Data Protection covers a broad range of subject matter including data collection, data processing, data sharing, , fax, phones, SMS messaging and records management
- You must report any suspected data breach of personal or sensitive data.

This policy on a page is a summary of the detailed policy document; please ensure you read, understand and comply with the full policy.

Version Final v1.1 Page 1 of 9
Revision History

Revision Date | Editor | Previous Version | Description of Revision
 | Peter Grogan | | Initial Draft
 | Peter Grogan | v.01 | Comments from R.Allen & D.Littlewood
 | Peter Grogan | v.02 | Additions P.Grogan
 | Peter Grogan | v.03 | Additions P.Grogan
 | Peter Grogan | v.04 | Reformatting
 | Peter Grogan | v.05 | Reformatting
 | Peter Grogan | v.06 | HR Update & Union Approver
 | Peter Grogan | v.07 | Logo & Unison
 | Peter Grogan | v.08 | Approval by IM Board
 | Peter Grogan | v.09 | HR amendments (Appx 1)

Document Approvals

This document requires the following approvals:

Approval | Name | Date
Information Governance Manager | Peter Grogan |
Information Governance Board | Donna Fitzgerald |
Unions / JNF | Carrie-Anne Hiscock |
SCC HR | Richard Crouch |
Elected Members | David Huxtable |

Document Distribution

This document will be distributed to: All Elected Members, Somerset County Council Staff, 3rd Party Contractors, Secondees and Volunteers
FULL POLICY DOCUMENT

1 Policy Statement

Somerset County Council will ensure every user is aware of, and understands, their responsibilities with regard to the security of data held by, and on behalf of, the Council in respect of:

- their responsibilities with regard to the security and protection of personal data
- the benefits of data sharing
- the necessity for records management
- the technical and administrative controls operating in the Council
- the statutory framework

2 Purpose

Somerset County Council collects, holds and uses data about people and organisations with whom it deals in order to conduct its business. The Council has a statutory duty under the Data Protection Act and related legislation to safeguard this information. This data covers, but is not restricted to, the following:

- Current, past and prospective employees
- Suppliers
- Customers
- School pupils and students
- Others with whom the Council communicates

In addition, the law may occasionally require us to collect and use certain types of personal information to comply with the requirements of government departments, such as the Police, the NHS and other 3rd parties.

This policy outlines every user's responsibilities in respect of Data Protection and allows users to focus on detailed areas by linking them to specific policy documents.

3 Scope

Any information must be dealt with properly however it is collected, recorded and used, whether on paper, in a computer, or recorded on other media. This document describes the policies for correctly handling personal and sensitive data in order to comply with the Data Protection Act and related legislation.

This policy relates to all data held by Somerset County Council in any form and includes UNCLASSIFIED, PROTECT or RESTRICTED information, as defined by HMG, held or processed by the Council.
This policy is intended for all Somerset County Council Councillors, Committees, Departments, Partners, Employees and Volunteers of the Council, contractual third parties and agents of the Council who have responsibilities for processing data.

4 Definition

This document defines the policy, practice and procedure to ensure the security of personal and sensitive information held by Somerset County Council.
Somerset County Council fully endorses and adheres to the 8 Principles of Data Protection as set out in the Data Protection Act 1998, and other relevant information security legislation and the controls recommended in Government Connect and ISO27000x and the GCSx Code of Connection.

Therefore, the Council will ensure that all Councillors, Committees, Departments, Partners, Employees, contractual third parties and agents of the Council who have access to any information held by or on behalf of the Council are fully aware of, and abide by, their duties and responsibilities under this legislation and guidance.

Guidance on the Data Protection Act

5 Risks

Somerset County Council recognises that there are risks associated with users accessing and handling information in order to conduct official Council business. This policy aims to mitigate the following risks:

- the loss or theft of personal & sensitive data
- lack of effective and safe data sharing
- inadequate records management
- inadequate processing of Data Subject Access Requests (DSARs)
- security breaches of the Data Protection Act
- inadequate destruction of data
- not annually notifying the ICO of SCC intention to process personal data
- not correctly making available privacy notices
- not carrying out privacy impact assessments

Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in reputational damage, financial loss, ICO fines and an inability to provide necessary services to our customers.

6 Applying the Policy

6.1 Notification

The process for Notification to the ICO under the Data Protection Act is carried out every year.
The Somerset County Council Notification ref Z can be searched for at this link: SCC Notification

6.2 Privacy Notice

The Somerset County Council privacy notice is published on the internet on this link: Privacy Notice

If you regularly collect information in forms, questionnaires or surveys, ensure your documentation includes the Privacy Notice with provision for ensuring informed consent. If you regularly collect information over the phone, ensure the script you read to the customer includes the Privacy Notice.
6.3 Privacy Impact Assessments

The Council promotes the use of Privacy Impact Assessments in all projects where personal and sensitive data is used. The Council guidance is published on the intranet on this link: SCC Privacy Impact assessments

6.4 Information Control

The methods by which data is managed and controlled within the organisation need to ensure that data is effectively shared and protected whilst at rest and in transit. These issues are comprehensively addressed in the Information Control and Compliance Policy.

6.5 Personal Data Access Requests

The public can request to see all the data that the Council holds about them or someone they have a legal responsibility for. The Council guidance on this can be found on this link: Data Subject Access Request Guidance

6.6 Computers Acceptable Use Policy (AUP)

The Council has to protect personal data across a wide range of technologies and in a variety of environments. The Acceptable Use Policy describes in detail how each aspect of this is managed and your responsibilities for keeping personal and sensitive data secure. It includes specific policy on the following: Physical Security; Incident Management; Access Control; Home Working; Remote Working; Protective Marking; Device Connection; Web Browsing; Removable Media; Social Media; Surveillance and Monitoring; Password Security; Software; IT Procurement; and Smart Office / Clear desk.

6.7 Post

Personal and sensitive data can be sent through the normal postal system; the Royal Mail is a bonded courier and is trusted by the Police, the NHS and the Courts to deliver sensitive documents and correspondence. The Council must consider the risks of sending out all documents and consider if any additional safeguards are required to protect the information being sent. Documents can be classified according to their sensitivity, the volume of data they contain, the destination or recipient of the data.
All these factors will influence a decision on the postal service used, as will the cost of delivery.

RESTRICTED material must always be either hand delivered or sent by SPECIAL DELIVERY, double wrapped. The inner wrapper must be marked RESTRICTED with a return address.

Most information sent out by the Council to individual clients will be classified as PROTECT and can be sent by first or second class post. If there is a significant amount of sensitive material, consult your service guidelines as to whether to double wrap a package or consider SPECIAL DELIVERY.

Each of the Council Services sends out a range of documents and each service has compiled guidelines which will mitigate the risk of items being:
- Sent to the wrong address or a previous address
- Opened by the wrong person
- Ripped open in transit

Service Guidelines

Each service has considered the information to be posted and has applied a risk assessment to the data; their guidelines can be found here:

- Adult Social Care
- Children & Young People
- Environment
- Resources

6.8 Fax machines

Fax should not be used to transmit personal and sensitive information except as a method of last resort or in an emergency. Fax machines carry greater risk than with regard to accidental disclosure:

- outside the Council, due to incorrect dialling
- inside the Council, if information is picked up or read by the wrong person

Fax machines catering for personal and sensitive data should not be located in the common way areas or on corridors. If a fax machine has to be used the risk of disclosure can be mitigated by:

- ensuring that a trusted recipient is waiting at the other end of the fax line
- sending a preliminary test page to check that the fax number is correct
- on each page use the page X of Y function to check that the entire document is sent
- check that any fax auto-dial is correct for the recipient

6.9 Mobile phones and SMS messaging

Personal mobile phones should not be used for Council business. No personal or sensitive information required for Council business should be stored on personal mobiles, this includes texts, s, photographs and video.

In case your Council phone is lost or stolen ensure you:

- have a timeout on the screen to lock it out after 5 minutes
- have a password to lock the phone, preferably 8 digits mixed alpha-numeric
- if possible encrypt the data on your phone
- must only store essential data on the phone
- must only keep data on the phone for a short period

Only Not Protectively Marked (NPM) information can be sent by text. Most mobile phones cannot be encrypted and the data may be stored on servers whose security status is unknown to the Council. On no account should PROTECT or RESTRICTED material be sent by text.
If you use a Council phone on a regular basis and you use it for contacting clients, consider applying to your service for a Blackberry. These devices offer encryption, over the air delivery of , voice recording and password security.
6.10 Phone calls

When making phone calls of a personal and sensitive nature:

- in the office, ensure you cannot be overheard by anyone not directly concerned with the client on the phone.
- outside the office, ensure you cannot be overheard by anyone; where this is not possible use only first names and try to avoid discussing personal and sensitive issues

Please refer to the detailed Policy for the policy on: as records do's and don'ts OWA / Personal accounts the use of personal accounts protective marking RESTRICTED / PROTECT / UNCLASSIFIED junk mail - spam security Sending secure confidentiality malware - computer viruses

6.12 Universal Data Sharing Protocol

The Council recognises the need to share personal and sensitive data with other partner organisations in order to safeguard the vulnerable and provide effective and efficient services. The Council has an overarching Universal Data Sharing Protocol to assist in the design of individual agreements with partner agencies. Please ensure that if the agreement is initiated by the other party that it contains all the elements contained within this document.

Universal Data Sharing Protocol

6.13 Data Sharing Agreements

If you intend to set up a service or change a service that will necessitate the sharing of personal or sensitive data with another data controller or data processor, such as a partner organisation, you must have a Data Sharing Agreement in place similar to the one below.

Sample Data Sharing Agreement

6.14 Data Processing Agreement

If you intend to set up a service or change a service that will necessitate the processing of personal or sensitive data by another organisation, such as an IT contractor, you must have a Data Processing Agreement in place similar to the one below.
Sample Data Processing Agreement

6.15 Third Party Memorandums of Understanding (MoUs)

If you intend to set up a service or change a service that will necessitate a 3rd party or contractor accessing a database or software application on the SCC network, you must have an MoU in place similar to the one below.

Sample Memorandum of Understanding
6.16 Data Transfers

If you intend to transfer personal or sensitive data to a 3rd party or contractor you must have the data transfer approved by the IG Manager. Before approving the transfer the IG Manager will consider:

- the sensitivity of the data
- the volume of data to be transmitted
- the security offered by the 3rd party
- the country to which the data is to be sent

6.17 Records Management

The Council's Records Management Policy concerns the lifecycle of the information from creation to destruction. Records should be created, stored, processed, accessed and destroyed in adherence to the Principles of the Data Protection Act and the Code of Practice that regulates the processing of the information. The policy is applicable to all records held by members and officers in computer and offices across the Council, and not only those held in the records stores and archives.

Data Retention

Data should only be retained as long as it is needed to comply with the 5th Principle of the Data Protection Act. The Council has a Retention Schedule that takes into account:

- statutory and legal obligations
- universal best practice
- local service guidance

6.19 Data Destruction

Personal data must be destroyed when it is no longer necessary for the purpose for which it was collected. The Council has a Data Destruction Policy to advise on how data should be disposed of when it is no longer required. The Council needs to be aware that it must destroy or erase outdated records on magnetic media, computers, disks, tapes etc, and paper in files, reports and notebooks.

Data Breaches

If you are aware that you, or someone else, have disclosed personal or sensitive data to someone who did not have permission / authority to receive that information you must report it immediately to your line manager who will pass the information to the IG Team.
You must also do the following:

- If any personal information has been sent to the wrong individual, in paper form, attempts must be made to recover the information, ideally in person.
- If any personal information has been sent to the wrong individual, in electronic form, attempts must be made to ensure the recipient has deleted the information from their computer / .

The process that governs how that data breach is dealt with is covered in detail in the Incident Management Policy.
Appendix 1 Governance Arrangements

Policy Compliance

If any employee is found to have breached this policy, they may be subject to Somerset County Council's disciplinary procedure. Where it is considered that a criminal offence has potentially been committed, the Council will consider the need to refer the matter to the police.

If you do not understand the implications of this policy or how it may apply to you, seek advice from the Information Governance Team.

Policy Governance

The following table identifies who within Somerset County Council is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply:

- Responsible: the person(s) responsible for developing and implementing the policy.
- Accountable: the person who has ultimate accountability and authority for the policy.
- Consulted: the person(s) or groups to be consulted prior to final policy implementation.
- Informed: the person(s) or groups to be informed after policy implementation.

Responsible | Information Governance Manager
Accountable | SIRO Head of Client Services
Consulted | Senior Management Team, HR, Unions
Informed | All Members, employees, contractors, volunteers and 3rd parties

Review and Revision

This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months. Policy review will be undertaken by the Information Governance Manager.

References

The following Somerset County Council policy documents are directly relevant to this policy, and are referenced within this document:

- Corporate Information Security Policy
- Data Protection Policy
- Information Transparency Policy
- Acceptable Use Policy
- Legal Responsibility Policy
Corporate Information Security Policy. A guide to the Council s approach to safeguarding information resources. September 2015 Contents Page 1. Introduction 1 2. Information Security Framework 2 3. Objectives
More informationInformation Classification and. Handling Policy
Information Security Document Information Classification and 1 Version History Version Date Detail Author 1.0 27/06/2013 Approved by Information Governance Jo White Group 2.0 31/07/2013 Approved by Information
More informationwww.neelb.org.uk Web Site Download Carol Johnston
What I need to know about data protection and information security when purchasing a service that requires access to my information by a third party. www.neelb.org.uk Web Site Download Carol Johnston Corporate
More informationINFORMATION SECURITY MANAGEMENT SYSTEM. Version 1c
INFORMATION SECURITY MANAGEMENT SYSTEM Version 1c Revised April 2011 CONTENTS Introduction... 5 1 Security Policy... 7 1.1 Information Security Policy... 7 1.2 Scope 2 Security Organisation... 8 2.1 Information
More informationRECORDS MANAGEMENT POLICY
[Type text] RECORDS MANAGEMENT POLICY POLICY TITLE Academic Year: 2013/14 onwards Target Audience: Governing Body All Staff and Students Stakeholders Final approval by: CMT - 1 October 2014 Governing Body
More informationBARNSLEY CLINICAL COMMISSIONING GROUP S REMOTE WORKING AND PORTABLE DEVICES POLICY
Putting Barnsley People First BARNSLE CLINICAL COMMISSIONING GROUP S REMOTE WORKING AND PORTABLE DEVICES POLIC Version: 2.0 Approved By: Governing Body Date Approved: Feb 2014 (initial approval), March
More informationDATA AND PAYMENT SECURITY PART 1
STAR has teamed up with Prevention of Fraud in Travel (PROFiT) and the Fraud Intelligence Network (FIN) to offer our members the best advice about fraud prevention. We recognise the increasing threat of
More informationIG Toolkit Version 8. Information Security Assurance. Requirement 322. Detailed Guidance on Secure Transfers
IG Toolkit Version 8 Information Security Assurance Requirement 322 Detailed Guidance on Secure Transfers IG Toolkit Version 8 Requirement 322: Detailed guidance on secure transfers Page 1 of 7 All transfers
More informationInformation Governance Policy
Information Governance Policy 1 Introduction Healthwatch Rutland (HWR) needs to collect and use certain types of information about the Data Subjects who come into contact with it in order to carry on its
More information1.2 Scope This policy and guidance applies to all University staff, students and others who use or process any personal information.
MANCHESTER METROPOLITAN UNIVERSITY DATA PROTECTION POLICY This policy should be read in conjunction with the Data Protection Guidance, which is attached as: Appendix A Dealing with Personal Data Appendix
More informationROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING
ROYAL BOROUGH OF WINDSOR AND MAIDENHEAD SECURITY POLICY INFORMATION HANDLING Introduction and Policy Aim The Royal Borough of Windsor and Maidenhead (the Council) recognises the need to protect Council
More informationSafe Haven Procedure. Final. Date Issued March 2009 Review Date March 2010 NHS East Midland Employees. Safe Haven Procedure: v1.
Safe Haven Procedure Final Version 1.0 (Final) Ratified By Executive Team Originator/Author Fabian Henderson Date Issued March 2009 Review Date March 2010 Target NHS East Midland Employees Safe Haven Procedure:
More informationInformation & ICT Security Policy Framework
Information & ICT Security Framework Version: 1.1 Date: September 2012 Unclassified Version Control Date Version Comments November 2011 1.0 First draft for comments to IT & Regulation Group and IMG January
More informationINFORMATION RISK MANAGEMENT POLICY
INFORMATION RISK MANAGEMENT POLICY DOCUMENT CONTROL: Version: 1 Ratified by: Steering Group / Risk Management Sub Group Date ratified: 21 November 2012 Name of originator/author: Manager Name of responsible
More informationCoffey International Limited Privacy Policy. July 2014
Coffey International Limited Privacy Policy July 2014 Privacy Policy 1. Introduction Coffey International Limited and its related bodies corporate (we, our, us) recognise your rights under the Privacy
More informationAdministrative Procedures Memorandum A1452
Page 1 of 11 Date of Issue February 2, 2010 Original Date of Issue Subject References February 2, 2010 PRIVACY BREACH PROTOCOL Policy 2197 Management of Personal Information APM 1450 Management of Personal
More informationInformation Security and Governance Policy
Information Security and Governance Policy Version: 1.0 Ratified by: Information Governance Group Date ratified: 19 th October 2012 Name of organisation / author: Derek Wilkinson Name of responsible Information
More informationINFORMATION GOVERNANCE AND DATA PROTECTION POLICY
INFORMATION GOVERNANCE AND DATA PROTECTION POLICY WN CCG Information Governance & Data Protection Policy July 2013 1 Document Control Sheet Name of Document: Information Governance & Data Protection Policy
More informationINFORMATION SECURITY MANAGEMENT POLICY
INFORMATION SECURITY MANAGEMENT POLICY Security Classification Level 4 - PUBLIC Version 1.3 Status APPROVED Approval SMT: 27 th April 2010 ISC: 28 th April 2010 Senate: 9 th June 2010 Council: 23 rd June
More informationUniversity of Sunderland Business Assurance Information Security Policy
University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant
More informationData Transfer Policy London Borough of Barnet
London Borough of Barnet DATA PROTECTION 11 Document Control Document Description Data Transfer Policy Version v.2 Date Created December 2010 Status Authorisation Name Signature Date Prepared By: IS Checked
More informationDBC 999 Incident Reporting Procedure
DBC 999 Incident Reporting Procedure Signed: Chief Executive Introduction This procedure is intended to identify the actions to be taken in the event of a security incident or breach, and the persons responsible
More informationGuidance on data security breach management
Guidance on data security breach management Organisations which process personal data must take appropriate measures against unauthorised or unlawful processing and against accidental loss, destruction
More informationAngard Acceptable Use Policy
Angard Acceptable Use Policy Angard Staffing employees who are placed on assignments with Royal Mail will have access to a range of IT systems and mobile devices such as laptops and personal digital assistants
More informationInformation Security Incident Reporting & Investigation
Information Security Incident Reporting & Investigation Purpose: To ensure all employees, consultants, agency workers and volunteers are able to recognise an information security incident and know how
More informationINFORMATION SECURITY POLICY
Information Security Policy INFORMATION SECURITY POLICY Introduction Norwood UK recognises that information and information systems are valuable assets which play a major role in supporting the companies
More informationGuidance on data security breach management
ICO lo Guidance on data security breach management Data Protection Act Contents... 1 Data Protection Act... 1 Overview... 1 Containment and recovery... 2 Assessing the risks... 3 Notification of breaches...
More informationDEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY
DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY This Plan we adopted by member, partner, etc.) on Our Program Coordinator (date). (Board of Directors, owner, We have appointed
More informationInformation Governance Policy (incorporating IM&T Security)
(incorporating IM&T Security) ONCE PRINTED OFF, THIS IS AN UNCONTROLLED DOCUMENT. PLEASE CHECK THE INTRANET FOR THE MOST UP TO DATE COPY Target Audience: All staff employed or working on behalf of the
More informationBelmont 16 Foot Sailing Club. Privacy Policy
Belmont 16 Foot Sailing Club Privacy Policy APRIL 2014 1 P age Belmont 16 Foot Sailing Club Ltd (the 16s ) respects your right to privacy and is committed to protecting your personal information. This
More informationGuadalupe Regional Medical Center
Guadalupe Regional Medical Center Health Insurance Portability & Accountability Act (HIPAA) By Debby Hernandez, Compliance/HIPAA Officer HIPAA Privacy & Security Training Module 1 This module will address
More informationINFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK
INFORMATION GOVERNANCE STRATEGIC VISION, POLICY AND FRAMEWORK Policy approved by: Assurance Committee Date: 3 December 2014 Next Review Date: December 2016 Version: 1.0 Information Governance Strategic
More informationData and Information Security Policy
St. Giles School Inspire and achieve through creativity School Policy for: Date: February 2014 Data and Information Security Policy Legislation: Policy lead(s) The Data Protection Act 1998 (with consideration
More informationData Protection. Policy and Application July 2009
Data Protection Policy and Application July 2009 Produced for staff of the House of Commons Service by the Department of Resources Information Rights and Information Security (IRIS) Service Data Policy:
More informationOFFICIAL. NCC Records Management and Disposal Policy
NCC Records Management and Disposal Policy Issue No: V1.0 Reference: NCC/IG4 Date of Origin: 12/11/2013 Date of this Issue: 14/01/2014 1 P a g e DOCUMENT TITLE NCC Records Management and Disposal Policy
More informationAlixPartners, LLP. General Data Protection Statement
AlixPartners, LLP General Data Protection Statement GENERAL DATA PROTECTION STATEMENT 1. INTRODUCTION 1.1 AlixPartners, LLP ( AlixPartners ) is committed to fulfilling its obligations under the data protection
More informationData Protection Policy
Data Protection Policy September 2015 Contents 1. Scope 2. Purpose 3. Data protection roles 4. Staff training and guidance 5. About the Data Protection Act 1998 6. Policy 7. The Information Commissioner's
More informationHow To Protect Decd Information From Harm
Policy ICT Security Please note this policy is mandatory and staff are required to adhere to the content Summary DECD is committed to ensuring its information is appropriately managed according to the
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationData Protection Policy
Data Protection Policy Responsible Officer Author Date effective from July 2009 Ben Bennett, Business Planning & Resources Director Julian Lewis, Governance Manager Date last amended December 2012 Review
More informationEXECUTIVE DECISION NOTICE. ICT, Communications and Media. Councillor John Taylor. Deputy Executive Leader
EXECUTIVE DECISION NOTICE SERVICE AREA: SUBJECT MATTER: DECISION: DECISION TAKER(S): DESIGNATION OF DECISION TAKER(S): GOVERNANCE ICT, Communications and Media PERSONAL DEVICE POLICY That the Personal
More informationPrivacy & Security Standards to Protect Patient Information
Privacy & Security Standards to Protect Patient Information Health Insurance Portability & Accountability Act (HIPAA) 12/16/10 Topics An An Introduction to to HIPAA HIPAA Patient Rights Rights Routine
More informationData Protection in Ireland
Data Protection in Ireland 0 Contents Data Protection in Ireland Introduction Page 2 Appointment of a Data Processor Page 2 Security Measures (onus on a data controller) Page 3 8 Principles Page 3 Fair
More information