Information Governance Framework. June 2015




Information Security Framework
Janice McNay, June 2015

Company: Thirteen Group
Lead Manager: Janice McNay
Date of Final Draft and Version Number: June 2015
Review Date: June 2018
Officer Responsible for Review: Janice McNay

1 POLICY STATEMENT

1.1 Thirteen Group and its partner companies need to collect, use and hold information about people in order to operate effectively and efficiently and to ensure that services appropriate to the needs of employees and customers are provided.

1.2 This information may be personal and/or sensitive, and may be collected, recorded and stored manually on paper and/or electronically. It is vital that any information, however it is collected or stored, is dealt with lawfully and correctly, and the Data Protection Act 1998 provides safeguards to ensure this.

1.3 This framework aims to detail the organisational and legislative requirements with regard to the following: data protection; ICT security; confidentiality; access to information; and document management.

1.4 The need to adhere to this framework and associated policies is included in both the terms and conditions of staff employment and the Code of Conduct applicable to all staff and Board Directors. Any breaches will be investigated and, where a serious breach has occurred, disciplinary action may be taken.

2 REFERENCE MATERIAL

2.1 The following information has been used when developing this framework: the Data Protection Act 1998; the Data Protection Principles; guidance from the Information Commissioner's Office (ICO) website; and Data Protection Good Practice Guidance.

3 DEFINITIONS

3.1 A full list of definitions is attached at appendix A.

4 POLICY CONTENTS

4.1 Data Protection

4.1.1 The Data Protection Act 1998 establishes a framework of rights and duties which are designed to safeguard personal data. The framework balances the legitimate needs of organisations to collect and use personal data for business and other purposes against the right of individuals to respect for the privacy of their personal details. The legislation itself is complex, but is underpinned by a set of eight straightforward, common-sense principles:

Principle 1: Personal information must be fairly and lawfully processed.
Principle 2: Personal information must be processed for limited purposes.
Principle 3: Personal information must be adequate, relevant and not excessive.
Principle 4: Personal information must be accurate and up to date.
Principle 5: Personal information must not be kept for longer than is necessary.
Principle 6: Personal information must be processed in line with the data subjects' rights.
Principle 7: Personal information must be secure.
Principle 8: Personal information must not be transferred to other countries without adequate protection.

4.1.2 These principles must be followed by anyone processing personal data. More detailed information regarding the principles is attached at appendix B.

4.1.3 Use of Employee Protection Register / Concerns Markers

Thirteen Group has a duty under the Health and Safety Act 1974 to provide a safe working environment for its employees. Many employees come into direct face-to-face contact with customers and clients as part of their work, in situations which are sometimes volatile or that may present other risks to the safety of staff. Thirteen Group therefore recognises the necessity of using an Employee Protection Register / Concerns Marker. However, sensitive personal data may be included in the Employee Protection Register / Concerns Marker, and therefore its usage must comply with the Data Protection Act 1998.

4.1.4 Data Sharing Agreements

Employees and Board Directors working for and on behalf of Thirteen Group must understand the importance of good practice when dealing with personal and sensitive personal data held in customer records, and appreciate the rules by which individuals' data may be accessed and processed. Thirteen Group expects that data held by the organisation, or by any companies acting on behalf of the Group, will be treated as confidential at all times and will be processed in accordance with the Data Protection Act 1998 and Thirteen Group's other policies and procedures. Data will not be made available to third parties for commercial or marketing purposes. Organisations using any type of data held by Thirteen Group will have to sign up to a data sharing agreement and be bound by the requirements of that agreement.

4.1.5 Data Security Breaches

A data security breach can happen for a number of reasons, for example: loss or theft of information on which data is stored; unauthorised access; equipment failure; human error; and fire or flood. If a potential breach is identified, action will be taken to ensure that the matter is contained and, if possible, the information recovered; that an assessment of ongoing risk is made; that the affected parties are notified of the breach as required; and that the effects of the breach and the response are evaluated. Action may include disciplinary investigations if employees are involved.

4.2 ICT Security

4.2.1 Employees and Board Directors must use Thirteen Group's information technology and communications facilities sensibly, professionally, lawfully and consistently, with respect for colleagues and for customers, and in accordance with this framework and Thirteen Group's other policies and procedures.

4.2.2 Use of Electronic Email

Thirteen Group's email facilities are provided for business purposes. Email facilities provided by Thirteen Group should not be abused, and only authorised users of the Group's computer systems are entitled to use email facilities. The use of the Group's email facilities assumes and implies compliance with this framework, Thirteen Group's other policies and procedures, and the Data Protection Act 1998. Every user has a duty to ensure that they practise appropriate and proper use and must understand their responsibilities in this regard. Complaints received from both internal and external sources regarding any unacceptable use of email which involves Thirteen Group's email facilities.

4.2.3 Use of Internet / Intranet

Thirteen Group provides access to the information, resources and facilities of the Internet to help employees and Board Directors do their jobs more efficiently and effectively. Thirteen Group has implemented security measures to block inappropriate content and entrusts employees and Board Directors to use the Internet and Intranet in a professional way which avoids any question of inappropriate use. Be aware that when visiting websites, information identifying the PC may be logged, and therefore any activity may be associated with Thirteen Group.

4.2.4 Misuse of Facilities

Misuse of Thirteen Group's facilities and systems, including its telephone, email and internet systems, will be treated seriously and dealt with in accordance with Thirteen Group's disciplinary procedures. The Group reserves the right to undertake a detailed investigation in accordance with Thirteen Group's disciplinary procedures, and information and data on electronic or paper records may be used as evidence. Where this is the case, information identifying individuals will be redacted where required.

4.2.5 System Security

Security of Thirteen Group's ICT system is of paramount importance. We owe a duty to all of our customers to ensure that all of our business transactions are kept confidential. If at any time we need to rely in court on any information which has been stored or processed using Thirteen Group's IT systems, it is essential that we are able to demonstrate the integrity of those systems.

4.2.6 Remote Working

This applies to employees' and Board Directors' use of Thirteen Group's devices, e.g. laptops, tablets and mobile phones, and also to employees' and Board Members' use of their own computer equipment or other computer equipment. Essential remote working practices will be outlined within the Mobile Working Procedures.

4.2.7 Personal blogs / websites

Thirteen Group expects employees and Board Directors to conduct themselves appropriately and in a manner which is consistent with a contract of employment and with Thirteen Group's policies and procedures. This includes when creating, updating, modifying or contributing to blogs, message boards and other content sharing sites outside of working hours, including when using personal IT or the Group IT system during non-working hours.

4.2.8 Social Media

Thirteen Group currently uses social media to communicate effectively with customers and stakeholders. Employees and Board Directors must be aware at all times that, when contributing to social media activities involving comments or views about the Group, they are acting as a representative of the organisation. This framework provides for effective use of social media whilst protecting the organisation's business information and any client or customer information within its custody or safekeeping by safeguarding its confidentiality, integrity and availability. The personal use of social media is not allowed during work time. Users of social media should also be aware that if any activity is found to call the Group's integrity into question, appropriate investigations and action will be taken.

4.2.9 Monitoring Communications

Thirteen Group is ultimately responsible for all business communications but will, so far as possible and appropriate, respect an employee's or Board Director's privacy and autonomy whilst working. Thirteen Group may monitor your business communications for reasons which include: providing evidence of business transactions; ensuring that the Group's business procedures, policies and contracts are adhered to; complying with any legal obligations; monitoring standards of service and staff performance, and for staff training; preventing or detecting unauthorised use of Thirteen Group's communications systems or criminal activities; and maintaining the effective operation of Thirteen Group's communications systems.

4.2.10 Use of Cloud Storage Systems

Use of cloud computing services by employees and Board Directors for work purposes must be formally authorised by Thirteen Group's IT Manager. Thirteen Group's IT Manager will certify that Thirteen Group's security, privacy and all other IT management requirements will be adequately addressed by the cloud computing vendor. This is necessary to protect the integrity and confidentiality of Thirteen Group's data and the security of the corporate network.

4.2.11 Printing

Thirteen Group strives to provide quality and cost-effective print, copy and scan services to meet the needs of employees and Board Directors, whilst taking into consideration the impact of printing on the organisation's sustainability goals.

4.2.12 Encryption

Encryption provides an enhanced level of assurance that data being used cannot be viewed or otherwise discovered by unauthorised parties in the event of theft, loss or interception. Employees and Board Directors are required to employ Thirteen Group approved encryption techniques to preserve the confidentiality and integrity of, and control access to, Group data which is classified as private and confidential, wherever this data is processed, stored or transmitted.

4.3 Confidentiality

4.3.1 The Group is aware of its responsibilities when using or handling confidential information. Employees and Board Directors shall not misuse any information or allow others to do so. Confidential information must be used, processed and handled in accordance with this framework, Thirteen Group's other policies and procedures, and the Data Protection Act 1998.

4.3.2 Sharing Confidential Information between Employees and Board Directors

Within Thirteen Group, confidential information should only be available to employees and Board Directors who genuinely need to know it to carry out their work effectively. Only facts from confidential information should be shared, and only with the necessary and appropriate employees and Board Directors. Where confidential information is shared with an entire team, care should be taken to ensure that there is a legitimate need for the entire team to have access.

4.3.3 Confidential Correspondence

Employees and Board Directors will have access to confidential correspondence and should exercise care and caution when handling correspondence received into Thirteen Group; for example, envelopes marked confidential or personal should be handled in accordance with administration procedures, policies and the Data Protection Act 1998.

4.3.4 Multi-Agency Partnerships

Thirteen Group recognises the necessity of working with other agencies so that it is able to meet the needs of customers, clients or prospective customers and clients, and so that employees and Board Directors can carry out their work effectively. The Group will aim to maintain a balance between the need for confidentiality and the sharing of information necessary to make an effective response to other agencies requesting information. Employees and Board Directors should only share information with other agencies on a need-to-know basis, though the overarching principle should be to obtain consent.

4.3.5 Anonymous Information

Where employees or Board Directors of the Group are given information from anonymous sources, the information will be passed to the relevant team for reference or, where appropriate, to take action to investigate any allegations that may be included within the information. All employees and Board Directors are required to ensure that personal information gained from an anonymous source remains confidential.

4.3.6 Disclosure of Confidential Information

Where requests are made for the disclosure of personal information, employees and Board Directors must consider whether the consent of the individual concerned should be sought. The Group's overarching principle is that an individual's consent should be sought before disclosing personal information to other individuals or organisations, and confidential information should only be shared in exceptional circumstances. However, the Data Protection Act 1998 reinforces the Crime and Disorder Act 1998 in that it allows for the disclosure of personal information where the disclosure is for the purposes of the prevention and detection of crime, or the apprehension or prosecution of offenders, and where failure to disclose would prejudice those objectives.

4.3.7 Breaches of Confidentiality

All Thirteen Group employees and Board Directors have a duty of care to ensure that personal information remains confidential. Discussing customers, clients, former customers or clients, rehousing applicants or other employees in public places or in an unprofessional context is unacceptable. Customers, clients, contractors, employees and Board Directors are all expected to respect the rights of others to confidentiality. Although the Group recognises that most breaches of confidentiality occur not out of malice but through thoughtlessness and a lack of awareness of the consequences of an action, any breach of confidentiality will be considered a serious issue, and it may be regarded as gross misconduct where, following investigation, the evidence shows that a breach has occurred.

4.4 Access to Information

Thirteen Group believes that people have a right to see what information is kept about them, and fully endorses the principles of data protection as specified in the Data Protection Act 1998 and other related legislation. Requests for information will be processed within the requirements of the Act, and the access to information procedure will be followed when requests are received.

4.4.1 Freedom of Information

The Freedom of Information Act 2000 gives any individual, regardless of age, nationality or residence, the right to access recorded information held by public sector organisations. As a registered charity, Thirteen Group is not obliged to meet the requirements of this Act; however, as a commitment to being open and transparent, the Group will consider reasonable requests for information.

4.4.2 Data Subject Access Request

In accordance with the Data Protection Act 1998, applicants, customers, clients and former customers and clients have a right to know what information Thirteen Group holds about them, what we use the information for, and to whom we have disclosed or may disclose that information. Applicants can therefore make a request for this information by following the Data Subject Access Request Procedure.

4.4.3 Accuracy of Personal Data

Applicants, customers, clients and former customers and clients have a right to request that information held by the Group which they believe is inaccurate be corrected or removed. If the information is not amended for a justifiable reason, the Group will provide an explanation as to why this has been decided. If the individual then disagrees with the decision, this will be recorded.

4.4.4 Employee Requests for Information

In accordance with the Data Protection Act 1998, job applicants, employees and former employees have a right to know what information the Group holds about them, what we use the information for, and to whom we have disclosed or may disclose that information. This applies to information held in Thirteen Group's computer records and manual files. This information can be requested by using the Data Subject Access procedure.

4.4.5 Third Party Requests for Information

Occasions may occur where third parties contact the Group to request information relating to a customer, client, applicant or former customer or client. Where this is the case, third party consent to share this information must be received, or an informed decision must be made to allow the information to be released without consent. This includes requests from relatives, other agencies, local authority councillors, MPs and Board Directors.

4.5 Document Management

Thirteen Group will manage all documents and records created or received using a reliable and well-designed system which describes the standards of practice the Group requires to manage and dispose of records.

4.5.1 Electronic Document and Records Management

Thirteen Group endorses the use of electronic document and records management and expects employees and Board Directors to manage documents and records electronically wherever and whenever possible.

4.5.2 Document Retention

A records retention schedule document is in place which sets out the classes of records the Group retains and the length of time these records need to be retained before final disposal action is taken (i.e. destruction or transfer to our archiving facility). The document retention schedule applies to information regardless of its format or the media in which it is created or might be held.

4.5.3 Disposal of Documents and Records

All confidential documents and records will be disposed of in an appropriate way to ensure the security of that data.

Equality and Diversity

Customer Involvement and Consultation

Monitoring and Review

Responsibility

For use by the Governance team

Date agreed at Erimus Board:
Date agreed at Housing Hartlepool Board:
Date agreed at Tees Valley Board:
Date agreed at Thirteen Care and Support Board:
Date agreed at Tristar Homes Board:
Date agreed at Thirteen Group Board:
Date added to Index:
Date added to Internet:
Date added to Intranet:
Linked to Policy or Procedure Number:
Linked to Strategy Number: