Somerset County Council - Data Protection Policy - Final





Organisation: Somerset County Council
Title: Data Protection Policy - Final
Author: Peter Grogan
Owner: Information Governance Manager
Protective Marking: Unclassified

POLICY ON A PAGE

Somerset County Council will ensure all users of personal information are aware of the statutes and guidance that apply to the protection of that information. This policy provides information on the types of controls that are within scope, the rules and guidance that must be followed, the standards to be maintained, the risk to users, clients and the Council, and the potential consequences of misuse.

This document will be distributed to: All Elected Members, Somerset County Council Staff, 3rd Party Contractors, Secondees and Volunteers.

Key Messages

- Data Protection is a legal responsibility for all Council Members, Officers, Contractors and Volunteers.
- Data Protection applies to all the personal and sensitive data held by, and on behalf of, the Council.
- All users must read and understand the policy framework around Data Protection.
- There are significant risks in managing personal data, both to clients and to the reputation of the Council.
- The Council is obliged to fulfil the Data Protection Act in regard to Notification, Fair Processing Notices and Privacy Impact Assessments.
- Clients, staff and members of the public have a statutory right to know all the information we hold about them in the Council.
- Data Protection covers a broad range of subject matter including data collection, data processing, data sharing, email, fax, phones, SMS messaging and records management.
- You must report any suspected data breach of personal or sensitive data.

This policy on a page is a summary of the detailed policy document; please ensure you read, understand and comply with the full policy.

Version Final v1.1 Page 1 of 9

Revision History

Revision Date | Editor       | Previous Version | Description of Revision
01.07.11      | Peter Grogan |                  | Initial Draft
18.10.11      | Peter Grogan | v.01             | Comments from R.Allen & D.Littlewood
21.10.11      | Peter Grogan | v.02             | Additions P.Grogan
04.11.11      | Peter Grogan | v.03             | Additions P.Grogan
04.01.12      | Peter Grogan | v.04             | Reformatting
11.03.12      | Peter Grogan | v.05             | Reformatting
15.06.12      | Peter Grogan | v.06             | HR Update & Union Approver
17.07.12      | Peter Grogan | v.07             | Logo & Unison
29.08.12      | Peter Grogan | v.08             | Approval by IM Board
13.03.13      | Peter Grogan | v.09             | HR amendments (Appx 1)

Document Approvals

This document requires the following approvals:

Approval                       | Name                | Date
Information Governance Manager | Peter Grogan        | 01.08.2012
Information Governance Board   | Donna Fitzgerald    | 29.08.2012
Unions / JNF                   | Carrie-Anne Hiscock | 08.08.2012
SCC HR                         | Richard Crouch      | 09.08.2012
Elected Members                | David Huxtable      |

Document Distribution

This document will be distributed to: All Elected Members, Somerset County Council Staff, 3rd Party Contractors, Secondees and Volunteers.

FULL POLICY DOCUMENT

1 Policy Statement

Somerset County Council will ensure every user is aware of, and understands, their responsibilities with regard to the security of data held by, and on behalf of, the Council in respect of:

- their responsibilities with regard to the security and protection of personal data
- the benefits of data sharing
- the necessity for records management
- the technical and administrative controls operating in the Council
- the statutory framework

2 Purpose

Somerset County Council collects, holds and uses data about people and organisations with whom it deals in order to conduct its business. The Council has a statutory duty under the Data Protection Act and related legislation to safeguard this information. This data covers, but is not restricted to, the following:

- Current, past and prospective employees
- Suppliers
- Customers
- School pupils and students
- Others with whom the Council communicates

In addition, the law may occasionally require us to collect and use certain types of personal information to comply with the requirements of government departments, such as the Police, the NHS and other 3rd parties.

This policy outlines every user's responsibilities in respect of Data Protection and allows users to focus on detailed areas by linking them to specific policy documents.

3 Scope

Any information must be dealt with properly however it is collected, recorded and used, whether on paper, in a computer, or recorded on other media. This document describes the policies for correctly handling personal and sensitive data in order to comply with the Data Protection Act and related legislation.

This policy relates to all data held by Somerset County Council in any form and includes UNCLASSIFIED, PROTECT or RESTRICTED information, as defined by HMG, held or processed by the Council.

This policy is intended for all Somerset County Council Councillors, Committees, Departments, Partners, Employees and Volunteers of the Council, contractual third parties and agents of the Council who have responsibilities for processing data.

4 Definition

This document defines the policy, practice and procedure to ensure the security of personal and sensitive information held by Somerset County Council.

Somerset County Council fully endorses and adheres to the 8 Principles of Data Protection as set out in the Data Protection Act 1998, other relevant information security legislation, and the controls recommended in Government Connect, ISO27000x and the GCSx Code of Connection. Therefore, the Council will ensure that all Councillors, Committees, Departments, Partners, Employees, contractual third parties and agents of the Council who have access to any information held by or on behalf of the Council are fully aware of, and abide by, their duties and responsibilities under this legislation and guidance.

Guidance on the Data Protection Act

5 Risks

Somerset County Council recognises that there are risks associated with users accessing and handling information in order to conduct official Council business. This policy aims to mitigate the following risks:

- the loss or theft of personal & sensitive data
- lack of effective and safe data sharing
- inadequate records management
- inadequate processing of Data Subject Access Requests (DSARs)
- security breaches of the Data Protection Act
- inadequate destruction of data
- not annually notifying the ICO of SCC's intention to process personal data
- not correctly making available privacy notices
- not carrying out privacy impact assessments

Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in reputational damage, financial loss, ICO fines and an inability to provide necessary services to our customers.

6 Applying the Policy

6.1 Notification

The process for Notification to the ICO under the Data Protection Act is carried out every year. The Somerset County Council Notification ref Z5957592 can be searched for at this link: SCC Notification

6.2 Privacy Notice

The Somerset County Council privacy notice is published on the internet at this link: Privacy Notice

If you regularly collect information in forms, questionnaires or surveys, ensure your documentation includes the Privacy Notice with provision for ensuring informed consent. If you regularly collect information over the phone, ensure the script you read to the customer includes the Privacy Notice.

6.3 Privacy Impact Assessments

The Council promotes the use of Privacy Impact Assessments in all projects where personal and sensitive data is used. The Council guidance is published on the intranet at this link: SCC Privacy Impact Assessments

6.4 Information Control

The methods by which data is managed and controlled within the organisation need to ensure that data is effectively shared and protected, whilst at rest and in transit. These issues are comprehensively addressed in the Information Control and Compliance Policy.

6.5 Personal Data Access Requests

The public can request to see all the data that the Council holds about them or about someone for whom they have a legal responsibility. The Council guidance on this can be found at this link: Data Subject Access Request Guidance

6.6 Computers

Acceptable Use Policy (AUP)

The Council has to protect personal data across a wide range of technologies and in a variety of environments. The Acceptable Use Policy describes in detail how each aspect of this is managed and your responsibilities for keeping personal and sensitive data secure. It includes specific policy on the following: Physical Security; Incident Management; Access Control; Home Working; Remote Working; Protective Marking; Device Connection; Web Browsing; Removable Media; Social Media; Surveillance and Monitoring; Password Security; Software; IT Procurement; Email and Smart Office / Clear Desk.

6.7 Post

Personal and sensitive data can be sent through the normal postal system; the Royal Mail is a bonded courier and is trusted by the Police, the NHS and the Courts to deliver sensitive documents and correspondence. The Council must consider the risks of sending out all documents and consider whether any additional safeguards are required to protect the information being sent. Documents can be classified according to their sensitivity, the volume of data they contain, and the destination or recipient of the data. All these factors will influence a decision on the postal service used, as will the cost of delivery.

RESTRICTED material must always be either hand delivered or sent by SPECIAL DELIVERY, double wrapped. The inner wrapper must be marked RESTRICTED with a return address.

Most information sent out by the Council to individual clients will be classified as PROTECT and can be sent by first or second class post. If there is a significant amount of sensitive material, consult your service guidelines as to whether to double wrap a package or consider SPECIAL DELIVERY.

Each of the Council Services sends out a range of documents, and each service has compiled guidelines which will mitigate the risk of items being:

- Sent to the wrong address or a previous address
- Opened by the wrong person
- Ripped open in transit

Service Guidelines

Each service has considered the information to be posted and has applied a risk assessment to the data. Their guidelines can be found here:

- Adult Social Care
- Children & Young People
- Environment
- Resources

6.8 Fax machines

Fax should not be used to transmit personal and sensitive information except as a method of last resort or in an emergency. Fax machines carry greater risk than email with regard to accidental disclosure:

- outside the Council, due to incorrect dialling
- inside the Council, if information is picked up or read by the wrong person

Fax machines catering for personal and sensitive data should not be located in common-way areas or on corridors.

If a fax machine has to be used, the risk of disclosure can be mitigated by:

- ensuring that a trusted recipient is waiting at the other end of the fax line
- sending a preliminary test page to check that the fax number is correct
- on each page, using the page X of Y function to check that the entire document is sent
- checking that any fax auto-dial is correct for the recipient

6.9 Mobile phones and SMS messaging

Personal mobile phones should not be used for Council business. No personal or sensitive information required for Council business should be stored on personal mobiles; this includes texts, emails, photographs and video.

In case your Council phone is lost or stolen, ensure you:

- have a timeout on the screen to lock it out after 5 minutes
- have a password to lock the phone, preferably 8 digits mixed alpha-numeric
- if possible, encrypt the data on your phone
- only store essential data on the phone
- only keep data on the phone for a short period

Only Not Protectively Marked (NPM) information can be sent by text. Most mobile phones cannot be encrypted and the data may be stored on servers whose security status is unknown to the Council. On no account should PROTECT or RESTRICTED material be sent by text.

If you use a Council phone on a regular basis and you use it for contacting clients, consider applying to your service for a Blackberry. These devices offer encryption, over-the-air delivery of email, voice recording and password security.

6.10 Phone calls

When making phone calls of a personal and sensitive nature:

- in the office, ensure you cannot be overheard by anyone not directly concerned with the client on the phone
- outside the office, ensure you cannot be overheard by anyone; where this is not possible, use only first names and try to avoid discussing personal and sensitive issues

6.11 Email

Please refer to the detailed Email Policy for the policy on:

- email as records
- do's and don'ts
- OWA / personal email accounts
- the use of personal email accounts
- protective marking RESTRICTED / PROTECT / UNCLASSIFIED
- junk mail - spam
- security
- sending secure email
- confidentiality
- malware - computer viruses

6.12 Universal Data Sharing Protocol

The Council recognises the need to share personal and sensitive data with other partner organisations in order to safeguard the vulnerable and provide effective and efficient services. The Council has an overarching Universal Data Sharing Protocol to assist in the design of individual agreements with partner agencies. If the agreement is initiated by the other party, please ensure that it contains all the elements contained within this document.

Universal Data Sharing Protocol

6.13 Data Sharing Agreements

If you intend to set up a service or change a service that will necessitate the sharing of personal or sensitive data with another data controller or data processor, such as a partner organisation, you must have a Data Sharing Agreement in place similar to the one below.

Sample Data Sharing Agreement

6.14 Data Processing Agreement

If you intend to set up a service or change a service that will necessitate the processing of personal or sensitive data by another organisation, such as an IT contractor, you must have a Data Processing Agreement in place similar to the one below.

Sample Data Processing Agreement

6.15 Third Party Memorandums of Understanding (MoUs)

If you intend to set up a service or change a service that will necessitate a 3rd party or contractor accessing a database or software application on the SCC network, you must have an MoU in place similar to the one below.

Sample Memorandum of Understanding

6.16 Data Transfers

If you intend to transfer personal or sensitive data to a 3rd party or contractor, you must have the data transfer approved by the IG Manager. Before approving the transfer, the IG Manager will consider:

- the sensitivity of the data
- the volume of data to be transmitted
- the security offered by the 3rd party
- the country to which the data is to be sent

6.17 Records Management

The Council's Records Management Policy concerns the lifecycle of the information from creation to destruction. Records should be created, stored, processed, accessed and destroyed in adherence to the Principles of the Data Protection Act and the Code of Practice that regulates the processing of the information. The policy is applicable to all records held by members and officers in computers and offices across the Council, and not only those held in the records stores and archives.

6.18 Data Retention

Data should only be retained as long as it is needed, to comply with the 5th Principle of the Data Protection Act. The Council has a Retention Schedule that takes into account:

- statutory and legal obligations
- universal best practice
- local service guidance

6.19 Data Destruction

Personal data must be destroyed when it is no longer necessary for the purpose for which it was collected. The Council has a Data Destruction Policy to advise on how data should be disposed of when it is no longer required. The Council needs to be aware that it must destroy or erase outdated records on magnetic media, computers, disks, tapes etc., and on paper in files, reports and notebooks.

6.20 Data Breaches

If you are aware that you, or someone else, have disclosed personal or sensitive data to someone who did not have permission / authority to receive that information, you must report it immediately to your line manager, who will pass the information to the IG Team.

You must also do the following:

- If any personal information has been sent to the wrong individual in paper form, attempts must be made to recover the information, ideally in person.
- If any personal information has been sent to the wrong individual in electronic form, attempts must be made to ensure the recipient has deleted the information from their computer / email.

The process that governs how that data breach is dealt with is covered in detail in the Incident Management Policy.

Appendix 1 Governance Arrangements

Policy Compliance

If any employee is found to have breached this policy, they may be subject to Somerset County Council's disciplinary procedure. Where it is considered that a criminal offence has potentially been committed, the Council will consider the need to refer the matter to the police.

If you do not understand the implications of this policy or how it may apply to you, seek advice from the Information Governance Team.

Policy Governance

The following table identifies who within Somerset County Council is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply:

- Responsible: the person(s) responsible for developing and implementing the policy.
- Accountable: the person who has ultimate accountability and authority for the policy.
- Consulted: the person(s) or groups to be consulted prior to final policy implementation.
- Informed: the person(s) or groups to be informed after policy implementation.

Responsible                    | Accountable                     | Consulted                           | Informed
Information Governance Manager | SIRO Head of Client Services    | Senior Management Team, HR, Unions  | All Members, employees, contractors, volunteers and 3rd parties

Review and Revision

This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months. Policy review will be undertaken by the Information Governance Manager.

References

The following Somerset County Council policy documents are directly relevant to this policy, and are referenced within this document:

- Corporate Information Security Policy
- Data Protection Policy
- Information Transparency Policy
- Acceptable Use Policy
- Legal Responsibility Policy