Organisation: Somerset County Council
Title: Data Protection Policy - Final
Author: Peter Grogan
Owner: Information Governance Manager
Protective Marking: Unclassified

POLICY ON A PAGE

Somerset County Council will ensure all users of personal information are aware of the statutes and guidance that apply to the protection of that information. This policy provides information on the types of controls that are within scope, the rules and guidance that must be followed, the standards to be maintained, the risk to users, clients and the Council, and the potential consequences of misuse.

This document will be distributed to: All Elected Members, Somerset County Council Staff, 3rd Party Contractors, Secondees and Volunteers.

Key Messages

- Data Protection is a legal responsibility for all Council Members, Officers, Contractors and Volunteers.
- Data Protection applies to all the personal and sensitive data held by, and on behalf of, the Council.
- All users must read and understand the policy framework around Data Protection.
- There are significant risks in managing personal data, both to clients and to the reputation of the Council.
- The Council is obliged to fulfil the Data Protection Act in regard to Notification, Fair Processing Notices and Privacy Impact Assessments.
- Clients, staff and members of the public have a statutory right to know all the information we hold about them in the Council.
- Data Protection covers a broad range of subject matter including data collection, data processing, data sharing, email, fax, phones, SMS messaging and records management.
- You must report any suspected data breach of personal or sensitive data.

This policy on a page is a summary of the detailed policy document; please ensure you read, understand and comply with the full policy.

Version Final v1.1 Page 1 of 9
Revision History

Revision Date | Editor | Previous Version | Description of Revision
01.07.11 | Peter Grogan | | Initial Draft
18.10.11 | Peter Grogan | v.01 | Comments from R.Allen & D.Littlewood
21.10.11 | Peter Grogan | v.02 | Additions P.Grogan
04.11.11 | Peter Grogan | v.03 | Additions P.Grogan
04.01.12 | Peter Grogan | v.04 | Reformatting
11.03.12 | Peter Grogan | v.05 | Reformatting
15.06.12 | Peter Grogan | v.06 | HR Update & Union Approver
17.07.12 | Peter Grogan | v.07 | Logo & Unison
29.08.12 | Peter Grogan | v.08 | Approval by IM Board
13.03.13 | Peter Grogan | v.09 | HR amendments (Appx 1)

Document Approvals

This document requires the following approvals:

Approval | Name | Date
Information Governance Manager | Peter Grogan | 01.08.2012
Information Governance Board | Donna Fitzgerald | 29.08.2012
Unions / JNF | Carrie-Anne Hiscock | 08.08.2012
SCC HR | Richard Crouch | 09.08.2012
Elected Members | David Huxtable |

Document Distribution

This document will be distributed to: All Elected Members, Somerset County Council Staff, 3rd Party Contractors, Secondees and Volunteers.
FULL POLICY DOCUMENT

1 Policy Statement

Somerset County Council will ensure every user is aware of, and understands, their responsibilities with regard to the security of data held by, and on behalf of, the Council in respect of:

- their responsibilities with regard to the security and protection of personal data
- the benefits of data sharing
- the necessity for records management
- the technical and administrative controls operating in the Council
- the statutory framework

2 Purpose

Somerset County Council collects, holds and uses data about people and organisations with whom it deals in order to conduct its business. The Council has a statutory duty under the Data Protection Act and related legislation to safeguard this information. This data covers, but is not restricted to, the following:

- Current, past and prospective employees
- Suppliers
- Customers
- School pupils and students
- Others with whom the Council communicates

In addition, the law may occasionally require us to collect and use certain types of personal information to comply with the requirements of government departments, such as the Police, the NHS and other 3rd parties.

This policy outlines every user's responsibilities in respect of Data Protection and allows users to focus on detailed areas by linking them to specific policy documents.

3 Scope

Any information must be dealt with properly however it is collected, recorded and used, whether on paper, in a computer, or recorded on other media. This document describes the policies for correctly handling personal and sensitive data in order to comply with the Data Protection Act and related legislation.

This policy relates to all data held by Somerset County Council in any form and includes UNCLASSIFIED, PROTECT or RESTRICTED information, as defined by HMG, held or processed by the Council.

This policy is intended for all Somerset County Council Councillors, Committees, Departments, Partners, Employees and Volunteers of the Council, contractual third parties and agents of the Council who have responsibilities for processing data.

4 Definition

This document defines the policy, practice and procedure to ensure the security of personal and sensitive information held by Somerset County Council.
Somerset County Council fully endorses and adheres to the 8 Principles of Data Protection as set out in the Data Protection Act 1998, other relevant information security legislation, and the controls recommended in Government Connect, ISO27000x and the GCSx Code of Connection. Therefore, the Council will ensure that all Councillors, Committees, Departments, Partners, Employees, contractual third parties and agents of the Council who have access to any information held by or on behalf of the Council are fully aware of, and abide by, their duties and responsibilities under this legislation and guidance.

Guidance on the Data Protection Act

5 Risks

Somerset County Council recognises that there are risks associated with users accessing and handling information in order to conduct official Council business. This policy aims to mitigate the following risks:

- the loss or theft of personal and sensitive data
- lack of effective and safe data sharing
- inadequate records management
- inadequate processing of Data Subject Access Requests (DSARs)
- security breaches of the Data Protection Act
- inadequate destruction of data
- not annually notifying the ICO of SCC's intention to process personal data
- not correctly making available privacy notices
- not carrying out privacy impact assessments

Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in reputational damage, financial loss, ICO fines and an inability to provide necessary services to our customers.

6 Applying the Policy

6.1 Notification

The process for Notification to the ICO under the Data Protection Act is carried out every year. The Somerset County Council Notification, ref Z5957592, can be searched for at this link: SCC Notification

6.2 Privacy Notice

The Somerset County Council privacy notice is published on the internet at this link: Privacy Notice

If you regularly collect information in forms, questionnaires or surveys, ensure your documentation includes the Privacy Notice with provision for ensuring informed consent. If you regularly collect information over the phone, ensure the script you read to the customer includes the Privacy Notice.
6.3 Privacy Impact Assessments

The Council promotes the use of Privacy Impact Assessments in all projects where personal and sensitive data is used. The Council guidance is published on the intranet at this link: SCC Privacy Impact Assessments

6.4 Information Control

The methods by which data is managed and controlled within the organisation need to ensure that data is effectively shared and protected whilst at rest and in transit. These issues are comprehensively addressed in the Information Control and Compliance Policy.

6.5 Personal Data Access Requests

The public can request to see all the data that the Council holds about them or about someone for whom they have a legal responsibility. The Council guidance on this can be found at this link: Data Subject Access Request Guidance

6.6 Computers: Acceptable Use Policy (AUP)

The Council has to protect personal data across a wide range of technologies and in a variety of environments. The Acceptable Use Policy describes in detail how each aspect of this is managed and your responsibilities for keeping personal and sensitive data secure. It includes specific policy on the following: Physical Security; Incident Management; Access Control; Home Working; Remote Working; Protective Marking; Device Connection; Web Browsing; Removable Media; Social Media; Surveillance and Monitoring; Password Security; Software; IT Procurement; Email and Smart Office / Clear Desk.

6.7 Post

Personal and sensitive data can be sent through the normal postal system; the Royal Mail is a bonded courier and is trusted by the Police, the NHS and the Courts to deliver sensitive documents and correspondence. The Council must consider the risks of sending out all documents and consider whether any additional safeguards are required to protect the information being sent. Documents can be classified according to their sensitivity, the volume of data they contain, and the destination or recipient of the data. All these factors will influence the decision on the postal service used, as will the cost of delivery.

RESTRICTED material must always be either hand delivered or sent by SPECIAL DELIVERY, double wrapped. The inner wrapper must be marked RESTRICTED with a return address.

Most information sent out by the Council to individual clients will be classified as PROTECT and can be sent by first or second class post. If there is a significant amount of sensitive material, consult your service guidelines as to whether to double wrap the package or consider SPECIAL DELIVERY.

Each of the Council Services sends out a range of documents, and each service has compiled guidelines which will mitigate the risk of items being:

- sent to the wrong address or a previous address
- opened by the wrong person
- ripped open in transit

Service Guidelines

Each service has considered the information to be posted and has applied a risk assessment to the data. Their guidelines can be found here:

- Adult Social Care
- Children & Young People
- Environment
- Resources

6.8 Fax machines

Fax should not be used to transmit personal and sensitive information except as a method of last resort or in an emergency. Fax machines carry greater risk than email with regard to accidental disclosure:

- outside the Council, due to incorrect dialling
- inside the Council, if information is picked up or read by the wrong person

Fax machines catering for personal and sensitive data should not be located in common way areas or on corridors. If a fax machine has to be used, the risk of disclosure can be mitigated by:

- ensuring that a trusted recipient is waiting at the other end of the fax line
- sending a preliminary test page to check that the fax number is correct
- using the "page X of Y" function on each page to check that the entire document is sent
- checking that any fax auto-dial entry is correct for the recipient

6.9 Mobile phones and SMS messaging

Personal mobile phones should not be used for Council business. No personal or sensitive information required for Council business should be stored on personal mobiles; this includes texts, emails, photographs and video.

In case your Council phone is lost or stolen, ensure you:

- have a timeout on the screen to lock it after 5 minutes
- have a password to lock the phone, preferably 8 digits of mixed alphanumeric characters
- encrypt the data on your phone, if possible
- only store essential data on the phone
- only keep data on the phone for a short period

Only Not Protectively Marked (NPM) information can be sent by text. Most mobile phones cannot be encrypted, and the data may be stored on servers whose security status is unknown to the Council. On no account should PROTECT or RESTRICTED material be sent by text.

If you use a Council phone on a regular basis and you use it for contacting clients, consider applying to your service for a Blackberry. These devices offer encryption, over-the-air delivery of email, voice recording and password security.
6.10 Phone calls

When making phone calls of a personal and sensitive nature:

- in the office, ensure you cannot be overheard by anyone not directly concerned with the client on the phone
- outside the office, ensure you cannot be overheard by anyone; where this is not possible, use only first names and try to avoid discussing personal and sensitive issues

6.11 Email

Please refer to the detailed Email Policy for the policy on:

- email as records
- do's and don'ts
- OWA / personal email accounts
- the use of personal email accounts
- protective marking: RESTRICTED / PROTECT / UNCLASSIFIED
- junk mail (spam)
- security
- sending secure email
- confidentiality
- malware (computer viruses)

6.12 Universal Data Sharing Protocol

The Council recognises the need to share personal and sensitive data with other partner organisations in order to safeguard the vulnerable and provide effective and efficient services. The Council has an overarching Universal Data Sharing Protocol to assist in the design of individual agreements with partner agencies. If the agreement is initiated by the other party, please ensure that it contains all the elements contained within this document.

Universal Data Sharing Protocol

6.13 Data Sharing Agreements

If you intend to set up a service or change a service that will necessitate the sharing of personal or sensitive data with another data controller or data processor, such as a partner organisation, you must have a Data Sharing Agreement in place similar to the one below.

Sample Data Sharing Agreement

6.14 Data Processing Agreement

If you intend to set up a service or change a service that will necessitate the processing of personal or sensitive data by another organisation, such as an IT contractor, you must have a Data Processing Agreement in place similar to the one below.

Sample Data Processing Agreement

6.15 Third Party Memorandums of Understanding (MoUs)

If you intend to set up a service or change a service that will necessitate a 3rd party or contractor accessing a database or software application on the SCC network, you must have an MoU in place similar to the one below.

Sample Memorandum of Understanding
6.16 Data Transfers

If you intend to transfer personal or sensitive data to a 3rd party or contractor, you must have the data transfer approved by the IG Manager. Before approving the transfer, the IG Manager will consider:

- the sensitivity of the data
- the volume of data to be transmitted
- the security offered by the 3rd party
- the country to which the data is to be sent

6.17 Records Management

The Council's Records Management Policy concerns the lifecycle of information from creation to destruction. Records should be created, stored, processed, accessed and destroyed in adherence to the Principles of the Data Protection Act and the Code of Practice that regulates the processing of the information. The policy is applicable to all records held by members and officers in computers and offices across the Council, and not only those held in the records stores and archives.

6.18 Data Retention

Data should only be retained as long as it is needed, to comply with the 5th Principle of the Data Protection Act. The Council has a Retention Schedule that takes into account:

- statutory and legal obligations
- universal best practice
- local service guidance

6.19 Data Destruction

Personal data must be destroyed when it is no longer necessary for the purpose for which it was collected. The Council has a Data Destruction Policy to advise on how data should be disposed of when it is no longer required. The Council needs to be aware that it must destroy or erase outdated records on magnetic media, computers, disks, tapes etc., and on paper in files, reports and notebooks.

6.20 Data Breaches

If you are aware that you, or someone else, have disclosed personal or sensitive data to someone who did not have permission or authority to receive that information, you must report it immediately to your line manager, who will pass the information to the IG Team.

You must also do the following:

- If any personal information has been sent to the wrong individual in paper form, attempts must be made to recover the information, ideally in person.
- If any personal information has been sent to the wrong individual in electronic form, attempts must be made to ensure the recipient has deleted the information from their computer / email.

The process that governs how a data breach is dealt with is covered in detail in the Incident Management Policy.
Appendix 1 Governance Arrangements

Policy Compliance

If any employee is found to have breached this policy, they may be subject to Somerset County Council's disciplinary procedure. Where it is considered that a criminal offence has potentially been committed, the Council will consider the need to refer the matter to the police.

If you do not understand the implications of this policy or how it may apply to you, seek advice from the Information Governance Team.

Policy Governance

The following table identifies who within Somerset County Council is Accountable, Responsible, Informed or Consulted with regards to this policy. The following definitions apply:

- Responsible: the person(s) responsible for developing and implementing the policy.
- Accountable: the person who has ultimate accountability and authority for the policy.
- Consulted: the person(s) or groups to be consulted prior to final policy implementation.
- Informed: the person(s) or groups to be informed after policy implementation.

Responsible: Information Governance Manager
Accountable: SIRO Head of Client Services
Consulted: Senior Management Team, HR, Unions
Informed: All Members, employees, contractors, volunteers and 3rd parties

Review and Revision

This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12 months. Policy review will be undertaken by the Information Governance Manager.

References

The following Somerset County Council policy documents are directly relevant to this policy, and are referenced within this document:

- Corporate Information Security Policy
- Data Protection Policy
- Information Transparency Policy
- Acceptable Use Policy
- Legal Responsibility Policy